Edit tour

Windows Analysis Report
SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe
Analysis ID:	1471674
MD5:	a6d83330743edcff48a85dfa1013fdab
SHA1:	0aa8362a86274edcba3c111e8d729b1e0198a92b
SHA256:	03c769a2c069d127c2d9a5103853218a8f108074f0012776ff871dadf346c39e
Tags:	exe
Infos:

Detection

Petite Virus

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Petite Virus

Installs Task Scheduler Managed Wrapper

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe (PID: 2300 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe" MD5: A6D83330743EDCFF48A85DFA1013FDAB)

SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp (PID: 2828 cmdline: "C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp" /SL5="$103DA,8156847,189952,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe" MD5: B3937B0F947BBEB9F93859803C6FD14E)

BA002.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe" MD5: 9AA0F5A7FBC6F7A2E6FEAF78F8E6B7D7)

installer.exe (PID: 3352 cmdline: .\installer.exe MD5: 4D66DE397B5BF1F085AA7046A578A34C)

GenericSetup.exe (PID: 1804 cmdline: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe MD5: 1F4C6E7D827B980005B2C9C057018BD0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3970419543.0000000006271000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60b1e6f.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60ad2ab.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.608ee0f.3.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60b1e6f.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60ad2ab.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.5f99937.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET MALWARE Lavasoft PUA/Adware Client Install - Source IP: 192.168.2.4 - Destination IP: 104.16.148.130

Timestamp:	07/11/24-19:39:38.782654
SID:	2025537
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI - Source IP: 192.168.2.4 - Destination IP: 104.16.148.130

Timestamp:	07/11/24-19:39:44.565238
SID:	2849740
Source Port:	49751
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Suspicious Domain (sos .adaware .com) in TLS SNI - Source IP: 192.168.2.4 - Destination IP: 104.16.212.94

Timestamp:	07/11/24-19:39:40.960268
SID:	2849741
Source Port:	49745
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI - Source IP: 192.168.2.4 - Destination IP: 104.16.148.130

Timestamp:	07/11/24-19:39:42.215264
SID:	2849740
Source Port:	49747
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI - Source IP: 192.168.2.4 - Destination IP: 104.16.148.130

Timestamp:	07/11/24-19:39:43.806977
SID:	2849740
Source Port:	49749
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI - Source IP: 192.168.2.4 - Destination IP: 104.16.148.130

Timestamp:	07/11/24-19:39:42.987417
SID:	2849740
Source Port:	49748
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI - Source IP: 192.168.2.4 - Destination IP: 104.16.148.130

Timestamp:	07/11/24-19:39:39.840011
SID:	2849740
Source Port:	49742
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00F87E70 CryptAcquireContextW,___std_exception_copy,CryptCreateHash,___std_exception_copy,CryptHashData,___std_exception_copy,CryptGetHashParam,	6_2_00F87E70
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FF01E0 CryptAcquireContextA,CryptCreateHash,	6_2_00FF01E0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FF0240 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	6_2_00FF0240
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FF0220 CryptHashData,	6_2_00FF0220
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FEEB50 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	6_2_00FEEB50
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FEEE50 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	6_2_00FEEE50
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00F8F870 CryptReleaseContext,CryptDestroyHash,	6_2_00F8F870

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: mov dword ptr [ebx+04h], 424D53FFh

6_2_00FDC1C0

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.16.213.94:443 -> 192.168.2.6:57188 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.16.149.130:443 -> 192.168.2.6:57184 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\2024.07.11_13.50.15.338184_installer_pid=3352.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GenericSetup.exe.log			Jump to behavior

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\Installer\Source\InstallerStealth\DevLib\obj\Release\DevLib.pdb source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Win32.TaskScheduler.dll.4.dr
Source:	Binary string: E:\Installer\Source\InstallerStealth\WizardPages\obj\Release\WizardPages.pdb source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr
Source:	Binary string: E:\Installer\Build\installer.pdb source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000006.00000000.2432182463.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe, 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe.4.dr
Source:	Binary string: E:\Installer\Source\InstallerStealth\OfferInstaller\obj\Release\OfferInstaller.pdb source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, OfferInstaller.exe.4.dr

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

Code function: 4_2_00405434 FindFirstFileA,FindFirstFileW,

4_2_00405434

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025537 ET MALWARE Lavasoft PUA/Adware Client Install 192.168.2.4:49740 -> 104.16.148.130:80
Source: Traffic	Snort IDS: 2849740 ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI 192.168.2.4:49742 -> 104.16.148.130:443
Source: Traffic	Snort IDS: 2849741 ETPRO MALWARE Suspicious Domain (sos .adaware .com) in TLS SNI 192.168.2.4:49745 -> 104.16.212.94:443
Source: Traffic	Snort IDS: 2849740 ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI 192.168.2.4:49747 -> 104.16.148.130:443
Source: Traffic	Snort IDS: 2849740 ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI 192.168.2.4:49748 -> 104.16.148.130:443
Source: Traffic	Snort IDS: 2849740 ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI 192.168.2.4:49749 -> 104.16.148.130:443
Source: Traffic	Snort IDS: 2849740 ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI 192.168.2.4:49751 -> 104.16.148.130:443

Source: global traffic	HTTP traffic detected: POST /v1/bundle/list/?bundleId=BA002 HTTP/1.1Content-Type: application/json;charset=utf-8Host: sos.adaware.comContent-Length: 185Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat/?ProductID=IS&Type=BundleInstallStart HTTP/1.1Content-Type: application/json;charset=utf-8Host: flow.lavasoft.comContent-Length: 848Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /v1/event-stat/?ProductID=IS&Type=BundleProposedOffersIsEmpty HTTP/1.1Content-Type: application/json;charset=utf-8Host: flow.lavasoft.comContent-Length: 230
Source: global traffic	HTTP traffic detected: POST /v1/event-stat/?ProductID=IS&Type=PageShown HTTP/1.1Content-Type: application/json;charset=utf-8Host: flow.lavasoft.comContent-Length: 188
Source: global traffic	HTTP traffic detected: POST /v1/event-stat/?ProductID=IS&Type=BundleInstallComplete HTTP/1.1Content-Type: application/json;charset=utf-8Host: flow.lavasoft.comContent-Length: 1283
Source: global traffic	HTTP traffic detected: POST /v1/event-stat/?ProductID=IS&Type=ProfileDebug HTTP/1.1Content-Type: application/json;charset=utf-8Host: flow.lavasoft.comContent-Length: 2860
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1Host: flow.lavasoft.comAccept: application/jsonContent-Type: application/jsoncharsets: utf-8Content-Length: 274Data Raw: 7b 22 44 61 74 61 22 3a 7b 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 20 28 62 75 69 6c 64 20 31 39 30 34 35 29 2c 20 36 34 2d 62 69 74 22 2c 22 44 6f 74 4e 65 74 46 72 61 6d 65 77 6f 72 6b 22 3a 22 33 2e 35 2c 20 34 2e 30 20 43 6c 69 65 6e 74 2c 20 34 2e 30 20 46 75 6c 6c 2c 20 34 2e 35 2c 20 34 2e 35 2e 31 2c 20 34 2e 35 2e 32 2c 20 34 2e 36 2c 20 34 2e 36 2e 31 2c 20 34 2e 36 2e 32 22 7d 7d 0a Data Ascii: {"Data":{"BundleId":"BA002","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","OsVersion":"Microsoft Windows 10 (build 19045), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2"}}
Source: global traffic	HTTP traffic detected: POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1Host: flow.lavasoft.comAccept: application/jsonContent-Type: application/jsoncharsets: utf-8Content-Length: 151Data Raw: 7b 22 44 61 74 61 22 3a 7b 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 49 6e 50 72 6f 63 65 73 73 22 3a 22 74 72 75 65 22 7d 7d 0a Data Ascii: {"Data":{"BundleId":"BA002","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","InProcess":"true"}}

Source: Joe Sandbox View

IP Address: 104.16.149.130 104.16.149.130

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 104.16.213.94:443 -> 192.168.2.6:57188 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.16.149.130:443 -> 192.168.2.6:57184 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00FCD610 recv,WSAGetLastError,

6_2_00FCD610

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: flow.lavasoft.com
Source: global traffic	DNS traffic detected: DNS query: sos.adaware.com

Source: unknown

HTTP traffic detected: POST /v1/bundle/list/?bundleId=BA002 HTTP/1.1Content-Type: application/json;charset=utf-8Host: sos.adaware.comContent-Length: 185Connection: Keep-Alive

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://counter-strike.com.ua/
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000006107000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3965128605.000000000018D000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, BA002.exe.2.dr, is-BLFBV.tmp.2.dr, is-5QV8V.tmp.2.dr, is-F96N3.tmp.2.dr, is-BDOB3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000006107000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3965128605.000000000018D000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, BA002.exe.2.dr, is-BLFBV.tmp.2.dr, is-5QV8V.tmp.2.dr, is-F96N3.tmp.2.dr, is-BDOB3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng3.crl0
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0Y
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: installer.exe, 00000006.00000002.3965677324.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
Source: installer.exe, 00000006.00000002.3965677324.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStartU
Source: installer.exe, 00000006.00000002.3965677324.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
Source: is-BDOB3.tmp.2.dr	String found in binary or memory: http://lame.sf.net
Source: is-BDOB3.tmp.2.dr	String found in binary or memory: http://lame.sf.net1.0LAME3.99rLAME3.99r43.99.4
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000006107000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3965128605.000000000018D000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, BA002.exe.2.dr, is-BLFBV.tmp.2.dr, is-5QV8V.tmp.2.dr, is-F96N3.tmp.2.dr, is-BDOB3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng30V
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng3ocsp.crt04
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://webcompanion.com/privacy
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr	String found in binary or memory: http://webcompanion.com/terms?http://webcompanion.com/privacyOOptional
Source: is-BDOB3.tmp.2.dr	String found in binary or memory: http://www.audiocoding.com/)
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.000000000236D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.burnaware.com/
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.burnaware.com/2http://www.burnaware.com/2http://www.burnaware.com/&
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3968953523.0000000003419000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3968953523.00000000033ED000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.burnaware.com/after-install.html
Source: is-FLSM1.tmp.2.dr	String found in binary or memory: http://www.burnaware.com/update.verU
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3965128605.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-5QV8V.tmp.2.dr	String found in binary or memory: http://www.burnaware.comD
Source: is-F96N3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr	String found in binary or memory: http://www.burnaware.comDVarFileInfo$
Source: is-F96N3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr, is-2RS4N.tmp.2.dr	String found in binary or memory: http://www.burnaware.comopenU
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099446062.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099078375.00000000026D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000000.2100552726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mp3dev.org/
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mp3dev.org/0.89LAME3.93
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.palkornel.hu/innosetup%1
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099446062.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099078375.00000000026D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000000.2100552726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webcompanion.com/:http://webcompanion.com/terms
Source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, installer.exe, installer.exe, 00000006.00000000.2432182463.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe, 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe.4.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: installer.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: BurnAware Free.log.7.dr	String found in binary or memory: https://flow.lavasoft.com
Source: installer.exe, 00000006.00000002.3965677324.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://flow.lavasoft.com0:15.
Source: installer.exe, 00000006.00000002.3965677324.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://flow.lavasoft.comj
Source: BA002.exe, 00000004.00000003.2428985153.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000006.00000002.3965677324.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, GenericSetup.exe.config.4.dr	String found in binary or memory: https://sos.adaware.com
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Win32.TaskScheduler.dll.4.dr	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Win32.TaskScheduler.dll.4.dr	String found in binary or memory: https://taskscheduler.codeplex.com/F
Source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 57189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57190

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00FEEE50 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

6_2_00FEEE50

System Summary

PE file has nameless sections

Source: is-KTHJV.tmp.2.dr	Static PE information: section name:
Source: is-KTHJV.tmp.2.dr	Static PE information: section name:
Source: is-PBHEO.tmp.2.dr	Static PE information: section name:
Source: is-PBHEO.tmp.2.dr	Static PE information: section name:
Source: is-7RQ8V.tmp.2.dr	Static PE information: section name:
Source: is-7RQ8V.tmp.2.dr	Static PE information: section name:
Source: is-BSUHA.tmp.2.dr	Static PE information: section name:
Source: is-BSUHA.tmp.2.dr	Static PE information: section name:
Source: is-QUKL7.tmp.2.dr	Static PE information: section name:
Source: is-QUKL7.tmp.2.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00416076	4_2_00416076
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_0040E38E	4_2_0040E38E
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00412480	4_2_00412480
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_004039C8	4_2_004039C8
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00418CC1	4_2_00418CC1
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00418D9B	4_2_00418D9B
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FCC880	6_2_00FCC880
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FC1010	6_2_00FC1010
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FA9D50	6_2_00FA9D50
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FCFE30	6_2_00FCFE30
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FEA0C0	6_2_00FEA0C0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_01070010	6_2_01070010
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FEE180	6_2_00FEE180
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_010127C0	6_2_010127C0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0109A6E0	6_2_0109A6E0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_01062A90	6_2_01062A90
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_01082AB0	6_2_01082AB0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0107AF92	6_2_0107AF92
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FE90A0	6_2_00FE90A0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0107B1C1	6_2_0107B1C1
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_01061020	6_2_01061020
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0107B3F0	6_2_0107B3F0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FF14B0	6_2_00FF14B0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FD77E0	6_2_00FD77E0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_010716B7	6_2_010716B7
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FE9B20	6_2_00FE9B20
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0108BD24	6_2_0108BD24
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_01073D4F	6_2_01073D4F

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: String function: 00413724 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: String function: 00403A63 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00FF2308 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 0100C2B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00F89F40 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00FD7F80 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00F911B0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00FCD340 appears 162 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00FF2328 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00FCD3E0 appears 151 times
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: String function: 00FD7520 appears 37 times

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5LLBU.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5LLBU.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099446062.000000007FE35000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099078375.00000000027F9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: is-KTHJV.tmp.2.dr	Static PE information: Section: ZLIB complexity 0.9989476697198276
Source: is-BSUHA.tmp.2.dr	Static PE information: Section: ZLIB complexity 0.9936018318965517
Source: is-QUKL7.tmp.2.dr	Static PE information: Section: ZLIB complexity 0.993896484375

Source: is-BLFBV.tmp.2.dr

Binary string: DWDMicrosoft CorporationGetMessageTimeGetCursorPosuser32.dllRtlInitUnicodeStringNtOpenFileNtQuerySystemInformation\Device\KsecDDecaffine_table_construction input

Source: classification engine

Classification label: mal42.troj.evad.winEXE@9/81@4/2

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00FD9850 GetLastError,_strncpy,FormatMessageA,___swprintf_l,_strrchr,_strrchr,GetLastError,SetLastError,

6_2_00FD9850

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00F872E0 CoCreateInstance,CoSetProxyBlanket,

6_2_00F872E0

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

File created: C:\Program Files (x86)\BurnAware Free

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\GenericSetupBurnAware Free
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\GenericSetupInstaller_BA002

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

File created: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp

Jump to behavior

Source: Yara match	File source: 00000002.00000002.3970419543.0000000006271000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp, type: DROPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

ReversingLabs: Detection: 13%

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp "C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp" /SL5="$103DA,8156847,189952,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe "C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe .\installer.exe
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp "C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp" /SL5="$103DA,8156847,189952,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe "C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe .\installer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: BurnAware Free.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\BurnAware Free\BurnAware.exe
Source: Help.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\BurnAware Free\burnaware.chm
Source: Uninstall BurnAware Free.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\BurnAware Free\unins000.exe
Source: BurnAware Free.lnk0.2.dr	LNK file: ..\..\..\Program Files (x86)\BurnAware Free\BurnAware.exe

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Automated click: I accept the agreement

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static file information: File size 8728608 > 1048576

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\Installer\Source\InstallerStealth\DevLib\obj\Release\DevLib.pdb source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Win32.TaskScheduler.dll.4.dr
Source:	Binary string: E:\Installer\Source\InstallerStealth\WizardPages\obj\Release\WizardPages.pdb source: BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr
Source:	Binary string: E:\Installer\Build\installer.pdb source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000006.00000000.2432182463.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe, 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe.4.dr
Source:	Binary string: E:\Installer\Source\InstallerStealth\OfferInstaller\obj\Release\OfferInstaller.pdb source: BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, OfferInstaller.exe.4.dr

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

Code function: 4_2_004180F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_004180F0

Source: initial sample

Static PE information: section where entry point is pointing to: petite

Source: BA002.exe.2.dr	Static PE information: section name: .sxdata
Source: is-VR3U7.tmp.2.dr	Static PE information: section name: .didata
Source: is-FQ19R.tmp.2.dr	Static PE information: section name: .didata
Source: is-F96N3.tmp.2.dr	Static PE information: section name: .didata
Source: is-KN6PN.tmp.2.dr	Static PE information: section name: .didata
Source: is-1G882.tmp.2.dr	Static PE information: section name: .didata
Source: is-FLSM1.tmp.2.dr	Static PE information: section name: .didata
Source: is-LACR3.tmp.2.dr	Static PE information: section name: .didata
Source: is-8HNGJ.tmp.2.dr	Static PE information: section name: .didata
Source: is-2A9L3.tmp.2.dr	Static PE information: section name: .didata
Source: is-QIUH5.tmp.2.dr	Static PE information: section name: .didata
Source: is-2RS4N.tmp.2.dr	Static PE information: section name: .didata
Source: is-7C2AO.tmp.2.dr	Static PE information: section name: .didata
Source: is-KTHJV.tmp.2.dr	Static PE information: section name:
Source: is-KTHJV.tmp.2.dr	Static PE information: section name:
Source: is-KTHJV.tmp.2.dr	Static PE information: section name: petite
Source: is-PBHEO.tmp.2.dr	Static PE information: section name:
Source: is-PBHEO.tmp.2.dr	Static PE information: section name:
Source: is-PBHEO.tmp.2.dr	Static PE information: section name: petite
Source: is-7RQ8V.tmp.2.dr	Static PE information: section name:
Source: is-7RQ8V.tmp.2.dr	Static PE information: section name:
Source: is-7RQ8V.tmp.2.dr	Static PE information: section name: petite
Source: is-BSUHA.tmp.2.dr	Static PE information: section name:
Source: is-BSUHA.tmp.2.dr	Static PE information: section name:
Source: is-BSUHA.tmp.2.dr	Static PE information: section name: petite
Source: is-QUKL7.tmp.2.dr	Static PE information: section name:
Source: is-QUKL7.tmp.2.dr	Static PE information: section name:
Source: is-QUKL7.tmp.2.dr	Static PE information: section name: petite
Source: is-5QV8V.tmp.2.dr	Static PE information: section name: .didata
Source: is-OIJLO.tmp.2.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00411130 push ecx; mov dword ptr [esp], ecx	4_2_00411131
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00413724 push eax; ret	4_2_00413742
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_00413A90 push eax; ret	4_2_00413ABE
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0100C2F6 push ecx; ret	6_2_0100C309
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0100BD43 push ecx; ret	6_2_0100BD56

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-BDOB3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	File created: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-QIUH5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\DiscInfo.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bass.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bamedenclib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-BLFBV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\EraseDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-OIJLO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\UnpackISO.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-FLSM1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\VerifyDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bassenc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bashell64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-FQ19R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-8HNGJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\fr\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bamainlib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-VR3U7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\SpanDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-3KPCR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-5LLBU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-JVN9C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\en\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\baplayer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\BurnImage.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\AudioCD.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bashell32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-7C2AO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\MakeISO.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\MediaDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-LACR3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\CopyImage.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-5U77G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\DataDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\tags.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-F96N3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\OfferInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\es\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\WizardPages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-1G882.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-2RS4N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\DevLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bawmalib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\badecx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-KN6PN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\de\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\is-2A9L3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\Program Files (x86)\BurnAware Free\BurnAware.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\2024.07.11_13.50.15.338184_installer_pid=3352.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GenericSetup.exe.log			Jump to behavior

Boot Survival

Installs Task Scheduler Managed Wrapper

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

File created: C:\Users\user\AppData\Local\Temp\7zSC9543C70\Microsoft.Win32.TaskScheduler.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\BurnAware Free.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\Help.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\BurnAware Free on the Web.url	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\Uninstall BurnAware Free.lnk	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Memory allocated: B50000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Window / User API: threadDelayed 2808			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Window / User API: threadDelayed 2668			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-BDOB3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-QIUH5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\DiscInfo.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bass.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bamedenclib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-BLFBV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\EraseDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-OIJLO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\UnpackISO.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-FLSM1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bassenc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\VerifyDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bashell64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-FQ19R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-8HNGJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\fr\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bamainlib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-VR3U7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\SpanDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-3KPCR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-5LLBU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-JVN9C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\en\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\baplayer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\BurnImage.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\AudioCD.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-7C2AO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\MakeISO.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\MediaDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-LACR3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\CopyImage.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-5U77G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\DataDisc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\tags.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-F96N3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\OfferInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\es\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\WizardPages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\DevLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-1G882.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-2RS4N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bawmalib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\badecx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-KN6PN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC9543C70\de\DevLib.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\is-2A9L3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BurnAware Free\BurnAware.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe TID: 5796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe TID: 2524	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe TID: 5072	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe TID: 5796	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

Code function: 4_2_00405434 FindFirstFileA,FindFirstFileW,

4_2_00405434

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00FBE920 GetVersionExW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetModuleHandleW,GetProcAddress,GetSystemMetrics,

6_2_00FBE920

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3966757905.00000000007FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: installer.exe, 00000006.00000002.3965677324.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

API call chain: ExitProcess graph end node

graph_4-16385

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_01079047 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_01079047

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

Code function: 4_2_004180F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_004180F0

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_01089701 mov eax, dword ptr fs:[00000030h]

6_2_01089701

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00F83EA0 GetProcessHeap,HeapFree,

6_2_00F83EA0

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_0041561A SetUnhandledExceptionFilter,	4_2_0041561A
Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe	Code function: 4_2_0041562C SetUnhandledExceptionFilter,	4_2_0041562C
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_01079047 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_01079047
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_0100B5EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0100B5EA

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, is-5QV8V.tmp.2.dr	Binary or memory string: ProgmanU
Source: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, is-5QV8V.tmp.2.dr	Binary or memory string: Shell_TrayWndU

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_0100BF48 cpuid

6_2_0100BF48

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	6_2_010059F0
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: ___crtGetLocaleInfoEx,	6_2_01005BA6
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: EnumSystemLocalesW,	6_2_0109258C
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: GetLocaleInfoW,	6_2_01092AD8
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_01098FA3
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: EnumSystemLocalesW,	6_2_01099301
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: EnumSystemLocalesW,	6_2_0109921B
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: EnumSystemLocalesW,	6_2_01099266
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_01099707
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_010998DB

Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zSC9543C70\DevLib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zSC9543C70\WizardPages.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_00F97720 GetSystemTimeAsFileTime,__aulldiv,__aulldiv,

6_2_00F97720

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Code function: 6_2_01091B5D _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

6_2_01091B5D

Source: C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

Code function: 4_2_004148D4 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

4_2_004148D4

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Petite Virus

Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60b1e6f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60ad2ab.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.608ee0f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60b1e6f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60ad2ab.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.5f99937.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp, type: DROPPED

Remote Access Functionality

Yara detected Petite Virus

Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60b1e6f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60ad2ab.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.608ee0f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60b1e6f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.60ad2ab.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.5f99937.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FCE690 htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,		6_2_00FCE690
Source: C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe	Code function: 6_2_00FDEA40 bind,WSAGetLastError,		6_2_00FDEA40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	2 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	156 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Masquerading	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	341 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	13%	ReversingLabs	Win32.PUA.ICBundler

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\BurnAware Free\AudioCD.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\BurnAware.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\BurnImage.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\CopyImage.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\DataDisc.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\DiscInfo.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\EraseDisc.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\MakeISO.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\MediaDisc.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\SpanDisc.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\UnpackISO.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\VerifyDisc.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\badecx.dll (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bamainlib.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bamedenclib.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\baplayer.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bashell32.dll (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bashell64.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bass.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bassenc.dll (copy)	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bassflac.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\basswma.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\bawmalib.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-1G882.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-2A9L3.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-2RS4N.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-3KPCR.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-5LLBU.tmp	4%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-5U77G.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-7C2AO.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-8HNGJ.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-BDOB3.tmp	4%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-BLFBV.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-F96N3.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-FLSM1.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-FQ19R.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-JVN9C.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-KN6PN.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-LACR3.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-OIJLO.tmp	3%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-QIUH5.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\is-VR3U7.tmp	2%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\tags.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BurnAware Free\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSC9543C70\DevLib.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSC9543C70\Microsoft.Win32.TaskScheduler.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.webcompanion.com/:http://webcompanion.com/terms	0%	Avira URL Cloud	safe
http://lame.sf.net1.0LAME3.99rLAME3.99r43.99.4	0%	Avira URL Cloud	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Avira URL Cloud	safe
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStartU	0%	Avira URL Cloud	safe
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=ProfileDebug	0%	Avira URL Cloud	safe
http://www.burnaware.com/	0%	Avira URL Cloud	safe
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart	0%	Avira URL Cloud	safe
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallComplete	0%	Avira URL Cloud	safe
https://flow.lavasoft.com	0%	Avira URL Cloud	safe
http://www.mp3dev.org/0.89LAME3.93	0%	Avira URL Cloud	safe
https://curl.haxx.se/docs/http-cookies.html#	0%	Avira URL Cloud	safe
http://www.dk-soft.org/	0%	Avira URL Cloud	safe
https://sos.adaware.com/v1/bundle/list/?bundleId=BA002	0%	Avira URL Cloud	safe
http://webcompanion.com/privacy	0%	Avira URL Cloud	safe
https://sos.adaware.com	0%	Avira URL Cloud	safe
https://flow.lavasoft.com0:15.	0%	Avira URL Cloud	safe
https://taskscheduler.codeplex.com/	0%	Avira URL Cloud	safe
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown	0%	Avira URL Cloud	safe
http://www.burnaware.comD	0%	Avira URL Cloud	safe
http://lame.sf.net	0%	Avira URL Cloud	safe
http://www.burnaware.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://www.audiocoding.com/)	0%	Avira URL Cloud	safe
https://taskscheduler.codeplex.com/F	0%	Avira URL Cloud	safe
http://www.burnaware.com/update.verU	0%	Avira URL Cloud	safe
http://www.burnaware.comopenU	0%	Avira URL Cloud	safe
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart	0%	Avira URL Cloud	safe
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart	0%	Avira URL Cloud	safe
http://counter-strike.com.ua/	0%	Avira URL Cloud	safe
http://www.mp3dev.org/	0%	Avira URL Cloud	safe
http://www.burnaware.com/2http://www.burnaware.com/2http://www.burnaware.com/&	0%	Avira URL Cloud	safe
https://flow.lavasoft.comj	0%	Avira URL Cloud	safe
http://www.palkornel.hu/innosetup%1	0%	Avira URL Cloud	safe
http://www.burnaware.com/after-install.html	0%	Avira URL Cloud	safe
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffersIsEmpty	0%	Avira URL Cloud	safe
http://webcompanion.com/terms?http://webcompanion.com/privacyOOptional	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sos.adaware.com	104.16.213.94	true	false	unknown
www.google.com	142.250.185.132	true	false	unknown
flow.lavasoft.com	104.16.149.130	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=ProfileDebug	false	Avira URL Cloud: safe	unknown
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallComplete	false	Avira URL Cloud: safe	unknown
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart	false	Avira URL Cloud: safe	unknown
https://sos.adaware.com/v1/bundle/list/?bundleId=BA002	false	Avira URL Cloud: safe	unknown
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown	false	Avira URL Cloud: safe	unknown
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart	false	Avira URL Cloud: safe	unknown
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart	false	Avira URL Cloud: safe	unknown
https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffersIsEmpty	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099446062.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099078375.00000000026D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000000.2100552726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.mp3dev.org/0.89LAME3.93	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	false	URL Reputation: safe	unknown
https://flow.lavasoft.com	BurnAware Free.log.7.dr	false	Avira URL Cloud: safe	unknown
http://lame.sf.net1.0LAME3.99rLAME3.99r43.99.4	is-BDOB3.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStartU	installer.exe, 00000006.00000002.3965677324.00000000006C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.burnaware.com/	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.000000000236D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.webcompanion.com/:http://webcompanion.com/terms	BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, installer.exe, installer.exe, 00000006.00000000.2432182463.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe, 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmp, installer.exe.4.dr	false	URL Reputation: safe	unknown
https://curl.haxx.se/docs/http-cookies.html#	installer.exe	false	Avira URL Cloud: safe	unknown
http://www.dk-soft.org/	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://webcompanion.com/privacy	BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://taskscheduler.codeplex.com/	BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Win32.TaskScheduler.dll.4.dr	false	Avira URL Cloud: safe	unknown
https://sos.adaware.com	BA002.exe, 00000004.00000003.2428985153.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000006.00000002.3965677324.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, GenericSetup.exe.config.4.dr	false	Avira URL Cloud: safe	unknown
http://lame.sf.net	is-BDOB3.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr, Microsoft.Win32.TaskScheduler.dll.4.dr, installer.exe.4.dr, OfferInstaller.exe.4.dr	false	URL Reputation: safe	unknown
http://www.burnaware.comD	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005B50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005BDE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3965128605.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-5QV8V.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://flow.lavasoft.com0:15.	installer.exe, 00000006.00000002.3965677324.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.burnaware.comDVarFileInfo$	is-F96N3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://taskscheduler.codeplex.com/F	BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Win32.TaskScheduler.dll.4.dr	false	Avira URL Cloud: safe	unknown
http://www.audiocoding.com/)	is-BDOB3.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://www.burnaware.comopenU	is-F96N3.tmp.2.dr, is-LACR3.tmp.2.dr, is-2A9L3.tmp.2.dr, is-KN6PN.tmp.2.dr, is-QIUH5.tmp.2.dr, is-FLSM1.tmp.2.dr, is-2RS4N.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://www.burnaware.com/update.verU	is-FLSM1.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://www.mp3dev.org/	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3970419543.0000000005F98000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.burnaware.com/2http://www.burnaware.com/2http://www.burnaware.com/&	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://counter-strike.com.ua/	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://flow.lavasoft.comj	installer.exe, 00000006.00000002.3965677324.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.burnaware.com/after-install.html	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3968953523.0000000003419000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3968953523.00000000033ED000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.palkornel.hu/innosetup%1	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000002.3966285678.000000000233E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2098466936.0000000002590000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000002.3967179950.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000003.2101802904.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099446062.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe, 00000000.00000003.2099078375.00000000026D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp, 00000002.00000000.2100552726.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp.0.dr	false	URL Reputation: safe	unknown
http://webcompanion.com/terms?http://webcompanion.com/privacyOOptional	BA002.exe, 00000004.00000003.2431734850.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, BA002.exe, 00000004.00000003.2431430059.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, WizardPages.dll.4.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.16.213.94	sos.adaware.com	United States		13335	CLOUDFLARENETUS	false
104.16.149.130	flow.lavasoft.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1471674
Start date and time:	2024-07-11 19:48:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe
Detection:	MAL
Classification:	mal42.troj.evad.winEXE@9/81@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 137 Number of non-executed functions: 216
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.16.213.94	Setup.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Adware.Downware.20552.29919.24444.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Program.Unwanted.4662.20461.1147.exe	Get hash	malicious	Unknown	Browse
104.16.149.130	Setup.exe	Get hash	malicious	Unknown	Browse	geo.lavasoft.com/
	Setup.exe	Get hash	malicious	Unknown	Browse	geo.lavasoft.com/
	Setup.exe	Get hash	malicious	Unknown	Browse	geo.lavasoft.com/
	Setup.exe	Get hash	malicious	Unknown	Browse	geo.lavasoft.com/
	SecuriteInfo.com.Program.Unwanted.4662.20461.1147.exe	Get hash	malicious	Unknown	Browse	downloadnada.lavasoft.com/update/12.10.158.0/win32/AdAwareWebInstaller.exe
	Setup (1).exe	Get hash	malicious	Unknown	Browse	wcdownloadercdn.lavasoft.com/12.1.4.1003/WebCompanion-12.1.4.1003-prod.zip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.google.com	http://www.xfinityconnect.comcastappmobile.162-240-175-16.cprapid.com	Get hash	malicious	Unknown	Browse	142.250.186.36
	http://track.fsome.us/?xtl=1viwu5za3qfkgb4bktigd6w9r2aiqj8ubi9x5aevx7vsdxmw96lm51d09tvturwitx5wwhlphpachqeuw68ny1p2uhpiqa5szmrev8&eih=pq9mx5ijy0kxtkev624h50srg6ww83cce1e&__stmp=sgg9ci&__onlt=h	Get hash	malicious	Unknown	Browse	142.250.186.132
	https://link.edgepilot.com/s/58f2f2eb/x4Qvr3PeoEWaCYfnNgIJ1g?u=https://onmicrosoft.highachieverssam.org/404	Get hash	malicious	HTMLPhisher	Browse	172.217.16.196
	https://www.canva.com/design/DAGKqBoB-pk/5yZY6xv4Mi45lnpws5bCrQ/edit?utm_content=DAGKqBoB-pk&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	216.58.206.36
	http://plnbl.io/review/WX__Ro3YJP2_	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	142.250.184.196
	Mott Corporation_SKM_C590368369060_417161.pdf.pdf	Get hash	malicious	HTMLPhisher	Browse	142.250.184.196
	https://sites.google.com/view/thewassociatespe-lspllc/home	Get hash	malicious	HTMLPhisher	Browse	142.250.186.68
	https://8pingstate.sbs/y289	Get hash	malicious	Unknown	Browse	172.217.18.4
	https://www.evernote.com/shard/s552/sh/d87c15a9-f5fc-dbbf-e870-00a99882fe99/Bu1HrA086twuEcRU5pyqlAC6c1YNBJWK_suwXIxI6ybw-NGqVUWWtfJo1w	Get hash	malicious	HTMLPhisher	Browse	172.217.16.196
flow.lavasoft.com	JDownloaderSetup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	JDownloaderSetup.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	SecuriteInfo.com.Adware.Downware.20552.29919.24444.exe	Get hash	malicious	Unknown	Browse	104.16.149.130
	SecuriteInfo.com.Adware.Downware.20552.29919.24444.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	SecuriteInfo.com.Trojan.MulDrop24.56436.17805.29816.exe	Get hash	malicious	Unknown	Browse	104.16.149.130
	SecuriteInfo.com.Trojan.MulDrop24.56436.17805.29816.exe	Get hash	malicious	Unknown	Browse	104.16.148.130
	SecuriteInfo.com.Program.Unwanted.5399.28168.2681.exe	Get hash	malicious	Unknown	Browse	104.17.8.52
	SecuriteInfo.com.Program.Unwanted.5399.28168.2681.exe	Get hash	malicious	Unknown	Browse	104.17.9.52
	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse	104.17.9.52
sos.adaware.com	SecuriteInfo.com.Adware.Downware.20552.29919.24444.exe	Get hash	malicious	Unknown	Browse	104.16.213.94
	SecuriteInfo.com.Trojan.MulDrop24.56436.17805.29816.exe	Get hash	malicious	Unknown	Browse	104.18.68.73
	SecuriteInfo.com.Trojan.MulDrop24.56436.17805.29816.exe	Get hash	malicious	Unknown	Browse	104.18.68.73
	SecuriteInfo.com.Program.Unwanted.5399.28168.2681.exe	Get hash	malicious	Unknown	Browse	104.18.68.73
	SecuriteInfo.com.Program.Unwanted.5399.28168.2681.exe	Get hash	malicious	Unknown	Browse	104.18.68.73
	Pokemon_ Ruby Version (V1.2).exe	Get hash	malicious	Unknown	Browse	104.18.67.73
	GenericSetup.exe	Get hash	malicious	Unknown	Browse	104.18.68.73
	VicoHome_App.exe	Get hash	malicious	Unknown	Browse	104.18.68.73
	_Papa Louie 2_ When Burgers Attack!.exe	Get hash	malicious	Unknown	Browse	104.18.68.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.xfinityconnect.comcastappmobile.162-240-175-16.cprapid.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	http://track.fsome.us/?xtl=1viwu5za3qfkgb4bktigd6w9r2aiqj8ubi9x5aevx7vsdxmw96lm51d09tvturwitx5wwhlphpachqeuw68ny1p2uhpiqa5szmrev8&eih=pq9mx5ijy0kxtkev624h50srg6ww83cce1e&__stmp=sgg9ci&__onlt=h	Get hash	malicious	Unknown	Browse	104.18.11.207
	LummaC2.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://link.edgepilot.com/s/58f2f2eb/x4Qvr3PeoEWaCYfnNgIJ1g?u=https://onmicrosoft.highachieverssam.org/404	Get hash	malicious	HTMLPhisher	Browse	172.64.153.29
	DO70976789089.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	https://www.canva.com/design/DAGKqBoB-pk/5yZY6xv4Mi45lnpws5bCrQ/edit?utm_content=DAGKqBoB-pk&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://plnbl.io/review/WX__Ro3YJP2_	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.22.54.104
	Mott Corporation_SKM_C590368369060_417161.pdf.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://sites.google.com/view/thewassociatespe-lspllc/home	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
CLOUDFLARENETUS	http://www.xfinityconnect.comcastappmobile.162-240-175-16.cprapid.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	http://track.fsome.us/?xtl=1viwu5za3qfkgb4bktigd6w9r2aiqj8ubi9x5aevx7vsdxmw96lm51d09tvturwitx5wwhlphpachqeuw68ny1p2uhpiqa5szmrev8&eih=pq9mx5ijy0kxtkev624h50srg6ww83cce1e&__stmp=sgg9ci&__onlt=h	Get hash	malicious	Unknown	Browse	104.18.11.207
	LummaC2.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://link.edgepilot.com/s/58f2f2eb/x4Qvr3PeoEWaCYfnNgIJ1g?u=https://onmicrosoft.highachieverssam.org/404	Get hash	malicious	HTMLPhisher	Browse	172.64.153.29
	DO70976789089.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	https://www.canva.com/design/DAGKqBoB-pk/5yZY6xv4Mi45lnpws5bCrQ/edit?utm_content=DAGKqBoB-pk&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://plnbl.io/review/WX__Ro3YJP2_	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.22.54.104
	Mott Corporation_SKM_C590368369060_417161.pdf.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://sites.google.com/view/thewassociatespe-lspllc/home	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	DO70976789089.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.16.213.94 104.16.149.130
	P.O.exe	Get hash	malicious	Snake Keylogger	Browse	104.16.213.94 104.16.149.130
	0001244.pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.16.213.94 104.16.149.130
	MT_056013785200.exe	Get hash	malicious	Snake Keylogger	Browse	104.16.213.94 104.16.149.130
	rSWIFT.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.16.213.94 104.16.149.130
	Order_YK240612-01D(estimate).scr.exe	Get hash	malicious	Remcos	Browse	104.16.213.94 104.16.149.130
	SI HE Voy - TC Relet 11.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	104.16.213.94 104.16.149.130
	RFQ_92889128.pif.exe	Get hash	malicious	Snake Keylogger	Browse	104.16.213.94 104.16.149.130
	rC1JYAnNNn.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.16.213.94 104.16.149.130

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2048216
Entropy (8bit):	6.523206686484186
Encrypted:	false
SSDEEP:	24576:j1H4xy4kR3za8sVPggUuBFzmBLSFRBNTvgADqjuOr75S6UMDmc9rO3T4JkQjy:jou9SzDiFr75S65Dbx6T4iX
MD5:	E5D98861DD116EDA1908CF22D466CD45
SHA1:	A689C7B7ED7C0E4346E1BA7FBEE00997F0B70F08
SHA-256:	0CD6431FA27A99E40FEE93B5741A3CED349F56609A9E9A75EF10859AF3DDF674
SHA-512:	6715E64D594401D60AC144DBC799C4F2E0EA99F5DE2FD46DC8BE111BCFFDEE0F27C246961B0561166389EBD7A569F29680AA48B328894F8C9F227E3428DC6FCA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.....................P....................@.......................... 3......< ..........@............................-..>...p/..............,........-..............................p-.......................-.\|....P-. ....................text............................... ..`.itext..< .......".................. ..`.data...............................@....bss.................\...................idata...>....-..@...\..............@....didata. ....P-.....................@....tls....<....`-..........................rdata.......p-.....................@..@.reloc........-.....................@..B.rsrc........p/.....................@..@............. 3......,..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\BurnAware.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1350360
Entropy (8bit):	6.642861347345999
Encrypted:	false
SSDEEP:	24576:ye08zSJMzUJ5I4VSwq2BdS/7IF3B9G4J+gPOiIsTAA7ZUWkUNmN:lkvS0395J+gPOYTAPamN
MD5:	08E8163EBA464CB7AE6F2B3A0BE3B291
SHA1:	5AC0076EC87BD3D06772CEFCAE11148021121046
SHA-256:	6E185E0ADF5B486AD1076F1C374196BA98651065934A7530D5110891BEEB0C2E
SHA-512:	513846CFF37BC120CDF5F39F2D6966EBB983A6C3EA89B324BF0865A0CF38BF14EBE33B26ACCE95133FAD4C441C660166D049C199002ABAC98086973CFBCA7F50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................v..........X.............@..........................`.......z...........@..............................Z2... ...@......................8..................................................8................................text....e.......f.................. ..`.itext...............j.............. ..`.data....e.......f...z..............@....bss.....y...............................idata..Z2.......4..................@....didata.............................@....tls....<................................rdata..............................@..@.reloc..8.......,..................@..B.rsrc....@... ...@...F..............@..@.............`......................@..@........................................................

C:\Program Files (x86)\BurnAware Free\BurnImage.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1802456
Entropy (8bit):	6.520785784660294
Encrypted:	false
SSDEEP:	24576:MhUTyZQFMCiQonb6M9+yBKS4pEj3TihQXahcwgwux/Xl6jGyTtKMf:4qiTsSeGahc/wuxfADTtKE
MD5:	9791043AE6ABEBF8179899AADCAA6235
SHA1:	B53C8E37444D1B7D45150261A8DFADFF081148E4
SHA-256:	865D2CF4B136FF4B5EC65E97F1BCA6852567D8F9887021B790332B789B32FF03
SHA-512:	FA9B37F90113410DEDDC68547D07D2E80963C3CD45489D9A24D64D6746E64F1EFC5DCF2E1B09E2B3CAC4F5C07E656B5C10709B4507994ED94A242A7F3AD77B07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.........................................@..........................P/..................@............................)..8....+..p...........l.......0.T............................ .......................)........ ....................text....f.......h.................. ..`.itext... ......."...l.............. ..`.data....{.......\|..................@....bss.........0...........................idata...8....)..:..................@....didata. ...........D..............@....tls....<...........J...................rdata....... ......J..............@..@.reloc..T....0*......L..............@..B.rsrc....p....+..p..................@..@.............P/......l..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\CopyImage.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1538264
Entropy (8bit):	6.488992484377018
Encrypted:	false
SSDEEP:	24576:NXOpC0NNHAxRVJG0WdKM6BHS2xVDkGcM3qBSsEXmgTm8ELlOR:Njyo5SUu/M3qBSsEFTCLl4
MD5:	3B9CA55AAA6C2F1089F04317A1D0ED5C
SHA1:	D263CC81CDBE420F45B26BB46FBE367E0DBC5AAC
SHA-256:	6615AFC9218EC2AC5A9FC52C3195316BF2C7F3D1F015EEB505082A3541DF5451
SHA-512:	202EF63DE215AB5A9B94B753855276971782F617C8CECA8B92803D0DEAAE53BF222A20C6BD565CC0AB5E5B3515BDD6134F7F76BB2F91CA543504F9CE67FFA809
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................`...........n.......p....@..........................0.......S...........@...........................`..:5...`...............d..........8....................................................i..,....... ....................text...,N.......P.................. ..`.itext.......`.......T.............. ..`.data...pj...p...l...d..............@....bss....t\|...............................idata..:5...`...6..................@....didata. ...........................@....tls....<................................rdata..............................@..@.reloc..8...........................@..B.rsrc........`......................@..@.............0.......d..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\DataDisc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2240216
Entropy (8bit):	6.515674271457544
Encrypted:	false
SSDEEP:	24576:9YQlxYiPt1wRr3AJId1qBHSMi2UiHQho+3HxDfzFxPK05M9NyKIbTvhTjQF:+8/5ScHL+3HxDfRxCcTvhTu
MD5:	5BCD29D045C4346F0DC4DC16712608A4
SHA1:	05F58AD366145F9135C583A262C51C558CF48452
SHA-256:	6AE136A1B4ED9E5C1187F466FB304A0A1F42E6E92BD73FBD9C79904D1621E88B
SHA-512:	493718D696513C378139E50ECCF2A69041A37520EAF1F3060E25E6E9C83302FDBA24B3C2744698FEFA8D5D18CBAE6FB8F6B82259A904BCFFFFFC9ACF4400AD4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................J..........._.......p....@...........................6......."..........@............................/..;... 2...............".......0.L.............................0......................./......./. ....................text....'.......(.................. ..`.itext... ...@..."...,.............. ..`.data...p....p.......N..............@....bss.....................................idata...;..../..<..................@....didata. ...../.....................@....tls....<...../......$...................rdata........0......$..............@..@.reloc..L.....0......&..............@..B.rsrc........ 2......4..............@..@..............6.......".............@..@........................................................

C:\Program Files (x86)\BurnAware Free\DiscInfo.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1439960
Entropy (8bit):	6.459374732571663
Encrypted:	false
SSDEEP:	24576:g1Y2Zf4AVKcuPVmsmgreaBtSLNomKP5WzSe3yjvTGK/k:af4Ag/SYP5WzSe3OTGK8
MD5:	D636263A0C8B6D3E1E09A3C6F512DD07
SHA1:	9D15830E18D428DBCFB098DB8781BDF8269CD14C
SHA-256:	8E19C44FFB6C9F2990EC70D0C3793AC2DBC0D4D054FC451FC9CD4A39C5F1DF82
SHA-512:	07BA604C7CCA094B512CDF746BC943F3546501C044E3FD2CABFA3B9D92454476306C0AF555342ACF045DA7083F40659CA81E168079353432DFD8112AF6F28BAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................~...b......t.............@.................................;d...........@..............................j0...`...T.......................j.....................................................t............................text...$o.......p.................. ..`.itext...............t.............. ..`.data...<h.......j..................@....bss.....{...............................idata..j0.......2..................@....didata.............................@....tls....<............"...................rdata..............."..............@..@.reloc...j.......l...$..............@..B.rsrc....T...`...T..................@..@....................................@..@........................................................

C:\Program Files (x86)\BurnAware Free\Dos622.img (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	DOS/MBR boot sector, code offset 0x3c+2, OEM-ID ")TNQ9IHC" cached by Windows 9M, root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0x350518e3, label: "BOOT622 ", FAT (12 bit), followed by FAT
Category:	dropped
Size (bytes):	1474560
Entropy (8bit):	6.99474059909904
Encrypted:	false
SSDEEP:	24576:A1o795/aeZ9NJ6P+TqpVj9jyJYNQKj43FuI97CwiQqddnr5O9aH41SflbEkj3eSa:A1EU+TqpVjOYNnPnrw9arIkjuSgog
MD5:	A4A096CAB6079C2CFA88A8BDE0EAC3AA
SHA1:	14F2A0E33B11F047D16DE56E92567C5FAA6C5668
SHA-256:	1AB300A0A54B8F384CC457424EA0D2F3F46BEF11C0172429C6B207B2EC539E6E
SHA-512:	415F5EE18500D442824546002C8B21FC96EAC883BD5844862767381EF05803440115FBD7ACB569A68862FD89E6C11C6B63465895134020520E2070429FD6BFB7
Malicious:	false
Preview:	.<.)TNQ9IHC........@..................)...5BOOT622 FAT12 .3....\|...x.6.7.V.S.>\|........E.....\|.M..G...>\|...ry3.9..\|t....\|.. \|..\|.&.\|...\|...\|...\|....P\|..R\|.I\|..K\|. ..&.\|...\|..H....I\|..K\|......R\|.P\|..r.....r........}.u... ....t...}._.3...^....D...XXX..G.HH...\|2.....I\|..K\|......PRQ.:.r...T.YZXr..........\|....\|..$\|..I\|.K\|...p....t).........;..\|s..6.\|...O\|3..6.\|..%\|.M\|.......M\|.....6O\|....$\|.6%\|.....Non-System disk or disk error..Replace and press any key when ready...IO SYSMSDOS SYS..U.....@..`................. ..@..`................! .#@.%`.'..)..+..-../..1 .3@.5`.7..9..;..=..?..A .C@.E`.G..I..K..M..O..Q..S@.U`.W..Y..[..].._..a .c@.e`.g..i..k..m..o..q .s@.u`.w..y..{..}...... ..@..`................. ..@..`................. ..@..`................. ..@..`................. ..@..`............... ..@..`............... ..@..`............... ..@..`.................!..A..a.................!..A..a................!!.#A.%a.'..)..+..-../.../.3A.5a.7..9..;..=..?..A!.CA.Ea

C:\Program Files (x86)\BurnAware Free\EraseDisc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1227992
Entropy (8bit):	6.429619289168852
Encrypted:	false
SSDEEP:	24576:Z7xQFeOBnPU4ObAztEBrS5+cJg2g9hB6QCP11/TvtGoh:9DAy9ST29hB6QCP/Tvx
MD5:	2573FA5EA27B5BFC5EE3EE6CFE9A2EB9
SHA1:	96C74694EA78A9F24958C6B54342532C0F031831
SHA-256:	06B8CA60A33AAFF9F35535AC335559CE452CCDCBB79BF8125A7261BCB583D0AE
SHA-512:	FF48BC9DF0D39B24CE13A7FB32A333A5E50229DD9DD854732D6AE2272C75F7953D5CCB89C589A911B735667B9425D84FE30E21C69AE914863BD3C009FE848741
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................x...,....................@..............................................@...............................0...0...N......................4<......................................................t............................text....g.......h.................. ..`.itext...............l.............. ..`.data....f.......h...\|..............@....bss.....{...............................idata...0.......2..................@....didata.............................@....tls....<................................rdata..............................@..@.reloc..4<.......>..................@..B.rsrc....N...0...N...Z..............@..@....................................@..@........................................................

C:\Program Files (x86)\BurnAware Free\MakeISO.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2121432
Entropy (8bit):	6.495534230734781
Encrypted:	false
SSDEEP:	24576:dkaUj1cbQ5aRqDoAEzWoG5zYBbSuEl9ZTvmUBlHwedEIPp3dNmKyiLxNpmwGjh6U:Bqb8lST5+UBlHweGIPpNEdUTQ
MD5:	8586A5A100F5CBA368B0097494AB2F35
SHA1:	9C902450F0DCD458B3FB3B67F5D8621FB28BF094
SHA-256:	72F0505C570B9BAB6E54D92B0A335D40105453EECB3C631FEF2344A867A8EA55
SHA-512:	E4146E7DD9310C9BDC221074E209A0CB42FB759E1858D6FE8C45DAE2501E4B142BBE8413E6579B90F691DBC4B195D79C6064A97E864D12E366613E2B217FCC85
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[.....................,...............@....@..........................P4....... ..........@...........................p..B;....0..d...........J ..............................................................z.......... ....................text............................... ..`.itext..< .......".................. ..`.data...x....@......................@....bss.....................................idata..B;...p...<..................@....didata. ...........................@....tls....<................................rdata..............................@..@.reloc..............................@..B.rsrc....d....0..d..................@..@.............P4......J .............@..@........................................................

C:\Program Files (x86)\BurnAware Free\MediaDisc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2164440
Entropy (8bit):	6.517328304440149
Encrypted:	false
SSDEEP:	24576:WtaauPx4fUV+ax/PlxBXwCBNS1xOqeW2STMZQRcl6SIjQlDfxhKrXd6TtAOut:rPafavvSv2STMZQRcn88aATtAOg
MD5:	2AA349075A63AA40B009625C3C36C5C9
SHA1:	E3EC33A7EA6FC78CE096B1F3ED223B57E4961530
SHA-256:	75F9B7BF768D2AD9B52C734F9C8BBA08F7360FCC00CB526DF7A56DFEE0F1759A
SHA-512:	36255BDF234A44145C9A06DA3A1A20BA14567B0DC73CD8EF2D35AEFC33C5FB4887CE30D69F1539DA24BCD1812241F8AED7D15BDB3C4FEE38D8399FB852E3D66C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................j........................@...........................4.......!..........@...............................;...01............... ......0/.............................. /.............................../. ....................text....G.......H.................. ..`.itext... ...`..."...L.............. ..`.data................n..............@....bss.........0...........................idata...;.......<..................@....didata. ...../......<..............@....tls....<...../......B...................rdata....... /......B..............@..@.reloc.......0/......D..............@..B.rsrc........01......@..............@..@..............4....... .............@..@........................................................

C:\Program Files (x86)\BurnAware Free\SpanDisc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2230488
Entropy (8bit):	6.507196691314208
Encrypted:	false
SSDEEP:	24576:LP7xaFoyifoS3H/OL4NWBPSMOSfaIwwSZ07PDefPmVVDiaBYyYEiiWC/Lh2JjJLD:LMz5ZSVwSZ07PDenMDiaWyO/T3QEJ
MD5:	25620AF6CEB4BCD99655EB2EB5BC6362
SHA1:	D85F9C4B6143FD730724C2A311EC1049C3D695D6
SHA-256:	CD8040B346C6704EC2CC9645702F1535D4D1B9CF6B37DC9B62BEA0AC39019936
SHA-512:	2CA6AC5D2BCED2A54290CAA924B3146FA787480F3776E384DDEEB3E14162902D0CB50961A51D8DF0C2D02A1A702D128CCB12BF373FE08A10A66A04B01E3BE304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[.................@..........$O.......`....@...........................5......."..........@............................/..;....2...............!.......0.............................../....................../......./. ....................text...$........................... ..`.itext... ...0..."...".............. ..`.data...\....`.......D..............@....bss.... ................................idata...;..../..<..................@....didata. ...../.....................@....tls....<...../..........................rdata......../.....................@..@.reloc........0.....................@..B.rsrc.........2......(..............@..@..............5.......!.............@..@........................................................

C:\Program Files (x86)\BurnAware Free\UnpackISO.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1724632
Entropy (8bit):	6.500646018433855
Encrypted:	false
SSDEEP:	24576:N2v7p4I5zw3eOqw0ujdMLjwEBFSJlnhFS0KUjnaaeXcXgECGexDpwT5Lxg5bZ:NgyES6FXS3h1tnadXcXi9aT5L2X
MD5:	4348EB48837517BCD6D3C1F62AA87896
SHA1:	6D9F6CF08237F06FCCEC6BF81E5941A3681B9CE1
SHA-256:	2CA2D2B3D68D9D5FE71A927A051B355158A3C9FAC3BB0810472B06F796639825
SHA-512:	64B429798C4B93532F966652B74D76A34ABDB90B3F5B087220815A28301E5B9D02684713ED9FA3D2244FC5A0B6D72D8A050317D1089C0C74DE84E26B97D43DC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[.....................x....................@..............................................@............................(..8..................<.......P).p............................@).......................(...... ). ....................text.............................. ..`.itext........... .................. ..`.data...H{.......\|..................@....bss.........P.......@...................idata...8....(..:...@..............@....didata. .... )......z..............@....tls....<....0)..........................rdata.......@).....................@..@.reloc..p....P).....................@..B.rsrc............... ..............@..@.....................<..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\VerifyDisc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1550040
Entropy (8bit):	6.460281125947317
Encrypted:	false
SSDEEP:	24576:vNanyO0LRZBCH6wYtQ61QkDBrSeTchSRpevKM5qC5gT+VCBpwW:vrbZXNStsevKM5pyTtBp5
MD5:	35C1484D5AB51E9127FFF29F1EC5E8BF
SHA1:	642B15CAC9E614564BEF6EC1554D271490C9DC4B
SHA-256:	223B5A52DB60618BE714B319C0F000E040B48E1BE6ACB9DFEDFD674844F744FC
SHA-512:	4D62E252A0321312FF980B7FEEDE6FBBE2B5543FBA4DEBED19D1E709847811BABC4EB4731F74B37BAE0F266EE4A8054E0ACEEE71A829CDFA5D6C54D8E7AB85E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[..........................................@...........................+..................@............................&.\5....(......................P'..{...........................@'.......................&.,.... '......................text...X........................... ..`.itext........... .................. ..`.data...@y.......z..................@....bss.........P.......4...................idata..\5....&..6...4..............@....didata...... '......j..............@....tls....<....0'......n...................rdata.......@'......n..............@..@.reloc...{...P'..\|...p..............@..B.rsrc.........(.....................@..@..............+.....................@..@........................................................

C:\Program Files (x86)\BurnAware Free\badecx.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	578776
Entropy (8bit):	6.655075918317694
Encrypted:	false
SSDEEP:	12288:LAlJu8NZLfIzUipVPgJ0//B9wEi9vKpzp2ZVNF5BBceV8z5U:LADuS1ywJgCl9yppoVD5BBceV8z5U
MD5:	3F8FF7F25E3834DB92B0DE00621FD437
SHA1:	C0A94BC6C371ADCC8AB490A6A90CEF99117A6562
SHA-256:	CAB385455ACA791F41E01FEEC3B9DE61D2F0449E1018A075AF22219ED5D201B5
SHA-512:	454D6463EDE1AB92C152AF1CD68DB55A14BFFCC2E2470ABEF0B5A360D42D7F8B6A2162E2AD6C06DDA4D29E4258CC237B2C7632CA6B179070B0B5E8F6DD842BC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m M0)A#c)A#c)A#ctc(c(A#c.]-c2A#ctc)cJA#c)A"c`A#cK^0c,A#cvc(c.A#c.a'c(A#cRich)A#c........PE..L...l..9...........!........................ .......................................E...............................(..........<...................................................................................(................................text...z........................... ..`.rdata../.... ....... ..............@..@.data........0...P...0..............@....idata.."...........................@....reloc...*.......0..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\bamainlib.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3017432
Entropy (8bit):	6.571487341115199
Encrypted:	false
SSDEEP:	49152:i9TAxIGE68oFvXexWTBQH8HHGGdnFBZHbtNsvL70VlSQhGFCbHDauRAXHWB/JABk:mTAxHKaQHyHGGdnF7BNsD70VlSQhGMXB
MD5:	E0B2CF5ED07CFFC970C50EAAB3451043
SHA1:	30A7480E8FAA8A7494F7163CD95CA0D6FE7D8D3A
SHA-256:	1B0F5A28F4CDC6BEF0808239DA4B7138B16166A3574276F619BA5169FF09D351
SHA-512:	5F91E45D2BF717ED720F4D91955EE65B82EF265725F3B8F08E01398636B542AA81A5EADBB631D3FBD2EB2A2C84310A0DA6DC2BBF5B316F7973C5C6D34B24846A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....................S........b........]............................b..0....b.......b.......b.......b......Rich....................PE..L....GjX...........!...... .........[.........!...............................>.....M.....@......................... =(.....8.(.\|.....9.VZ............-.......;.8.....................................$.@.............!.x............................text..... ....... ................. ..`.rdata...Q....!..R.... .............@..@.data...h9...`(......<(.............@....rsrc...VZ....9..\....(.............@..@.reloc.......;......R*.............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\bamedenclib.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2710232
Entropy (8bit):	4.449689803792709
Encrypted:	false
SSDEEP:	24576:NL50dQ1nZACUQtQ20BJ3KaUjZG44v7JyvVasNerG747HlhNh:NL5+IAbwQ2UKtIVzkv4s8rGGFhNh
MD5:	D858A70BFD136126C43755BADFFF7C80
SHA1:	EA1C9003429396AE211526E6E650A0F5B2E54856
SHA-256:	A6DC15E8104C7E246FD63E57BEBEB4645E2FB034743DE1E9F0EB23CA4FF5036B
SHA-512:	D005F3A39FF973912AA452459CDE1E3A03AC8CF63721734D0E73163D7897500CBBD165803138E36E4915A482DEF7F08D34E08CF440ADC24B5F6DC0FAC7726518
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............j..j..j......j.)...j.)...j.....j..k...j.)..X.j.)...j.)...j.)...j.Rich..j.................PE..L.....[O...........!................%q........................................*.......)...@..........................G'.X...$='.P.....)..............F).......).......................................&.@............................................text...^........................... ..`.rdata...\|.......~..................@..@.data....8...P'......6'.............@....rsrc.........).......(.............@..@.reloc..R.....)......0(.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\baplayer.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1004760
Entropy (8bit):	6.827276750755658
Encrypted:	false
SSDEEP:	24576:Rck4lJqowqlZbVFfSWLfipEJWzzauTlG7WpiH3Y92:R3sVFfnLficWSuhGKpiH3Y92
MD5:	AF55D432BA090E333B4115B20A0684F9
SHA1:	D1B0D9060B7F30FC2AB3EF5297A8341698BB638B
SHA-256:	31E54D819597B90FA668141204A5862D4669D696232C2D709094A4972EBBD8F5
SHA-512:	B100B43EA1C94F82C7B907F1458E5598C5408BE7FC1A599B718B0FE43E5E7B27D913B5E128EDC68AA41E5DE1A83DD48B0DF579D0B5F2337172C4207E4224541E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Zy..Zy..Zy.....^y..}...fy..Zy..Yy..}...Wy..Y..Xy..}...px..Zy...y..v..Qy..}....y..}...[y..}...[y..}...[y..RichZy..........PE..L...p..K...........!.........P.........................................................................................Q............................@..........0\|...................................1..@...............\|............................text............................... ..`.rdata..!...........................@..@.data...............................@....rsrc...............................@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\bashell32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1337048
Entropy (8bit):	6.551634819186885
Encrypted:	false
SSDEEP:	24576:mdw4IDLMqHhkKfg18tEBhw6PBQSY4irrCi1ocBoM3Icij77M:mdwttBx6PSSY4iboMfijPM
MD5:	C28B8514752068017D0549D512A92995
SHA1:	BFFE081E502DBF1EFEF5F4427FDCAB0C15F76583
SHA-256:	5ADD3A389504588123F7FEC33D5F5615D13D5AFBF682B25E04A20DBC5F81C63A
SHA-512:	68F8475161F25ED41B8EC72F233B6DDA7C95752662AB6C8BD2A12694574741C1390E058F8D470ECFE21D3164083475FDF09651D7C165D428224472659864AAE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....8.Z............................d.............@..........................................................................p...5...p...............R..............................................................y..L............................text............................... ..`.itext..\|........................... ..`.data...L:.......<..................@....bss....0T...............................idata...5...p...6..................@....didata..............0..............@....edata...............8..............@..@.reloc..............:..............@..B.rsrc........p......................@..@.....................R..............@..@................................................................................................

C:\Program Files (x86)\BurnAware Free\bashell64.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2128600
Entropy (8bit):	5.92597532283096
Encrypted:	false
SSDEEP:	12288:d1GA4AOyb8SyFXjZKJ4Sb9bnNBNSKyXSYt/R+Mt9tAFp51kSgdExIXVyk00y/Zml:dQFAZNBNSKyXSYt/R+CAzjkSPmV4+H
MD5:	CD32BE24426955B5141204FA035CA6B3
SHA1:	6AEB4836B01ED01DA3CAB689A3B8E108FE411C9A
SHA-256:	E5D7E21FA3ED144228D7500C5C3E41EB8F2AAFB581741854092BF3F2BAE1F937
SHA-512:	90884D1EE59007616B3B8783E212F61474318342B2831FA40A0400A6BD8D14846E1224CFFC285BB43ACF177EE81D544A034BBB989D2F624FED7A63C2BCFC3004
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..d....8.Z.........." ................ .........@..............................P!.......!.............................. ..........................LF.... ......`..0Y...f ..........G..................................................@................................text............................... ..`.data...P,..........................@....bss.....................................idata..LF.......H..................@....didata..............2..............@....edata...............>..............@..@.reloc...G.......H...@..............@..B.pdata..0Y...`...Z..................@..@.rsrc......... .....................@..@.............P!......f .............@..@................................................................................

C:\Program Files (x86)\BurnAware Free\bass.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124060
Entropy (8bit):	7.95689673801651
Encrypted:	false
SSDEEP:	3072:h4Ht0B1105GzXyO6vvasTeprZKYQ+U1YUjJ09d:qs11IdPvCUef519d
MD5:	68523838F432A39A764B5FD4E4DD14CF
SHA1:	46F09323FECCFEFA3AA1D5940D9BF09A2A14351F
SHA-256:	EFB350839CBE0074F799A28EC76513C32E2CB1ADC85CEBA527859EC36B1B5FB5
SHA-512:	468C3AF4BC3154882217676E9EE9EB29C623F0DC4BE951175D6D93281A9449616803499D7B19A26D0C0E6F18C976D7BE32FFD4C7A50AFE0D6D72E6ADB60E383C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....WFZ...........!.................@.......................................P............@..........................B.......A..........@...................0.......................................................<B..H...............................................................@..@.rsrc...............................@..@......... ... .........................@petite.......@......................`..`....................................]......Y....z\|y.....GqOn=..2Z.". ..hV..caQ...N.N.VQ..w.O5.Q..pH.=@.`....H...xi..De 06j..Z.?).n\|.`68..8:.0..EI.X..v0.!P...t.@....Z.q5.....d(..~.&...%..&.sFl.A....H.1...g+........_B..."...SOZVLSGRCWJ.o..^F[C............1.f.......t(."0?.9W....2...P....:2...F..O...a&.J.7L,...4.../.1.....c<.Q...2.x0&..618F...Q.QPu.%...:q..........a...1m=.0..D..\./.!............B...Z....!..Q%....#...n.`..1...C(Rd...z..7....3....8;wI1.b.....,]..O..zo.QKl/.6...Y1TY....w.....(.K.N..m3.......,K

C:\Program Files (x86)\BurnAware Free\bassenc.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19396
Entropy (8bit):	7.541174332849443
Encrypted:	false
SSDEEP:	384:KobrFPWMgug1kD3uxnqtpJUBGWFXO1H6OGZ9k0yKfg5io/s2R9SzK0r8pD2:KovFPW7Gyp0JsXOYOGZ9k0XfgC
MD5:	74B6071109D2FA2B27B75BD3CC100BBB
SHA1:	0038A6A686EEB5BD082A4FB32413A48D4D0F1AFF
SHA-256:	8A3391210D0CDEBB06B0292D0DF9CEC3A2BBCBCA0B99979B65143B0568F04106
SHA-512:	CCEA98DA1F00A8AC159703AE13F92748DB2D323B94E91B361D6D136515D0C715D394FAAE5A52664F96F1452D4B5F820EB1B4773A37F0D82C094DAAECA1ED8E17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...................................D.... ..PE..L....v.V...........!.........D...............p............................................@.............................................@....................N......................................................"...H............................................@..................@..@.rsrc................B..............@..@.......................................@petite...............F..............`..`..........................................>m@.SE3..f..H4\....5b.31bo.. ..w.#&-..h.....D@....QfS......S.<..m.g..T&\|h.@.J..._.(.)..D.....=#.H.0..J.F......I.Mg......B...f...k.V..........B.~.C..\|..."p./...?.[..k.o[/R..2...:Z?N...8.Z..^....."........ .h..8LQ.e..T1[.eX...'(.D..!R..o....J....+..P..9..PDC..... RZ..Q....:...J0.e:c..@.iW...2..<.&{.5....zZ..?.D.${..:...:\L.....v.s12..{..ezU[...4a..l....#p../?m.;...\|8+@Myo3...f)....z....J7..slp...5.....d...f2.i.....G.......A.+"g......z&,..=3.39j../..,h.Z...[.F..

C:\Program Files (x86)\BurnAware Free\bassflac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24844
Entropy (8bit):	7.754417060273362
Encrypted:	false
SSDEEP:	768:q4r9klplrstQxDCPbUJT/tYunwvPwHP9MeO528W:q4usiv/tYCwvPUPt8W
MD5:	3CA82F8E39DE39A50C13474905EF2D65
SHA1:	57694C057C49532632113EA5E0A14C1B9023E0EA
SHA-256:	03507E3FB3B2DFDA8A79FBD4A745B1D401CDE8C9F939FEFD48678C42F211DCDB
SHA-512:	0196D3CB83F04CFA93EA0E80EF8DAB28FE7EC89E3E4D6552929B8ED8B59FA76B8E571066BAAA02665D3B45BF54E7F15B2C025AF4D313E0BCA4CD52DC3A9990C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....9.Y...........!.........\............................................................@.........................P...........d.......@...................<g..........................................................8............................................X..................@..@.rsrc................Z..............@..@.......................................@petite...............^..............`..`...................................... ...F..O.L$+^..N\.m.:.5...../...?.@....<.6.u ..%.l+.c."..l.9...7R9R........&.i.......h9...`."..o...0.....i....Y.....2..F.J...I..XP,.+.l..qP.~X.g\|.D.%f..@.Pu._.s...pW'Tc.....1hP.\.L.E...63.2..4L...g..PY9.\|.&\|...P..-X..YA...,.....5...h.j..;..B..v.$2.%....2.W.....e...i..e.2..\..R...B.......>.x.i..<.:..$I.....>..I.....BK)..k.h..JQr\|\|...%m.;.a..9.P!.\|Y`.#.jyy.b.=..>1d...M.HM..C.\T.T.0.....jp............}...U..(n;0.j.....]8....2...QD....H1"....w...=w.p..8.....U

C:\Program Files (x86)\BurnAware Free\basswma.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17733
Entropy (8bit):	7.598626308964297
Encrypted:	false
SSDEEP:	384:OPR8697gJWJ/IAzOvfHNfd+E5hHkCwp0jcGDv6K0Ww:2Po2IA+fNfcEfHkCwqjcUlw
MD5:	D2177355BECCFDBC1E7B5C687DFBA290
SHA1:	0557F3883AA8EABEFA6A110A08CF549117FD1901
SHA-256:	A844247B7CDCAC1A5F61C604E4DB111B274616C0EB19A70CDFB073C8C2F3B375
SHA-512:	7E5CE3047E4661969A3827B225F1B88F80BFEA221549E37B406DA52D1C51F60667340BB1A074F96A516D185979AB5E298FAB76BF5789CE7EE34B399FD2BDFA3C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....N.W...........!....E....>...............`............................................@.....................................x.......@...................lI..........................................................@....................................p.......:..................@..@.rsrc................<..............@..@.......................................@petite..E.......E....@..............`..`.......................................`.......`...>..z...........E2.dzo..[..^..7..m..&.@...6.@...5...d`o.O.:IPx.......... !......"H(-_.L.......X....P.j.........J..7l.I3j.)...u's...3y.t...!W..[....1...Z1......5....C~t@`n...L..x.....5.H9.R\..c...r..1.C....(....9..S..-c....@.3..."gZ..d..j}...@lv.e!;.R].....$\|e\|`...%.P..IV...x.4D...h.!.>.kg.i.......... .DAC...mfz.W!K.P.k...p...h..9}..ze...2....a..g..[y....P@.=........?.I..G.......qO...qo......m....Q....L.O....h.~4..95.".y..m4u...cBUH...y.S$i.8q

C:\Program Files (x86)\BurnAware Free\bawmalib.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300248
Entropy (8bit):	6.398876873804225
Encrypted:	false
SSDEEP:	6144:KeiRTXptFP/h16je0F0T99C1FfEObNOiuG9mAO4iBd:fiR9/nIe0CTvC1Fx2Fd
MD5:	255F8B5BA8FCED381089981B95C6AB61
SHA1:	D20CEEC8693362C6651EDD55823B3675A8AC0AA3
SHA-256:	92B98D076993159D70B36C129B4508815A9C4E34532669F2B4F95D589FCC6BF6
SHA-512:	430E218EC8EF80A70CDF258A3A51D2EC77A5A59433C3D8476E3B9EE3023EDC59602214106330F5C65FEB5575420A2CEA8A8ABDCDED43DD8102670730F7210CF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................u.......u.G.................;....u.....u......u......u.....Rich...........................PE..L....q.J...........!.........p......,......................................................................................L........`.......................p..\..................................x...@............................................text...>........................... ..`.rdata..............................@..@.data...d........@..................@....rsrc........`......................@..@.reloc..dY...p...`... ..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\burnaware.chm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	102640
Entropy (8bit):	7.810597006099471
Encrypted:	false
SSDEEP:	3072:gIvgrB9Fg4mqOXEBL6sZqRF7kB+F/Uq+2:gIyg4mSu6sFIB+Fsg
MD5:	C2D09407D88D80FEEE01A5BA49158EEF
SHA1:	E7B66B693EECB22232159A502F3E51C0F4D7280B
SHA-256:	1D101980FBB738DB9BA98901B3A46CB9FECDF174BD0981262B78F97AD9736CD4
SHA-512:	24E1AF4770EA46E8140FB0A1AB9F094E54454948B30BB2B9CACA9159E658BD827908BA4A073C3187177F7EABFC032665B27566221644D5E94A9DBA37621A4341
Malicious:	false
Preview:	ITSF....`.........V........\|.{.......".....\|.{......."..`...............x.......T......................................ITSP....T...........................................j..].!......."..T...............PMGL^................/..../#IDXHDR...\|.../#ITBITS..../#STRINGS......./#SYSTEM....<./#TOPICS...\|.@./#URLSTR...l.../#URLTBL...<.0./#WINDOWS...$.L./$FIftiMain...x..../$OBJINST...9.?./$WWAssociativeLinks/..../$WWAssociativeLinks/BTree...t.L./$WWAssociativeLinks/Data...@.G./$WWAssociativeLinks/Map....../$WWAssociativeLinks/Property.... ./$WWKeywordLinks/..../$WWKeywordLinks/Property...p../audio_cd.htm..4.../audio_grabber.htm..F.s./blu-ray_disc.htm...9.l./boot.htm...%.8./boot_disc.htm...].9./btn_home_h.gif.....d./btn_home_n.gif...d.X./btn_next_d.gif...<.../btn_next_h.gif...F.../btn_next_n.gif...S.5./btn_prev_d.gif.....g./btn_prev_h.gif...o.b./btn_prev_n.gif...Q.../burn.htm.....P./burn_image.htm...f.g./burnaware.hhc...B.4./burnaware_popup_html.js..../button_closedbook.gif...k.u./button_openbo

C:\Program Files (x86)\BurnAware Free\is-1G882.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2121432
Entropy (8bit):	6.495534230734781
Encrypted:	false
SSDEEP:	24576:dkaUj1cbQ5aRqDoAEzWoG5zYBbSuEl9ZTvmUBlHwedEIPp3dNmKyiLxNpmwGjh6U:Bqb8lST5+UBlHweGIPpNEdUTQ
MD5:	8586A5A100F5CBA368B0097494AB2F35
SHA1:	9C902450F0DCD458B3FB3B67F5D8621FB28BF094
SHA-256:	72F0505C570B9BAB6E54D92B0A335D40105453EECB3C631FEF2344A867A8EA55
SHA-512:	E4146E7DD9310C9BDC221074E209A0CB42FB759E1858D6FE8C45DAE2501E4B142BBE8413E6579B90F691DBC4B195D79C6064A97E864D12E366613E2B217FCC85
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[.....................,...............@....@..........................P4....... ..........@...........................p..B;....0..d...........J ..............................................................z.......... ....................text............................... ..`.itext..< .......".................. ..`.data...x....@......................@....bss.....................................idata..B;...p...<..................@....didata. ...........................@....tls....<................................rdata..............................@..@.reloc..............................@..B.rsrc....d....0..d..................@..@.............P4......J .............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-2A9L3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2230488
Entropy (8bit):	6.507196691314208
Encrypted:	false
SSDEEP:	24576:LP7xaFoyifoS3H/OL4NWBPSMOSfaIwwSZ07PDefPmVVDiaBYyYEiiWC/Lh2JjJLD:LMz5ZSVwSZ07PDenMDiaWyO/T3QEJ
MD5:	25620AF6CEB4BCD99655EB2EB5BC6362
SHA1:	D85F9C4B6143FD730724C2A311EC1049C3D695D6
SHA-256:	CD8040B346C6704EC2CC9645702F1535D4D1B9CF6B37DC9B62BEA0AC39019936
SHA-512:	2CA6AC5D2BCED2A54290CAA924B3146FA787480F3776E384DDEEB3E14162902D0CB50961A51D8DF0C2D02A1A702D128CCB12BF373FE08A10A66A04B01E3BE304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[.................@..........$O.......`....@...........................5......."..........@............................/..;....2...............!.......0.............................../....................../......./. ....................text...$........................... ..`.itext... ...0..."...".............. ..`.data...\....`.......D..............@....bss.... ................................idata...;..../..<..................@....didata. ...../.....................@....tls....<...../..........................rdata......../.....................@..@.reloc........0.....................@..B.rsrc.........2......(..............@..@..............5.......!.............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-2RS4N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1802456
Entropy (8bit):	6.520785784660294
Encrypted:	false
SSDEEP:	24576:MhUTyZQFMCiQonb6M9+yBKS4pEj3TihQXahcwgwux/Xl6jGyTtKMf:4qiTsSeGahc/wuxfADTtKE
MD5:	9791043AE6ABEBF8179899AADCAA6235
SHA1:	B53C8E37444D1B7D45150261A8DFADFF081148E4
SHA-256:	865D2CF4B136FF4B5EC65E97F1BCA6852567D8F9887021B790332B789B32FF03
SHA-512:	FA9B37F90113410DEDDC68547D07D2E80963C3CD45489D9A24D64D6746E64F1EFC5DCF2E1B09E2B3CAC4F5C07E656B5C10709B4507994ED94A242A7F3AD77B07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.........................................@..........................P/..................@............................)..8....+..p...........l.......0.T............................ .......................)........ ....................text....f.......h.................. ..`.itext... ......."...l.............. ..`.data....{.......\|..................@....bss.........0...........................idata...8....)..:..................@....didata. ...........D..............@....tls....<...........J...................rdata....... ......J..............@..@.reloc..T....0*......L..............@..B.rsrc....p....+..p..................@..@.............P/......l..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-3KPCR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1004760
Entropy (8bit):	6.827276750755658
Encrypted:	false
SSDEEP:	24576:Rck4lJqowqlZbVFfSWLfipEJWzzauTlG7WpiH3Y92:R3sVFfnLficWSuhGKpiH3Y92
MD5:	AF55D432BA090E333B4115B20A0684F9
SHA1:	D1B0D9060B7F30FC2AB3EF5297A8341698BB638B
SHA-256:	31E54D819597B90FA668141204A5862D4669D696232C2D709094A4972EBBD8F5
SHA-512:	B100B43EA1C94F82C7B907F1458E5598C5408BE7FC1A599B718B0FE43E5E7B27D913B5E128EDC68AA41E5DE1A83DD48B0DF579D0B5F2337172C4207E4224541E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Zy..Zy..Zy.....^y..}...fy..Zy..Yy..}...Wy..Y..Xy..}...px..Zy...y..v..Qy..}....y..}...[y..}...[y..}...[y..RichZy..........PE..L...p..K...........!.........P.........................................................................................Q............................@..........0\|...................................1..@...............\|............................text............................... ..`.rdata..!...........................@..@.data...............................@....rsrc...............................@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\is-5LLBU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1278181
Entropy (8bit):	6.457767718219793
Encrypted:	false
SSDEEP:	24576:EnbbPImgK4brDi4IxgRqzwqNb+Yz73P2EMZbG0JEt7Afjqx9z1:SHeKh4nqzF3PYdStuWz
MD5:	E2E897166C54B6EE47F0167221C28BD6
SHA1:	973EE8DEB14DBF2B52B8218FC82027BE186F1982
SHA-256:	C9B0BAD8C38604734F0ACAED5C6AA1A3142667E9E17D65838D964169C69C48EE
SHA-512:	EC0B6499C160090CAF95A1E377413DB51E7EDE6D8EB4302C5661558F56288A83AADF24FD0547538C001199A991ABB346520ADB0AFA1D2C861C492C9CA47D2348
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......L...................idata..@8.......:...L..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1337048
Entropy (8bit):	6.551634819186885
Encrypted:	false
SSDEEP:	24576:mdw4IDLMqHhkKfg18tEBhw6PBQSY4irrCi1ocBoM3Icij77M:mdwttBx6PSSY4iboMfijPM
MD5:	C28B8514752068017D0549D512A92995
SHA1:	BFFE081E502DBF1EFEF5F4427FDCAB0C15F76583
SHA-256:	5ADD3A389504588123F7FEC33D5F5615D13D5AFBF682B25E04A20DBC5F81C63A
SHA-512:	68F8475161F25ED41B8EC72F233B6DDA7C95752662AB6C8BD2A12694574741C1390E058F8D470ECFE21D3164083475FDF09651D7C165D428224472659864AAE6
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\BurnAware Free\is-5QV8V.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....8.Z............................d.............@..........................................................................p...5...p...............R..............................................................y..L............................text............................... ..`.itext..\|........................... ..`.data...L:.......<..................@....bss....0T...............................idata...5...p...6..................@....didata..............0..............@....edata...............8..............@..@.reloc..............:..............@..B.rsrc........p......................@..@.....................R..............@..@................................................................................................

C:\Program Files (x86)\BurnAware Free\is-5U77G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	578776
Entropy (8bit):	6.655075918317694
Encrypted:	false
SSDEEP:	12288:LAlJu8NZLfIzUipVPgJ0//B9wEi9vKpzp2ZVNF5BBceV8z5U:LADuS1ywJgCl9yppoVD5BBceV8z5U
MD5:	3F8FF7F25E3834DB92B0DE00621FD437
SHA1:	C0A94BC6C371ADCC8AB490A6A90CEF99117A6562
SHA-256:	CAB385455ACA791F41E01FEEC3B9DE61D2F0449E1018A075AF22219ED5D201B5
SHA-512:	454D6463EDE1AB92C152AF1CD68DB55A14BFFCC2E2470ABEF0B5A360D42D7F8B6A2162E2AD6C06DDA4D29E4258CC237B2C7632CA6B179070B0B5E8F6DD842BC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m M0)A#c)A#c)A#ctc(c(A#c.]-c2A#ctc)cJA#c)A"c`A#cK^0c,A#cvc(c.A#c.a'c(A#cRich)A#c........PE..L...l..9...........!........................ .......................................E...............................(..........<...................................................................................(................................text...z........................... ..`.rdata../.... ....... ..............@..@.data........0...P...0..............@....idata.."...........................@....reloc...*.......0..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\is-7C2AO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2164440
Entropy (8bit):	6.517328304440149
Encrypted:	false
SSDEEP:	24576:WtaauPx4fUV+ax/PlxBXwCBNS1xOqeW2STMZQRcl6SIjQlDfxhKrXd6TtAOut:rPafavvSv2STMZQRcn88aATtAOg
MD5:	2AA349075A63AA40B009625C3C36C5C9
SHA1:	E3EC33A7EA6FC78CE096B1F3ED223B57E4961530
SHA-256:	75F9B7BF768D2AD9B52C734F9C8BBA08F7360FCC00CB526DF7A56DFEE0F1759A
SHA-512:	36255BDF234A44145C9A06DA3A1A20BA14567B0DC73CD8EF2D35AEFC33C5FB4887CE30D69F1539DA24BCD1812241F8AED7D15BDB3C4FEE38D8399FB852E3D66C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................j........................@...........................4.......!..........@...............................;...01............... ......0/.............................. /.............................../. ....................text....G.......H.................. ..`.itext... ...`..."...L.............. ..`.data................n..............@....bss.........0...........................idata...;.......<..................@....didata. ...../......<..............@....tls....<...../......B...................rdata....... /......B..............@..@.reloc.......0/......D..............@..B.rsrc........01......@..............@..@..............4....... .............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24844
Entropy (8bit):	7.754417060273362
Encrypted:	false
SSDEEP:	768:q4r9klplrstQxDCPbUJT/tYunwvPwHP9MeO528W:q4usiv/tYCwvPUPt8W
MD5:	3CA82F8E39DE39A50C13474905EF2D65
SHA1:	57694C057C49532632113EA5E0A14C1B9023E0EA
SHA-256:	03507E3FB3B2DFDA8A79FBD4A745B1D401CDE8C9F939FEFD48678C42F211DCDB
SHA-512:	0196D3CB83F04CFA93EA0E80EF8DAB28FE7EC89E3E4D6552929B8ED8B59FA76B8E571066BAAA02665D3B45BF54E7F15B2C025AF4D313E0BCA4CD52DC3A9990C1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\BurnAware Free\is-7RQ8V.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....9.Y...........!.........\............................................................@.........................P...........d.......@...................<g..........................................................8............................................X..................@..@.rsrc................Z..............@..@.......................................@petite...............^..............`..`...................................... ...F..O.L$+^..N\.m.:.5...../...?.@....<.6.u ..%.l+.c."..l.9...7R9R........&.i.......h9...`."..o...0.....i....Y.....2..F.J...I..XP,.+.l..qP.~X.g\|.D.%f..@.Pu._.s...pW'Tc.....1hP.\.L.E...63.2..4L...g..PY9.\|.&\|...P..-X..YA...,.....5...h.j..;..B..v.$2.%....2.W.....e...i..e.2..\..R...B.......>.x.i..<.:..$I.....>..I.....BK)..k.h..JQr\|\|...%m.;.a..9.P!.\|Y`.#.jyy.b.=..>1d...M.HM..C.\T.T.0.....jp............}...U..(n;0.j.....]8....2...QD....H1"....w...=w.p..8.....U

C:\Program Files (x86)\BurnAware Free\is-8HNGJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1724632
Entropy (8bit):	6.500646018433855
Encrypted:	false
SSDEEP:	24576:N2v7p4I5zw3eOqw0ujdMLjwEBFSJlnhFS0KUjnaaeXcXgECGexDpwT5Lxg5bZ:NgyES6FXS3h1tnadXcXi9aT5L2X
MD5:	4348EB48837517BCD6D3C1F62AA87896
SHA1:	6D9F6CF08237F06FCCEC6BF81E5941A3681B9CE1
SHA-256:	2CA2D2B3D68D9D5FE71A927A051B355158A3C9FAC3BB0810472B06F796639825
SHA-512:	64B429798C4B93532F966652B74D76A34ABDB90B3F5B087220815A28301E5B9D02684713ED9FA3D2244FC5A0B6D72D8A050317D1089C0C74DE84E26B97D43DC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[.....................x....................@..............................................@............................(..8..................<.......P).p............................@).......................(...... ). ....................text.............................. ..`.itext........... .................. ..`.data...H{.......\|..................@....bss.........P.......@...................idata...8....(..:...@..............@....didata. .... )......z..............@....tls....<....0)..........................rdata.......@).....................@..@.reloc..p....P).....................@..B.rsrc............... ..............@..@.....................<..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-ADA9F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 64x64, 32 bits/pixel
Category:	dropped
Size (bytes):	40426
Entropy (8bit):	3.8853121111300246
Encrypted:	false
SSDEEP:	384:/0xZ9ubhnD2LXMyQwNHnudJv31xtplGsUsgL:/8AxD2LXMyZsJv+L
MD5:	BDB8D4677CEA3AAB8A33C99BBA4A4D0A
SHA1:	3DCE6ABBC37FD5DE1894430D8976C1F2CE206415
SHA-256:	9D9BACE04F18D8E22D492DF129C3E8B762BFB35C42DDF4FB775E7D8E42AAFF3D
SHA-512:	CDC05588C1E3666FD6ACF835327F028808A7FC0120DC720255E9E8FF7109283307C4EDF89FDE26906A20F13C02CDAA11EA8C90B205A028AA2CF56416C72B1F0D
Malicious:	false
Preview:	............ .....f...@@.... .(B......00.... ..%...Y.. .... .....R......... ............... .h........PNG........IHDR.............\r.f....pHYs..........o.d....IDATx...}pT....I...4...."+.5.8.....@UL.d3.H.V,..n;s..2.s....v...v.Z.o..R.,.S.\V.D..1...$@.iR.."..c.HB....M..gf.!...?$..<.y......\|.......IY.%........J..MU.\.W.x..u.....t......."...(u............]...........2zNU...Bv...D......S.........5...7?E0....%.]..Og.r.!N..{.i$......L..6s.. .. ...hii...2.C.=....Dv.>..8:.H..C......l.. ....4c...@.knn...D.2.,.. .......iii"....b..#...r.J......i.a..HMM.i.......5}.t.~.....0..q3f........_G...........,_..!`3..%...,].T.9C....J....[D.3......SSS.........0.().7........qb.P.?.>...Z....80.(.]w.uX.`.hs..A..Jz7.p....D.3..`...x.b.;W.9C@......&.=[.9C@.....n..555....:..4..\|....+E.3.40.h.III..e.PUU%..C ....I)))..w.../.\t...(..4f.....n..^*..C`....i...X.b......M..C0.h.KMM..w...r.M..Q............2.M..`..8.....+W....D..`......U.V...Xt..C..@.Nzz:...QPP ...!...q)++..W...^(...!..

C:\Program Files (x86)\BurnAware Free\is-BDOB3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2710232
Entropy (8bit):	4.449689803792709
Encrypted:	false
SSDEEP:	24576:NL50dQ1nZACUQtQ20BJ3KaUjZG44v7JyvVasNerG747HlhNh:NL5+IAbwQ2UKtIVzkv4s8rGGFhNh
MD5:	D858A70BFD136126C43755BADFFF7C80
SHA1:	EA1C9003429396AE211526E6E650A0F5B2E54856
SHA-256:	A6DC15E8104C7E246FD63E57BEBEB4645E2FB034743DE1E9F0EB23CA4FF5036B
SHA-512:	D005F3A39FF973912AA452459CDE1E3A03AC8CF63721734D0E73163D7897500CBBD165803138E36E4915A482DEF7F08D34E08CF440ADC24B5F6DC0FAC7726518
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............j..j..j......j.)...j.)...j.....j..k...j.)..X.j.)...j.)...j.)...j.Rich..j.................PE..L.....[O...........!................%q........................................*.......)...@..........................G'.X...$='.P.....)..............F).......).......................................&.@............................................text...^........................... ..`.rdata...\|.......~..................@..@.data....8...P'......6'.............@....rsrc.........).......(.............@..@.reloc..R.....)......0(.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\is-BLFBV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300248
Entropy (8bit):	6.398876873804225
Encrypted:	false
SSDEEP:	6144:KeiRTXptFP/h16je0F0T99C1FfEObNOiuG9mAO4iBd:fiR9/nIe0CTvC1Fx2Fd
MD5:	255F8B5BA8FCED381089981B95C6AB61
SHA1:	D20CEEC8693362C6651EDD55823B3675A8AC0AA3
SHA-256:	92B98D076993159D70B36C129B4508815A9C4E34532669F2B4F95D589FCC6BF6
SHA-512:	430E218EC8EF80A70CDF258A3A51D2EC77A5A59433C3D8476E3B9EE3023EDC59602214106330F5C65FEB5575420A2CEA8A8ABDCDED43DD8102670730F7210CF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................u.......u.G.................;....u.....u......u......u.....Rich...........................PE..L....q.J...........!.........p......,......................................................................................L........`.......................p..\..................................x...@............................................text...>........................... ..`.rdata..............................@..@.data...d........@..................@....rsrc........`......................@..@.reloc..dY...p...`... ..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17733
Entropy (8bit):	7.598626308964297
Encrypted:	false
SSDEEP:	384:OPR8697gJWJ/IAzOvfHNfd+E5hHkCwp0jcGDv6K0Ww:2Po2IA+fNfcEfHkCwqjcUlw
MD5:	D2177355BECCFDBC1E7B5C687DFBA290
SHA1:	0557F3883AA8EABEFA6A110A08CF549117FD1901
SHA-256:	A844247B7CDCAC1A5F61C604E4DB111B274616C0EB19A70CDFB073C8C2F3B375
SHA-512:	7E5CE3047E4661969A3827B225F1B88F80BFEA221549E37B406DA52D1C51F60667340BB1A074F96A516D185979AB5E298FAB76BF5789CE7EE34B399FD2BDFA3C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\BurnAware Free\is-BSUHA.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....N.W...........!....E....>...............`............................................@.....................................x.......@...................lI..........................................................@....................................p.......:..................@..@.rsrc................<..............@..@.......................................@petite..E.......E....@..............`..`.......................................`.......`...>..z...........E2.dzo..[..^..7..m..&.@...6.@...5...d`o.O.:IPx.......... !......"H(-_.L.......X....P.j.........J..7l.I3j.)...u's...3y.t...!W..[....1...Z1......5....C~t@`n...L..x.....5.H9.R\..c...r..1.C....(....9..S..-c....@.3..."gZ..d..j}...@lv.e!;.R].....$\|e\|`...%.P..IV...x.4D...h.!.>.kg.i.......... .DAC...mfz.W!K.P.k...p...h..9}..ze...2....a..g..[y....P@.=........?.I..G.......qO...qo......m....Q....L.O....h.~4..95.".y..m4u...cBUH...y.S$i.8q

C:\Program Files (x86)\BurnAware Free\is-F96N3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1227992
Entropy (8bit):	6.429619289168852
Encrypted:	false
SSDEEP:	24576:Z7xQFeOBnPU4ObAztEBrS5+cJg2g9hB6QCP11/TvtGoh:9DAy9ST29hB6QCP/Tvx
MD5:	2573FA5EA27B5BFC5EE3EE6CFE9A2EB9
SHA1:	96C74694EA78A9F24958C6B54342532C0F031831
SHA-256:	06B8CA60A33AAFF9F35535AC335559CE452CCDCBB79BF8125A7261BCB583D0AE
SHA-512:	FF48BC9DF0D39B24CE13A7FB32A333A5E50229DD9DD854732D6AE2272C75F7953D5CCB89C589A911B735667B9425D84FE30E21C69AE914863BD3C009FE848741
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................x...,....................@..............................................@...............................0...0...N......................4<......................................................t............................text....g.......h.................. ..`.itext...............l.............. ..`.data....f.......h...\|..............@....bss.....{...............................idata...0.......2..................@....didata.............................@....tls....<................................rdata..............................@..@.reloc..4<.......>..................@..B.rsrc....N...0...N...Z..............@..@....................................@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-FLSM1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1350360
Entropy (8bit):	6.642861347345999
Encrypted:	false
SSDEEP:	24576:ye08zSJMzUJ5I4VSwq2BdS/7IF3B9G4J+gPOiIsTAA7ZUWkUNmN:lkvS0395J+gPOYTAPamN
MD5:	08E8163EBA464CB7AE6F2B3A0BE3B291
SHA1:	5AC0076EC87BD3D06772CEFCAE11148021121046
SHA-256:	6E185E0ADF5B486AD1076F1C374196BA98651065934A7530D5110891BEEB0C2E
SHA-512:	513846CFF37BC120CDF5F39F2D6966EBB983A6C3EA89B324BF0865A0CF38BF14EBE33B26ACCE95133FAD4C441C660166D049C199002ABAC98086973CFBCA7F50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................v..........X.............@..........................`.......z...........@..............................Z2... ...@......................8..................................................8................................text....e.......f.................. ..`.itext...............j.............. ..`.data....e.......f...z..............@....bss.....y...............................idata..Z2.......4..................@....didata.............................@....tls....<................................rdata..............................@..@.reloc..8.......,..................@..B.rsrc....@... ...@...F..............@..@.............`......................@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-FQ19R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1439960
Entropy (8bit):	6.459374732571663
Encrypted:	false
SSDEEP:	24576:g1Y2Zf4AVKcuPVmsmgreaBtSLNomKP5WzSe3yjvTGK/k:af4Ag/SYP5WzSe3OTGK8
MD5:	D636263A0C8B6D3E1E09A3C6F512DD07
SHA1:	9D15830E18D428DBCFB098DB8781BDF8269CD14C
SHA-256:	8E19C44FFB6C9F2990EC70D0C3793AC2DBC0D4D054FC451FC9CD4A39C5F1DF82
SHA-512:	07BA604C7CCA094B512CDF746BC943F3546501C044E3FD2CABFA3B9D92454476306C0AF555342ACF045DA7083F40659CA81E168079353432DFD8112AF6F28BAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................~...b......t.............@.................................;d...........@..............................j0...`...T.......................j.....................................................t............................text...$o.......p.................. ..`.itext...............t.............. ..`.data...<h.......j..................@....bss.....{...............................idata..j0.......2..................@....didata.............................@....tls....<............"...................rdata..............."..............@..@.reloc...j.......l...$..............@..B.rsrc....T...`...T..................@..@....................................@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-JVN9C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3017432
Entropy (8bit):	6.571487341115199
Encrypted:	false
SSDEEP:	49152:i9TAxIGE68oFvXexWTBQH8HHGGdnFBZHbtNsvL70VlSQhGFCbHDauRAXHWB/JABk:mTAxHKaQHyHGGdnF7BNsD70VlSQhGMXB
MD5:	E0B2CF5ED07CFFC970C50EAAB3451043
SHA1:	30A7480E8FAA8A7494F7163CD95CA0D6FE7D8D3A
SHA-256:	1B0F5A28F4CDC6BEF0808239DA4B7138B16166A3574276F619BA5169FF09D351
SHA-512:	5F91E45D2BF717ED720F4D91955EE65B82EF265725F3B8F08E01398636B542AA81A5EADBB631D3FBD2EB2A2C84310A0DA6DC2BBF5B316F7973C5C6D34B24846A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....................S........b........]............................b..0....b.......b.......b.......b......Rich....................PE..L....GjX...........!...... .........[.........!...............................>.....M.....@......................... =(.....8.(.\|.....9.VZ............-.......;.8.....................................$.@.............!.x............................text..... ....... ................. ..`.rdata...Q....!..R.... .............@..@.data...h9...`(......<(.............@....rsrc...VZ....9..\....(.............@..@.reloc.......;......R*.............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BurnAware Free\is-KN6PN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1538264
Entropy (8bit):	6.488992484377018
Encrypted:	false
SSDEEP:	24576:NXOpC0NNHAxRVJG0WdKM6BHS2xVDkGcM3qBSsEXmgTm8ELlOR:Njyo5SUu/M3qBSsEFTCLl4
MD5:	3B9CA55AAA6C2F1089F04317A1D0ED5C
SHA1:	D263CC81CDBE420F45B26BB46FBE367E0DBC5AAC
SHA-256:	6615AFC9218EC2AC5A9FC52C3195316BF2C7F3D1F015EEB505082A3541DF5451
SHA-512:	202EF63DE215AB5A9B94B753855276971782F617C8CECA8B92803D0DEAAE53BF222A20C6BD565CC0AB5E5B3515BDD6134F7F76BB2F91CA543504F9CE67FFA809
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................`...........n.......p....@..........................0.......S...........@...........................`..:5...`...............d..........8....................................................i..,....... ....................text...,N.......P.................. ..`.itext.......`.......T.............. ..`.data...pj...p...l...d..............@....bss....t\|...............................idata..:5...`...6..................@....didata. ...........................@....tls....<................................rdata..............................@..@.reloc..8...........................@..B.rsrc........`......................@..@.............0.......d..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124060
Entropy (8bit):	7.95689673801651
Encrypted:	false
SSDEEP:	3072:h4Ht0B1105GzXyO6vvasTeprZKYQ+U1YUjJ09d:qs11IdPvCUef519d
MD5:	68523838F432A39A764B5FD4E4DD14CF
SHA1:	46F09323FECCFEFA3AA1D5940D9BF09A2A14351F
SHA-256:	EFB350839CBE0074F799A28EC76513C32E2CB1ADC85CEBA527859EC36B1B5FB5
SHA-512:	468C3AF4BC3154882217676E9EE9EB29C623F0DC4BE951175D6D93281A9449616803499D7B19A26D0C0E6F18C976D7BE32FFD4C7A50AFE0D6D72E6ADB60E383C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\BurnAware Free\is-KTHJV.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....WFZ...........!.................@.......................................P............@..........................B.......A..........@...................0.......................................................<B..H...............................................................@..@.rsrc...............................@..@......... ... .........................@petite.......@......................`..`....................................]......Y....z\|y.....GqOn=..2Z.". ..hV..caQ...N.N.VQ..w.O5.Q..pH.=@.`....H...xi..De 06j..Z.?).n\|.`68..8:.0..EI.X..v0.!P...t.@....Z.q5.....d(..~.&...%..&.sFl.A....H.1...g+........_B..."...SOZVLSGRCWJ.o..^F[C............1.f.......t(."0?.9W....2...P....:2...F..O...a&.J.7L,...4.../.1.....c<.Q...2.x0&..618F...Q.QPu.%...:q..........a...1m=.0..D..\./.!............B...Z....!..Q%....#...n.`..1...C(Rd...z..7....3....8;wI1.b.....,]..O..zo.QKl/.6...Y1TY....w.....(.K.N..m3.......,K

C:\Program Files (x86)\BurnAware Free\is-LACR3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1550040
Entropy (8bit):	6.460281125947317
Encrypted:	false
SSDEEP:	24576:vNanyO0LRZBCH6wYtQ61QkDBrSeTchSRpevKM5qC5gT+VCBpwW:vrbZXNStsevKM5pyTtBp5
MD5:	35C1484D5AB51E9127FFF29F1EC5E8BF
SHA1:	642B15CAC9E614564BEF6EC1554D271490C9DC4B
SHA-256:	223B5A52DB60618BE714B319C0F000E040B48E1BE6ACB9DFEDFD674844F744FC
SHA-512:	4D62E252A0321312FF980B7FEEDE6FBBE2B5543FBA4DEBED19D1E709847811BABC4EB4731F74B37BAE0F266EE4A8054E0ACEEE71A829CDFA5D6C54D8E7AB85E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....2[..........................................@...........................+..................@............................&.\5....(......................P'..{...........................@'.......................&.,.... '......................text...X........................... ..`.itext........... .................. ..`.data...@y.......z..................@....bss.........P.......4...................idata..\5....&..6...4..............@....didata...... '......j..............@....tls....<....0'......n...................rdata.......@'......n..............@..@.reloc...{...P'..\|...p..............@..B.rsrc.........(.....................@..@..............+.....................@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-LUM9C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	102640
Entropy (8bit):	7.810597006099471
Encrypted:	false
SSDEEP:	3072:gIvgrB9Fg4mqOXEBL6sZqRF7kB+F/Uq+2:gIyg4mSu6sFIB+Fsg
MD5:	C2D09407D88D80FEEE01A5BA49158EEF
SHA1:	E7B66B693EECB22232159A502F3E51C0F4D7280B
SHA-256:	1D101980FBB738DB9BA98901B3A46CB9FECDF174BD0981262B78F97AD9736CD4
SHA-512:	24E1AF4770EA46E8140FB0A1AB9F094E54454948B30BB2B9CACA9159E658BD827908BA4A073C3187177F7EABFC032665B27566221644D5E94A9DBA37621A4341
Malicious:	false
Preview:	ITSF....`.........V........\|.{.......".....\|.{......."..`...............x.......T......................................ITSP....T...........................................j..].!......."..T...............PMGL^................/..../#IDXHDR...\|.../#ITBITS..../#STRINGS......./#SYSTEM....<./#TOPICS...\|.@./#URLSTR...l.../#URLTBL...<.0./#WINDOWS...$.L./$FIftiMain...x..../$OBJINST...9.?./$WWAssociativeLinks/..../$WWAssociativeLinks/BTree...t.L./$WWAssociativeLinks/Data...@.G./$WWAssociativeLinks/Map....../$WWAssociativeLinks/Property.... ./$WWKeywordLinks/..../$WWKeywordLinks/Property...p../audio_cd.htm..4.../audio_grabber.htm..F.s./blu-ray_disc.htm...9.l./boot.htm...%.8./boot_disc.htm...].9./btn_home_h.gif.....d./btn_home_n.gif...d.X./btn_next_d.gif...<.../btn_next_h.gif...F.../btn_next_n.gif...S.5./btn_prev_d.gif.....g./btn_prev_h.gif...o.b./btn_prev_n.gif...Q.../burn.htm.....P./burn_image.htm...f.g./burnaware.hhc...B.4./burnaware_popup_html.js..../button_closedbook.gif...k.u./button_openbo

C:\Program Files (x86)\BurnAware Free\is-OIJLO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2128600
Entropy (8bit):	5.92597532283096
Encrypted:	false
SSDEEP:	12288:d1GA4AOyb8SyFXjZKJ4Sb9bnNBNSKyXSYt/R+Mt9tAFp51kSgdExIXVyk00y/Zml:dQFAZNBNSKyXSYt/R+CAzjkSPmV4+H
MD5:	CD32BE24426955B5141204FA035CA6B3
SHA1:	6AEB4836B01ED01DA3CAB689A3B8E108FE411C9A
SHA-256:	E5D7E21FA3ED144228D7500C5C3E41EB8F2AAFB581741854092BF3F2BAE1F937
SHA-512:	90884D1EE59007616B3B8783E212F61474318342B2831FA40A0400A6BD8D14846E1224CFFC285BB43ACF177EE81D544A034BBB989D2F624FED7A63C2BCFC3004
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..d....8.Z.........." ................ .........@..............................P!.......!.............................. ..........................LF.... ......`..0Y...f ..........G..................................................@................................text............................... ..`.data...P,..........................@....bss.....................................idata..LF.......H..................@....didata..............2..............@....edata...............>..............@..@.reloc...G.......H...@..............@..B.pdata..0Y...`...Z..................@..@.rsrc......... .....................@..@.............P!......f .............@..@................................................................................

C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19396
Entropy (8bit):	7.541174332849443
Encrypted:	false
SSDEEP:	384:KobrFPWMgug1kD3uxnqtpJUBGWFXO1H6OGZ9k0yKfg5io/s2R9SzK0r8pD2:KovFPW7Gyp0JsXOYOGZ9k0XfgC
MD5:	74B6071109D2FA2B27B75BD3CC100BBB
SHA1:	0038A6A686EEB5BD082A4FB32413A48D4D0F1AFF
SHA-256:	8A3391210D0CDEBB06B0292D0DF9CEC3A2BBCBCA0B99979B65143B0568F04106
SHA-512:	CCEA98DA1F00A8AC159703AE13F92748DB2D323B94E91B361D6D136515D0C715D394FAAE5A52664F96F1452D4B5F820EB1B4773A37F0D82C094DAAECA1ED8E17
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\BurnAware Free\is-PBHEO.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...................................D.... ..PE..L....v.V...........!.........D...............p............................................@.............................................@....................N......................................................"...H............................................@..................@..@.rsrc................B..............@..@.......................................@petite...............F..............`..`..........................................>m@.SE3..f..H4\....5b.31bo.. ..w.#&-..h.....D@....QfS......S.<..m.g..T&\|h.@.J..._.(.)..D.....=#.H.0..J.F......I.Mg......B...f...k.V..........B.~.C..\|..."p./...?.[..k.o[/R..2...:Z?N...8.Z..^....."........ .h..8LQ.e..T1[.eX...'(.D..!R..o....J....+..P..9..PDC..... RZ..Q....:...J0.e:c..@.iW...2..<.&{.5....zZ..?.D.${..:...:\L.....v.s12..{..ezU[...4a..l....#p../?m.;...\|8+@Myo3...f)....z....J7..slp...5.....d...f2.i.....G.......A.+"g......z&,..=3.39j../..,h.Z...[.F..

C:\Program Files (x86)\BurnAware Free\is-QIUH5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2048216
Entropy (8bit):	6.523206686484186
Encrypted:	false
SSDEEP:	24576:j1H4xy4kR3za8sVPggUuBFzmBLSFRBNTvgADqjuOr75S6UMDmc9rO3T4JkQjy:jou9SzDiFr75S65Dbx6T4iX
MD5:	E5D98861DD116EDA1908CF22D466CD45
SHA1:	A689C7B7ED7C0E4346E1BA7FBEE00997F0B70F08
SHA-256:	0CD6431FA27A99E40FEE93B5741A3CED349F56609A9E9A75EF10859AF3DDF674
SHA-512:	6715E64D594401D60AC144DBC799C4F2E0EA99F5DE2FD46DC8BE111BCFFDEE0F27C246961B0561166389EBD7A569F29680AA48B328894F8C9F227E3428DC6FCA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.....................P....................@.......................... 3......< ..........@............................-..>...p/..............,........-..............................p-.......................-.\|....P-. ....................text............................... ..`.itext..< .......".................. ..`.data...............................@....bss.................\...................idata...>....-..@...\..............@....didata. ....P-.....................@....tls....<....`-..........................rdata.......p-.....................@..@.reloc........-.....................@..B.rsrc........p/.....................@..@............. 3......,..............@..@........................................................

C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14324
Entropy (8bit):	7.652105290311656
Encrypted:	false
SSDEEP:	384:uJsyVJWQTkvwm96zI7QvGIdfjMrE12S6zt+q9JVeJSwrWK0C:uNVkgvm9QIYfAYVotthvw5
MD5:	6F26A1A5D165272BA48F45BC0B79750E
SHA1:	01E410C26CDDB4D413609D867ED0B9B9E524C1C0
SHA-256:	5B97117B37D3CF1EDA8AFA90D872E4D2A74C5E59FC925E637AD1290865F582E5
SHA-512:	A7570ED8AE48574E44CB7EA04A796295657876B7A0F9B8F67D16CFAC0FEDDA1D02A4631F711195CD070AECCC8C7CA2AC2F23D28BF9DA8FA06BF2A101C53AB60F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\BurnAware Free\is-QUKL7.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...2h.V...........!.........2...............P............................................@.....................................x............................?..........................................H...............@....................................p.......0..................@..@.rsrc................2..............@..@.......................................@petite...............4..............`..`.........................................c.l.`#..j.Z........ b.E.!N...I.........K.\|....fv...ZF.1G...".w-.^f$..H..,\..U..D:.......I...n...HXg.....0.....Q.0 .8...\|..,.;.PY..RU.".....l.1...E6^..4P.K8..K.@.1.W(R..)..k.y.a._..t.t6.3qD...P../..m...m..T...P.R.\.......O....g........6..QL6.z..Y...........*f.d..+..7B....k.........<.}z0.Kmj..{%".Fg?.).Q...E.>.Y...P.t.........Eg..w..R..P.4...T.CZ.._.U..T...zt4........p. ............?.........X..,+...@..=....!{..rs=..QzY..~..0.y.D....D........Y<^...-C....$.T...

C:\Program Files (x86)\BurnAware Free\is-TQPE0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	DOS/MBR boot sector, code offset 0x3c+2, OEM-ID ")TNQ9IHC" cached by Windows 9M, root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0x350518e3, label: "BOOT622 ", FAT (12 bit), followed by FAT
Category:	dropped
Size (bytes):	1474560
Entropy (8bit):	6.99474059909904
Encrypted:	false
SSDEEP:	24576:A1o795/aeZ9NJ6P+TqpVj9jyJYNQKj43FuI97CwiQqddnr5O9aH41SflbEkj3eSa:A1EU+TqpVjOYNnPnrw9arIkjuSgog
MD5:	A4A096CAB6079C2CFA88A8BDE0EAC3AA
SHA1:	14F2A0E33B11F047D16DE56E92567C5FAA6C5668
SHA-256:	1AB300A0A54B8F384CC457424EA0D2F3F46BEF11C0172429C6B207B2EC539E6E
SHA-512:	415F5EE18500D442824546002C8B21FC96EAC883BD5844862767381EF05803440115FBD7ACB569A68862FD89E6C11C6B63465895134020520E2070429FD6BFB7
Malicious:	false
Preview:	.<.)TNQ9IHC........@..................)...5BOOT622 FAT12 .3....\|...x.6.7.V.S.>\|........E.....\|.M..G...>\|...ry3.9..\|t....\|.. \|..\|.&.\|...\|...\|...\|....P\|..R\|.I\|..K\|. ..&.\|...\|..H....I\|..K\|......R\|.P\|..r.....r........}.u... ....t...}._.3...^....D...XXX..G.HH...\|2.....I\|..K\|......PRQ.:.r...T.YZXr..........\|....\|..$\|..I\|.K\|...p....t).........;..\|s..6.\|...O\|3..6.\|..%\|.M\|.......M\|.....6O\|....$\|.6%\|.....Non-System disk or disk error..Replace and press any key when ready...IO SYSMSDOS SYS..U.....@..`................. ..@..`................! .#@.%`.'..)..+..-../..1 .3@.5`.7..9..;..=..?..A .C@.E`.G..I..K..M..O..Q..S@.U`.W..Y..[..].._..a .c@.e`.g..i..k..m..o..q .s@.u`.w..y..{..}...... ..@..`................. ..@..`................. ..@..`................. ..@..`................. ..@..`............... ..@..`............... ..@..`............... ..@..`.................!..A..a.................!..A..a................!!.#A.%a.'..)..+..-../.../.3A.5a.7..9..;..=..?..A!.CA.Ea

C:\Program Files (x86)\BurnAware Free\is-VR3U7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2240216
Entropy (8bit):	6.515674271457544
Encrypted:	false
SSDEEP:	24576:9YQlxYiPt1wRr3AJId1qBHSMi2UiHQho+3HxDfzFxPK05M9NyKIbTvhTjQF:+8/5ScHL+3HxDfRxCcTvhTu
MD5:	5BCD29D045C4346F0DC4DC16712608A4
SHA1:	05F58AD366145F9135C583A262C51C558CF48452
SHA-256:	6AE136A1B4ED9E5C1187F466FB304A0A1F42E6E92BD73FBD9C79904D1621E88B
SHA-512:	493718D696513C378139E50ECCF2A69041A37520EAF1F3060E25E6E9C83302FDBA24B3C2744698FEFA8D5D18CBAE6FB8F6B82259A904BCFFFFFC9ACF4400AD4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....2[.................J..........._.......p....@...........................6......."..........@............................/..;... 2...............".......0.L.............................0......................./......./. ....................text....'.......(.................. ..`.itext... ...@..."...,.............. ..`.data...p....p.......N..............@....bss.....................................idata...;..../..<..................@....didata. ...../.....................@....tls....<...../......$...................rdata........0......$..............@..@.reloc..L.....0......&..............@..B.rsrc........ 2......4..............@..@..............6.......".............@..@........................................................

C:\Program Files (x86)\BurnAware Free\isofile.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 64x64, 32 bits/pixel
Category:	dropped
Size (bytes):	40426
Entropy (8bit):	3.8853121111300246
Encrypted:	false
SSDEEP:	384:/0xZ9ubhnD2LXMyQwNHnudJv31xtplGsUsgL:/8AxD2LXMyZsJv+L
MD5:	BDB8D4677CEA3AAB8A33C99BBA4A4D0A
SHA1:	3DCE6ABBC37FD5DE1894430D8976C1F2CE206415
SHA-256:	9D9BACE04F18D8E22D492DF129C3E8B762BFB35C42DDF4FB775E7D8E42AAFF3D
SHA-512:	CDC05588C1E3666FD6ACF835327F028808A7FC0120DC720255E9E8FF7109283307C4EDF89FDE26906A20F13C02CDAA11EA8C90B205A028AA2CF56416C72B1F0D
Malicious:	false
Preview:	............ .....f...@@.... .(B......00.... ..%...Y.. .... .....R......... ............... .h........PNG........IHDR.............\r.f....pHYs..........o.d....IDATx...}pT....I...4...."+.5.8.....@UL.d3.H.V,..n;s..2.s....v...v.Z.o..R.,.S.\V.D..1...$@.iR.."..c.HB....M..gf.!...?$..<.y......\|.......IY.%........J..MU.\.W.x..u.....t......."...(u............]...........2zNU...Bv...D......S.........5...7?E0....%.]..Og.r.!N..{.i$......L..6s.. .. ...hii...2.C.=....Dv.>..8:.H..C......l.. ....4c...@.knn...D.2.,.. .......iii"....b..#...r.J......i.a..HMM.i.......5}.t.~.....0..q3f........_G...........,_..!`3..%...,].T.9C....J....[D.3......SSS.........0.().7........qb.P.?.>...Z....80.(.]w.uX.`.hs..A..Jz7.p....D.3..`...x.b.;W.9C@......&.=[.9C@.....n..555....:..4..\|....+E.3.40.h.III..e.PUU%..C ....I)))..w.../.\t...(..4f.....n..^*..C`....i...X.b......M..C0.h.KMM..w...r.M..Q............2.M..`..8.....+W....D..`......U.V...Xt..C..@.Nzz:...QPP ...!...q)++..W...^(...!..

C:\Program Files (x86)\BurnAware Free\tags.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14324
Entropy (8bit):	7.652105290311656
Encrypted:	false
SSDEEP:	384:uJsyVJWQTkvwm96zI7QvGIdfjMrE12S6zt+q9JVeJSwrWK0C:uNVkgvm9QIYfAYVotthvw5
MD5:	6F26A1A5D165272BA48F45BC0B79750E
SHA1:	01E410C26CDDB4D413609D867ED0B9B9E524C1C0
SHA-256:	5B97117B37D3CF1EDA8AFA90D872E4D2A74C5E59FC925E637AD1290865F582E5
SHA-512:	A7570ED8AE48574E44CB7EA04A796295657876B7A0F9B8F67D16CFAC0FEDDA1D02A4631F711195CD070AECCC8C7CA2AC2F23D28BF9DA8FA06BF2A101C53AB60F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...2h.V...........!.........2...............P............................................@.....................................x............................?..........................................H...............@....................................p.......0..................@..@.rsrc................2..............@..@.......................................@petite...............4..............`..`.........................................c.l.`#..j.Z........ b.E.!N...I.........K.\|....fv...ZF.1G...".w-.^f$..H..,\..U..D:.......I...n...HXg.....0.....Q.0 .8...\|..,.;.PY..RU.".....l.1...E6^..4P.K8..K.@.1.W(R..)..k.y.a._..t.t6.3qD...P../..m...m..T...P.R.\.......O....g........6..QL6.z..Y...........*f.d..+..7B....k.........<.}z0.Kmj..{%".Fg?.).Q...E.>.Y...P.t.........Eg..w..R..P.4...T.CZ.._.U..T...zt4........p. ............?.........X..,+...@..=....!{..rs=..QzY..~..0.y.D....D........Y<^...-C....$.T...

C:\Program Files (x86)\BurnAware Free\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	InnoSetup Log BurnAware Free, version 0x418, 11990 bytes, 992547\37\user\, C:\Program Files (x86)\BurnAware Free\376\
Category:	dropped
Size (bytes):	11990
Entropy (8bit):	3.794125503819784
Encrypted:	false
SSDEEP:	96:eO5Dn8AZv/I/MAbCmbcuJlEDA4MZAe2LVu0EtUC1CRCS9ClCnCM9C7C9kClCQhqZ:55wg6bP4DSmc104+sJjzCig95dHm
MD5:	ACA87C5B6DD2EB0AFD4751BCB1FB2819
SHA1:	3EBBB20496A5FDF7BC7F8EB492DA80633805E81F
SHA-256:	B7B8D405A6F6C888803C6BD8981E4216F3F38DEA1E8FD817DE2A927F366E84E0
SHA-512:	1F550AF4E9302E32B81650B44D5DE9DCDE4E9A9E5D65BE92BEB114099FE2E246943ECF1F84572DBD6E855D46AC97396BEA1A370AD6F2BE7B081DC4E5A4DACE6B
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................BurnAware Free..................................................................................................................BurnAware Free......................................................................................................................<.......%...........................................................................................................................fT................9.9.2.5.4.7......e.n.g.i.n.e.e.r......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e................2...v.. ..............IFPS...."...............................................................................................................................................................BOOLEAN..............TSETUPSTEP.........TWIZARDFORM....TWIZARDFORM.........TEXECWAIT.........TNEWSTATICTEXT....TNEWSTATICTEXT.........TSETUPMESSAGEID.................!MAIN....-1.....6.......CURSTEPCHANGED....

C:\Program Files (x86)\BurnAware Free\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1278181
Entropy (8bit):	6.457767718219793
Encrypted:	false
SSDEEP:	24576:EnbbPImgK4brDi4IxgRqzwqNb+Yz73P2EMZbG0JEt7Afjqx9z1:SHeKh4nqzF3PYdStuWz
MD5:	E2E897166C54B6EE47F0167221C28BD6
SHA1:	973EE8DEB14DBF2B52B8218FC82027BE186F1982
SHA-256:	C9B0BAD8C38604734F0ACAED5C6AA1A3142667E9E17D65838D964169C69C48EE
SHA-512:	EC0B6499C160090CAF95A1E377413DB51E7EDE6D8EB4302C5661558F56288A83AADF24FD0547538C001199A991ABB346520ADB0AFA1D2C861C492C9CA47D2348
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......L...................idata..@8.......:...L..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\BurnAware Free on the Web.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.burnaware.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.461161861367234
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4wUQLdYvn:HRYFVm/r4wUeOvn
MD5:	CFE219C7B0A6EDC037F6DBE7D18F8186
SHA1:	21E056119F133A5902A5545E32111B3A36FC7AEB
SHA-256:	F00E15A8922D6BDECF8A113EA78818C33647D4BBDAD83E924CFAEBFA8DA3A848
SHA-512:	67669E713BB707AA46C767FD2DE584D32DAF658C046DFEDE403D15F3C89789B98F09597930C2C339F2517205BA2D7BB7191588F68F2F539831AA0A833B981FA7
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.burnaware.com/..

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\BurnAware Free.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 11 16:50:13 2024, mtime=Thu Jul 11 16:50:13 2024, atime=Wed Jun 27 00:12:10 2018, length=1350360, window=hide
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.650774732002969
Encrypted:	false
SSDEEP:	24:8mU/Ft2EeikdOEzcCzAgfQdPc4dPcwoUUkjqygm:8mgZNkdOWcLgfQdPc4dPcw94yg
MD5:	7A472AAA77E0C61510C5A6CC1CB9D78E
SHA1:	3CE0210296B0C42E25550C1B88A16AF92961DDAB
SHA-256:	D07ED0C3FF967FAEA97221BFC38791A3AAA130BE41A50F3DA8042776216ED15B
SHA-512:	3187809E692B9ADE52B126267514B05FD77F6CCB9E5A7DB3F1584D17556B949F551E4F4A634F254C55F1846D1D1F844AEEE62B9A00E4B99D5F01E4E57BDCF1EB
Malicious:	false
Preview:	L..................F.... ..........y........v................................P.O. .:i.....+00.../C:\.....................1......X3...PROGRA~2.........O.I.X3.....................V.....\.e.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....f.1......XH...BURNAW~1..N.......XG..XH.....D.........................B.u.r.n.A.w.a.r.e. .F.r.e.e.....h.2.....L.. .BURNAW~1.EXE..L.......XG..XG.....X.........................B.u.r.n.A.w.a.r.e...e.x.e.......b...............-.......a....................C:\Program Files (x86)\BurnAware Free\BurnAware.exe..B.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.\.B.u.r.n.A.w.a.r.e...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.........*................@Z\|...K.J.........`.......X.......992547...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\Help.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 11 16:50:13 2024, mtime=Thu Jul 11 16:50:13 2024, atime=Fri May 18 16:57:50 2018, length=102640, window=hide
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.6590926209308625
Encrypted:	false
SSDEEP:	24:8mjY/LEodOEzccAgfedPcmdPcwoUUkfqygm:8mjEoodOWcbgfedPcmdPcw9Uyg
MD5:	FE388676B70A40E567C871C2B18FC587
SHA1:	5326FFA6A07BF99AF4EE8C504942B453C7DD9E5A
SHA-256:	F73E8B845BB48E01F151E10B839E90DDC60D7D68EDC975465ACBFE9681B5F26D
SHA-512:	5495A1A3E7310E4EBE01EC9EFF6A2A5CDED80FDD53CAF9BF0AB83DBF9BD8A62A43FC8231C60619EA3AF0D73FE1C767DBF14FC6C8D1E3670677D42221C95475DF
Malicious:	false
Preview:	L..................F.... .....G......G.....#b.................................P.O. .:i.....+00.../C:\.....................1......XG...PROGRA~2.........O.I.XH.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....f.1......XH...BURNAW~1..N.......XG..XH.....D.........................B.u.r.n.A.w.a.r.e. .F.r.e.e.....h.2.....L9. .BURNAW~1.CHM..L.......XG..XG.....I.........................b.u.r.n.a.w.a.r.e...c.h.m.......b...............-.......a....................C:\Program Files (x86)\BurnAware Free\burnaware.chm..B.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.\.b.u.r.n.a.w.a.r.e...c.h.m.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.........*................@Z\|...K.J.........`.......X.......992547...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free\Uninstall BurnAware Free.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 11 16:50:12 2024, mtime=Thu Jul 11 16:50:12 2024, atime=Thu Jul 11 16:49:42 2024, length=1278181, window=hide
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	4.640499697151714
Encrypted:	false
SSDEEP:	24:8mxHQLEodOEzcB0IQA3fxdPcTgdPcwoUUk7qygm:8mxHQoodOWcB043fxdPcTgdPcw9oyg
MD5:	D061313BF69BA9A675A8D416CCC0C58E
SHA1:	29A29FD2AC8BD01D10E2084C6AFBB5166A4767B5
SHA-256:	C45D62A895F76C94879EB8B6FF69EA60E6AFBC36527EB6836F915EC229FBC667
SHA-512:	7A78A6AEAC6C0540A007A7F94885CB170FE26E93AD9776A60E1BACBC6681C8A234B38B6B328647B56DA0048D02613755C8DB1B02F131076314DAF8214B1191C1
Malicious:	false
Preview:	L..................F.... .............o.P.................................P.O. .:i.....+00.../C:\.....................1......XG...PROGRA~2.........O.I.XH.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....f.1......XH...BURNAW~1..N.......XG..XH.....D.........................B.u.r.n.A.w.a.r.e. .F.r.e.e.....f.2.....X6. .unins000.exe..J.......XG..XG...............................u.n.i.n.s.0.0.0...e.x.e.......a...............-.......`....................C:\Program Files (x86)\BurnAware Free\unins000.exe..A.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.\.u.n.i.n.s.0.0.0...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.........*................@Z\|...K.J.........`.......X.......992547...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6

C:\Users\Public\Desktop\BurnAware Free.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jul 11 16:50:13 2024, mtime=Thu Jul 11 16:50:14 2024, atime=Wed Jun 27 00:12:10 2018, length=1350360, window=hide
Category:	dropped
Size (bytes):	1127
Entropy (8bit):	4.675660773567332
Encrypted:	false
SSDEEP:	24:8mi/LEodOEzcCzAgfndPc4dPcwoUUkjqygm:8mOoodOWcLgfndPc4dPcw94yg
MD5:	53A261E85FB1C16504FCB4222EE762FE
SHA1:	416D2E9E33854296E13A5453996227ACCA4075E8
SHA-256:	40097F61AAEE11EE4FA2974EBF8A3BBB461A7FAD679A64B9DD46596B538122A2
SHA-512:	AA4F46365404D9780D09738C703970A19325EE94180444E7C7A46FA53138707B92521B9C51408FCAF8B1BD636070619A46F058EEE1A0F40FC7E90DBCD03C0717
Malicious:	false
Preview:	L..................F.... ...................v................................P.O. .:i.....+00.../C:\.....................1......XG...PROGRA~2.........O.I.XH.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....f.1......XH...BURNAW~1..N.......XG..XH.....D.........................B.u.r.n.A.w.a.r.e. .F.r.e.e.....h.2.....L.. .BURNAW~1.EXE..L.......XG..XG.....X.........................B.u.r.n.A.w.a.r.e...e.x.e.......b...............-.......a....................C:\Program Files (x86)\BurnAware Free\BurnAware.exe..9.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.\.B.u.r.n.A.w.a.r.e...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.u.r.n.A.w.a.r.e. .F.r.e.e.........*................@Z\|...K.J.........`.......X.......992547...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GenericSetup.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH0HNpaHKlT4x:iq+wmj0qxqKkKYqGSI6oPtzH0tpaqZ4x
MD5:	0953036116DB18A3DBA50A95249AA09D
SHA1:	B0C95E1A76B13F979FA7FF6671473E983E13869B
SHA-256:	21B609D6C67BE1A72318549C614FFED1E4D09D90125217AA758DB759CB622231
SHA-512:	9A9D7AA570410A253A4DBDBFED162C3537C040425CFD7C8A9F70CA0BB7BCE4824AD959BECAF60A2FA4D090CF06328EE3A03BAC65E30209339ECA06679106166B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\3

C:\Users\user\AppData\Local\Temp\7zSC9543C70\2024.07.11_13.50.15.338184_installer_pid=3352.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe
File Type:	JSON data
Category:	modified
Size (bytes):	3577
Entropy (8bit):	5.3067262976435
Encrypted:	false
SSDEEP:	48:J3GwCR6lILzETSo1eKV/EgKlEEgciio1CZZaB2kK+xiswtpdkNo1CZZCHBNswt9c:ltCEtZyaB2kRLayEgUfs
MD5:	BCA658656108FB3CE1A6047A26969E08
SHA1:	DCABA6D48CD41885887D3048F337AB437590E2D6
SHA-256:	BF4B3030B809F1F0244E76195DB8326F233D82EE20FC5299A66C728B4A87BCEF
SHA-512:	EB9B4238D5816DBE0AB85F7FB4A20A208BA6B0853983E87797424FC91693F787B2D640DBC0D899212F94569E499CAFAC9CAB0D715EFB895A33CBD43C361EED29
Malicious:	false
Preview:	[1][debug][2024-07-11 13:50:15.338184][00:00:00][0x00000d18][0x00001998][installer][wWinMain][429]: install id=da0b6bd0-68bb-45f6-81ab-fe5aa06695ca..[2][debug][2024-07-11 13:50:15.338184][00:00:00][0x00000d18][0x00001998][installer][wWinMain][432]: generic setup config file path="C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe.config"..[3][debug][2024-07-11 13:50:15.338184][00:00:00][0x00000d18][0x00001998][installer][wWinMain][448]: event service url=https://flow.lavasoft.com..[4][debug][2024-07-11 13:50:15.338184][00:00:00][0x00000d18][0x00001998][installer][wWinMain][460]: bundle config file path="C:\Users\user\AppData\Local\Temp\7zSC9543C70\BundleConfig.xml"..[5][debug][2024-07-11 13:50:15.338184][00:00:00][0x00000d18][0x00001998][installer][wWinMain][471]: BundleId=BA002..[6][debug][2024-07-11 13:50:15.338184][00:00:00][0x00000d18][0x00001998][installer][ReadUACSetting][93]: No such node (<xmlattr>.UACSetting)..[7][debug][2024-07-11 13:50:15.338184][00:00:00]

C:\Users\user\AppData\Local\Temp\7zSC9543C70\BundleConfig.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	ASCII text, with very long lines (2281), with CRLF line terminators
Category:	dropped
Size (bytes):	4015
Entropy (8bit):	5.880446206753272
Encrypted:	false
SSDEEP:	96:toAdVKjRCQRJ6mrwMSEIZDvVsLAbxAJYpukte/70IO1:toFULD68kMukt/
MD5:	1772E6A673818E7A5FDA40769644B517
SHA1:	87A08A8D16DA1F9C5F69DDF1A49F6995F8D382F9
SHA-256:	0E395AA80EF68FD68DF39AEB52904F6A0800D7F13BCF2F5E2B84CD6AD2105CAC
SHA-512:	1F53A5A60CAC0AD933DC618EA6F7CCE9DB3AA5B6A963E40FCCC9DD41A955DD40D18EE493102B09DACDCFAC47AA965EF310969AC5BFCA77C656F82306BCAE421E
Malicious:	false
Preview:	<BundleConfig BundleId="BA002" AppName="BurnAware Free" OfferPageIndex="0" SignBundle="false" RequireAdminAccessRights="false" UseOfferInstaller="true" PartnerName="BA002">.. <Carrier CompanyName="BurnAware" ProductName="BurnAware Free" SoftwareVersion="10.3.0.0" OriginalFilename="BurnAwareFree.exe" LegalCopyright="" FileDescription="BurnAware Free Installation" AppFileName="BA002" />.. <Form Text="Setup - BurnAware Free" Width="497" Height="360" FormBorderStyle="FixedDialog">.. <Element Name="pnlHeader" BackColor="White" Height="60" Width="497">.. <Element Name="Icon" Visible="false" />.. <Element Name="Header1" Left="23" Top="12" Font="Tahoma, 8pt, style=Bold" ForeColor="Black" AutoSize="true" />.. <Element Name="Header2" Left="41" Top="28" Font="Tahoma, 8pt" ForeColor="Black" AutoSize="true" />.. <Element Name="Separator1" Visible="true" Top="59" />.. </Element>.. <Element Name="pnlContent" Height="249" Width="497">.. <Element Name="Line1" Font="T

C:\Users\user\AppData\Local\Temp\7zSC9543C70\DevLib.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	314104
Entropy (8bit):	6.21181274464366
Encrypted:	false
SSDEEP:	6144:xIM/N4R1UOv0ul9YZmOiI6LXGGDZBXbroL3YekZe:j7OvvGFd6VZqL3Yle
MD5:	30B280C144899FB2FE8E87DB11086E79
SHA1:	A417A70554C0A13CAD46E61ED2B9AB9DC1AA9CED
SHA-256:	380A96A13CDF34B3A3F695B32C6F096CEA2BAAAB6A800158C64CE97E679E6B83
SHA-512:	7E2232002C1D9ADD7CAACE8E18DB01B5A695DF5134E296433C4F32A97767BAE0AD81CD892D34E31F934DB046022904D3135B55F9D34D2CA8446AF540E5D30DA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Np Z.........." ..0.................. ........... ....................... ............@.....................................O...................................\|................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......`...............,...P.............................................{$.....{%.....{&.....{'.....{(.....{).....(.....}$.....}%.....}&......}'......}(......}).......0...........u......9....(+....{$....{$...o,...,w(-....{%....{%...o....,_(/....{&....{&...o0...,G(1....{'....{'...o2...,/(3....{(....{(...o4...,.(5....{)....{)...o6.......0.......... .... )UU.Z(+....{$...o7...X )UU.Z(-....{%...o8...X )UU.Z(/....{&...o9...X )UU.Z(1....{'...o:...X )UU.Z(3....{(...o;...X

C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46840
Entropy (8bit):	5.786090821557103
Encrypted:	false
SSDEEP:	768:VAE+/58U13Bwtrw5MzQUiAU9tYcFroo6K1D+0/6h:VAV/582/McUiBVrool1V6
MD5:	1F4C6E7D827B980005B2C9C057018BD0
SHA1:	C83ACECC2AA11EAA585FFA6512752EF96F826828
SHA-256:	43D8917BBC213AD1DD20088C782CED72AF1AD9A2BB0C4F60216BEFE433529533
SHA-512:	70406763FC98565BFBF420A1288893F5553DAD414158E5A84044742953267BF5751F0F52F7B8CA88A7FEDE2F320CB70BADFE41C8FDD26F24D6A00E98C705D8B2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]p Z.........."...0..`...>.......~... ........@.. ....................................@.................................\|~..O.......':........................................................................... ............... ..H............text....^... ...`.................. ..`.rsrc...':.......<...b..............@..@.reloc..............................@..B.................~......H........8.. E...........}...............................................0...........(.....(.......s....}..... .(...(.....(....o....(....(.....o.....3..s......o....:.......{....s....%.o......o....,j.o....o.....+>.o....t........o ...r...po!...o"........(#...o$...(%...,.......o&...-....u........,...o'.....{.......o(....{.....o)...........J.........{.....0..^........{....o....(+....3I..(,....(-...o.......(/....(0...Y.[(1....(-...o.......(2....(3...Y.[(4...*...0...........{..

C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe.config

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1537
Entropy (8bit):	5.174552899889409
Encrypted:	false
SSDEEP:	48:cP02EekibQtMbP+KI4YHJyIcsJcJ4YHKJyI+:l2/kPaP+KI4YpytsJcJ4YqJyt
MD5:	049B9D921F91D1E80CBF81661862AB4B
SHA1:	A6A6BF15EFD8E2584C69306231796AFC07F52AB2
SHA-256:	4846A33382A7667E206A754C47F3078054B739E2D8411A7466121145B1E78E80
SHA-512:	A61753A699611A6F95892D4A509E85506B7033E8D484D2398A1D057C7E230F4224A1751E1F8143A7626C968F6204DD8C49418D4EB2D8C519185A7C86E6F3E862
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>..... .. .. .. .....<runtime>...... .. ....<NetFx40_LegacySecurityPolicy enabled="true"/>...</runtime>...<startup useLegacyV2RuntimeActivationPolicy="true">...... .. .. ....<supportedRuntime version="v4.0"/>....<supportedRuntime version="v2.0.50727"/>...</startup>...<appSettings>...... .. .. .. .. ....<add key="OfferServiceHostUrl" value="https://sos.adaware.com"/>....<add key="EventServiceUrl" value="https://flow.lavasoft.com"/>....<add key="ClientSettingsProvider.ServiceUri" value=""/>....<add key="InstallId" value="da0b6bd0-68bb-45f6-81ab-fe5aa06695ca"/>...</appSettings>...<system.web>...... .. .. ....<membership defaultProvider="ClientAuthenticationMembershipProvider">....... .. .....<providers>........ .. ......<add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Ver

C:\Users\user\AppData\Local\Temp\7zSC9543C70\Microsoft.Win32.TaskScheduler.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	303352
Entropy (8bit):	6.146428936546734
Encrypted:	false
SSDEEP:	6144:5G07E8NW93vlxjYULsxwwnpfmEtXqMDYr5vnA+19afZt:BE73vPYULsxwwnpfmEtXqMuvFkf/
MD5:	5B13DE19962A1F69B6ED29ABCAD1E901
SHA1:	E22DA90A8656C2731379CF3EC792ACCDC0B950CD
SHA-256:	26D14050598608F14D8EE65CB3446A5C57B86EE7A429C1C10B6D3FE5DC321353
SHA-512:	6B5F459C2BD6CE3394DE08A0FD96657E85F879A3668C75901624038A23AEA87A2C8CDCF613EECC70A2331A9C958809526C4C284DA705486E013DBC7C65EFA101
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.RY.........." ..0................. ........... ...................................@.....................................O.......0...........................`................................................ ............... ..H............text...@.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B.......................H........y..$............E...W............................................{......{....V.(......}......}.......0..;........u,.....,/(.....{.....{....o....,.(.....{.....{....o...... .F. )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0...........r...p......%..{.........../...../...-.q/......../...-.&.+.../...o.....%..{...........0.....0...-.q0........0...-.&.+...0...o.....(......{......{......{....r.(......}......}......}........0..S........u1.....,G(.....{.....{....o

C:\Users\user\AppData\Local\Temp\7zSC9543C70\OfferInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25848
Entropy (8bit):	5.572877039684841
Encrypted:	false
SSDEEP:	384:M+4mFeZm7y5dOSxzHwU18Q7/mA83ptYcF0Kc03Ks8n+YPLbY+lzL:M/o7y5dOMzQUiA8ZtYcF0Kc6Ks8+0/lv
MD5:	B4744A5699F0F78C231D1505D21AFB0A
SHA1:	230A6C84A6535102A7BC86512EEF9C084E277AEC
SHA-256:	66FBB836C78A4B025036A76E0F352582740948072D9D591043D308117C5D6B92
SHA-512:	1BBFC7A142AD7310E91F915C2B8A3CA57163C51C08F2E12E668CD3EAE498457881585B5B5DA345658FA7E93070EACA81597E258B394AE02E199FE6661D75F100
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\p Z.........."...0......:.......0... ...@....@.. ....................................@..................................0..O....@...6...........N..............l/............................................... ............... ..H............text........ ...................... ..`.rsrc....6...@...8..................@..@.reloc...............L..............@..B.................0......H........"...............................................................0..P.......(...........s....o......r...pr...p.s......s......o.....o....%(....(...+..o......r+..p..(....(....(.....o.......,..o........,..o......o....(....-..o....r7..p(....+.rW..p.(...........o....o ....ru..p..$...(!...(.....o"...(#...($....o....o%...&.(&....L..(......o'...r...p..o(...()...(......(.....(....r...p(+...(,...r...p(+.... ....(-...Ad......0...>...n...............)...Q...z...................

C:\Users\user\AppData\Local\Temp\7zSC9543C70\OfferInstaller.exe.config

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1093
Entropy (8bit):	5.091088372767926
Encrypted:	false
SSDEEP:	24:JduG/mh9jnk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOT:30nnKS4YHJyILsJ+J4YHKJyIvT
MD5:	DD39824ADEB4FF5BCDA330F48A1777B9
SHA1:	EE46838177B0CD7E17C77F1FADB2A516A960AF12
SHA-256:	D31388110FFDEF2AC150BDF02E69EBF81895D2B0EC8400558601A9E498E05DFC
SHA-512:	79BA2C8605C359BC4E4FA10550F4771C3DF77EF395CB1D9F4014925FC885225331E9F2915AEF071D4394845D79126166719AD82AFD51116FD796F55D46101BBB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <NetFx40_LegacySecurityPolicy enabled="true" />.. </runtime>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cache

C:\Users\user\AppData\Local\Temp\7zSC9543C70\WizardPages.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58104
Entropy (8bit):	5.574131051536826
Encrypted:	false
SSDEEP:	768:6qctE6OVHn3bDkdC+Ya/uMloameNmNDYz+0/02:6qcOVPklpqadyDYl82
MD5:	25F08F3D68A79554CCF75EC08D1D8820
SHA1:	2C0BCC8C215D4CA15E1EAE33D1BF372C2B0C8C8B
SHA-256:	AB14AC1D6645CC1470C4177E6E838F2475D7C1DAAC375DD25DD49D1D29D249ED
SHA-512:	0186E8EC44E5BBB4327B51ADD76EC8AA3D0529AEA0BBB8545EAE1F6355F2E02F06126C0C54465A82190942EC87BB95B4A7C92B8A4F6540763EF219ACE923DA4A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Op Z.........." ..0.................. ........... .......................@......p.....@.....................................O............................ ......T................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........}...[..........................................................>...(.....(......(....o....,..(....o....o.........0...........{....o....,/.{....o....,".(....o....,..(....o....r...po.....{....o....,F.{....o....,9.(....o....,,.(....o....o....(....-..(....o....o....(....(....o.....(....z.,..{....,..{....o......(....*..0...........s....}.....s....}.....s....}.....s....}.....{ ...o!....{"...o!....{#...o!....{$...o%....(!....{"...o&....{....o'....{"...o&....{....o'....{

C:\Users\user\AppData\Local\Temp\7zSC9543C70\de\DevLib.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.450102420013877
Encrypted:	false
SSDEEP:	48:6wQau9KYa5QHb/bmlR40PQWqb7BpS7LSkjnpAkdznwUJ0LcOc:wEQjSlRj+RaZdzwU2Iz
MD5:	9C30F5969E8C131EDD9C14870748AB67
SHA1:	FD372AA55B56077CC48932A1E48B262A549AA336
SHA-256:	8F2ACD179C0A9A52F01B7FD4E1D2A5422EEEC46F97DAEA59BD55AFF8E75EC77E
SHA-512:	DB862DAAD8C618EFC356F6CA3E452EFEFAF1F59D3570CD668EA9D1B68D8CE12C5D3E16DDB5EC18627516DEA012035361B9ED8E8A754C699CB14875329C95BA2B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Np Z...........!.................&... ...@....@.. ....................................@.................................L&..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H........#..H...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPf.......p...].ec..................L........C.a.n.c.e.l.M.e.s.s.a.g.e.....(C.a.n.c.e.l.M.e.s.s.a.g.e.C.a.p.t.i.o.n./...@C.a.n.c.e.l.M.e.s.s.a.g.e.L.a.s.t.S.c.r.e.e.n.O.f.f.e.r.P.a.g.e.8....C.o.u.l.d.N.o.t.D.o.w.n.l.o.a.d.M.e.s.

C:\Users\user\AppData\Local\Temp\7zSC9543C70\en\DevLib.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.40565817824893
Encrypted:	false
SSDEEP:	48:6wQqyC9KYag3vLV/SumlR40PI8qb7BBS7LSkjnpAkdznwUJ0LcOc:icV3vLV/alRJ+5aZdzwU2Iz
MD5:	9B2C1B850E4A0CA8BDBC5BC7DCAD72C7
SHA1:	717C2294FED24006C1B00B5BF21F4C117411EECD
SHA-256:	80E61A5769A0D2645CEC809567C0408DC97A42754E1083AC90C644DD9CF6B3E6
SHA-512:	991EFFCBF2A42968C176314645515A727DCAB2CD440015EDB75E933F2EEF487F0DF8880CC990A2111917C2E03E475EB49B7F411695F418FC77FC16563AF016D0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Np Z...........!.................&... ...@....@.. ....................................@.................................4&..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p&......H........"..H...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPf.......p...].ec..................L........C.a.n.c.e.l.M.e.s.s.a.g.e.....(C.a.n.c.e.l.M.e.s.s.a.g.e.C.a.p.t.i.o.n."...@C.a.n.c.e.l.M.e.s.s.a.g.e.L.a.s.t.S.c.r.e.e.n.O.f.f.e.r.P.a.g.e.+....C.o.u.l.d.N.o.t.D.o.w.n.l.o.a.d.M.e.s.

C:\Users\user\AppData\Local\Temp\7zSC9543C70\es\DevLib.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.409634995101771
Encrypted:	false
SSDEEP:	48:6wQqyC9KYag3vye5SumlR40PFcqb7BBS7LSkjnpAkdznwUJ0LcOc:icV3vye5alRq+5aZdzwU2Iz
MD5:	3875A76EBDD113524E5DC3B4276FEC67
SHA1:	A606A0AF593B918DC5DC05AFFA154EB22B7A551E
SHA-256:	562C2B0800CDC27B6EE52DF8B068A2BD4B41C8D8FB5133B3DBB76B3E5EA50B76
SHA-512:	722B410BD815B58FD8D9D3FB7B62BCD6BE75B50A2B7AD2673E3475F6B58919607A0D733744899EB9C72E2EF72207EA4BC070A4E24181A517CDB312AFD6B19F7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Np Z...........!.................&... ...@....@.. ....................................@.................................4&..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p&......H........"..H...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPf.......p...].ec..................L........C.a.n.c.e.l.M.e.s.s.a.g.e.....(C.a.n.c.e.l.M.e.s.s.a.g.e.C.a.p.t.i.o.n."...@C.a.n.c.e.l.M.e.s.s.a.g.e.L.a.s.t.S.c.r.e.e.n.O.f.f.e.r.P.a.g.e.+....C.o.u.l.d.N.o.t.D.o.w.n.l.o.a.d.M.e.s.

C:\Users\user\AppData\Local\Temp\7zSC9543C70\fr\DevLib.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.492003999715567
Encrypted:	false
SSDEEP:	48:6wQK69KYaj20icbIVJNmlR40PJQgqb7B5S7LSkjnpAkdznwUJ0LcOc:Um2WKJIlRWg+BaZdzwU2Iz
MD5:	03F7047A3B237E021FC335656709D598
SHA1:	CA0257B4D7445F48C1F3AD676372107B9DFEA8B5
SHA-256:	18E38B17A644F0334C0B2E90E31DBB16EEC690EBFEBEB2FECBEA83DC4F4EEE35
SHA-512:	010C4F47B01CC2CD2E1B9B5821BA5EA051B02F1F09EB003207D3576614F3D8421065B23AD023CE5DCA3D9856EC80901178B7E90C42137346E854D60DF0AC5294
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Np Z...........!.................&... ...@....@.. ....................................@.................................\&..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H........#..H...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPf.......p...].ec..................L........C.a.n.c.e.l.M.e.s.s.a.g.e.....(C.a.n.c.e.l.M.e.s.s.a.g.e.C.a.p.t.i.o.n.%...@C.a.n.c.e.l.M.e.s.s.a.g.e.L.a.s.t.S.c.r.e.e.n.O.f.f.e.r.P.a.g.e.0....C.o.u.l.d.N.o.t.D.o.w.n.l.o.a.d.M.e.s.

C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1626360
Entropy (8bit):	6.54106210872876
Encrypted:	false
SSDEEP:	49152:4cyczrbk6H/TNifx4KZsv6nAKF6YmmHgBl5cwZZJvHyi+E+6TTY:4c5/vh2NmmAL5HJvC
MD5:	4D66DE397B5BF1F085AA7046A578A34C
SHA1:	F0C58079D03C27E0E2108204DCAF463CAFA32A9C
SHA-256:	DA927CC761D621255F0FB6F51BCD240AF3220B6F8B1E53ECA54D25676AAFCE2E
SHA-512:	55612FFA8F2EC2CB2D18D238F2B6FA31E529D9AA25AD4CB6916C89C8A9D86D517C28C5BAC8C13665E7A4F3BB61CD6A8660FA6737BCA97A5325FC072FB92CC6B4
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.It...6.It.I.6.It...6.cH...6..5...6.......6.j.3...6...3...6..3...6..2...6.......6.j.2...6.....6...7...6.h.?...6.o....6.....6.h.4...6.Rich..6.........PE..L...gp Z............................6.............@.......................... ......:.....@..............................................0......................,...p...p...................<...........@...............(............................text...v........................... ..`.rdata..:...........................@..@.data..............................@....gfids...............j..............@..@.tls.................t..............@....rsrc....0.......2...v..............@..@.reloc..,...........................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BurnAware Free.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe
File Type:	ASCII text, with very long lines (3016), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	8312
Entropy (8bit):	5.5172336388270855
Encrypted:	false
SSDEEP:	96:OoPEiQ5GrKSHSdpmEzN6izDN6yvKlOK+WKSHSdU8+RKKRgDjRZpzi9V50Nfgl:OosiSglT+rJill
MD5:	D03FFBC45F3CA53C745BDC97F79956A5
SHA1:	FC5AF15E666B4B2441C74EDA7630DEAFB058603B
SHA-256:	2557C6A95D6D29C939E7939F9BBF620F606DF652A05A7057882FBCD814FE0FD9
SHA-512:	D8F2F1EFCE553CAAD19B59DA971A0E616CC326C17AB0177A5157BF99B7B26486FE9E79213EB8B000F2DDB7E6755268F2D71CA5FE5AB674DDE25E837FEA560BC5
Malicious:	false
Preview:	2024-07-11 13:50:16,067 [INFO] ========================= LogWriter initialized ==========================================================..2024-07-11 13:50:16,082 [INFO] Command line arguments: ..2024-07-11 13:50:16,098 [INFO] admin access right =True..2024-07-11 13:50:16,098 [INFO] admin access right =True..2024-07-11 13:50:16,192 [ERROR] System.IO.FileNotFoundException:C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe. at System.Diagnostics.FileVersionInfo.GetVersionInfo(String fileName).. at DevLib.Service.SystemService.GetBrowserVersion(String filePath, String registryKey, Boolean isIE)...2024-07-11 13:50:16,582 [INFO] add send event to queue : BundleInstallStart..2024-07-11 13:50:17,254 [INFO] About to send WebRequest(list) bundleId=BA002..2024-07-11 13:50:18,363 [INFO] SendEvent Request ProductID:IS, Type:BundleInstallStart, EventServiceUri:https://flow.lavasoft.com, RequestData:[{"InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","MachineId":"3d40

C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	894336
Entropy (8bit):	7.866668144054505
Encrypted:	false
SSDEEP:	24576:fG50ZfFK0lyhTtemSv0TOqMOyiBuO4N7lXfk9/ljhhJT:fG5Ufg0U4dO/BuVN7tMhpJT
MD5:	9AA0F5A7FBC6F7A2E6FEAF78F8E6B7D7
SHA1:	AA6D766912112809FD0849DBE6171D5BD4975B17
SHA-256:	234E86126EADCD7519D481BE72BA486DDCB5C03361A85512120ACAA540221C94
SHA-512:	A1A7DD19F29815C9D42BAC3C970490950BD5BAE5FF083614011A4B367282B3BE09405C83B9269101701280F403F76856DF6970C0612A8FE5F3A59B8F7C3CD817
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s..c}...s..Yy...s..w,...s...r./.s..w....s..Yx...s.......s.......s.Zyu...s.Rich..s.................PE..L.....M........../..................H............@.............................................................................d....p..h7...........................................................................................................text............................... ..`.rdata...D.......F..................@..@.data...hZ.......2..................@....sxdata......`......................@....rsrc...h7...p...8..................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1255424
Entropy (8bit):	6.4851648915335725
Encrypted:	false
SSDEEP:	24576:cnbbPImgK4brDi4IxgRqzwqNb+Yz73P2EMZbG0JEt7Afjqx9zq:KHeKh4nqzF3PYdStuW4
MD5:	B3937B0F947BBEB9F93859803C6FD14E
SHA1:	3FE9D0FC391A4654CEEC11DC549EBE979833D2B4
SHA-256:	0797FB9E4B8B19AF03DDE10BCF2498A605BF31CFC0E7E92BC775177EBB64A070
SHA-512:	58C66270D6662C1E8F5D2992E863D7D088D118550CB7AA706F8641EA26530674BB034BA1637378004CDFADC89F27970E10EBF68C1BF07D4E4497B1571AC4913D
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......L...................idata..@8.......:...L..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.996276806312489
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe
File size:	8'728'608 bytes
MD5:	a6d83330743edcff48a85dfa1013fdab
SHA1:	0aa8362a86274edcba3c111e8d729b1e0198a92b
SHA256:	03c769a2c069d127c2d9a5103853218a8f108074f0012776ff871dadf346c39e
SHA512:	2144b8b84a9769eb1257b856bf62fadfff58f715e344ee6c4021190da326bba32336b99b1086cd6ed9d1eb4b248d52130ec232cf65a7c17e92742adc35a8f302
SSDEEP:	196608:qVWJWqgbeuM2NS+JYkeC5gkdCj2HAFDEv0AIYCTNp:qVWJpGjNbjeCVsqacDbChp
TLSH:	A5963392E38B41B4FA655631949AD8303C533EEA1AD081066DFFFE1C763AA806DF7171
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	1c48490d1d1d992f

Static PE Info

General

Entrypoint:	0x41181c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	05/11/2014 01:00:00 06/11/2019 00:59:59
Subject Chain	CN=Burnaware, O=Burnaware, STREET=Krylatskie Kholmy 39-2, L=Moscow, S=Moscow, PostalCode=121614, C=RU
Version:	3
Thumbprint MD5:	E892014EF40D1CEAAA8E35FBF8E4CA54
Thumbprint SHA-1:	CD1DFF866CFBCBC9593B2D5AF7B7A621A4C048FF
Thumbprint SHA-256:	AE3E817C15946BB94DD8C21DBD9C88D3DF75BBAABA12F6950BF102B2EFBD0B16
Serial:	34A57A0F0BF4B55CCD6F48728FA63980

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 0041015Ch
call 00007F3208BF515Dh
xor eax, eax
push ebp
push 00411EFEh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00411EBAh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [00415B48h]
call 00007F3208BFD8BBh
call 00007F3208BFD40Ah
cmp byte ptr [00412AE0h], 00000000h
je 00007F3208C003DEh
call 00007F3208BFD9D0h
xor eax, eax
call 00007F3208BF31F5h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F3208BFA43Bh
mov edx, dword ptr [ebp-14h]
mov eax, 00418658h
call 00007F3208BF37CAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [00418658h]
mov dl, 01h
mov eax, dword ptr [0040C04Ch]
call 00007F3208BFAD52h
mov dword ptr [0041865Ch], eax
xor edx, edx
push ebp
push 00411E66h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F3208BFD92Eh
mov dword ptr [00418664h], eax
mov eax, dword ptr [00418664h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F3208C0041Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x1bca4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x851b48	0x14d8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf25c	0xf400	0da5d73ffbc41792fa65a09058a91476	False	0.5482197745901639	data	6.375879013420213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xfa4	0x1000	2eb275566563c3f1d0099a0da7345b74	False	0.563720703125	data	5.778765357049134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc8c	0xe00	73b859e23f5fd17e00c08db2e0e73dfe	False	0.25362723214285715	data	2.3028287433175367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x13000	0x56bc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x19000	0xe04	0x1000	e9b9c0328fd9628ad4d6ab8283dcb20e	False	0.321533203125	data	4.597812557707959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1a000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x18	0x200	3dffc444ccc131c9dcee18db49ee6403	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x1bca4	0x1be00	dc24f890fb65625d20e3bc2a39bfbfc1	False	0.5723532090807175	data	6.487924190434178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c4dc	0x2c46	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.957473089818246
RT_ICON	0x1f124	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.2998400852878465
RT_ICON	0x1ffcc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.32084837545126355
RT_ICON	0x20874	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.38078034682080925
RT_ICON	0x20ddc	0x9996	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9952947759295997
RT_ICON	0x2a774	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.3955394190871369
RT_ICON	0x2cd1c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.4969512195121951
RT_ICON	0x2ddc4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6551418439716312
RT_STRING	0x2e22c	0x68	data			0.6538461538461539
RT_STRING	0x2e294	0xd4	data			0.5283018867924528
RT_STRING	0x2e368	0xa4	data			0.6524390243902439
RT_STRING	0x2e40c	0x2ac	data			0.45614035087719296
RT_STRING	0x2e6b8	0x34c	data			0.4218009478672986
RT_STRING	0x2ea04	0x294	data			0.4106060606060606
RT_RCDATA	0x2ec98	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x36f80	0x10	data			1.5
RT_RCDATA	0x36f90	0x150	data			0.8392857142857143
RT_RCDATA	0x370e0	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x3710c	0x76	data	English	United States	0.6694915254237288
RT_VERSION	0x37184	0x4f4	data	English	United States	0.2894321766561514
RT_MANIFEST	0x37678	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/11/24-19:39:38.782654	TCP	2025537	ET MALWARE Lavasoft PUA/Adware Client Install	49740	80	192.168.2.4	104.16.148.130
07/11/24-19:39:44.565238	TCP	2849740	ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI	49751	443	192.168.2.4	104.16.148.130
07/11/24-19:39:40.960268	TCP	2849741	ETPRO MALWARE Suspicious Domain (sos .adaware .com) in TLS SNI	49745	443	192.168.2.4	104.16.212.94
07/11/24-19:39:42.215264	TCP	2849740	ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI	49747	443	192.168.2.4	104.16.148.130
07/11/24-19:39:43.806977	TCP	2849740	ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI	49749	443	192.168.2.4	104.16.148.130
07/11/24-19:39:42.987417	TCP	2849740	ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI	49748	443	192.168.2.4	104.16.148.130
07/11/24-19:39:39.840011	TCP	2849740	ETPRO MALWARE Suspicious Domain (flow .lavasoft .com) in TLS SNI	49742	443	192.168.2.4	104.16.148.130

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 11, 2024 19:50:16.982275009 CEST	57183	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:16.987190008 CEST	80	57183	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:16.987294912 CEST	57183	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:16.988071918 CEST	57183	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:16.992973089 CEST	80	57183	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:17.506561995 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.506613970 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:17.506736994 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.508939028 CEST	80	57183	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:17.509896040 CEST	57183	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.515099049 CEST	80	57183	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:17.515172005 CEST	57183	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.530796051 CEST	57185	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.535965919 CEST	80	57185	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:17.536031008 CEST	57185	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.554670095 CEST	57185	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.560077906 CEST	80	57185	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:17.656852961 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:17.656897068 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:17.657541990 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:17.671705008 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:17.671744108 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:17.675898075 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:17.675942898 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.300378084 CEST	80	57185	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.300647974 CEST	57185	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.303127050 CEST	80	57185	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.303169012 CEST	57185	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.310062885 CEST	80	57185	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.310116053 CEST	57185	80	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.318046093 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.318121910 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.320497036 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.320512056 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.320810080 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.371535063 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.379149914 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.420500994 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.420581102 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.420592070 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.421344042 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.421428919 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.423912048 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.423933983 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.424257994 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.425419092 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.472503901 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.472553015 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.472567081 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.637478113 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.637639046 CEST	443	57184	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.637691021 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.671753883 CEST	57184	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.879884005 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.879954100 CEST	443	57188	104.16.213.94	192.168.2.6
Jul 11, 2024 19:50:18.880089045 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.880598068 CEST	57188	443	192.168.2.6	104.16.213.94
Jul 11, 2024 19:50:18.889326096 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.889386892 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:18.889456987 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.893414021 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:18.893426895 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.464653015 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.465943098 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.465986967 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.466027975 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.466037989 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.619530916 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.619826078 CEST	443	57189	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.619925022 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.620328903 CEST	57189	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.621840954 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.621881962 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:19.621946096 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.624514103 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:19.624541044 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.180718899 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.182075977 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.182122946 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.182277918 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.182287931 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.382638931 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.382977962 CEST	443	57190	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.383044958 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.383557081 CEST	57190	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.406832933 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.406860113 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.406928062 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.414849997 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.414864063 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.977447987 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.986704111 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.986738920 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:20.987034082 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:20.987041950 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.166371107 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.166615963 CEST	443	57192	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.166688919 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.167190075 CEST	57192	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.171536922 CEST	57193	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.171596050 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.171680927 CEST	57193	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.175283909 CEST	57193	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.175302029 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.732243061 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.733906031 CEST	57193	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.733951092 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.733971119 CEST	57193	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.733979940 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.880373001 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.880515099 CEST	443	57193	104.16.149.130	192.168.2.6
Jul 11, 2024 19:50:21.880615950 CEST	57193	443	192.168.2.6	104.16.149.130
Jul 11, 2024 19:50:21.881078005 CEST	57193	443	192.168.2.6	104.16.149.130

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 11, 2024 19:50:01.930367947 CEST	53	56782	1.1.1.1	192.168.2.6
Jul 11, 2024 19:50:16.945641994 CEST	61626	53	192.168.2.6	1.1.1.1
Jul 11, 2024 19:50:16.953011990 CEST	53	61626	1.1.1.1	192.168.2.6
Jul 11, 2024 19:50:16.959558964 CEST	61381	53	192.168.2.6	1.1.1.1
Jul 11, 2024 19:50:16.971128941 CEST	53	61381	1.1.1.1	192.168.2.6
Jul 11, 2024 19:50:17.493616104 CEST	58319	53	192.168.2.6	1.1.1.1
Jul 11, 2024 19:50:17.502343893 CEST	53	58319	1.1.1.1	192.168.2.6
Jul 11, 2024 19:50:17.642903090 CEST	49935	53	192.168.2.6	1.1.1.1
Jul 11, 2024 19:50:17.656200886 CEST	53	49935	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 11, 2024 19:50:16.945641994 CEST	192.168.2.6	1.1.1.1	0xf8c2	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:16.959558964 CEST	192.168.2.6	1.1.1.1	0x6bc6	Standard query (0)	flow.lavasoft.com	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:17.493616104 CEST	192.168.2.6	1.1.1.1	0x1e59	Standard query (0)	flow.lavasoft.com	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:17.642903090 CEST	192.168.2.6	1.1.1.1	0xed60	Standard query (0)	sos.adaware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 11, 2024 19:50:16.953011990 CEST	1.1.1.1	192.168.2.6	0xf8c2	No error (0)	www.google.com	142.250.185.132	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:16.971128941 CEST	1.1.1.1	192.168.2.6	0x6bc6	No error (0)	flow.lavasoft.com	104.16.149.130	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:16.971128941 CEST	1.1.1.1	192.168.2.6	0x6bc6	No error (0)	flow.lavasoft.com	104.16.148.130	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:17.502343893 CEST	1.1.1.1	192.168.2.6	0x1e59	No error (0)	flow.lavasoft.com	104.16.149.130	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:17.502343893 CEST	1.1.1.1	192.168.2.6	0x1e59	No error (0)	flow.lavasoft.com	104.16.148.130	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:17.656200886 CEST	1.1.1.1	192.168.2.6	0xed60	No error (0)	sos.adaware.com	104.16.213.94	A (IP address)	IN (0x0001)	false
Jul 11, 2024 19:50:17.656200886 CEST	1.1.1.1	192.168.2.6	0xed60	No error (0)	sos.adaware.com	104.16.212.94	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sos.adaware.com

flow.lavasoft.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	57183	104.16.149.130	80	3352	C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 11, 2024 19:50:16.988071918 CEST	455	OUT	POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 274 Data Raw: 7b 22 44 61 74 61 22 3a 7b 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4f 73 56 65 72 73 69 6f 6e 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 20 28 62 75 69 6c 64 20 31 39 30 34 35 29 2c 20 36 34 2d 62 69 74 22 2c 22 44 6f 74 4e 65 74 46 72 61 6d 65 77 6f 72 6b 22 3a 22 33 2e 35 2c 20 34 2e 30 20 43 6c 69 65 6e 74 2c 20 34 2e 30 20 46 75 6c 6c 2c 20 34 2e 35 2c 20 34 2e 35 2e 31 2c 20 34 2e 35 2e 32 2c 20 34 2e 36 2c 20 34 2e 36 2e 31 2c 20 34 2e 36 2e 32 22 7d 7d 0a Data Ascii: {"Data":{"BundleId":"BA002","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","OsVersion":"Microsoft Windows 10 (build 19045), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2"}}
Jul 11, 2024 19:50:17.508939028 CEST	524	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:17 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa28ecab25589-EWR Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 1d{"message":"Event persisted"}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	57185	104.16.149.130	80	3352	C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 11, 2024 19:50:17.554670095 CEST	338	OUT	POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 151 Data Raw: 7b 22 44 61 74 61 22 3a 7b 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 49 6e 50 72 6f 63 65 73 73 22 3a 22 74 72 75 65 22 7d 7d 0a Data Ascii: {"Data":{"BundleId":"BA002","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","InProcess":"true"}}
Jul 11, 2024 19:50:18.300378084 CEST	524	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:18 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa2922a939e16-EWR Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 1d{"message":"Event persisted"}0
Jul 11, 2024 19:50:18.303127050 CEST	524	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:18 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa2922a939e16-EWR Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 1d{"message":"Event persisted"}0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	57188	104.16.213.94	443	1804	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-11 17:50:18 UTC	163	OUT	POST /v1/bundle/list/?bundleId=BA002 HTTP/1.1 Content-Type: application/json;charset=utf-8 Host: sos.adaware.com Content-Length: 185 Connection: Keep-Alive
2024-07-11 17:50:18 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-11 17:50:18 UTC	184	OUT	Data Raw: 22 4f 66 66 65 72 46 69 6c 74 65 72 4f 72 22 3a 5b 5b 7b 22 6b 65 79 22 3a 22 6c 61 6e 67 22 2c 22 73 68 6f 75 6c 64 22 3a 74 72 75 65 2c 22 62 65 49 6e 22 3a 5b 22 65 6e 22 5d 7d 2c 7b 22 6b 65 79 22 3a 22 6f 73 76 65 72 73 69 6f 6e 22 2c 22 73 68 6f 75 6c 64 22 3a 74 72 75 65 2c 22 62 65 49 6e 22 3a 5b 22 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 22 5d 7d 2c 7b 22 6b 65 79 22 3a 22 68 6f 73 74 62 72 6f 77 73 65 72 22 2c 22 73 68 6f 75 6c 64 22 3a 74 72 75 65 2c 22 62 65 49 6e 22 3a 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 5d 7d 5d 5d 7d Data Ascii: "OfferFilterOr":[[{"key":"lang","should":true,"beIn":["en"]},{"key":"osversion","should":true,"beIn":["Windows 10 Pro"]},{"key":"hostbrowser","should":true,"beIn":["Google Chrome"]}]]}
2024-07-11 17:50:18 UTC	204	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:18 GMT Content-Type: application/json Content-Length: 158 Connection: close CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa29529d5421f-EWR
2024-07-11 17:50:18 UTC	158	IN	Data Raw: 7b 0a 20 20 22 6d 61 78 53 68 6f 77 6e 22 3a 20 32 2c 0a 20 20 22 6d 61 78 41 63 63 65 70 74 65 64 22 3a 20 32 2c 0a 20 20 22 6d 61 78 44 65 63 6c 69 6e 65 64 22 3a 20 30 2c 0a 20 20 22 73 6b 69 70 41 6c 6c 4f 66 66 65 72 73 22 3a 20 66 61 6c 73 65 2c 0a 20 20 22 73 68 6f 77 4f 66 66 65 72 43 6f 6e 73 65 6e 74 50 61 67 65 22 3a 20 66 61 6c 73 65 2c 0a 20 20 22 63 6f 75 6e 74 72 79 32 22 3a 20 22 55 53 22 2c 0a 20 20 22 4f 66 66 65 72 49 74 65 6d 73 22 3a 20 5b 5d 0a 7d Data Ascii: { "maxShown": 2, "maxAccepted": 2, "maxDeclined": 0, "skipAllOffers": false, "showOfferConsentPage": false, "country2": "US", "OfferItems": []}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	57184	104.16.149.130	443	1804	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-11 17:50:18 UTC	186	OUT	POST /v1/event-stat/?ProductID=IS&Type=BundleInstallStart HTTP/1.1 Content-Type: application/json;charset=utf-8 Host: flow.lavasoft.com Content-Length: 848 Connection: Keep-Alive
2024-07-11 17:50:18 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-11 17:50:18 UTC	847	OUT	Data Raw: 22 44 61 74 61 22 3a 7b 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 42 75 6e 64 6c 65 56 65 72 73 69 6f 6e 22 3a 22 32 2e 30 2e 30 2e 35 33 35 22 2c 22 43 61 72 72 69 65 72 49 64 22 3a 6e 75 6c 6c 2c 22 43 61 72 72 69 65 72 4e 61 6d 65 22 3a 22 42 75 72 6e 41 77 61 72 65 22 2c 22 43 61 72 72 69 65 72 53 6f 66 74 77 61 72 65 4e 61 6d 65 22 3a 22 42 75 72 6e 41 77 61 72 65 20 46 72 65 65 22 2c 22 43 61 72 72 69 65 72 53 6f 66 74 77 61 72 65 Data Ascii: "Data":{"InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","BundleId":"BA002","BundleVersion":"2.0.0.535","CarrierId":null,"CarrierName":"BurnAware","CarrierSoftwareName":"BurnAware Free","CarrierSoftware
2024-07-11 17:50:18 UTC	479	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:18 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa2957c545e80-EWR
2024-07-11 17:50:18 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-11 17:50:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	57189	104.16.149.130	443	1804	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-11 17:50:19 UTC	171	OUT	POST /v1/event-stat/?ProductID=IS&Type=BundleProposedOffersIsEmpty HTTP/1.1 Content-Type: application/json;charset=utf-8 Host: flow.lavasoft.com Content-Length: 230
2024-07-11 17:50:19 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-11 17:50:19 UTC	229	OUT	Data Raw: 22 44 61 74 61 22 3a 7b 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 42 75 6e 64 6c 65 52 65 73 70 6f 6e 73 65 44 61 74 61 22 3a 7b 22 6d 61 78 53 68 6f 77 6e 22 3a 32 2c 22 6d 61 78 41 63 63 65 70 74 65 64 22 3a 32 2c 22 63 6f 75 6e 74 72 79 32 22 3a 22 55 53 22 2c 22 4f 66 66 65 72 49 74 65 6d 73 22 3a 5b 5d 7d 2c 22 44 65 6c 74 61 4d 73 22 3a 32 33 36 31 7d 7d Data Ascii: "Data":{"InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","BundleId":"BA002","BundleResponseData":{"maxShown":2,"maxAccepted":2,"country2":"US","OfferItems":[]},"DeltaMs":2361}}
2024-07-11 17:50:19 UTC	479	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:19 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa29bfa315e6b-EWR
2024-07-11 17:50:19 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-11 17:50:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	57190	104.16.149.130	443	1804	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-11 17:50:20 UTC	153	OUT	POST /v1/event-stat/?ProductID=IS&Type=PageShown HTTP/1.1 Content-Type: application/json;charset=utf-8 Host: flow.lavasoft.com Content-Length: 188
2024-07-11 17:50:20 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-11 17:50:20 UTC	187	OUT	Data Raw: 22 44 61 74 61 22 3a 7b 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 50 61 67 65 4e 61 6d 65 22 3a 22 49 6e 73 74 61 6c 6c 69 6e 67 50 61 67 65 22 2c 22 53 65 71 4e 75 6d 62 65 72 22 3a 31 2c 22 44 65 6c 74 61 4d 73 22 3a 32 34 31 37 7d 7d Data Ascii: "Data":{"InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","BundleId":"BA002","PageName":"InstallingPage","SeqNumber":1,"DeltaMs":2417}}
2024-07-11 17:50:20 UTC	479	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:20 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa2a078a21851-EWR
2024-07-11 17:50:20 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-11 17:50:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	57192	104.16.149.130	443	1804	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-11 17:50:20 UTC	166	OUT	POST /v1/event-stat/?ProductID=IS&Type=BundleInstallComplete HTTP/1.1 Content-Type: application/json;charset=utf-8 Host: flow.lavasoft.com Content-Length: 1283
2024-07-11 17:50:20 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-11 17:50:20 UTC	1023	OUT	Data Raw: 22 44 61 74 61 22 3a 7b 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 42 75 6e 64 6c 65 56 65 72 73 69 6f 6e 22 3a 22 32 2e 30 2e 30 2e 35 33 35 22 2c 22 43 61 72 72 69 65 72 49 64 22 3a 6e 75 6c 6c 2c 22 43 61 72 72 69 65 72 4e 61 6d 65 22 3a 22 42 75 72 6e 41 77 61 72 65 22 2c 22 43 61 72 72 69 65 72 53 6f 66 74 77 61 72 65 4e 61 6d 65 22 3a 22 42 75 72 6e 41 77 61 72 65 20 46 72 65 65 22 2c 22 43 61 72 72 69 65 72 53 6f 66 74 77 61 72 65 Data Ascii: "Data":{"InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","BundleId":"BA002","BundleVersion":"2.0.0.535","CarrierId":null,"CarrierName":"BurnAware","CarrierSoftwareName":"BurnAware Free","CarrierSoftware
2024-07-11 17:50:20 UTC	1	OUT	Data Raw: 6f Data Ascii: o
2024-07-11 17:50:20 UTC	258	OUT	Data Raw: 77 73 5c 5c 73 79 73 74 65 6d 33 32 5c 5c 77 62 65 6d 5c 5c 57 4d 49 41 44 41 50 2e 45 58 45 22 2c 22 70 44 65 6c 74 61 22 3a 22 2b 22 7d 2c 7b 22 70 4e 61 6d 65 22 3a 22 73 76 63 68 6f 73 74 22 2c 22 70 44 65 73 63 22 3a 22 48 6f 73 74 20 50 72 6f 63 65 73 73 20 66 6f 72 20 57 69 6e 64 6f 77 73 20 53 65 72 76 69 63 65 73 22 2c 22 70 56 65 72 73 69 6f 6e 22 3a 22 31 30 2e 30 2e 31 39 30 34 31 2e 31 20 28 57 69 6e 42 75 69 6c 64 2e 31 36 30 31 30 31 2e 30 38 30 30 29 22 2c 22 70 43 6d 64 22 3a 22 43 3a 5c 5c 57 69 6e 64 6f 77 73 5c 5c 53 79 73 74 65 6d 33 32 5c 5c 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 22 70 44 65 6c 74 61 22 3a 22 2b 22 7d 5d 2c 22 43 61 72 72 69 65 72 4f 73 42 69 74 22 3a 22 41 6e 79 43 50 55 22 2c 22 44 65 6c 74 61 4d 73 22 3a 32 34 33 Data Ascii: ws\\system32\\wbem\\WMIADAP.EXE","pDelta":"+"},{"pName":"svchost","pDesc":"Host Process for Windows Services","pVersion":"10.0.19041.1 (WinBuild.160101.0800)","pCmd":"C:\\Windows\\System32\\svchost.exe","pDelta":"+"}],"CarrierOsBit":"AnyCPU","DeltaMs":243
2024-07-11 17:50:21 UTC	479	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:21 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa2a57dcb4363-EWR
2024-07-11 17:50:21 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-11 17:50:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	57193	104.16.149.130	443	1804	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-11 17:50:21 UTC	157	OUT	POST /v1/event-stat/?ProductID=IS&Type=ProfileDebug HTTP/1.1 Content-Type: application/json;charset=utf-8 Host: flow.lavasoft.com Content-Length: 2860
2024-07-11 17:50:21 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-11 17:50:21 UTC	1023	OUT	Data Raw: 22 44 61 74 61 22 3a 7b 22 49 6e 73 74 61 6c 6c 49 64 22 3a 22 64 61 30 62 36 62 64 30 2d 36 38 62 62 2d 34 35 66 36 2d 38 31 61 62 2d 66 65 35 61 61 30 36 36 39 35 63 61 22 2c 22 4d 61 63 68 69 6e 65 49 64 22 3a 22 33 64 34 30 35 64 62 65 2d 39 64 38 66 2d 34 39 61 35 2d 61 32 33 61 2d 64 61 35 33 62 66 31 38 38 38 30 36 22 2c 22 42 75 6e 64 6c 65 49 64 22 3a 22 42 41 30 30 32 22 2c 22 44 65 6c 74 61 4d 73 22 3a 32 34 34 33 2c 22 49 6e 73 74 61 6c 6c 65 64 41 70 70 44 61 74 61 22 3a 5b 7b 22 44 69 73 70 6c 61 79 4e 61 6d 65 22 3a 22 37 2d 5a 69 70 20 32 33 2e 30 31 20 28 78 36 34 29 22 2c 22 44 69 73 70 6c 61 79 56 65 72 73 69 6f 6e 22 3a 22 32 33 2e 30 31 22 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 22 3a 6e 75 6c 6c 2c 22 49 6e 73 74 61 6c 6c 4c 6f 63 61 Data Ascii: "Data":{"InstallId":"da0b6bd0-68bb-45f6-81ab-fe5aa06695ca","MachineId":"3d405dbe-9d8f-49a5-a23a-da53bf188806","BundleId":"BA002","DeltaMs":2443,"InstalledAppData":[{"DisplayName":"7-Zip 23.01 (x64)","DisplayVersion":"23.01","InstallDate":null,"InstallLoca
2024-07-11 17:50:21 UTC	1	OUT	Data Raw: 4c Data Ascii: L
2024-07-11 17:50:21 UTC	1835	OUT	Data Raw: 6f 63 61 74 69 6f 6e 22 3a 22 22 7d 2c 7b 22 44 69 73 70 6c 61 79 4e 61 6d 65 22 3a 22 4f 66 66 69 63 65 20 31 36 20 43 6c 69 63 6b 2d 74 6f 2d 52 75 6e 20 45 78 74 65 6e 73 69 62 69 6c 69 74 79 20 43 6f 6d 70 6f 6e 65 6e 74 20 36 34 2d 62 69 74 20 52 65 67 69 73 74 72 61 74 69 6f 6e 22 2c 22 44 69 73 70 6c 61 79 56 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 31 36 38 32 37 2e 32 30 30 35 36 22 2c 22 49 6e 73 74 61 6c 6c 44 61 74 65 22 3a 22 32 30 32 33 31 30 30 35 22 2c 22 49 6e 73 74 61 6c 6c 4c 6f 63 61 74 69 6f 6e 22 3a 22 22 7d 2c 7b 22 44 69 73 70 6c 61 79 4e 61 6d 65 22 3a 22 41 64 6f 62 65 20 41 63 72 6f 62 61 74 20 28 36 34 2d 62 69 74 29 22 2c 22 44 69 73 70 6c 61 79 56 65 72 73 69 6f 6e 22 3a 22 32 33 2e 30 30 36 2e 32 30 33 32 30 22 2c 22 49 6e Data Ascii: ocation":""},{"DisplayName":"Office 16 Click-to-Run Extensibility Component 64-bit Registration","DisplayVersion":"16.0.16827.20056","InstallDate":"20231005","InstallLocation":""},{"DisplayName":"Adobe Acrobat (64-bit)","DisplayVersion":"23.006.20320","In
2024-07-11 17:50:21 UTC	479	IN	HTTP/1.1 200 OK Date: Thu, 11 Jul 2024 17:50:21 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Access-Control-Allow-Origin Access-Control-Expose-Headers: Content-Length,Content-Range CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a1aa2aa2d377ced-EWR
2024-07-11 17:50:21 UTC	35	IN	Data Raw: 31 64 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 22 45 76 65 6e 74 20 70 65 72 73 69 73 74 65 64 22 7d 0d 0a Data Ascii: 1d{"message":"Event persisted"}
2024-07-11 17:50:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:49:41
Start date:	11/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe"
Imagebase:	0x400000
File size:	8'728'608 bytes
MD5 hash:	A6D83330743EDCFF48A85DFA1013FDAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:49:42
Start date:	11/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-DMLII.tmp\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.tmp" /SL5="$103DA,8156847,189952,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe"
Imagebase:	0x400000
File size:	1'255'424 bytes
MD5 hash:	B3937B0F947BBEB9F93859803C6FD14E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.3970419543.0000000006271000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000002.00000002.3970419543.000000000608D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:50:14
Start date:	11/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-3M0V5.tmp\BA002.exe"
Imagebase:	0x400000
File size:	894'336 bytes
MD5 hash:	9AA0F5A7FBC6F7A2E6FEAF78F8E6B7D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:50:15
Start date:	11/07/2024
Path:	C:\Users\user\AppData\Local\Temp\7zSC9543C70\installer.exe
Wow64 process (32bit):	true
Commandline:	.\installer.exe
Imagebase:	0xf80000
File size:	1'626'360 bytes
MD5 hash:	4D66DE397B5BF1F085AA7046A578A34C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:50:15
Start date:	11/07/2024
Path:	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\7zSC9543C70\GenericSetup.exe
Imagebase:	0x410000
File size:	46'840 bytes
MD5 hash:	1F4C6E7D827B980005B2C9C057018BD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	14

Executed Functions

Function 004148D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 004148FA

Part of subcall function 004157C8: HeapCreate.KERNELBASE(00000000,00001000,00000000,00414932,00000001), ref: 004157D9
Part of subcall function 004157C8: HeapDestroy.KERNEL32 ref: 00415818

GetCommandLineA.KERNEL32 ref: 0041495A
GetStartupInfoA.KERNEL32(?), ref: 00414985
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004149A8

Part of subcall function 00414A01: ExitProcess.KERNEL32 ref: 00414A1E

Strings

`&, xrefs: 00414974

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: `&
API String ID: 2057626494-1405188806
Opcode ID: d0b0bc6d91067fd433c2cc4b1856fc531dfd5f25a3beb9f48f66dbad23e013fe
Instruction ID: fb65514f2d73941f5fb5fe300876562abb5c146ee9b99336205dd39c2cb12ef3
Opcode Fuzzy Hash: d0b0bc6d91067fd433c2cc4b1856fc531dfd5f25a3beb9f48f66dbad23e013fe
Instruction Fuzzy Hash: BD219EB19407159FDB14EFB6DC46AEE7BB8EF44704F10412FF910AB291DB3C89818A58

Function 00405434 Relevance: 3.0, APIs: 2, Instructions: 44
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405414: FindClose.KERNELBASE(?,000000FF,00405445,000000FF), ref: 0040541F

FindFirstFileW.KERNELBASE(?,?,000000FF), ref: 00405497

Part of subcall function 00403B85: __EH_prolog.LIBCMT ref: 00403B8A

FindFirstFileA.KERNEL32(?,?,000000FF), ref: 00405467

Part of subcall function 0040551C: __EH_prolog.LIBCMT ref: 00405521

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Find$FileFirstH_prolog$Close
String ID:
API String ID: 3335342080-0
Opcode ID: 01ff4a9bc94c78cd279a0d863a54892268cf469c718bfc53d66ce16def007dff
Instruction ID: 44fa9ff84b7e7cb6f1e8d7f9ea47a8a098aa0700a3472251c04f15a334366322
Opcode Fuzzy Hash: 01ff4a9bc94c78cd279a0d863a54892268cf469c718bfc53d66ce16def007dff
Instruction Fuzzy Hash: 33014830401505ABCF20AF64DC456EE7779DF51329F20827AE855672D1D73C9A85CF98

Function 00401014 Relevance: 48.0, APIs: 8, Strings: 19, Instructions: 715
windowsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401A7B: GetVersionExA.KERNEL32(?), ref: 00401A95

GetCommandLineW.KERNEL32(00000003,00000003,00000003,00000003,?,00000000), ref: 0040108B

Part of subcall function 004038D7: __EH_prolog.LIBCMT ref: 004038DC

Part of subcall function 0040460B: __EH_prolog.LIBCMT ref: 00404610
Part of subcall function 0040460B: GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000000,00000000), ref: 00404649

Part of subcall function 0040237B: __EH_prolog.LIBCMT ref: 00402380

Part of subcall function 00402340: __EH_prolog.LIBCMT ref: 00402345

Part of subcall function 00403DE4: __EH_prolog.LIBCMT ref: 00403DE9

MessageBoxW.USER32(00000000,?,?,00000010), ref: 004015DE
ShellExecuteExA.SHELL32(0000003C,?,00000001,?,?,00000003,?,00000003,00420240,;!@InstallEnd@!,?,00000003,00000000,00000002,00420278,00000003), ref: 004016D5
MessageBoxW.USER32(00000000,?,?,00000024), ref: 004012FF

Part of subcall function 00410EC0: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 00410EC9

Part of subcall function 00402EFE: __EH_prolog.LIBCMT ref: 00402F03

CloseHandle.KERNEL32(?,?,00000000), ref: 004019A8
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 004019C7
CloseHandle.KERNEL32(?,?,00000000), ref: 004019CE

Strings

%%T\, xrefs: 00401803
Can not load codecs, xrefs: 00401529
ExecuteParameters, xrefs: 0040141A
Can't load config info, xrefs: 00401185
<, xrefs: 0040166A
Can not create temp folder archive, xrefs: 004014DD
;!@Install@!UTF-8!, xrefs: 00401172
Directory, xrefs: 004012A2
Title, xrefs: 0040120B
setup.exe, xrefs: 004017B9
RunProgram, xrefs: 0040139A
;!@InstallEnd@!, xrefs: 0040116D
D, xrefs: 00401886
ExecuteFile, xrefs: 004013DA
, xrefs: 004016DB
Can not find setup.exe, xrefs: 004017DB
Can not open file, xrefs: 004016ED
Config failed, xrefs: 004011F7
%%T, xrefs: 00401832

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog$Message$CloseHandle$CommandExecuteFileLineModuleNameObjectShellSingleVersionWait
String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe
API String ID: 785510900-2114487665
Opcode ID: 6d1d7d5e5e8f17c8e0c096f6da895b612a21696790b38e54e95bb8f8772b28f7
Instruction ID: f92d1a5b025e5f1856d93d01be2b226abe75c3e6546c85d9ed47549f0c040395
Opcode Fuzzy Hash: 6d1d7d5e5e8f17c8e0c096f6da895b612a21696790b38e54e95bb8f8772b28f7
Instruction Fuzzy Hash: 485228719002199ACF25EFA5DC82AEDBB75AF04308F1040BFE156721F2DA395B86CF58

Function 0040AB05 Relevance: 14.2, APIs: 9, Instructions: 682
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040AB0A

Part of subcall function 0040D5A3: __EH_prolog.LIBCMT ref: 0040D5A8

Part of subcall function 004130E0: InitializeCriticalSection.KERNEL32(?,?,?,00000000,00000000), ref: 0041310E

DeleteCriticalSection.KERNEL32(?), ref: 0040AD3E
DeleteCriticalSection.KERNEL32(?), ref: 0040AFCB
DeleteCriticalSection.KERNEL32(?), ref: 0040B036
DeleteCriticalSection.KERNEL32(?), ref: 0040B093
DeleteCriticalSection.KERNEL32(?), ref: 0040B1A2
DeleteCriticalSection.KERNEL32(?), ref: 0040B1FC
DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040B271
DeleteCriticalSection.KERNEL32(?), ref: 0040B303

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalSection$Delete$H_prolog$Initialize
String ID:
API String ID: 3452124646-0
Opcode ID: dea6bec7755b29b7e46bcd3bec54f2d253f19e881b251d9b3d1cd047beedd60e
Instruction ID: 4c9a54a47b38b58bbaef36bcc828af5c6ca02983ed7c574d3216c54edcd042c8
Opcode Fuzzy Hash: dea6bec7755b29b7e46bcd3bec54f2d253f19e881b251d9b3d1cd047beedd60e
Instruction Fuzzy Hash: FC627E7090024ADFDB14DFA5C944BDEBBB4FF14308F1080AEE805B7291DB789A49DB99

Function 004051B7 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 004051C5
GetTickCount.KERNEL32 ref: 004051D0
GetCurrentProcessId.KERNEL32(?,00000000,?,?,00405334,?,00000000,?,00000003,00000003,00000000,00000000,00000003,?,00000000), ref: 004051DB
GetTickCount.KERNEL32 ref: 00405240
SetLastError.KERNEL32(000000B7,00000000,?,00000000,?,?,00405334,?,00000000,?,00000003), ref: 00405273
GetLastError.KERNEL32(00000000,?,00000000,?,?,00405334,?,00000000,?,00000003), ref: 00405299

Part of subcall function 004049F4: CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00405334,?,00000000,?,00000003), ref: 00404A13

Strings

.tmp, xrefs: 00405257
d, xrefs: 004052AE

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThread
String ID: .tmp$d
API String ID: 3074393274-2797371523
Opcode ID: 2fda1539db0041318063c64b288010cc5c4c3aedaa5e381c7d8f696092406eab
Instruction ID: 4fab17955b769304b7d1cf71853489b42ead9ac2cf2e2055059d54e7646dac87
Opcode Fuzzy Hash: 2fda1539db0041318063c64b288010cc5c4c3aedaa5e381c7d8f696092406eab
Instruction Fuzzy Hash: CC31C1326506009BDB10ABA098897EF7760EFA5315F14807FE902BB2D2D77C9842CF99

Function 004083AB Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004083B0

Strings

Unknown error, xrefs: 00408671, 00408676
X3B, xrefs: 004086A4

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID: Unknown error$X3B
API String ID: 3519838083-1496835351
Opcode ID: 47f253f86f2cbe6f5ea7b7729e7e95f0c02779c145a6591478a86d185b5344b5
Instruction ID: 10ffca09dccd2053a4a89f972bfe6bbc607f2b880b0d523777cfa28ffc571443
Opcode Fuzzy Hash: 47f253f86f2cbe6f5ea7b7729e7e95f0c02779c145a6591478a86d185b5344b5
Instruction Fuzzy Hash: 89D16070900219EFCF05DFA4C984ADEBB74BF48304F14846EE846BB2D1DB78AA45CB95

Function 00405620 Relevance: 4.6, APIs: 3, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00405625

Part of subcall function 00405434: FindFirstFileA.KERNEL32(?,?,000000FF), ref: 00405467

GetLastError.KERNEL32(?,?,00000000,?,00000001), ref: 00405653

Part of subcall function 00405414: FindClose.KERNELBASE(?,000000FF,00405445,000000FF), ref: 0040541F

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Find$CloseErrorFileFirstH_prologLast
String ID:
API String ID: 364955512-0
Opcode ID: e39f0d4d85096f3cd882782c1d04852b930387ce9b142e76bb949cb0f7f9728b
Instruction ID: 04b13d9487752735ca5a27f2fc382c225ef0a6c39b2ce108fc8834fd1c85259b
Opcode Fuzzy Hash: e39f0d4d85096f3cd882782c1d04852b930387ce9b142e76bb949cb0f7f9728b
Instruction Fuzzy Hash: F0418E36900519AACF14FBA5D942AEFBB75EF14308F10403AE412772E1DB795E41DEA8

Function 00406F68 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00406F6D
EnterCriticalSection.KERNEL32(00000000,?,?,?,00406FF7,?,?,?,?,?), ref: 00406F7E
LeaveCriticalSection.KERNEL32(00000000,?,?,?,00406FF7,?,?,?,?,?), ref: 00406FB2

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: 07f6c1fd103800f188fec5f91ab3bb47b81eb91ba650842d040f77beb3819d41
Instruction ID: 97c3a8bfcec3db19a0bb52fb413a425f8ec3aea0187b5ae5e4fa4e2c7e55e4ea
Opcode Fuzzy Hash: 07f6c1fd103800f188fec5f91ab3bb47b81eb91ba650842d040f77beb3819d41
Instruction Fuzzy Hash: 4C013C76A00214EFCB118F94DC08B9ABBB9FF48755F11886AFD16E7250C7B4A910DFA4

Function 0040280E Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00402813

Part of subcall function 00402D81: EnterCriticalSection.KERNEL32(?,?,?,00409336), ref: 00402D86
Part of subcall function 00402D81: LeaveCriticalSection.KERNEL32(?,?,?,?,00409336), ref: 00402D90

Strings

.@, xrefs: 00402A17, 00402C0B, 00402C67

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID: .@
API String ID: 367238759-2582305824
Opcode ID: 6bd0cbd02e91da8db41c1a0c9b86144ada70f8f603afc7a71f60fbc1e8ac7ead
Instruction ID: fb4838387da9abac6519c3a0e173b295c4de01f89ec6b6ed0d4ee3fc8d60aaac
Opcode Fuzzy Hash: 6bd0cbd02e91da8db41c1a0c9b86144ada70f8f603afc7a71f60fbc1e8ac7ead
Instruction Fuzzy Hash: F3F1DF70900248DFCF14EFA5C985ADEBBB4AF54308F10807EE446B72E1DB785A85DB19

Function 004030FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00403101

Part of subcall function 00405620: __EH_prolog.LIBCMT ref: 00405625

Part of subcall function 00404A3E: __EH_prolog.LIBCMT ref: 00404A43

Part of subcall function 004092E6: __EH_prolog.LIBCMT ref: 004092EB

Strings

Default, xrefs: 00403213

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID: Default
API String ID: 3519838083-753088835
Opcode ID: 0fc91ddac6c1b16fe72a6cc7b41e2781a7216c9bd00a9ca8bd5645336c638fb0
Instruction ID: 203c82e13c85383a660d5cb73dbb10af46e9aa8c77eacbcc0267a4e11568a844
Opcode Fuzzy Hash: 0fc91ddac6c1b16fe72a6cc7b41e2781a7216c9bd00a9ca8bd5645336c638fb0
Instruction Fuzzy Hash: E4514E75900209EFDB14EFA5D8819EEBBB8FF18308F00456EE556772D1DB38AA06CB14

Function 00404A3E Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00404A43
GetLastError.KERNEL32(?,?,?,00000000), ref: 00404ACB

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ErrorH_prologLast
String ID:
API String ID: 1057991267-0
Opcode ID: cf2054507fd1ee53753d2eae408e5b803be4a538542d8802e2091fe77905cd97
Instruction ID: 397979b183d08822f23b565ee303c4952bc02ec102e27be1c48eee89bea9c2ad
Opcode Fuzzy Hash: cf2054507fd1ee53753d2eae408e5b803be4a538542d8802e2091fe77905cd97
Instruction Fuzzy Hash: 1E5105719441099ACF10EBA5C942AFEBB75AF91308F11017FE602731E1DB3DAE46CB99

Function 00408755 Relevance: 3.1, APIs: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040875A
GetLastError.KERNEL32(?,00000000,?,?,00000000,?,?,0040893F,?,?,00000000,004149B4,?,?,?,00000000), ref: 004087E8

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ErrorH_prologLast
String ID:
API String ID: 1057991267-0
Opcode ID: 3fff607fbbb18c810b60b5715c755df2af7f02dc56ee627f626541e13130f925
Instruction ID: 0128b321cd566d1ceb50e896689a501b942dab3b414a73cd3b5e456030195100
Opcode Fuzzy Hash: 3fff607fbbb18c810b60b5715c755df2af7f02dc56ee627f626541e13130f925
Instruction Fuzzy Hash: EE317C719012499FCB10DF95CE849AEBBB0FF44314B24817FE496B7292CB388D40DB69

Function 0041468E Relevance: 3.0, APIs: 2, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416CCC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00415318,00000001,00000074,?,?,00000000,00000001), ref: 00416DC2

CreateThread.KERNELBASE(00000000,00000003,004146F9,00000000,00000000,?), ref: 004146CF
GetLastError.KERNEL32(?,?,?,00413009,00000000,00000000,004032CA,?,00000000,00000000,?,00402FAB,?,00000000,?), ref: 004146D9

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AllocCreateErrorHeapLastThread
String ID:
API String ID: 3580101977-0
Opcode ID: 0374611688ca75c4551dea276e5d424cbadff3ac534dbe24837146ca9d20d13e
Instruction ID: 928dc59a5e1d7113ba94efa25a55b36d47ae035f635b84aed830f8a2a3c61c12
Opcode Fuzzy Hash: 0374611688ca75c4551dea276e5d424cbadff3ac534dbe24837146ca9d20d13e
Instruction Fuzzy Hash: D6F02D362006156BCB209F66EC019DB3BA5EF81375F10402EF958C2290DF3DC8914BAC

Function 00405892 Relevance: 3.0, APIs: 2, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405905: FindCloseChangeNotification.KERNELBASE(00000000,000000FF,004058A0,?,?,00000000), ref: 00405910

CreateFileW.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004058EF

Part of subcall function 00403B85: __EH_prolog.LIBCMT ref: 00403B8A

CreateFileA.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004058CB

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CreateFile$ChangeCloseFindH_prologNotification
String ID:
API String ID: 3273702577-0
Opcode ID: 34b674e9a04a5ff3e8c8923f5916708bcc46c4f31befc859c171c75614de22e6
Instruction ID: 7cb04d8d1853a58e30318ad4c29bda14cf4b58fee7e46fc4002fe1391b6e6e2b
Opcode Fuzzy Hash: 34b674e9a04a5ff3e8c8923f5916708bcc46c4f31befc859c171c75614de22e6
Instruction Fuzzy Hash: 4F01287240020AFFCF11AFA4DC45C9B7F6AEF08364B10853AF991661A1D73699A1EF94

Function 00404965 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000003,?,00000000), ref: 0040499C

Part of subcall function 00403B85: __EH_prolog.LIBCMT ref: 00403B8A

SetFileAttributesA.KERNEL32(?,00000000,?,00000003,?,00000000), ref: 00404985

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AttributesFile$H_prolog
String ID:
API String ID: 3790360811-0
Opcode ID: 5366c93646a32060bc4a1fe11ea500c12b8b92d1211a98e2b8e7846322785de3
Instruction ID: f078d443d6654451da1bdd33dee3a4941b810ca2709c1c0422ffd448cadfd8b3
Opcode Fuzzy Hash: 5366c93646a32060bc4a1fe11ea500c12b8b92d1211a98e2b8e7846322785de3
Instruction Fuzzy Hash: 12E0E5B19002106BCB302B749C08AD73F6CCB82314B108177E816B72D0DA388E06C6D9

Function 004049F4 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,00405334,?,00000000,?,00000003), ref: 00404A2C

Part of subcall function 00403B85: __EH_prolog.LIBCMT ref: 00403B8A

CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00405334,?,00000000,?,00000003), ref: 00404A13

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CreateDirectory$H_prolog
String ID:
API String ID: 2325068607-0
Opcode ID: a1e0d02f5bfc64bfc09281de4819c2c8931d1b3daee1640bd6a36795e0d5f738
Instruction ID: e8b418caba4fa0c83fd0f6cce2293bab18ef6c4fa53c548cc4c0ebfda5fe1645
Opcode Fuzzy Hash: a1e0d02f5bfc64bfc09281de4819c2c8931d1b3daee1640bd6a36795e0d5f738
Instruction Fuzzy Hash: 3CE0E570B002006BDB206B64AC05B977B68CB41709F104176E902F71D0DA78DE01DA9C

Function 004157C8 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00414932,00000001), ref: 004157D9

Part of subcall function 00415680: GetVersionExA.KERNEL32 ref: 0041569F

HeapDestroy.KERNEL32 ref: 00415818

Part of subcall function 00415825: HeapAlloc.KERNEL32(00000000,00000140,00415801,000003F8), ref: 00415832

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 0d18dfc85a1640e6673d81f03e6c6359104a03ea7de3319d0e450716895a192f
Instruction ID: ed3d0d0d9fb025b00032fbfed5580f0a7fafafb3549905f7ec75d8b7e0a93aa3
Opcode Fuzzy Hash: 0d18dfc85a1640e6673d81f03e6c6359104a03ea7de3319d0e450716895a192f
Instruction Fuzzy Hash: 6CF06530A54B01EEDF207B706C867EA2B90EB84795F60483BF401D81A0EB7884D1D659

Function 00405970 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040598B
GetLastError.KERNEL32(?,?,?,?), ref: 00405999

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4eb004f5f0e538f15da8fb4a4b1192dc0e26d9ca4b62000b247bbe798b79ae76
Instruction ID: b27308c8a3af6e3091502473baf333c9532b4c6e1f366657fcb3ad1a7c3590d9
Opcode Fuzzy Hash: 4eb004f5f0e538f15da8fb4a4b1192dc0e26d9ca4b62000b247bbe798b79ae76
Instruction Fuzzy Hash: 93F0B7B4500208EFDF04CF94D9458AE7BB5EF49364B208169F815E7390D7359E00DFA9

Function 00404F2C Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,?,00000000), ref: 00404F62

Part of subcall function 00403B85: __EH_prolog.LIBCMT ref: 00403B8A

SetCurrentDirectoryA.KERNEL32(00000000,00000000,?,00000000), ref: 00404F48

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CurrentDirectory$H_prolog
String ID:
API String ID: 3531555294-0
Opcode ID: 37bd0973ac103fd303293487a19168a5ccebfcf95a8c4f288a103cb7951a30b5
Instruction ID: 9edf083e53dd0555a3085cbe496080ff7240eda39e21aa363a26468641b3ea5b
Opcode Fuzzy Hash: 37bd0973ac103fd303293487a19168a5ccebfcf95a8c4f288a103cb7951a30b5
Instruction Fuzzy Hash: 75E02630B400093FDF112F78EC4A9AA3BB89B40309F10427AB403E20E1EF38CA48CA48

Function 0040B98F Relevance: 2.0, APIs: 1, Instructions: 515COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B994

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a11c13ecc7348690c9950298e9b4123e17515457bca919a0a6ec543c4fca9b97
Instruction ID: 4fbed39282daa38b1d3be95d0829f5567439209fdd6a1d56e89862dfcbe45c3a
Opcode Fuzzy Hash: a11c13ecc7348690c9950298e9b4123e17515457bca919a0a6ec543c4fca9b97
Instruction Fuzzy Hash: 05324B70904249DFDB10DFA8C584BDEBBB0AF58304F1441AEE845B7382DB78AE45CB99

Function 0040888F Relevance: 1.9, APIs: 1, Instructions: 374COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408894

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f8f61f009d3daf8c2db6a732b574bcd6eafb3dea196858b7c2c201f5376d76a6
Instruction ID: dff2ad87a4df39db6f8fa6ff6a697358cee08fb6a23258ae47e5232e80a59da3
Opcode Fuzzy Hash: f8f61f009d3daf8c2db6a732b574bcd6eafb3dea196858b7c2c201f5376d76a6
Instruction Fuzzy Hash: FFE16E70904249DFDF10DFA4C988AAEBBB4AF48314F2444AEE556F7391CB389E45CB25

Function 0040E7F4 Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E7F9

Part of subcall function 0040F836: __EH_prolog.LIBCMT ref: 0040F83B

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4ed558b650c164779cc9b57daec31bf164f2a891cd885c72c4fce8c115d9c0a5
Instruction ID: 639e188e3e769c4c76ba7ddc7be71c767d86a570cac8f7036ff280b2304c1e48
Opcode Fuzzy Hash: 4ed558b650c164779cc9b57daec31bf164f2a891cd885c72c4fce8c115d9c0a5
Instruction Fuzzy Hash: 5DC13670900259DFDB14DFA5C985BDEBBB4BF14308F1480AEE945B7282CB786A48CF65

Function 0040F449 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F44E

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9b629b237c488f6570121b27c448209f08593b0ec605445137fe85d2b2ac4caf
Instruction ID: 37dc011919f3b1358f9a833e213d0996983958fb9ee029613f358e4c9ba25a45
Opcode Fuzzy Hash: 9b629b237c488f6570121b27c448209f08593b0ec605445137fe85d2b2ac4caf
Instruction Fuzzy Hash: 3C815C70E00605ABCB24DFA5C881AEEFBB1BF48304F14453EE445B3791D739A949CB99

Function 00408D5E Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408D63

Part of subcall function 00408F0B: __EH_prolog.LIBCMT ref: 00408F10

Part of subcall function 00402635: __EH_prolog.LIBCMT ref: 0040263A

Part of subcall function 00403981: __EH_prolog.LIBCMT ref: 00403986

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8e4672a25e712ee03bfe81b83f3d326a41e79320acd863c419bbbc2d4c5d2bdd
Instruction ID: 2e5fef73c4a961ecd91826de13bda49669b7ee5ae1afd1ab178ba291f64b6413
Opcode Fuzzy Hash: 8e4672a25e712ee03bfe81b83f3d326a41e79320acd863c419bbbc2d4c5d2bdd
Instruction Fuzzy Hash: E5516D7190060AEFCF11DFA5C984A9EBBB4BF08314F10462EE556B72D1CB789A45CFA4

Function 0040DB62 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DB67

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6102bc3ab49ae424949eee4761875b821dd30f392df23a536a372274e60046df
Instruction ID: 67e57bbcfb5e62c28ba97e2c762051c7e2fb602a8ee489b014dcb5d1e96c76cd
Opcode Fuzzy Hash: 6102bc3ab49ae424949eee4761875b821dd30f392df23a536a372274e60046df
Instruction Fuzzy Hash: DA419EB1E042059BEB14DF99C985ABEB7B5FF48304F14453EE402B7381D7B8A945CBA8

Function 0040CD84 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CD89

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 305c79b04e93cb02db0d94eb430663c97d837b050eba01e1428f85ec3b32050d
Instruction ID: 716710645470f9cf712b82a1641bf3e3a23618a4fc30be00c3c641d866b01c52
Opcode Fuzzy Hash: 305c79b04e93cb02db0d94eb430663c97d837b050eba01e1428f85ec3b32050d
Instruction Fuzzy Hash: 3151C531804146DFCB15CB68C4D4AEE7771EF48348F14827BE8167B2D2D6399A06DBEA

Function 00401B11 Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401B16

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4a7b8dc75b00dab3078b6f2c0b685c16519ae0cc3006f02a661cb725d39e4b70
Instruction ID: dc66995ee082b2e59fd72de07b50a9d1ecefa8465c91578acc64d6d85ae5b981
Opcode Fuzzy Hash: 4a7b8dc75b00dab3078b6f2c0b685c16519ae0cc3006f02a661cb725d39e4b70
Instruction Fuzzy Hash: 7A51D071C042499FDF21DFA4C940BEEBBB4AF05394F14416AE851732E2E7789A41CB68

Function 00402EFE Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F03

Part of subcall function 0040335F: __EH_prolog.LIBCMT ref: 00403364

Part of subcall function 004034CC: __EH_prolog.LIBCMT ref: 004034D1

Part of subcall function 00403086: __EH_prolog.LIBCMT ref: 0040308B
Part of subcall function 00403086: ShowWindow.USER32(004149B4,00000001,000001F4,00000000,?,?,00000000,00000003,00000000,00000000), ref: 004030E4

Part of subcall function 00412FB0: CloseHandle.KERNEL32(00000000,00000000,0040301E,?,?,00000000,00000003,?,00000000,?,?,00000003,00000000,00000000), ref: 00412FBA
Part of subcall function 00412FB0: GetLastError.KERNEL32(?,00000003,00000000,00000000), ref: 00412FC4

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog$CloseErrorHandleLastShowWindow
String ID:
API String ID: 2740091781-0
Opcode ID: 435d4de2c910343181235d516f57e862e2f77dc60e703a2f4f1f759955e8b0df
Instruction ID: 576321bfec054c9ee934bf83a6d4a944d332aa9064831fab6676e01313dc7821
Opcode Fuzzy Hash: 435d4de2c910343181235d516f57e862e2f77dc60e703a2f4f1f759955e8b0df
Instruction Fuzzy Hash: FF419C71900248DBCB11EFA5C991AEDBBB4AF04304F1080BFE90AB72D2DA785B45CB59

Function 0040C557 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C55C

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 039900a8d840d8f65cf18cf377fd5bff5d9e595a8fad608146d0eb9be483e555
Instruction ID: 41554ca9dc53ee1e5d6d797d633c48513fe02739bc2a4d97afccdd4c6a3ff44e
Opcode Fuzzy Hash: 039900a8d840d8f65cf18cf377fd5bff5d9e595a8fad608146d0eb9be483e555
Instruction Fuzzy Hash: 89416C71A00645DFCB24CF68C48486ABBF1FF48314B244AAED096AB791C731ED46CF91

Function 0040CF82 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CF87

Part of subcall function 0040F6E0: __EH_prolog.LIBCMT ref: 0040F6E5

Part of subcall function 0040D0A6: __EH_prolog.LIBCMT ref: 0040D0AB

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 247e6e783af1532b670e604df5ee4666ee67329ca8b2db34e45a1f618534d241
Instruction ID: 59bb91874275df73172cd70bf395014d1b371f9bee4586dc4e729df687399cc5
Opcode Fuzzy Hash: 247e6e783af1532b670e604df5ee4666ee67329ca8b2db34e45a1f618534d241
Instruction Fuzzy Hash: 87319630D01248DFCB11DFA9C548BEDBBB5AF15308F14406EE8457B381C7789A49DB66

Function 004061BF Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004061C4

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5e892bd4f2dea64c0cb8d9120272725db7c3bac4477bec6e08c9f5bde4bc1f1
Instruction ID: a24cbab5944e5cd80d4d0b45cab95027a2511e7323fd1c0fe5e5f9bfcab47c11
Opcode Fuzzy Hash: e5e892bd4f2dea64c0cb8d9120272725db7c3bac4477bec6e08c9f5bde4bc1f1
Instruction Fuzzy Hash: 97218F71A05246DBCB24FFA5C44046FB7A1AB4130472285BFE053772C1C738AE61CB6A

Function 00413C73 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00413D5A

Part of subcall function 004154DA: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416D82,00000009,00000000,00000000,00000001,00415318,00000001,00000074,?,?,00000000,00000001), ref: 00415517
Part of subcall function 004154DA: EnterCriticalSection.KERNEL32(?,?,?,00416D82,00000009,00000000,00000000,00000001,00415318,00000001,00000074,?,?,00000000,00000001), ref: 00415532

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: cdeed90e400f99c9328ec8b59033d7a90e074e0a5ab5361bfbc3574a04fde8a1
Instruction ID: 026ee179866774db734838c78619ddc809868a86b22b68076f663e2312d1f49b
Opcode Fuzzy Hash: cdeed90e400f99c9328ec8b59033d7a90e074e0a5ab5361bfbc3574a04fde8a1
Instruction Fuzzy Hash: D4219772A00605EBDB10DF69EC42BDA7764FB00765F20411BF421EB6D0D77CAAC28A9C

Function 00413D6F Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00416D82,00000009,00000000,00000000,00000001,00415318,00000001,00000074), ref: 00413E43

Part of subcall function 004154DA: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416D82,00000009,00000000,00000000,00000001,00415318,00000001,00000074,?,?,00000000,00000001), ref: 00415517
Part of subcall function 004154DA: EnterCriticalSection.KERNEL32(?,?,?,00416D82,00000009,00000000,00000000,00000001,00415318,00000001,00000074,?,?,00000000,00000001), ref: 00415532

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 841176424f551508ca039d1f5d574a0052902f767b8dc575c65ddda1a9f22b4e
Instruction ID: 5a14261a50f2f4ae8fe925cd7ff68077a924e970bbdc1eb83d0c2eed9fb11c58
Opcode Fuzzy Hash: 841176424f551508ca039d1f5d574a0052902f767b8dc575c65ddda1a9f22b4e
Instruction Fuzzy Hash: 2421C272901705FADB10AF96DC02BDE7BB8EB04725F24012BF414B21C0D77C9AC08AA9

Function 004052CF Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004052D4

Part of subcall function 004050EE: __EH_prolog.LIBCMT ref: 004050F3
Part of subcall function 004050EE: GetTempPathA.KERNEL32(00000105,?,00000000,?,00000000), ref: 00405127

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog$PathTemp
String ID:
API String ID: 3652545363-0
Opcode ID: 1ef5fa40e20091595c8a07c7add8e04f0ea87ba7b14c6b9ab7bd2a47fc7370d7
Instruction ID: 884fa5787797a708672a5e156f09df22a5f972d3b51e26f7068c24b8b673b68a
Opcode Fuzzy Hash: 1ef5fa40e20091595c8a07c7add8e04f0ea87ba7b14c6b9ab7bd2a47fc7370d7
Instruction Fuzzy Hash: 5211A3759401059ACF00EFA5C552AEFBBB8EF95348F14402FE841732D1C7B90A49DE54

Function 00409DFC Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409E01

Part of subcall function 004099F1: __EH_prolog.LIBCMT ref: 004099F6

Part of subcall function 00409A39: __EH_prolog.LIBCMT ref: 00409A3E

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e2be988a2ed4eac1d18d94ffb3dcbee280352d40f72ce7d9b7b55f505c73744e
Instruction ID: 728224cdcdeea9a50de84ff331f734dd83e0a6071a74e90d77f9a4778d081c57
Opcode Fuzzy Hash: e2be988a2ed4eac1d18d94ffb3dcbee280352d40f72ce7d9b7b55f505c73744e
Instruction Fuzzy Hash: 931182B0A01254DADB09EBAAC1153DDFBF59FA1318F54415F9552732C2CBF82B0487A6

Function 00409070 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409075

Part of subcall function 00402635: __EH_prolog.LIBCMT ref: 0040263A

Part of subcall function 00405620: __EH_prolog.LIBCMT ref: 00405625

Part of subcall function 00413B0D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413B3B

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID:
API String ID: 2062786585-0
Opcode ID: 6c04af95d194b343c6e3b51da39000bbf436754ac2cefe3ed305026ad673936b
Instruction ID: c87fc69b1ce411278b5c4cd36917e57d7785db396d8ca4da128de4c157d2198f
Opcode Fuzzy Hash: 6c04af95d194b343c6e3b51da39000bbf436754ac2cefe3ed305026ad673936b
Instruction Fuzzy Hash: 1601D2B5A402049ECB10EF26C451ADEBBB1FF84314F10852FE896A32E1CB796649CB54

Function 004027A7 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004027AC

Part of subcall function 004049F4: CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00405334,?,00000000,?,00000003), ref: 00404A13

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CreateDirectoryH_prolog
String ID:
API String ID: 3554458247-0
Opcode ID: 1d6ed87279fcce4dfaa36ce39d8da3d177537eb6a1ece7d61f11b0fb4062048b
Instruction ID: aa96bd448e9fa33173a2259148c0e22656dcd3e9b7c7d25cba760d9f6e75f00f
Opcode Fuzzy Hash: 1d6ed87279fcce4dfaa36ce39d8da3d177537eb6a1ece7d61f11b0fb4062048b
Instruction Fuzzy Hash: 55F03C729005069BCB05EB5AC8429EEBBB5EF94308F10403FE152775E2DA786986DB94

Function 00406297 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040629C

Part of subcall function 004061BF: __EH_prolog.LIBCMT ref: 004061C4

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6c2e6a82ad44a3596cf000a5615c5b739901b0aaac1cec813de11ba17f646bcd
Instruction ID: d002f29cd99a7d9c36b9a014c837f136803fcb54798139eb5382dd41199f51d8
Opcode Fuzzy Hash: 6c2e6a82ad44a3596cf000a5615c5b739901b0aaac1cec813de11ba17f646bcd
Instruction Fuzzy Hash: 2BF03A72A00218EFDB15DF94CC01BEEB779FB48315F10816AB422E72D0C7798A10CB14

Function 0040C96C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C971

Part of subcall function 0040C9E3: __EH_prolog.LIBCMT ref: 0040C9E8

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 97d13476a1578dbbb8b7321e23e8bd518515a52fd3c7649a69e8943f484a5e8b
Instruction ID: 180fbe891bab88941c19a906eef3a01802dada044b7360aafa1ebd8752043cfb
Opcode Fuzzy Hash: 97d13476a1578dbbb8b7321e23e8bd518515a52fd3c7649a69e8943f484a5e8b
Instruction Fuzzy Hash: 66F0FCB0911640DEC719EB74D1153DDFBB4AF55308F50419E9956736C2CFB81708C765

Function 00405BFB Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00405C13

Part of subcall function 00413B0D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413B3B

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AllocExceptionRaiseString
String ID:
API String ID: 1415472724-0
Opcode ID: 585828f0663470c28d012fa7c31560623ec32af21cf032640c5ea50ac41654d0
Instruction ID: bf266c775eafc0cd132ea201270a7534faa964ceb55315cc87c56e89072e7831
Opcode Fuzzy Hash: 585828f0663470c28d012fa7c31560623ec32af21cf032640c5ea50ac41654d0
Instruction Fuzzy Hash: B7E06D32200708A7CB20AF65D84198B7BE8FF00385B10C43FF949DA240E779E9808BD8

Function 00405800 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405805

Part of subcall function 00405620: __EH_prolog.LIBCMT ref: 00405625

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d031f65d966fd76414b5e485b8cf5b0e5999cd66b44c505832369a9b765ef076
Instruction ID: a0f610f1b5e032532ed1cec3649959bf66a41b4e8af70f58d5593db508bcf515
Opcode Fuzzy Hash: d031f65d966fd76414b5e485b8cf5b0e5999cd66b44c505832369a9b765ef076
Instruction Fuzzy Hash: 46E04FB3D410049ACB05EB65E9527EDB378EF61319F50407FE412735D18B381F09CA58

Function 00405B29 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00405B4C

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f685ec6030a7cae57bc9182c2f64f11e19c4f82e6ad9756b6e5eb0af141a467c
Instruction ID: fda623b9c22c7fd134ddab0a411968f0e63156441233f4ee367e8c40c556ab77
Opcode Fuzzy Hash: f685ec6030a7cae57bc9182c2f64f11e19c4f82e6ad9756b6e5eb0af141a467c
Instruction Fuzzy Hash: 17E0E575640208FBCB11CFA5C801B8E7BF9EB08354F20C169F914AA260D739EA11DF54

Function 0040C931 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C936

Part of subcall function 0040C96C: __EH_prolog.LIBCMT ref: 0040C971

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2f93a48584fc243b76bceec8380402125645ced17a7c1bf7a60211c0ce45116c
Instruction ID: 8adf79bcf0a25fb823e60414124b99f072840e3085735b9c49c9779a3d641231
Opcode Fuzzy Hash: 2f93a48584fc243b76bceec8380402125645ced17a7c1bf7a60211c0ce45116c
Instruction Fuzzy Hash: 6EE01A71811620EBC724EF58C4456DEB7B4EF08725F00875EA4E6B36D1C7B8AE40CB94

Function 004147B4 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004147E9

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 6c939c18724e7789034020813005a1b29b75e21fb5f5d6c1b381c2503cc8d902
Instruction ID: 835638d51d7e690d80ddf8f11569568d1c7a5f433119f1d0283a2071334468ba
Opcode Fuzzy Hash: 6c939c18724e7789034020813005a1b29b75e21fb5f5d6c1b381c2503cc8d902
Instruction Fuzzy Hash: CDE08C32900925AADB223BA1DC06AEE3620AF81394F00002BF8146A5A0DBA88CD186D9

Function 0040F6E0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F6E5

Part of subcall function 0040F449: __EH_prolog.LIBCMT ref: 0040F44E

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0c00a6b9b995e6d122d0d1e5645fdc19a4d57d2469026a55dc4bfd6035115874
Instruction ID: 32d4a89d334c2aba7f1f5d27adfa0c04a02a885b7174eb98eed18e47b0b867f7
Opcode Fuzzy Hash: 0c00a6b9b995e6d122d0d1e5645fdc19a4d57d2469026a55dc4bfd6035115874
Instruction Fuzzy Hash: 1DD012B2515104FBD7109F45D842BDEBBB8EB51369F10813BF00171540D37D5644966A

Function 00405A1D Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(000000FF,00000000,?,?,00000000,000000FF,?,00405A68,00000000,?,00000000,?,00405A8E,00000000,?,00000000), ref: 00405A33

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7899785fd51540d5028ce756fcdedcbfaef9db2fe3ec3db1f53401f618f66a8a
Instruction ID: 33e006b7c7266c94de2827aaddd493f3c8d551b448fa911b85e4ce9a1db514e9
Opcode Fuzzy Hash: 7899785fd51540d5028ce756fcdedcbfaef9db2fe3ec3db1f53401f618f66a8a
Instruction Fuzzy Hash: A4E0EC75200208FBCB01CF91CC05FCE7BB9FB49754F208058E90596160C375AA14EB54

Function 004147BF Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004147E9

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 24773d02a99502e401f88b35345ffc50176b794b148236fecf9e645f2ac90187
Instruction ID: b4e95b568d212fcbc8e7df7edbfd3446e029e3f46d4ca6baaecf21535c38ed65
Opcode Fuzzy Hash: 24773d02a99502e401f88b35345ffc50176b794b148236fecf9e645f2ac90187
Instruction Fuzzy Hash: 2AD0A732600E25AAD6223771DC467EF2244AF81795B04012BF818895A0DFA8CDC145DD

Function 00405414 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,000000FF,00405445,000000FF), ref: 0040541F

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f0ce2bef5821c107b9489e8e4dd061de71a9af92eaf728c2451e2811c290832d
Instruction ID: ad963fc5273d8b9d86916b47fb17bcd605870b12c06d71a74b716dd917e87850
Opcode Fuzzy Hash: f0ce2bef5821c107b9489e8e4dd061de71a9af92eaf728c2451e2811c290832d
Instruction Fuzzy Hash: D4D0123151453157CA641E7C7848AD333D99A1637537157AAF4B4D32E0D3749CC34A98

Function 00405905 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,000000FF,004058A0,?,?,00000000), ref: 00405910

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9cbe10086181c6cf337a739c26a2519d1510d6718cc7d35307e3d92904545fb4
Instruction ID: c924a9121967eb2c43d42ee71539138ee39fbcc7c8c6d5ba34c486a20a6e0004
Opcode Fuzzy Hash: 9cbe10086181c6cf337a739c26a2519d1510d6718cc7d35307e3d92904545fb4
Instruction Fuzzy Hash: 93D0127151456197CE742E7C78445C337D8DA463303311B6BF4B0D32E0D3748D835A98

Function 00405AFC Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,00405B26,00000000,00000000,?,00402E13,?), ref: 00405B0A

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 2b6a10e293fa4a8bd52839064a41e39e160aca85d3804aec240939be71bd967c
Instruction ID: 4beff7ba357006865f39a04876becaa9faf69e640e246345c6c1d8862761ec95
Opcode Fuzzy Hash: 2b6a10e293fa4a8bd52839064a41e39e160aca85d3804aec240939be71bd967c
Instruction Fuzzy Hash: 29C04C36159106FF8F120F70CC04D1ABFA2EF99311F10C958B165C5070C7328024EB52

Function 00412FF0 Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 0041468E: CreateThread.KERNELBASE(00000000,00000003,004146F9,00000000,00000000,?), ref: 004146CF
Part of subcall function 0041468E: GetLastError.KERNEL32(?,?,?,00413009,00000000,00000000,004032CA,?,00000000,00000000,?,00402FAB,?,00000000,?), ref: 004146D9

GetLastError.KERNEL32(?,?,00000003,00000000,00000000), ref: 00413018

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ErrorLast$CreateThread
String ID:
API String ID: 665435222-0
Opcode ID: fdfffcc17890bcc66e85f81167f5a4f4e376ab203a2f001e3d39f9f51099ce04
Instruction ID: 8241f09584fde1b7b47d6c8a5a56a0c389c2bf5d01a37efb599b640c9bda9e89
Opcode Fuzzy Hash: fdfffcc17890bcc66e85f81167f5a4f4e376ab203a2f001e3d39f9f51099ce04
Instruction Fuzzy Hash: 4EE086B22042126AE310DF509C05FE76ADCDB94B05F00443EB944C6184EB64CA40C3A9

Function 00410F40 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00020000,00001000,00000004,004103C8), ref: 00410F51

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 91e70fcb83806e64083a323eb2e3944731c0f93bc5a264736d7e7e867113384b
Instruction ID: 07720a170ef6d50c918e2da5ca2fe5f7ddfb2e687cae5d42b3df39ad5892c3a5
Opcode Fuzzy Hash: 91e70fcb83806e64083a323eb2e3944731c0f93bc5a264736d7e7e867113384b
Instruction Fuzzy Hash: DDB012B039138075FF7843208C1FFE71200A340B87F0080A8BB05D81C4E7D064C0501C

Function 00410F60 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040664A,?,00406624), ref: 00410F6C

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1327e01bd96d07ee7a5a75ed87afd8ac78764046635013dfe708143c48cadece
Instruction ID: a132bef15ba7b425f1065e5a097c2bb543b957559febc4b94616fea76008790a
Opcode Fuzzy Hash: 1327e01bd96d07ee7a5a75ed87afd8ac78764046635013dfe708143c48cadece
Instruction Fuzzy Hash: 3BB0123424120031ED7807200C1AB5711005701701F10C1183102642C087D4B440450C

Non-executed Functions

Function 004180F0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041772A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041BD34,?,0041BD84,?,?,?,Runtime Error!Program: ), ref: 00418102
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041811A
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041812B
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00418138

Strings

MessageBoxA, xrefs: 00418114
GetActiveWindow, xrefs: 00418125
user32.dll, xrefs: 004180FD
GetLastActivePopup, xrefs: 0041812D

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 595171f737e70550edc5abd38f068ead7bf618b78638dd3ba3c6e0fb0d2712e4
Instruction ID: 415fa372477fd235fe75ca2ef0ffa9dc0df8c28a9075a0eab2fce08d3bc4b09a
Opcode Fuzzy Hash: 595171f737e70550edc5abd38f068ead7bf618b78638dd3ba3c6e0fb0d2712e4
Instruction Fuzzy Hash: F5012572700241BF87219FB5AD849DBBAE9EB49751354443FB504C2220DB7CC9C39B69

Function 0040E38E Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E393

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ef3f0dd97c369c2370b5d413364e2112772f158c67037ae1847bc74799d93c78
Instruction ID: 6f1b27b05ce828494dcdc0ca2a3df983f9883c238a6bb878f092976797e95433
Opcode Fuzzy Hash: ef3f0dd97c369c2370b5d413364e2112772f158c67037ae1847bc74799d93c78
Instruction Fuzzy Hash: 68A1EB70E002099BCB18DF96C8919AEB7B2FF94318F14883FE915A7391D738AD52CB55

Function 0041561A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000155D4), ref: 0041561F

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c73d5215fbd9f9fa44ce3c8db65af6300706d886bcb472667e49ab47f89b2735
Instruction ID: 5929198a1c1d143ebb6d47ac1dc9c369120d6613942f0ebcbf50c4dd8c3cbf29
Opcode Fuzzy Hash: c73d5215fbd9f9fa44ce3c8db65af6300706d886bcb472667e49ab47f89b2735
Instruction Fuzzy Hash: 57A001B5A41605DA8A209F60A8095C5BE62A689B42B608166A811E5268DFB812419A69

Function 0041562C Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00415631

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 80fdf592cfe35f6ca0a49e156fc06359dfcc477da488757324292bdf2a3d88f1
Instruction ID: 3aa75b883a8314cf8793ebdd48d7cbf343a2d53b1036c531b3b3a2656884bc9f
Opcode Fuzzy Hash: 80fdf592cfe35f6ca0a49e156fc06359dfcc477da488757324292bdf2a3d88f1
Instruction Fuzzy Hash:

Function 00412480 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction ID: f7c307c9948f0502eef9bcc932476d7ce99f20ff48e31f419bd1d6f291c9dace
Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction Fuzzy Hash: BD023A72A042114BC71DCE18C6902B9BBE2FBD5350F110A3FE496D7A84D7B8D8E5CB99

Function 00416076 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 6f6e9ae2f3605818a2c8e7767e34e4a9399a597c595f09bc79f2493b2d2310b3
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 3EB17C7590120ADFDB15CF04C5D0AE9BBA1FF58318F25C1AEC85A4B382C735EA86CB94

Function 004039C8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1b8b3e4e9aa519cc0883e8f2e9399227ae21cf5f78173f93e12a8e0ced7762
Instruction ID: 7f21fa5966f3e8744179bfb474c2758024c7c669c00a9d4920a80f5d7b425c19
Opcode Fuzzy Hash: 8b1b8b3e4e9aa519cc0883e8f2e9399227ae21cf5f78173f93e12a8e0ced7762
Instruction Fuzzy Hash: D621427E370D0607A71C8B6AAD336B921D1E38430A7C8A03DE64BC53C1EE6DD595C60D

Function 00418CC1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 99a347de7b16eca0cbeab8721e5afb4e5ad46217b84f2e64c48f172e38bf97ef
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 2B21C83290062547C702DE6DF4845A7F391FBD4369F134727ED8467291C629A854D6E0

Function 00418D9B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 71e75c779d64757812c6fa0593de5e91038406040dd0a6985e9d44633d38c26d
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: BC2137725105258BC701DF2DF4886B7B3E1FFD4319F638A3BD8818B1C1CA29D881D694

Function 004185ED Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0041BE00,00000001,00000000,00000000,7622E860,004256E4,?,?,?,0041848E,?,?,?,00000000), ref: 0041862F
LCMapStringA.KERNEL32(00000000,00000100,0041BDFC,00000001,00000000,00000000,?,?,0041848E,?,?,?,00000000,00000001), ref: 0041864B
LCMapStringA.KERNEL32(?,?,?,0041848E,?,?,7622E860,004256E4,?,?,?,0041848E,?,?,?,00000000), ref: 00418694
MultiByteToWideChar.KERNEL32(?,VB,?,0041848E,00000000,00000000,7622E860,004256E4,?,?,?,0041848E,?,?,?,00000000), ref: 004186CC
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0041848E,?,00000000,?,?,0041848E,?), ref: 00418724
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0041848E,?), ref: 0041873A
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0041848E,?), ref: 0041876D
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0041848E,?), ref: 004187D5

Strings

VB, xrefs: 004186BD, 004186C8

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: VB
API String ID: 352835431-2416070386
Opcode ID: 003663a998c404720e509784b904756e9dc21287fecc91c3ae78f0538cf30181
Instruction ID: 75fdc42d4ca3b2d5695a32d80f34dcfea13c9c9e1b2be43f5f9a41df7731755a
Opcode Fuzzy Hash: 003663a998c404720e509784b904756e9dc21287fecc91c3ae78f0538cf30181
Instruction Fuzzy Hash: A6515F31900609EFCF218F65CC45EEF7FB5FB48754F20412AF925A12A0D7398991DBA9

Function 004172DF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0041496A), ref: 004172FA
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0041496A), ref: 0041730E
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0041496A), ref: 0041733A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0041496A), ref: 00417372
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0041496A), ref: 00417394
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0041496A), ref: 004173AD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0041496A), ref: 004173C0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004173FE

Strings

jIA, xrefs: 004173A8, 0041739A

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: jIA
API String ID: 1823725401-2590053038
Opcode ID: dcd9eacb03994a91aa73d6441958e3731b9086dbddb026e1bfa459d91ea586b1
Instruction ID: 8edd1d2af646b02ed721f394ba4169bf36ee68eca66066dd640126c456dfff16
Opcode Fuzzy Hash: dcd9eacb03994a91aa73d6441958e3731b9086dbddb026e1bfa459d91ea586b1
Instruction Fuzzy Hash: 7631D47250C219AFD7317F689C888FB7ABCE649354715053BFD66C3201E6288CC1E2AD

Function 00417606 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00417673
GetStdHandle.KERNEL32(000000F4,0041BD34,00000000,00000000,00000000,?), ref: 00417749
WriteFile.KERNEL32(00000000), ref: 00417750

Strings

Runtime Error!Program: , xrefs: 004176D9
x*B, xrefs: 00417614
<program name unknown>, xrefs: 00417683
..., xrefs: 004176C5
Microsoft Visual C++ Runtime Library, xrefs: 0041771F

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $x*B
API String ID: 3784150691-2083536112
Opcode ID: 9f3ee68eedca8c04870b7c4ba6519361572a149120d3a6d5458ca0bba870cf42
Instruction ID: d3223577c50248063a34d8f4d7298abe086d5d3d0ee639c6b3bd3f24b9ad2996
Opcode Fuzzy Hash: 9f3ee68eedca8c04870b7c4ba6519361572a149120d3a6d5458ca0bba870cf42
Instruction Fuzzy Hash: 5931D2726002186FDF20DA60DD46FDA377DEF89304F5005ABF544D6181EB78AAC48B5D

Function 0041883C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0041BE00,00000001,?,7622E860,004256E4,?,?,0041848E,?,?,?,00000000,00000001), ref: 0041887B
GetStringTypeA.KERNEL32(00000000,00000001,0041BDFC,00000001,?,?,0041848E,?,?,?,00000000,00000001), ref: 00418895
GetStringTypeA.KERNEL32(?,?,?,?,0041848E,7622E860,004256E4,?,?,0041848E,?,?,?,00000000,00000001), ref: 004188C9
MultiByteToWideChar.KERNEL32(?,VB,?,?,00000000,00000000,7622E860,004256E4,?,?,0041848E,?,?,?,00000000,00000001), ref: 00418901
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0041848E,?), ref: 00418957
GetStringTypeW.KERNEL32(?,?,00000000,0041848E,?,?,?,?,?,?,0041848E,?), ref: 00418969

Strings

VB, xrefs: 004188F2, 004188FD

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: VB
API String ID: 3852931651-2416070386
Opcode ID: f366ae1a1c4feb3856e7e49d67d86268e533ee02966d98845c911f14f75699a6
Instruction ID: 0deb4df31157d4fbbd2276260d368b45192e758527c12e7bc8b96f729eb23429
Opcode Fuzzy Hash: f366ae1a1c4feb3856e7e49d67d86268e533ee02966d98845c911f14f75699a6
Instruction Fuzzy Hash: 85418FB2A00209BFCF209F94DC86EEF7F79EB08754F10452AF915D2250C7389991DB99

Function 00417411 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0041746F
GetFileType.KERNEL32(?,?,00000000), ref: 0041751A
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0041757D
GetFileType.KERNEL32(00000000,?,00000000), ref: 0041758B
SetHandleCount.KERNEL32 ref: 004175C2

Strings

$YB, xrefs: 004174A9

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID: $YB
API String ID: 1710529072-867103119
Opcode ID: 0f20f78b1d243ceb825b791af9b59c2038ed572102f9f62c4ccf998fd163e942
Instruction ID: 9157860cf2e7af3a35f89051d0ae9de0bf945cd889ae2d4a6076f2c4651d7c80
Opcode Fuzzy Hash: 0f20f78b1d243ceb825b791af9b59c2038ed572102f9f62c4ccf998fd163e942
Instruction Fuzzy Hash: B75135716086019FC720CF28D8897B63BB1EB05338F64466EC566CB6E0DB38C986C75D

Function 00415680 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0041569F
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004156D4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415734

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004156CF
__GLOBAL_HEAP_SELECTED, xrefs: 0041570E

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 352f7edc9f3896d13c070371f2d33d0b51665e116eb32c5a0d287e401f1eefe3
Instruction ID: 6eb182bd46f731c3af8b1d07a07b8df2d0194a1b299ff80343aa6f034c3c884c
Opcode Fuzzy Hash: 352f7edc9f3896d13c070371f2d33d0b51665e116eb32c5a0d287e401f1eefe3
Instruction Fuzzy Hash: 56312671945648EDEB3186706C87BDF3B788B46704F6400DBD199D52C2E6398ECA8B2D

Function 00404908 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36filetimeCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000078,.@,00000000,00402AB0,00000000,?,?,?,?), ref: 00404918
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,.@,00000000,00402AB0,00000000,?,?,?,?), ref: 00404934
SetFileTime.KERNEL32(00000000,00000000,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000,?,.@,00000000,00402AB0,00000000), ref: 0040494B
CloseHandle.KERNEL32(00000000,?,40000000,00000003,00000000,00000003,02000000,00000000,?,.@,00000000,00402AB0,00000000,?,?,?), ref: 00404957

Strings

.@, xrefs: 00404911

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: .@
API String ID: 2291555494-2582305824
Opcode ID: 134b82ee1bee937397c61f831c6e8a998fcbb54d8f51f8998ece3d2421389dbd
Instruction ID: b13e78268552c33248838deebc4f257ca571263cc4fefdaa9dfe176c52576776
Opcode Fuzzy Hash: 134b82ee1bee937397c61f831c6e8a998fcbb54d8f51f8998ece3d2421389dbd
Instruction Fuzzy Hash: 66F0E2B12812107BE2201B74BC48F9B6E5CDBCA715F108135B661A21E0C3284D19D7B8

Function 00403A90 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

CharUpperW.USER32(00000000,00000000,?,00000000,00000000,?,00403B58), ref: 00403AAB
GetLastError.KERNEL32(?,00000000,00000000,?,00403B58), ref: 00403AB7
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,00000000,00000000,?,00403B58), ref: 00403AD2
CharUpperA.USER32(?,?,00000000,00000000,?,00403B58), ref: 00403AEB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,00000000,00000000,?,00403B58), ref: 00403AFE

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Char$ByteMultiUpperWide$ErrorLast
String ID:
API String ID: 3939315453-0
Opcode ID: 7c2300f256f82e2aee6372cd28c35fbf20af8ddddc15953858da8d33bcd8cfd2
Instruction ID: dd72d820dddc2be4d64e736f5eaa813d5c8cd4bb6d440344005d5656a272e87c
Opcode Fuzzy Hash: 7c2300f256f82e2aee6372cd28c35fbf20af8ddddc15953858da8d33bcd8cfd2
Instruction Fuzzy Hash: D60144B64002187ADB10ABE49C89DEBBE7CEB04259F014472F952E2281E2796E4487A8

Function 004152F3 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,00416CBF,0041798E,00000000,?,?,00000000,00000001), ref: 004152F5
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00415303
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041534F

Part of subcall function 00416CCC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00415318,00000001,00000074,?,?,00000000,00000001), ref: 00416DC2

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00415327
GetCurrentThreadId.KERNEL32 ref: 00415338

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 9020ed6c5573c52789434ca8060b3935b73b18465b1892a80f2ba475462c6b54
Instruction ID: c348f308811c55cc6791f5f2c72cac7d5a6c02788d8c3db17f30136ca92006f7
Opcode Fuzzy Hash: 9020ed6c5573c52789434ca8060b3935b73b18465b1892a80f2ba475462c6b54
Instruction Fuzzy Hash: B4F09632600615ABC6312B70AC096DB3A51EB857E1B15413AF951972A0DB78888197DD

Function 0041843D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004256E4), ref: 00418463
InterlockedDecrement.KERNEL32(004256E4), ref: 00418478

Strings

VB, xrefs: 0041845C

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID: VB
API String ID: 2172605799-2416070386
Opcode ID: 3f0e7dfc381ab69d5717ddb5ba06b4fa70db5411652d110c580bb33579a080f3
Instruction ID: b2465ecea32c92352f716010131fb348419f683e9d2febfe3e70f5b1b578e6df
Opcode Fuzzy Hash: 3f0e7dfc381ab69d5717ddb5ba06b4fa70db5411652d110c580bb33579a080f3
Instruction Fuzzy Hash: 35F0C232201612EBD720AF56ECC19CF6755EB81326F50843FF00989190DF7899C2995E

Function 0041435F Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56ffb8a6685455f091880630799685eddd8ac587d3428563be9e88dd716d36c
Instruction ID: 1ac5c9ddcf095474d6e2a383ff06e8771fc838f6ee07df02b13506851481717d
Opcode Fuzzy Hash: d56ffb8a6685455f091880630799685eddd8ac587d3428563be9e88dd716d36c
Instruction Fuzzy Hash: C891F671D01618ABCF21AB69CC41ADE7BB9EB857A4F240127F814B6290D73D8DC18A6C

Function 0041636C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00420838,00420838,?,?,00416838,00000000,00000010,00000000,00000009,00000009,?,00413D1F,00000010,00000000), ref: 0041638D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00416838,00000000,00000010,00000000,00000009,00000009,?,00413D1F,00000010,00000000), ref: 004163B1
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00416838,00000000,00000010,00000000,00000009,00000009,?,00413D1F,00000010,00000000), ref: 004163CB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00416838,00000000,00000010,00000000,00000009,00000009,?,00413D1F,00000010,00000000,?), ref: 0041648C
HeapFree.KERNEL32(00000000,00000000,?,?,00416838,00000000,00000010,00000000,00000009,00000009,?,00413D1F,00000010,00000000,?,00000000), ref: 004164A3

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 61edb7c5b2a57b73fa0373c8b0061bfd64d3e4def081ef99dbe098b98f3bc666
Instruction ID: 1d273cd761051d77879f543994291e2c1f364a84a1ace75b4c6a1ba38ea4645d
Opcode Fuzzy Hash: 61edb7c5b2a57b73fa0373c8b0061bfd64d3e4def081ef99dbe098b98f3bc666
Instruction Fuzzy Hash: 1D310370640711EFD3309F24DC85BA6B7E4EB84764F12823AE56997791E778E881CB8C

Function 00409504 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409509

Part of subcall function 0040935A: EnterCriticalSection.KERNEL32(?,?,?,00409680), ref: 0040935F
Part of subcall function 0040935A: LeaveCriticalSection.KERNEL32(?,?,?,00409680), ref: 00409369

EnterCriticalSection.KERNEL32(?), ref: 00409536
LeaveCriticalSection.KERNEL32(?), ref: 00409552
__aulldiv.LIBCMT ref: 004095A1

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalSection$EnterLeave$H_prolog__aulldiv
String ID:
API String ID: 3848147900-0
Opcode ID: a35648faa5521048dc7a706a0a4db6dfa1122edae8f5ec55bff1d899094cecd3
Instruction ID: 81a485ad15cb22f282f6c018201ee4179c2b1d1cd2674c5f201a60282c37c453
Opcode Fuzzy Hash: a35648faa5521048dc7a706a0a4db6dfa1122edae8f5ec55bff1d899094cecd3
Instruction Fuzzy Hash: C6315076A00215AFCB11EF65C8819EFBBB5FF88704F00442AE51673692D779AD41CB64

Function 004047A8 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004047AD
FormatMessageA.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 004047D1
FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 00404814
LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,?,00000000), ref: 0040482F

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: FormatMessage$FreeH_prologLocal
String ID:
API String ID: 3392428314-0
Opcode ID: d8114c00c851820dfd69355ab4a5a7d10c3f97c7ff5c1a94d174072509a20bce
Instruction ID: b23ee79e455563f0a2b187c1bc8aea4849c6785c5b1f5abfa42b55bee9ed31b8
Opcode Fuzzy Hash: d8114c00c851820dfd69355ab4a5a7d10c3f97c7ff5c1a94d174072509a20bce
Instruction Fuzzy Hash: 451170B5A00159AFDF01BFA59C419FFBB7DEF44349F00847AE112721E2DB391A01DA68

Function 00409374 Relevance: 6.0, APIs: 4, Instructions: 37windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00413030: SetEvent.KERNEL32(00000000,0040756D), ref: 00413033

GetDlgItem.USER32(?,000003E8), ref: 00409397
LoadIconA.USER32(00000000), ref: 004093B1
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004093C2
SetTimer.USER32(?,00000003,00000064,00000000), ref: 004093D1

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: EventIconItemLoadMessageSendTimer
String ID:
API String ID: 2758541657-0
Opcode ID: 426d8240eb7a06a459b3f470407d996c0274358d2b71b1374ad8138c79f04d47
Instruction ID: 34d2fc59b34559bed7d893ef409eb69d6d7528a9cba69d030baf66432b50efa3
Opcode Fuzzy Hash: 426d8240eb7a06a459b3f470407d996c0274358d2b71b1374ad8138c79f04d47
Instruction Fuzzy Hash: 4D015A30100B00AFD3319F21DD5AB66BBA1FB04721F008A2DF5A7959F0CB75B942CB48

Function 0040D5A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D5A8

Strings

, xrefs: 0040D75F
, xrefs: 0040D787

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: H_prolog
String ID: $
API String ID: 3519838083-227171996
Opcode ID: 74feb26567ea79c8fd9d5f3f589634721b0a9a4a518abdc39c0b6b7ccedab932
Instruction ID: 116f94ee193b6a60a58d4aec76a07daa8eefdeb27c95ac76265691768f75313a
Opcode Fuzzy Hash: 74feb26567ea79c8fd9d5f3f589634721b0a9a4a518abdc39c0b6b7ccedab932
Instruction Fuzzy Hash: CB712431D0020A9FCB24DF99D981AAEB7B1FF48314F20467ED416B7691D734AA8ACF54

Function 00417E5D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00417E71

Strings

, xrefs: 00417EBA
, xrefs: 00417E96

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: be8999de8ad5c30073bbd0379d60ad0f54c653f5d04d814f41e486670cb2e0db
Instruction ID: 669041dcfce0968cbe3c51124f50cac4b21f3f9a56807733dc4743f672ff05a2
Opcode Fuzzy Hash: be8999de8ad5c30073bbd0379d60ad0f54c653f5d04d814f41e486670cb2e0db
Instruction Fuzzy Hash: 65417C312482585AEB219714CC49FFB7FF9DB02714F5404E6D149C7153C2794AC6C7BA

Function 00415ECA Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00415C92,00000000,00000000,00000000,00413CC1,00000000,00000000,?,00000000,00000000,00000000), ref: 00415EF2
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00415C92,00000000,00000000,00000000,00413CC1,00000000,00000000,?,00000000,00000000,00000000), ref: 00415F26
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00415F40
HeapFree.KERNEL32(00000000,?), ref: 00415F57

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 712f9e2f9eec85a92a3a672498402ffd9fd7e765c5a6c8233a1a124cbc29739c
Instruction ID: 8f6381cf99308f7e34b2c2e49534b1224184cafd179dea44f4322364d011a6a4
Opcode Fuzzy Hash: 712f9e2f9eec85a92a3a672498402ffd9fd7e765c5a6c8233a1a124cbc29739c
Instruction Fuzzy Hash: A6114C31300A01EFC7308F59EC86DA6BBB5FB85760791462AF156D69B0D3719887CF58

Function 004154B1 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00415292,?,00414944), ref: 004154BE
InitializeCriticalSection.KERNEL32(?,00415292,?,00414944), ref: 004154C6
InitializeCriticalSection.KERNEL32(?,00415292,?,00414944), ref: 004154CE
InitializeCriticalSection.KERNEL32(?,00415292,?,00414944), ref: 004154D6

Memory Dump Source

Source File: 00000004.00000002.3965332390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3965288173.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965398692.000000000041B000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965509440.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965584644.0000000000422000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965653003.0000000000423000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3965720405.0000000000427000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BA002.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: ec7037d00a0fc94f488d53f3a91d2e26ae03bdd42e29aafad6c46e686e3ec5a2
Instruction ID: a8e831e61b8b61633fe4a4176da74b0e9d16ee726bcd83620c475df078586321
Opcode Fuzzy Hash: ec7037d00a0fc94f488d53f3a91d2e26ae03bdd42e29aafad6c46e686e3ec5a2
Instruction Fuzzy Hash: 0AC00231A11138ABCF312B55FC048463FA6EB852A03518072A1045203186612C12EFD8

Analysis Process: installer.exePID: 3352, Parent PID: 1436COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	96

Executed Functions

Function 00FCFE30 Relevance: 113.8, APIs: 5, Strings: 59, Instructions: 1813COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FD0272
___from_strstr_to_strchr.LIBCMT ref: 00FD027F
_strstr.LIBCMT ref: 00FD03E6
_strstr.LIBCMT ref: 00FD0514

Strings

POST, xrefs: 00FCFF83
Failed sending HTTP request, xrefs: 00FD0D3C
Content-Range: bytes %s%I64d/%I64d, xrefs: 00FD08C5
Accept: */*, xrefs: 00FD05F9
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00FD0AB6
Chunky upload is not supported by HTTP 1.0, xrefs: 00FD0190
Content-Length:, xrefs: 00FD0DD1, 00FD0F18, 00FD1111
Referer: %s, xrefs: 00FD0043
Content-Range:, xrefs: 00FD0835
Proxy-Connection: Keep-Alive, xrefs: 00FD09B2
1.1, xrefs: 00FD0912
Accept:, xrefs: 00FD05E7
ftp://%s:%s@%s, xrefs: 00FD0960
Host: %s%s%s:%hu, xrefs: 00FD0394
Referer:, xrefs: 00FD002B
Could not get Content-Type header line!, xrefs: 00FD0F76
Range: bytes=%s, xrefs: 00FD0814
Proxy-Connection:, xrefs: 00FD09A4
GET, xrefs: 00FCFF91
Accept-Encoding: %s, xrefs: 00FD00D4
Failed sending POST request, xrefs: 00FD0FE9, 00FD106C
%s%s, xrefs: 00FD0C78
%s, xrefs: 00FD02DA
Failed sending HTTP POST request, xrefs: 00FD141F
Content-Range: bytes %s/%I64d, xrefs: 00FD08E6
;type=%c, xrefs: 00FD0582
HEAD, xrefs: 00FCFF6D
Transfer-Encoding: chunked, xrefs: 00FD01C2
Content-Length: %I64d, xrefs: 00FD0DE7, 00FD0F33, 00FD1127
Could not seek stream, xrefs: 00FD069B
Content-Range: bytes 0-%I64d/%I64d, xrefs: 00FD0884
%s%s=%s, xrefs: 00FD0C00
Range:, xrefs: 00FD07F0
Content-Length: 0, xrefs: 00FD103E
/, xrefs: 00FD0568
ftp://, xrefs: 00FD04E9
Failed sending PUT request, xrefs: 00FD0E5D
Host: %s%s%s, xrefs: 00FD0362
chunked, xrefs: 00FD012C
Cookie: , xrefs: 00FD0BD0, 00FD0C4C
0, xrefs: 00FD12C1, 00FD1395
%x, xrefs: 00FD1261
Content-Type:, xrefs: 00FD05C0, 00FD1152
100-continue, xrefs: 00FD118E
upload completely sent off: %I64d out of %I64d bytes, xrefs: 00FD14C1
Host:, xrefs: 00FD01DE, 00FD02A8
User-Agent:, xrefs: 00FCFF99
Could only read %I64d bytes from the input, xrefs: 00FD07B5
Cookie:, xrefs: 00FD0083
;type=, xrefs: 00FD050E
Internal HTTP POST error!, xrefs: 00FD0EC5
File already completely uploaded, xrefs: 00FD078F
1.0, xrefs: 00FD090B
Content-Type: application/x-www-form-urlencoded, xrefs: 00FD1164
PUT, xrefs: 00FCFF8A
Accept-Encoding:, xrefs: 00FD009E
Transfer-Encoding:, xrefs: 00FD011A, 00FD0131
%s , xrefs: 00FD0932
Expect:, xrefs: 00FD117C, 00FD1193

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr_strstr
String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%x$/$0$1.0$1.1$100-continue$;type=$;type=%c$Accept-Encoding:$Accept-Encoding: %s$Accept:$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length:$Content-Length: %I64d$Content-Length: 0$Content-Range:$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type:$Content-Type: application/x-www-form-urlencoded$Cookie:$Cookie: $Could not get Content-Type header line!$Could not seek stream$Could only read %I64d bytes from the input$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host:$Host: %s%s%s$Host: %s%s%s:%hu$Internal HTTP POST error!$POST$PUT$Proxy-Connection:$Proxy-Connection: Keep-Alive$Range:$Range: bytes=%s$Referer:$Referer: %s$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent:$chunked$ftp://$ftp://%s:%s@%s$upload completely sent off: %I64d out of %I64d bytes
API String ID: 223351431-3874905768
Opcode ID: c6e2e364933ca2559600ee4855ad8559a678c109aa0e88005a617a23eadae6b8
Instruction ID: 9a63d2e8017b36befa4ae83a1e1850ede262eea553ceb712a0b7620f8dc641e5
Opcode Fuzzy Hash: c6e2e364933ca2559600ee4855ad8559a678c109aa0e88005a617a23eadae6b8
Instruction Fuzzy Hash: 19E20771E00205ABDF14DB64DC85BEEB7B6FF04314F1C416AE849AB342DB35A950EBA1

Function 00FBE920 Relevance: 105.3, APIs: 8, Strings: 52, Instructions: 319
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C), ref: 00FBE978
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00FBE990
GetProcAddress.KERNEL32(00000000), ref: 00FBE997
GetNativeSystemInfo.KERNELBASE(?), ref: 00FBE9A8
GetSystemInfo.KERNEL32(?), ref: 00FBE9B3

Strings

Standard Edition (core installation), xrefs: 00FBEB65
Home Basic Edition, xrefs: 00FBEB0B
Windows Storage Server 2003, xrefs: 00FBEBB1
Windows XP Professional x64 Edition, xrefs: 00FBEBD9
GetNativeSystemInfo, xrefs: 00FBE986
Compute Cluster Edition, xrefs: 00FBEC67
Windows Server 2016 , xrefs: 00FBEA17
Datacenter Edition (core installation), xrefs: 00FBEB33
Windows Server 2008 R2 , xrefs: 00FBEA63
Professional, xrefs: 00FBECCA, 00FBECEA
Web Server Edition, xrefs: 00FBEB6F
Starter Edition, xrefs: 00FBEB1F
Windows Server 2012 R2 , xrefs: 00FBEA9F
Datacenter Edition, xrefs: 00FBEC75
Windows 10 , xrefs: 00FBEA0D
kernel32.dll, xrefs: 00FBE98B, 00FBEAAE
, 64-bit, xrefs: 00FBED8D
Microsoft , xrefs: 00FBE9D8
Enterprise Edition (core installation), xrefs: 00FBEB3D
Enterprise Edition for Itanium-based Systems, xrefs: 00FBEC22
Windows Home Server, xrefs: 00FBEBBF
Windows Vista , xrefs: 00FBEA3F
(build %d), xrefs: 00FBED59
Windows XP , xrefs: 00FBECA9
Small Business Server Premium Edition, xrefs: 00FBEB51
Windows 8 , xrefs: 00FBEA7A
Small Business Server, xrefs: 00FBEB47
GetProductInfo, xrefs: 00FBEAA9
Enterprise x64 Edition, xrefs: 00FBEC4C
Windows Server 2003 R2, , xrefs: 00FBEB9D
Datacenter x64 Edition, xrefs: 00FBEC3C
Windows 8.1 , xrefs: 00FBEA98
Web Edition, xrefs: 00FBEC96
Home Edition, xrefs: 00FBECC3
Windows Server 2012 , xrefs: 00FBEA81
Business Edition, xrefs: 00FBEB15
Home Premium Edition, xrefs: 00FBEB01
Windows Server 2008 , xrefs: 00FBEA46
Standard Edition, xrefs: 00FBEB5B, 00FBEC9D
Standard x64 Edition, xrefs: 00FBEC56
Datacenter Edition for Itanium-based Systems, xrefs: 00FBEC10
Enterprise Edition, xrefs: 00FBEC83
Windows 2000 , xrefs: 00FBECD5
Datacenter Server, xrefs: 00FBECFB
Windows 7 , xrefs: 00FBEA5C
, 32-bit, xrefs: 00FBEDAF
This sample does not support this version of Windows., xrefs: 00FBEDCC
Server, xrefs: 00FBED0D
Ultimate Edition, xrefs: 00FBEAF7
Windows Server 2003, , xrefs: 00FBEBE0
Advanced Server, xrefs: 00FBED06
Cluster Server Edition, xrefs: 00FBEB29

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProcVersion
String ID: (build %d)$, 32-bit$, 64-bit$Advanced Server$Business Edition$Cluster Server Edition$Compute Cluster Edition$Datacenter Edition$Datacenter Edition (core installation)$Datacenter Edition for Itanium-based Systems$Datacenter Server$Datacenter x64 Edition$Enterprise Edition$Enterprise Edition (core installation)$Enterprise Edition for Itanium-based Systems$Enterprise x64 Edition$GetNativeSystemInfo$GetProductInfo$Home Basic Edition$Home Edition$Home Premium Edition$Microsoft $Professional$Server$Small Business Server$Small Business Server Premium Edition$Standard Edition$Standard Edition (core installation)$Standard x64 Edition$Starter Edition$This sample does not support this version of Windows.$Ultimate Edition$Web Edition$Web Server Edition$Windows 10 $Windows 2000 $Windows 7 $Windows 8 $Windows 8.1 $Windows Home Server$Windows Server 2003 R2, $Windows Server 2003, $Windows Server 2008 $Windows Server 2008 R2 $Windows Server 2012 $Windows Server 2012 R2 $Windows Server 2016 $Windows Storage Server 2003$Windows Vista $Windows XP $Windows XP Professional x64 Edition$kernel32.dll
API String ID: 374719553-4026996278
Opcode ID: 4f6da6c796b00481cfdf45a05e30b4ae3808d19aa3cc4c3c15cba1922739d5b8
Instruction ID: 8e3e05d68b829d7f24c693787b97dd9de56f0896192a375297e8b1461e19659c
Opcode Fuzzy Hash: 4f6da6c796b00481cfdf45a05e30b4ae3808d19aa3cc4c3c15cba1922739d5b8
Instruction Fuzzy Hash: 58B1B131B44317A6DF209713CD46FED762AAB05F14F20458EF886AA141CAF94E85BF53

Function 00FA9D50 Relevance: 84.3, APIs: 9, Strings: 38, Instructions: 2018synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00FA9DD3
GetLastError.KERNEL32 ref: 00FA9DE6

Strings

GenericSetupInstaller_, xrefs: 00FA9DA3
Message, xrefs: 00FAB7A4, 00FABC48
4.5.2, xrefs: 00FAB433
]: , xrefs: 00FAA10F, 00FAA331, 00FAA8FC, 00FAAE0C, 00FAB23E, 00FAB6CC, 00FAB9C8, 00FABBA8
}, xrefs: 00FABC8B
BundleConfig.xml, xrefs: 00FAAC2D
., xrefs: 00FAA621
EventServiceUrl, xrefs: 00FAA6A3
event service url=, xrefs: 00FAA908
<xmlattr>.BundleId, xrefs: 00FAB116
InstallId, xrefs: 00FAAA24
generic setup path=, xrefs: 00FAB9D4
4.0 Client, xrefs: 00FAB36B
., xrefs: 00FAA537
4.6.1, xrefs: 00FAB497
GenericSetup.exe, xrefs: 00FAB89E
4.5, xrefs: 00FAB3CF
configuration.appSettings, xrefs: 00FAA505
BundleId=, xrefs: 00FAB24A
<xmlattr>.value, xrefs: 00FAA6E8, 00FAAA5C
bundle config file path=, xrefs: 00FAAE18
wWinMain, xrefs: 00FAA0DE, 00FAA300, 00FAA8CB, 00FAADDB, 00FAB20E, 00FAB69C, 00FAB998, 00FABB78
<xmlattr>.key, xrefs: 00FAA5E9
., xrefs: 00FAB062
BundleBypass, xrefs: 00FAB7DA
generic setup config file path=, xrefs: 00FAA33D
4.6, xrefs: 00FAB465
installer, xrefs: 00FAA0BA, 00FAA2DC, 00FAA8A7, 00FAADB7, 00FAB1EA, 00FAB678, 00FAB974, 00FABB54
BA002, xrefs: 00FAB13A, 00FAB256
4.0 Full, xrefs: 00FAB39D
4.5.1, xrefs: 00FAB401
4.6.2, xrefs: 00FAB4C9
install id=, xrefs: 00FAA11B
StubError, xrefs: 00FABC75
3.5, xrefs: 00FAB339
run installer complete. exit code=, xrefs: 00FABBB4
BundleConfig, xrefs: 00FAB030
carrier path=, xrefs: 00FAB6D8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: .$.$.$3.5$4.0 Client$4.0 Full$4.5$4.5.1$4.5.2$4.6$4.6.1$4.6.2$<xmlattr>.BundleId$<xmlattr>.key$<xmlattr>.value$BA002$BundleBypass$BundleConfig$BundleConfig.xml$BundleId=$EventServiceUrl$GenericSetup.exe$GenericSetupInstaller_$InstallId$Message$StubError$]: $bundle config file path=$carrier path=$configuration.appSettings$event service url=$generic setup config file path=$generic setup path=$install id=$installer$run installer complete. exit code=$wWinMain$}
API String ID: 1925916568-2272459019
Opcode ID: c2a35d668fe3888732704dce28897a4502471b3223de8b328496533d3c3de1c8
Instruction ID: 33908d58e187a4e98f2bb11d0a8fae352f052382e026b7f45c7aa26efcb1f567
Opcode Fuzzy Hash: c2a35d668fe3888732704dce28897a4502471b3223de8b328496533d3c3de1c8
Instruction Fuzzy Hash: 0603A070D00258DAEF25EBA4CC45BEDBBB4AF15304F104199E4496B282DF786F89EF91

Function 00F87E70 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 282
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Strong Cryptographic Provider,00000001,F0000000,?,00000000,05CEC6CE,00000000,00000000), ref: 00F87EE4
___std_exception_copy.LIBVCRUNTIME ref: 00F87F78
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,00000000), ref: 00F87FD0
___std_exception_copy.LIBVCRUNTIME ref: 00F88064
CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 00F880D6
___std_exception_copy.LIBVCRUNTIME ref: 00F8816A
CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000010,00000000,?,00000000), ref: 00F8823B

Strings

couldn't acquire crypt context, xrefs: 00F87F20
couldn't crypt hash data, xrefs: 00F88112
class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __cdecl Generator::Md5Hash(const class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > &), xrefs: 00F87FAC, 00F88098, 00F8819E, 00F882A9
Microsoft Strong Cryptographic Provider, xrefs: 00F87ED9
src\generator.cpp, xrefs: 00F87FA7, 00F88093, 00F88199, 00F882A4
couldn't create hash, xrefs: 00F8800C
couldn't crypt get hash param, xrefs: 00F88273

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$Hash___std_exception_copy$AcquireContextCreateDataParam
String ID: Microsoft Strong Cryptographic Provider$class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __cdecl Generator::Md5Hash(const class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > &)$couldn't acquire crypt context$couldn't create hash$couldn't crypt get hash param$couldn't crypt hash data$src\generator.cpp
API String ID: 2846258822-2439808906
Opcode ID: 9165e7233c04b206c4e3681a2351a84bc1eead75c6bdfc7502bd0d11d7a4c1cd
Instruction ID: d8b7f07d9d2b387e9173c394cabde369e9036aadde43bc8b096d7c7292e7ddb5
Opcode Fuzzy Hash: 9165e7233c04b206c4e3681a2351a84bc1eead75c6bdfc7502bd0d11d7a4c1cd
Instruction Fuzzy Hash: 6EC1AB70D003189BDB21EB60DC86BDEB7B8AF14704F504199F585B7281EBB56B88CFA1

Function 01091B5D Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 01091BDF
_free.LIBCMT ref: 01091C03
_free.LIBCMT ref: 01091D8A
GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,010C3258), ref: 01091D9C
WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 01091E14
WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 01091E41
_free.LIBCMT ref: 01091F56

Strings

Eastern Summer Time, xrefs: 01091E3A
Eastern Standard Time, xrefs: 01091E0D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 314583886-239921721
Opcode ID: 999733936e3ff879c86a0b41eac96f4dc4e53918b022bdb362a7b1c09aae6b49
Instruction ID: 1bbe4db921480bb605c303acb8e9be58336797455313bd04fecbf079a0dbc547
Opcode Fuzzy Hash: 999733936e3ff879c86a0b41eac96f4dc4e53918b022bdb362a7b1c09aae6b49
Instruction Fuzzy Hash: 25C12571B0424BABDF21AF7C8860BEEBBF9EF41230F1441DAE5C597285E7318A019B50

Function 00F872E0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 348comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(010BB8B4,00000000,00000001,010BB7E4,00000000,05CEC6CE,?,?), ref: 00F8735E
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?), ref: 00F8746B

Strings

WHERE , xrefs: 00F874CF
ROOT\CIMV2, xrefs: 00F873C0
SELECT * FROM , xrefs: 00F8748F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: BlanketCreateInstanceProxy
String ID: WHERE $ROOT\CIMV2$SELECT * FROM
API String ID: 1899829610-2498882015
Opcode ID: 77afc2d2999f59c118aa822852f4eb77fa72eae9bd2f387dd89457e3499fff84
Instruction ID: a035852696a3717d6f06c0e81010546bcedafeb79729d3d6c870bb8e13e2ce27
Opcode Fuzzy Hash: 77afc2d2999f59c118aa822852f4eb77fa72eae9bd2f387dd89457e3499fff84
Instruction Fuzzy Hash: AFE14D70E04308DFDB24EFA4CC55BEEB7B4AF04704F244499E405AB281DB79AA45DF61

Function 00FCC880 Relevance: 7.8, APIs: 5, Instructions: 296networkCOMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 00FCCB11
WSAGetLastError.WS2_32 ref: 00FCCB20
__WSAFDIsSet.WS2_32(?,?), ref: 00FCCBF5
__WSAFDIsSet.WS2_32(?,?), ref: 00FCCC0C
__WSAFDIsSet.WS2_32(?,?), ref: 00FCCC23

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 70435f240adeec93b4ac2cc6d4b79810453218875fbd55e994e8d423d3e57de5
Instruction ID: bf1c1b02b7914983f41e8eed3aef1621699fe9bab9fe18bcecf7f9c4229ccdce
Opcode Fuzzy Hash: 70435f240adeec93b4ac2cc6d4b79810453218875fbd55e994e8d423d3e57de5
Instruction Fuzzy Hash: E9B1A271E0021A8BCF25CF28D996BA9B7B9EF88320F1445EDD85DD7241DB349E809F80

Function 00FCD610 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 00FCD651
WSAGetLastError.WS2_32 ref: 00FCD668

Strings

Recv failure: %s, xrefs: 00FCD68E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastrecv
String ID: Recv failure: %s
API String ID: 2514157807-4276829032
Opcode ID: bdfd0051b292ca3f5587ee40a1c86741a5ae238bd1e79f1f6ff18e0d7fd6bcd3
Instruction ID: 0e6cad323de86f24ea1efda5373a5e12f5a2b1588eb0f31be3c2c52a6fdb3a98
Opcode Fuzzy Hash: bdfd0051b292ca3f5587ee40a1c86741a5ae238bd1e79f1f6ff18e0d7fd6bcd3
Instruction Fuzzy Hash: 9F114276601209AFDB109F59EC81FDA7BACFF48365F20402AF94C87341D7759950DBA0

Function 00F97720 Relevance: 4.6, APIs: 3, Instructions: 129timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(0109F433,05CEC6CE,00000000,?,00000000), ref: 00F97755
__aulldiv.LIBCMT ref: 00F97772
__aulldiv.LIBCMT ref: 00F97782

Part of subcall function 00F95220: ___std_exception_copy.LIBVCRUNTIME ref: 00F9527E

Part of subcall function 00F99E40: __CxxThrowException@8.LIBVCRUNTIME ref: 00F99E8E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Time__aulldiv$Exception@8FileSystemThrow___std_exception_copy
String ID:
API String ID: 1498349571-0
Opcode ID: 9a84132a871f4fca37e79f6844d64c9468ab9ab3ec5509bcad2d6dff1eb93901
Instruction ID: b10f21fcc230276c91addb2d7aa24720da600581866c55c63366642e8207fc80
Opcode Fuzzy Hash: 9a84132a871f4fca37e79f6844d64c9468ab9ab3ec5509bcad2d6dff1eb93901
Instruction Fuzzy Hash: 73417F71904209ABEF15EFA4CC42BEEB7B9EF08700F50452AF406E7281DB79A904DB65

Function 00F83EA0 Relevance: 2.6, APIs: 2, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000008), ref: 00F83F76
HeapFree.KERNEL32(00000000), ref: 00F83F7D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 75beda3bbcac00c8683bdf93e6ec93beacef0dde6fb67b27eda7ba4c8184e6fd
Instruction ID: b88cf52636fd2fd579e3cb0c6cc1fec9bfe9026a0ef76a612809f82af97f4b21
Opcode Fuzzy Hash: 75beda3bbcac00c8683bdf93e6ec93beacef0dde6fb67b27eda7ba4c8184e6fd
Instruction Fuzzy Hash: A5314BB0E04209DBDB14EF94C555BEEBBB4FF44B14F10461EE456A7280DBB96B08CBA1

Function 00FA8360 Relevance: 39.5, APIs: 3, Strings: 19, Instructions: 1039
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F93880: new.LIBCMT ref: 00F93896

new.LIBCMT ref: 00FA8673
new.LIBCMT ref: 00FA8686

Strings

data=, xrefs: 00FA8950
Content-Type: application/json, xrefs: 00FA860D
https://flow.lavasoft.com, xrefs: 00FA8A71
]: , xrefs: 00FA84AF, 00FA8944, 00FA8BF2, 00FA8DEF, 00FA8F81, 00FA920F
H, xrefs: 00FA8770
. disable stub events=, xrefs: 00FA84D4
Accept: application/json, xrefs: 00FA8601
Data, xrefs: 00FA86AF
charsets: utf-8, xrefs: 00FA8618
curl easy init failed, xrefs: 00FA921B
url=, xrefs: 00FA8BFE
send event succeeded, xrefs: 00FA8DFB
/v1/event-stat?ProductID=IS&Type=, xrefs: 00FA8AA0
installer, xrefs: 00FA845A, 00FA88EF, 00FA8B9D, 00FA8D9A, 00FA8F2C, 00FA91BA
., xrefs: 00FA86E1
send event failed. curl returned error=, xrefs: 00FA8F8D
SendEvent, xrefs: 00FA847E, 00FA8913, 00FA8BC1, 00FA8DBE, 00FA8F50, 00FA91DE
9, xrefs: 00FA92E0
send event. event name=, xrefs: 00FA84BB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: .$. disable stub events=$/v1/event-stat?ProductID=IS&Type=$9$Accept: application/json$Content-Type: application/json$Data$H$SendEvent$]: $charsets: utf-8$curl easy init failed$data=$https://flow.lavasoft.com$installer$send event failed. curl returned error=$send event succeeded$send event. event name=$url=
API String ID: 0-1052238508
Opcode ID: 5e4a3022e502859118265e259e3425d33d054c852d63a74f8fe1ed006e62b5fc
Instruction ID: 30c41550a7762f8dbd93a81ed1762af589b86d32f7a029915fe70acd92820623
Opcode Fuzzy Hash: 5e4a3022e502859118265e259e3425d33d054c852d63a74f8fe1ed006e62b5fc
Instruction Fuzzy Hash: E592FF70E00219EBEF21EBA5CC05BDDBBB4AF05740F0441A8E8857B281DB786E45EF95

Function 00FC97C0 Relevance: 23.5, APIs: 1, Strings: 12, Instructions: 755COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FC9A2A

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

Strings

memory shortage, xrefs: 00FC9AB0
%s://%s, xrefs: 00FC99A6
Found connection %ld, with requests in the pipe (%zu), xrefs: 00FCA09F
NTLM picked AND auth done set, clear picked!, xrefs: 00FCA21E
We can reuse, but we want a new connection anyway, xrefs: 00FCA0C9
No connections available., xrefs: 00FCA2C7
No more connections allowed to host: %d, xrefs: 00FCA2B9
Re-using existing connection! (#%ld) with %s %s, xrefs: 00FCA170
NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00FCA24F
host, xrefs: 00FCA15E
No connections available in cache, xrefs: 00FCA2EE
proxy, xrefs: 00FCA164, 00FCA16C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr___swprintf_l
String ID: %s://%s$Found connection %ld, with requests in the pipe (%zu)$NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host: %d$Re-using existing connection! (#%ld) with %s %s$We can reuse, but we want a new connection anyway$host$memory shortage$proxy
API String ID: 1035537661-616786730
Opcode ID: 3fbb6c367512f22ad5f8e9f2fe683638aa852e90e5d39e171f63048eb685a1bf
Instruction ID: 49162680897f09bb08899320b46d90235795744c32a5fff9916d7cc8af1c1b90
Opcode Fuzzy Hash: 3fbb6c367512f22ad5f8e9f2fe683638aa852e90e5d39e171f63048eb685a1bf
Instruction Fuzzy Hash: 34620570A04747AFDB25CF74C98AFDABBE4BF05308F04012CE85997242D7B96914EB92

Function 00FA7460 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 367
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F93880: new.LIBCMT ref: 00F93896

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00FA7721
GetLastError.KERNEL32 ref: 00FA772F

Strings

run installer without uac. path=, xrefs: 00FA75AD
couldn't create process. error=, xrefs: 00FA7840
installer, xrefs: 00FA754C, 00FA77DF
D, xrefs: 00FA76AC
RunInstallerWithoutUAC, xrefs: 00FA7570, 00FA7803
]: , xrefs: 00FA75A1, 00FA7834
. cmd=, xrefs: 00FA75C3

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: . cmd=$D$RunInstallerWithoutUAC$]: $couldn't create process. error=$installer$run installer without uac. path=
API String ID: 2919029540-2793288024
Opcode ID: 0bb8083a7064e3c14468cdcd2b3ceeea8dad32eb2ae8521a04d963dfb6d8f91f
Instruction ID: 929c780f299ea315bb942b754060fe56e61021365d9403a2c06aa43f8b8603a9
Opcode Fuzzy Hash: 0bb8083a7064e3c14468cdcd2b3ceeea8dad32eb2ae8521a04d963dfb6d8f91f
Instruction Fuzzy Hash: 6FE1DDB1E002199BEF20EB65CC05BAEB7B5BF45710F1441ADE849BB381DB386E40DB95

Function 00F95E10 Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(05CEC6CE), ref: 00F95E67

Part of subcall function 00FBF7F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,05CEC6CE), ref: 00FBF852
Part of subcall function 00FBF7F0: GetLastError.KERNEL32(00000003,00000001,?,?,?,?,05CEC6CE), ref: 00FBF88B
Part of subcall function 00FBF7F0: ___std_exception_copy.LIBVCRUNTIME ref: 00FBF8F7

Strings

.txt, xrefs: 00F95EEA
%Y.%m.%d_%H.%M.%S.%f_, xrefs: 00F95EAB
ProcessID, xrefs: 00F9618D
LineID, xrefs: 00F961C9
ThreadID, xrefs: 00F96168
en_US.UTF-8, xrefs: 00F960E4
UpTime, xrefs: 00F9619C
_pid=, xrefs: 00F95EBF
$, xrefs: 00F964F4
TimeStamp, xrefs: 00F961A9
Severity, xrefs: 00F961B9

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CurrentErrorFileLastModuleNameProcess___std_exception_copy
String ID: $$%Y.%m.%d_%H.%M.%S.%f_$.txt$LineID$ProcessID$Severity$ThreadID$TimeStamp$UpTime$_pid=$en_US.UTF-8
API String ID: 1340941257-1227853842
Opcode ID: 939f0ab24b77c6627bbb4073177348eeac0a25c62784b02636f12e5b48158601
Instruction ID: 2f391363ed9c2080544fd8442c7583c9fb6c2bb9d1d711235ae704739f3c3f11
Opcode Fuzzy Hash: 939f0ab24b77c6627bbb4073177348eeac0a25c62784b02636f12e5b48158601
Instruction Fuzzy Hash: 6312F174D152AC8ADB21DBA4CC84BCEBBB4AF29304F1081DAD44DA3251EB745B88DF56

Function 0108DD76 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0108DA2C: CreateFileW.KERNELBASE(00000000,00000000,?,0108DE1F,?,?,00000000,?,0108DE1F,00000000,0000000C), ref: 0108DA49

GetLastError.KERNEL32 ref: 0108DE8A
__dosmaperr.LIBCMT ref: 0108DE91
GetFileType.KERNELBASE(00000000), ref: 0108DE9D
GetLastError.KERNEL32 ref: 0108DEA7
__dosmaperr.LIBCMT ref: 0108DEB0
CloseHandle.KERNEL32(00000000), ref: 0108DED0
CloseHandle.KERNEL32(00008109), ref: 0108E01A
GetLastError.KERNEL32 ref: 0108E04C
__dosmaperr.LIBCMT ref: 0108E053

Strings

H, xrefs: 0108DFD8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: e0e79ca0bf3b1c52b2b960dcc91343813578896f80b44812ff56c2aa5fede732
Instruction ID: 3ea1f2c33757d8e0b68e9ddab577c40027b81e806268336a9b9fe8f4d810111b
Opcode Fuzzy Hash: e0e79ca0bf3b1c52b2b960dcc91343813578896f80b44812ff56c2aa5fede732
Instruction Fuzzy Hash: 49A12432A181459FDF29BFBCD8517AE7BE0AB06324F14029DF8D19B2D2DB359812CB51

Function 00FCE4A0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 164
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32(?,?,?), ref: 00FCE4FE
WSAGetLastError.WS2_32(?,?,?,?,?,?,00000000), ref: 00FCE508

Part of subcall function 00FD9850: GetLastError.KERNEL32(00000010,00000000,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9856
Part of subcall function 00FD9850: _strncpy.LIBCMT ref: 00FD988A
Part of subcall function 00FD9850: _strrchr.LIBCMT ref: 00FD98DF
Part of subcall function 00FD9850: _strrchr.LIBCMT ref: 00FD98FA
Part of subcall function 00FD9850: GetLastError.KERNEL32(?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9912
Part of subcall function 00FD9850: SetLastError.KERNEL32(00000000,?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?), ref: 00FD991D

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

getsockname.WS2_32(?,?,00000080), ref: 00FCE567
WSAGetLastError.WS2_32(?,?,?), ref: 00FCE571

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00FCE651
getpeername() failed with errno %d: %s, xrefs: 00FCE519
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00FCE5D3
getsockname() failed with errno %d: %s, xrefs: 00FCE582

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$_strrchr$___swprintf_l_strncpygetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 978289777-670633250
Opcode ID: 8d6f3c42b82bbedf7e1ab8d73982e722540c89403a5e70eb659aa8f5dc61858b
Instruction ID: dc9e1059c0fab8bbbdec6d0df824ecf604cb0eccc5c3746c56fc2a9cc1914fd6
Opcode Fuzzy Hash: 8d6f3c42b82bbedf7e1ab8d73982e722540c89403a5e70eb659aa8f5dc61858b
Instruction Fuzzy Hash: 5351E572A0010AABDB20EB659D46FEAB7BCEF55320F40019AFD8D93101EB396954D7A0

Function 00F83FA0 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,05CEC6CE), ref: 00F83FDF

Part of subcall function 00F87E70: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Strong Cryptographic Provider,00000001,F0000000,?,00000000,05CEC6CE,00000000,00000000), ref: 00F87EE4
Part of subcall function 00F87E70: ___std_exception_copy.LIBVCRUNTIME ref: 00F87F78
Part of subcall function 00F87E70: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,00000000), ref: 00F87FD0

Strings

BIOS >> , xrefs: 00F84088
WCID >> , xrefs: 00F84178
MAC >> , xrefs: 00F84145
VIDEO >> , xrefs: 00F84112
+, xrefs: 00F84730
DISK >> , xrefs: 00F840E4
BASE >> , xrefs: 00F840B6
WCID20, xrefs: 00F84191

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHashInitialize___std_exception_copy
String ID: BASE >> $BIOS >> $DISK >> $MAC >> $VIDEO >> $WCID >> $+$WCID20
API String ID: 1990730815-2905442241
Opcode ID: 540a2647d237a3f69599f348e6757f9000fc81c7ceb35930bf221045da2f0887
Instruction ID: d69325170f78c0b1eb038a0e377fa89ebf9d1870f0a2a75a8ec3355fe84b27a6
Opcode Fuzzy Hash: 540a2647d237a3f69599f348e6757f9000fc81c7ceb35930bf221045da2f0887
Instruction Fuzzy Hash: 00225671D002589AEB61EB64CC85BDEBBB4FF15308F1041D9E409E7251EB396E88DFA1

Function 00FCDD30 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L', xrefs: 00FCDE69
Connection failed, xrefs: 00FCDEEE
After %ldms connect time, move on!, xrefs: 00FCDE59
Failed to connect to %s port %ld: %s, xrefs: 00FCE0EA
connect to %s port %ld failed: %s, xrefs: 00FCDF4F
Connection time-out, xrefs: 00FCDDAE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: After %ldms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
API String ID: 0-47163629
Opcode ID: 9372bdaccc61c0c9567efc7d9d5bd81736b96ea1b2ce70f6ef5ceee5c30a1ffd
Instruction ID: 4b6d4c7e0d85154bbbe270e2ebe431edfa29f6cb4288ab708977a6725fa5f30e
Opcode Fuzzy Hash: 9372bdaccc61c0c9567efc7d9d5bd81736b96ea1b2ce70f6ef5ceee5c30a1ffd
Instruction Fuzzy Hash: 30C19E71E0020AAFDF14DFA4DD82FAD7BB5AF05314F14017DE809AB296EB35A841EB51

Function 00FA80B0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 203
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F93880: new.LIBCMT ref: 00F93896

MessageBoxW.USER32(00000002,Administrator rights required for this setup,00000002,00000002), ref: 00FA8334

Strings

Administrator rights required for this setup, xrefs: 00FA832E
installer, xrefs: 00FA818A
]: , xrefs: 00FA81DF
. uac=, xrefs: 00FA8216
RunInstaller, xrefs: 00FA81AE
run installer. path=, xrefs: 00FA81EB
. cmd=, xrefs: 00FA8200

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Message
String ID: . cmd=$. uac=$Administrator rights required for this setup$RunInstaller$]: $installer$run installer. path=
API String ID: 2030045667-2644114103
Opcode ID: ab25b13ab5bdddd6025f1d72377a51963521b138d049f2f474e3d697916a56e5
Instruction ID: 552b9dedbd82c419ca177dcb337f71e9fe167d852f81e8608e62a6a5fb48967e
Opcode Fuzzy Hash: ab25b13ab5bdddd6025f1d72377a51963521b138d049f2f474e3d697916a56e5
Instruction Fuzzy Hash: D571C270E006199BDF10EBA5CC41BAEB7B5AF45BA4F10411DF842BB391DF78AD029B91

Function 0108C796 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b59a11e735bf5de2f38d3e51bcfd413ba375e2899ab1af70c57a52beef0eb39
Instruction ID: 848e33bd991c97e59f97da5e17850ef33bdaa2b541e822a732b5b7804c3daa34
Opcode Fuzzy Hash: 1b59a11e735bf5de2f38d3e51bcfd413ba375e2899ab1af70c57a52beef0eb39
Instruction Fuzzy Hash: 3EC1AF74D0824AAFEB61EFACD944BEDBBB0BF59314F084188E5C0A7281C7359941CB74

Function 01091D32 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 171
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,010C3258), ref: 01091D9C
WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 01091E14
WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 01091E41
_free.LIBCMT ref: 01091D8A

Part of subcall function 010872F5: RtlFreeHeap.NTDLL(00000000,00000000,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?), ref: 0108730B
Part of subcall function 010872F5: GetLastError.KERNEL32(?,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?,?), ref: 0108731D

_free.LIBCMT ref: 01091F56

Strings

Eastern Summer Time, xrefs: 01091E3A
Eastern Standard Time, xrefs: 01091E0D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1286116820-239921721
Opcode ID: 0ecd71c1c89a649b8953a4680919208abd834a51ab38791e33f31c238663c7bd
Instruction ID: 6b9ab2e19f8cf815c6074bc02b851de1860773bbf1430c51dcaf11bc1be31eef
Opcode Fuzzy Hash: 0ecd71c1c89a649b8953a4680919208abd834a51ab38791e33f31c238663c7bd
Instruction Fuzzy Hash: E2510971A0020BDBDF20EF699D919EEB7FCFB40334B10029AF5D497684D7318A459B50

Function 00FCCC60 Relevance: 12.3, APIs: 8, Instructions: 296
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32(?,?,00000000,?,?), ref: 00FCCEC2
WSAGetLastError.WS2_32 ref: 00FCCECD
__WSAFDIsSet.WS2_32(000000FF,?), ref: 00FCCF84
__WSAFDIsSet.WS2_32(000000FF,?), ref: 00FCCF9B
__WSAFDIsSet.WS2_32(00FC56EF,?), ref: 00FCCFB4
__WSAFDIsSet.WS2_32(00FC56EF,?), ref: 00FCCFC8
__WSAFDIsSet.WS2_32(?,00000000), ref: 00FCCFE4
__WSAFDIsSet.WS2_32(?,?), ref: 00FCCFF8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: a8414d204af38aae79709f3b0e09239c99c1aae3e13d95b32e7c95a1874d180a
Instruction ID: 3988521feea07f2f742a927e981c40a6b41e4eb07d26f0654c1bb2b289c9a155
Opcode Fuzzy Hash: a8414d204af38aae79709f3b0e09239c99c1aae3e13d95b32e7c95a1874d180a
Instruction Fuzzy Hash: 59B16471E0021A8BDF25DF288D51BAD77B9AB49320F1046BED86ED7181D7349E819FD0

Function 0105D030 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 442COMMON

Download Yara Rule

APIs

Part of subcall function 0105CC80: ___std_exception_copy.LIBVCRUNTIME ref: 0105CDB4

Part of subcall function 0104F660: new.LIBCMT ref: 0104F662

Part of subcall function 0105E060: new.LIBCMT ref: 0105E062

Part of subcall function 0106E6F0: LoadLibraryA.KERNEL32(?), ref: 0106E70C

___std_exception_copy.LIBVCRUNTIME ref: 0105D1AC
___std_exception_destroy.LIBVCRUNTIME ref: 0105D201
__Init_thread_footer.LIBCMT ref: 0105D4BE
std::_Xinvalid_argument.LIBCPMT ref: 0105D5C9

Part of subcall function 00FF2308: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FF2314
Part of subcall function 00FF2308: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF2322

Strings

Unable to open message catalog: , xrefs: 0105D161
string too long, xrefs: 0105D5C4

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_exception_copy$Exception@8Init_thread_footerLibraryLoadThrowXinvalid_argument___std_exception_destroystd::_std::invalid_argument::invalid_argument
String ID: Unable to open message catalog: $string too long
API String ID: 1682877864-52554103
Opcode ID: 337f0bd2945a8bd1cd2934c4e9a7376ab802394f2a8e8a3110e8072fa80270b7
Instruction ID: 3948ee2011d2ed4ac3947c9997e7d99208366558080e9aeeab42ec1d06c408b9
Opcode Fuzzy Hash: 337f0bd2945a8bd1cd2934c4e9a7376ab802394f2a8e8a3110e8072fa80270b7
Instruction Fuzzy Hash: 6D02BA70900248EFDF55DFA8C980BDE7BE5EF18308F14815AEC9597291D778EA48CBA1

Function 00FCEBC0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00FCEB60: htons.WS2_32(?), ref: 00FCEB8D

GetLastError.KERNEL32(?,?,?,?,00000010,000001B8,00000007), ref: 00FCEC3A

Part of subcall function 00FD9850: GetLastError.KERNEL32(00000010,00000000,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9856
Part of subcall function 00FD9850: _strncpy.LIBCMT ref: 00FD988A
Part of subcall function 00FD9850: _strrchr.LIBCMT ref: 00FD98DF
Part of subcall function 00FD9850: _strrchr.LIBCMT ref: 00FD98FA
Part of subcall function 00FD9850: GetLastError.KERNEL32(?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9912
Part of subcall function 00FD9850: SetLastError.KERNEL32(00000000,?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?), ref: 00FD991D

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

Part of subcall function 00FCDAD0: closesocket.WS2_32(00FC94A9), ref: 00FCDB08

Strings

Trying %s..., xrefs: 00FCEC82
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00FCEC51
Immediate connect fail for %s: %s, xrefs: 00FCEE6E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$_strrchr$___swprintf_l_strncpyclosesockethtons
String ID: Trying %s...$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2012154964-3338264681
Opcode ID: 5b6fe4697508290caaaec9c2a620b51166aa995b768de2cd5c2e5086dc3f8028
Instruction ID: 1f90a20a1c9a01b2a50c4d835b988ecc57000e4e3dc7a7a963136fe44067b27c
Opcode Fuzzy Hash: 5b6fe4697508290caaaec9c2a620b51166aa995b768de2cd5c2e5086dc3f8028
Instruction Fuzzy Hash: 3981A371E0111A9BDB24DB64DD86FEEB7B8EF15320F0401AEF90D93241DA395E44DB61

Function 00F94660 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\NET Framework Setup\NDP\v3.5,00000000,00020019,?), ref: 00F946B5
RegQueryValueExW.KERNELBASE(?,Version,00000000,?,?,00000104), ref: 00F946E4
RegCloseKey.ADVAPI32(?), ref: 00F946F4
RegCloseKey.ADVAPI32(?), ref: 00F946FF

Strings

Version, xrefs: 00F946D9
Software\Microsoft\NET Framework Setup\NDP\v3.5, xrefs: 00F94699

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Software\Microsoft\NET Framework Setup\NDP\v3.5$Version
API String ID: 1607946009-2487358979
Opcode ID: a2756a70a4b31f225b327e26977eed9468a7ad3bb2f69b8af327ed0cd4f38bda
Instruction ID: f015d4aa2e972e646b48d69d6f1315bfad991d71a5d7a90c10cf891809fe322c
Opcode Fuzzy Hash: a2756a70a4b31f225b327e26977eed9468a7ad3bb2f69b8af327ed0cd4f38bda
Instruction Fuzzy Hash: BE41B471A4011DABDF24EBE4DCC4EEE77B9AB25311F0005A9E84996140D735AE429B51

Function 00F940C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Client,00000000,00020019,?), ref: 00F940FA
RegQueryValueExW.KERNELBASE(?,Install,00000000,00000000,00000000,00000004), ref: 00F9411A
RegCloseKey.ADVAPI32(?), ref: 00F94127
RegCloseKey.ADVAPI32(?), ref: 00F9413D

Strings

Software\Microsoft\NET Framework Setup\NDP\v4\Client, xrefs: 00F940E2, 00F94154
Install, xrefs: 00F94112

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Install$Software\Microsoft\NET Framework Setup\NDP\v4\Client
API String ID: 1607946009-4260260141
Opcode ID: a25cbc989bc30528775288adb540cb6902dc93eec7fe5ae5ea551f3833068a20
Instruction ID: 2bf32799264ba1595a1e6ab984f7e4c0d88b204fef7392b6cf697b261736e0d7
Opcode Fuzzy Hash: a25cbc989bc30528775288adb540cb6902dc93eec7fe5ae5ea551f3833068a20
Instruction Fuzzy Hash: A8118FB0E0020CEBEF20EF90DC46FEEB7B8AB14705F500059FA46BA185DA766A44DB50

Function 00F94000 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\NET Framework Setup\NDP\v3.5,00000000,00020019,?), ref: 00F9403A
RegQueryValueExW.KERNELBASE(?,Install,00000000,00000000,00000000,00000004), ref: 00F9405A
RegCloseKey.ADVAPI32(?), ref: 00F94067
RegCloseKey.KERNELBASE(?), ref: 00F9407D

Strings

Software\Microsoft\NET Framework Setup\NDP\v3.5, xrefs: 00F94022, 00F94094
Install, xrefs: 00F94052

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Install$Software\Microsoft\NET Framework Setup\NDP\v3.5
API String ID: 1607946009-1679568285
Opcode ID: c84cc10bcf7f0c0414e58d0dcb4da9fd34b88beb6325943b89672c7608530785
Instruction ID: 6c40eb00c86d1dff2b7a39b061029a5133a3f0aac5b59da911ec9642a682e835
Opcode Fuzzy Hash: c84cc10bcf7f0c0414e58d0dcb4da9fd34b88beb6325943b89672c7608530785
Instruction Fuzzy Hash: 1B116D70E4020CABEF20DF90CC4AFEEB7B8AB14705F004159FA467A181EB766A04DB51

Function 00F94180 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F941BA
RegQueryValueExW.KERNELBASE(?,Install,00000000,00000000,00000000,00000004), ref: 00F941DA
RegCloseKey.ADVAPI32(?), ref: 00F941E7
RegCloseKey.ADVAPI32(?), ref: 00F941FD

Strings

Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F941A2, 00F94214
Install, xrefs: 00F941D2

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Install$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-105569139
Opcode ID: a4c14a6722535f4f40b7edc545ae8112b11c35cf886dec77452fcebfe2f2b317
Instruction ID: 2577a16c9d42f9bab232737c3ba83f9a29a2cee9bfe3567e0d1779d278d4b3c1
Opcode Fuzzy Hash: a4c14a6722535f4f40b7edc545ae8112b11c35cf886dec77452fcebfe2f2b317
Instruction Fuzzy Hash: 7611BF74A0020DABEF21EF90DC46FEEB7B8AB10705F100059FA467A1C0DA766A44DB50

Function 00F942F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F9432D
RegQueryValueExW.KERNELBASE(?,Release,00000000,00000000,00000000,00000004), ref: 00F9434D
RegCloseKey.ADVAPI32(?), ref: 00F9435A
RegCloseKey.ADVAPI32(?), ref: 00F94371

Strings

Release, xrefs: 00F94345
Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F94313

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Release$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-1522824743
Opcode ID: c1ead7f3eca9adc6f2fd229c0a79897f8a2f65c52bc24912b66b1e07784b6589
Instruction ID: 520f1025cbff4b8aa4c5f17a18c4b2dbe009774fbc80d2f99d686a93ca5a5fef
Opcode Fuzzy Hash: c1ead7f3eca9adc6f2fd229c0a79897f8a2f65c52bc24912b66b1e07784b6589
Instruction Fuzzy Hash: 82118E71A4020DEFEF10DFA0DC96FEEB7B8EB04701F50405AF946A6184DB769A08DB60

Function 00F94240 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F9427D
RegQueryValueExW.KERNELBASE(?,Release,00000000,00000000,00000000,00000004), ref: 00F9429D
RegCloseKey.ADVAPI32(?), ref: 00F942AA
RegCloseKey.ADVAPI32(?), ref: 00F942C1

Strings

Release, xrefs: 00F94295
Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F94263

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Release$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-1522824743
Opcode ID: 33f4fff0fc65aa040c7da6f03a79e9b02d6918b925d979045c0f7f8ef283c453
Instruction ID: 5808a15eb44025db832a7d75ed0d90294d7d9389ac5d7a40c8d711f02d86207a
Opcode Fuzzy Hash: 33f4fff0fc65aa040c7da6f03a79e9b02d6918b925d979045c0f7f8ef283c453
Instruction Fuzzy Hash: 78118271A4020DEFDF10DFA0DC55BFEB7B8EB04306F50405AF946A6180DB765A08DB60

Function 00F945B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F945ED
RegQueryValueExW.KERNELBASE(?,Release,00000000,00000000,00000000,00000004), ref: 00F9460D
RegCloseKey.ADVAPI32(?), ref: 00F9461A
RegCloseKey.ADVAPI32(?), ref: 00F94631

Strings

Release, xrefs: 00F94605
Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F945D3

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Release$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-1522824743
Opcode ID: 194b9350eebdc490a3b564fc60d0fadaca9ed5ca0174703fb8563059b8146fb0
Instruction ID: 113407fc7d869531de92c25dd6de0d9b2e60f6b71504d4954fb51a34d30547b2
Opcode Fuzzy Hash: 194b9350eebdc490a3b564fc60d0fadaca9ed5ca0174703fb8563059b8146fb0
Instruction Fuzzy Hash: 19115EB1A4020DEBDF10DFA0DC95BEEB7B8EB04705F50405AF946A6185DB7A9A04DB60

Function 00F94500 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F9453D
RegQueryValueExW.KERNELBASE(?,Release,00000000,00000000,00000000,00000004), ref: 00F9455D
RegCloseKey.ADVAPI32(?), ref: 00F9456A
RegCloseKey.ADVAPI32(?), ref: 00F94581

Strings

Release, xrefs: 00F94555
Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F94523

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Release$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-1522824743
Opcode ID: e21625658d475c71eeaf141e2a5d1a96831ab6300091fbb7e33b48bf2c462f16
Instruction ID: feafe9043c6e1fdaff9d71bc1f7c7561138fbd12dd8a436ff21da0d57cfeb055
Opcode Fuzzy Hash: e21625658d475c71eeaf141e2a5d1a96831ab6300091fbb7e33b48bf2c462f16
Instruction Fuzzy Hash: 01118EB1A4020DEBDF20DFA0DC95BEEB7B8EB04701F50405AF946A6184EB769A04DB60

Function 0107D6F2 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0107D87F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107D89B
__allrem.LIBCMT ref: 0107D8B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107D8D0
__allrem.LIBCMT ref: 0107D8E7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107D905

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 751f8abe2008aafb220b056cd60e34a4dd8e55c36b13598ae224ddcb7106dd44
Instruction ID: abd5aff089e75328886ac9200bc3a64a20749ba084a95ad6a073d92fd640f3fb
Opcode Fuzzy Hash: 751f8abe2008aafb220b056cd60e34a4dd8e55c36b13598ae224ddcb7106dd44
Instruction Fuzzy Hash: 8781C472E00B07ABE725AAADCC40BAAB7E9FF54734F14416AE5D5D7280F770E9008758

Function 00FC49B0 Relevance: 9.1, APIs: 6, Instructions: 65networkCOMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FC49DA

Part of subcall function 00FD94B0: getaddrinfo.WS2_32(?,00000000,?,?), ref: 00FD94CE
Part of subcall function 00FD94B0: freeaddrinfo.WS2_32(?,?), ref: 00FD95BF

WSAGetLastError.WS2_32 ref: 00FC4A02
WSAGetLastError.WS2_32 ref: 00FC4A08
EnterCriticalSection.KERNEL32(?), ref: 00FC4A1E
LeaveCriticalSection.KERNEL32(?), ref: 00FC4A2C
LeaveCriticalSection.KERNEL32(?), ref: 00FC4A4B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CriticalSection$ErrorLastLeave$Enter___swprintf_lfreeaddrinfogetaddrinfo
String ID:
API String ID: 2327269287-0
Opcode ID: 08d6aa653d5ad2309756e1db44d207f73912d3b5e50d07dd94d40eb50cbe2bca
Instruction ID: 4886c8d03f4ce8288ee0cecd1ebded0190f80d359360ffba0fc501a687352dd3
Opcode Fuzzy Hash: 08d6aa653d5ad2309756e1db44d207f73912d3b5e50d07dd94d40eb50cbe2bca
Instruction Fuzzy Hash: 4E116D71900209EFC720EFA4DD85FABB7F9EF48300F14492EF59693605DB39A9049B65

Function 00FC4590 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE0: SetLastError.KERNEL32(0000273F,?,00FC41D2,00000002,00FC300A,?), ref: 00FD7DEE

___swprintf_l.LIBCMT ref: 00FC4612

Strings

getaddrinfo() failed for %s:%d; %s, xrefs: 00FC468A
init_resolve_thread() failed for %s; %s, xrefs: 00FC4655

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast___swprintf_l
String ID: getaddrinfo() failed for %s:%d; %s$init_resolve_thread() failed for %s; %s
API String ID: 2990598187-1389973398
Opcode ID: 0e738bf742c39f88a9f80e658ec24e67983b8aaaa6a2c4f2eae27f28ff563f09
Instruction ID: 1ad6e13c5365d455ecc9c982cf7563427d984936decf6e21db4f9361a290c846
Opcode Fuzzy Hash: 0e738bf742c39f88a9f80e658ec24e67983b8aaaa6a2c4f2eae27f28ff563f09
Instruction Fuzzy Hash: B1318672E00109ABDB00EFA5DD82EFFB7BCEF49211F54006AF909E7241EA356915D7A1

Function 00F991D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

invalid string position, xrefs: 00F9939D
string too long, xrefs: 00F993A7, 00F993B1

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: invalid string position$string too long
API String ID: 0-4289949731
Opcode ID: bc94e81014372a6ad7893128fa3c4f1fdd81d8a023952fb9a31f31472fbe8042
Instruction ID: 06631d7ccf7c3035224fc5a24ec5f5b0440d6fc21efe0ba2703f077601e081c8
Opcode Fuzzy Hash: bc94e81014372a6ad7893128fa3c4f1fdd81d8a023952fb9a31f31472fbe8042
Instruction Fuzzy Hash: 1C710732B04205AFEF24CF5CDC80A6EB7EAEF94710B15852DE89587381D7B1DD50A7A0

Function 00FA9910 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 213COMMON

Download Yara Rule

APIs

Part of subcall function 00FBF7F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,05CEC6CE), ref: 00FBF852
Part of subcall function 00FBF7F0: GetLastError.KERNEL32(00000003,00000001,?,?,?,?,05CEC6CE), ref: 00FBF88B
Part of subcall function 00FBF7F0: ___std_exception_copy.LIBVCRUNTIME ref: 00FBF8F7

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00FA9C59

Strings

BundleConfig.<xmlattr>.BundleId, xrefs: 00FA9AB5
., xrefs: 00FA9AED
BundleConfig.xml, xrefs: 00FA994A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorFileIos_base_dtorLastModuleName___std_exception_copystd::ios_base::_
String ID: .$BundleConfig.<xmlattr>.BundleId$BundleConfig.xml
API String ID: 2185223521-2168995269
Opcode ID: 55f7eb94d9cb42dd566ec8ea93fe9ddff4fd85108a47508c54c1cb23b5cd4df7
Instruction ID: 62da717213d2c592803db96f124e2b8907505c246dac524f6f97c6fc44699171
Opcode Fuzzy Hash: 55f7eb94d9cb42dd566ec8ea93fe9ddff4fd85108a47508c54c1cb23b5cd4df7
Instruction Fuzzy Hash: 5CA159B08042589BEB25DB54CC85BEEBBB4FF19304F1041E9E449A7281DBB85BC8DF91

Function 0108D4FB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,00FF309B,?,0108D419,00FF309B,010ED620,0000000C), ref: 0108D551
GetLastError.KERNEL32(?,0108D419,00FF309B,010ED620,0000000C), ref: 0108D55B
__dosmaperr.LIBCMT ref: 0108D586

Strings

Pyi, xrefs: 0108D515

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID: Pyi
API String ID: 490808831-1500441825
Opcode ID: 23a3532394d67992271113d07010a7ffc864d27c57de4bc83d34b8628e3db692
Instruction ID: d780e94247c42c348bbcd132fff7a9fc566dd9925c883672b80ee93dd26d8d46
Opcode Fuzzy Hash: 23a3532394d67992271113d07010a7ffc864d27c57de4bc83d34b8628e3db692
Instruction Fuzzy Hash: 1B016F3351C21059EF6576B874657BE3BDA5B81638F15039EF5C48B2C1CA35C48147B0

Function 00FCE350 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00FCE36E
WSAGetLastError.WS2_32(?,00FCECCE,?,?), ref: 00FCE378

Part of subcall function 00FD9850: GetLastError.KERNEL32(00000010,00000000,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9856
Part of subcall function 00FD9850: _strncpy.LIBCMT ref: 00FD988A
Part of subcall function 00FD9850: _strrchr.LIBCMT ref: 00FD98DF
Part of subcall function 00FD9850: _strrchr.LIBCMT ref: 00FD98FA
Part of subcall function 00FD9850: GetLastError.KERNEL32(?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9912
Part of subcall function 00FD9850: SetLastError.KERNEL32(00000000,?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?), ref: 00FD991D

Strings

TCP_NODELAY set, xrefs: 00FCE398
Could not set TCP_NODELAY: %s, xrefs: 00FCE386

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$_strrchr$_strncpysetsockopt
String ID: Could not set TCP_NODELAY: %s$TCP_NODELAY set
API String ID: 4037253127-1562148346
Opcode ID: 3a32aabe5d2c448f5eaf2d35de485449e0283e3917b5295bbcb11deb30cdcd84
Instruction ID: bae513e9e9b9964ca70ad4052507a461a0826b1697f07ce05ecfdac2f98eceac
Opcode Fuzzy Hash: 3a32aabe5d2c448f5eaf2d35de485449e0283e3917b5295bbcb11deb30cdcd84
Instruction Fuzzy Hash: FFF082762402197ADA102A85EC82FEF7B2CDF817A9F044026FE0C9A181E6BA655556A1

Function 00F8B830 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00F8B8B4

Part of subcall function 0100BF2B: __CxxThrowException@8.LIBVCRUNTIME ref: 0100BF42

Concurrency::cancel_current_task.LIBCPMT ref: 00F8B8C9
new.LIBCMT ref: 00F8B8CF
new.LIBCMT ref: 00F8B8E3

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: 6266601a088d40801e29021931ab7db2609b9113c76d0bcbfb8ab9962be113f5
Instruction ID: 583ce3f61a3248c1075482f677aef252846aa512b83694298920f701393c7c10
Opcode Fuzzy Hash: 6266601a088d40801e29021931ab7db2609b9113c76d0bcbfb8ab9962be113f5
Instruction Fuzzy Hash: A941D671A00701DBDB24FF24D8856AAB7F9EB44760F100A2DE567C7390E734E905EBA1

Function 00F83620 Relevance: 6.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F83649
SysAllocString.OLEAUT32 ref: 00F83680
_com_issue_error.COMSUPP ref: 00F83696
_com_issue_error.COMSUPP ref: 00F836AF

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _com_issue_error$AllocString
String ID:
API String ID: 245909816-0
Opcode ID: 60aa41d80f345070d566bf8c1b269acea4306d44e78ffc13a4e79bc559b81818
Instruction ID: 764335ef5e0f69f12c065d3010b7f5421ec28b70d77256ad3c0adcaf7ab21624
Opcode Fuzzy Hash: 60aa41d80f345070d566bf8c1b269acea4306d44e78ffc13a4e79bc559b81818
Instruction Fuzzy Hash: 7911C271901756EBE7219F59C804B9AFBE8EF54B20F10872EE854AB780E7B59940CB90

Function 010926EE Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,01092695,?,00000000,00000000,00000000,?,010929C1,00000006,FlsSetValue), ref: 01092720
GetLastError.KERNEL32(?,01092695,?,00000000,00000000,00000000,?,010929C1,00000006,FlsSetValue,010C3750,010C3758,00000000,00000364,?,010900D2), ref: 0109272C
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,01092695,?,00000000,00000000,00000000,?,010929C1,00000006,FlsSetValue,010C3750,010C3758,00000000), ref: 0109273A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 81bdb59c47090a3f0a312b10e02a75e3bc1266d91a76564055768549c1e86032
Instruction ID: 14b7732f823c97001abe74df7ce2b62227b6873408dcf32a92acf62c6477e462
Opcode Fuzzy Hash: 81bdb59c47090a3f0a312b10e02a75e3bc1266d91a76564055768549c1e86032
Instruction Fuzzy Hash: 8201F732615222BBCF314A6C9C94A9FFBE9BF05BA0B104520F985E7184D735D801D7E0

Function 0106E870 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

LCMapStringW.KERNELBASE(00000000,00000400,00000000,?,00000000,00000000,05CEC6CE), ref: 0106E8C5
LCMapStringW.KERNEL32(00000000,00000400,00000000,?,00000000,?,00000001,00000000), ref: 0106E934

Strings

invalid string position, xrefs: 0106EA06

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: String
String ID: invalid string position
API String ID: 2568140703-1799206989
Opcode ID: 2e2d1b26f46f8ed4bddde7aab3ebda3ae261244c138522ba1d1b234e3eb90337
Instruction ID: 6df4df4c298993ea7564e964eb4f48818a1ceb17d6c3676a2306ecb688a69d46
Opcode Fuzzy Hash: 2e2d1b26f46f8ed4bddde7aab3ebda3ae261244c138522ba1d1b234e3eb90337
Instruction Fuzzy Hash: 50713570A00248DFEB24CF98C885BAEBBF9FF48714F14051DE546A7281D774AA45CBA1

Function 00F8A040 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8A155

Strings

invalid string position, xrefs: 00F8A13C, 00F8A146
string too long, xrefs: 00F8A150

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: cce338d983c3b90f2414b244ea36df9e293e4f7854656ad9a6712ef536f50e2d
Instruction ID: 8b6d0900a2095589f0f04245cfcb3d7ebb2d9259d9dfa0894b4d9f0e669e7072
Opcode Fuzzy Hash: cce338d983c3b90f2414b244ea36df9e293e4f7854656ad9a6712ef536f50e2d
Instruction Fuzzy Hash: B631AF323047149B9724AF69E88589BF3E9FFD4B21310092FE596C7210DB7198159BA6

Function 00FCD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 00FCD6E6
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?), ref: 00FCD6FC

Strings

Send failure: %s, xrefs: 00FCD724

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastsend
String ID: Send failure: %s
API String ID: 1802528911-857917747
Opcode ID: f31035a578ad9b9f1cc9c9842fdc1aa0b63a13a6f0c86707d54d3c04441a7b51
Instruction ID: d36b1edacfb71cfd66d139d4a709a171a3d181c19d8dd6cc5b36a582e5f5c4f3
Opcode Fuzzy Hash: f31035a578ad9b9f1cc9c9842fdc1aa0b63a13a6f0c86707d54d3c04441a7b51
Instruction Fuzzy Hash: BC019E76601105AFDB119F5CEC86EDABBA8EF59375F100176F90897350C375AC209BA1

Function 0108D1C6 Relevance: 4.7, APIs: 3, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828498ee31cd09fbc4e6a9e3a5590fc162009d6449e8e284ea9683baf598a8e1
Instruction ID: 91e33636cebea6eaa9778d0b564e75d9a4c993ce29fa88b1de69d5a720a08f9d
Opcode Fuzzy Hash: 828498ee31cd09fbc4e6a9e3a5590fc162009d6449e8e284ea9683baf598a8e1
Instruction Fuzzy Hash: E351BF71E1820AABDB21BFE8C844FEEBBB4AF55324F044299E5C1B72D1D7359901CB60

Function 00FD94B0 Relevance: 4.6, APIs: 3, Instructions: 126networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000000,?,?), ref: 00FD94CE
freeaddrinfo.WS2_32(?,?), ref: 00FD95BF
WSASetLastError.WS2_32(00002AF9,?), ref: 00FD961D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfo
String ID:
API String ID: 1817844550-0
Opcode ID: b005753a3c33e118fbf1d352ddd2f5b4f68fc0cabba841d074b2cc1cc4458aa9
Instruction ID: 0d000391a17af53b2133f0d733bed90e1e56ebebb3c7f5a58d559a2d15dcc3c5
Opcode Fuzzy Hash: b005753a3c33e118fbf1d352ddd2f5b4f68fc0cabba841d074b2cc1cc4458aa9
Instruction Fuzzy Hash: 1241AAB1A047019FDB21CFA9E984B5AB7F6BF44320F08413AE849C7305D7B6E954DBA1

Function 00F8B9E0 Relevance: 4.6, APIs: 3, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00F8BA68

Part of subcall function 0100BF2B: __CxxThrowException@8.LIBVCRUNTIME ref: 0100BF42

new.LIBCMT ref: 00F8BA6E
new.LIBCMT ref: 00F8BA82

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_taskException@8Throw
String ID:
API String ID: 3598223435-0
Opcode ID: fec12bd33f0df5e0d5d6032f5c4101b8fdf14038854a89215527f2f4cdc6bbc0
Instruction ID: 464ecfc5fe6733a35fc4a7487af5708aeecaeb1a2f606579db9714b94dc6b384
Opcode Fuzzy Hash: fec12bd33f0df5e0d5d6032f5c4101b8fdf14038854a89215527f2f4cdc6bbc0
Instruction Fuzzy Hash: 0831B371A046019FD728EF28D8807AAB7E9EB45760F500B2DE863CB781D779ED04D7A1

Function 00FB3D00 Relevance: 4.6, APIs: 3, Instructions: 86COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00FB3D28
Concurrency::cancel_current_task.LIBCPMT ref: 00FB3DAE

Part of subcall function 0100BF2B: __CxxThrowException@8.LIBVCRUNTIME ref: 0100BF42

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_taskException@8Throw
String ID:
API String ID: 3598223435-0
Opcode ID: 0ac733429f234322b33af8aae44a144107b1436c45ed342b3070bb472d8897e5
Instruction ID: 57b76b2d43da6ac1623b651e68494e8df14afefc5a259cf7e6a3f2175eb43dea
Opcode Fuzzy Hash: 0ac733429f234322b33af8aae44a144107b1436c45ed342b3070bb472d8897e5
Instruction Fuzzy Hash: 4F210872F0011AAFDB05FF79C880AFDB7A5EF593507154139D849CB205E620EE049AE1

Function 01091E8D Relevance: 4.6, APIs: 3, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01091F00
_free.LIBCMT ref: 01091F56

Part of subcall function 01091D32: _free.LIBCMT ref: 01091D8A
Part of subcall function 01091D32: GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,010C3258), ref: 01091D9C
Part of subcall function 01091D32: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 01091E14
Part of subcall function 01091D32: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 01091E41

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 83bfc556b8b96868d57b468993b5d0bf6d6f89101e0709101c8488d7cc5ab0ab
Instruction ID: 88a02f3c0151ab802c99822ba287950d8af0341dc79d4b280e72383a99a74070
Opcode Fuzzy Hash: 83bfc556b8b96868d57b468993b5d0bf6d6f89101e0709101c8488d7cc5ab0ab
Instruction Fuzzy Hash: 9C212932A0411F57DF31A7289C60EEE77B9DB61370F1002D9E4D8A2185EF7049859A90

Function 00FA9600 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(00000000), ref: 00FA968C
UuidToStringA.RPCRT4(00000000,?), ref: 00FA96A1
RpcStringFreeA.RPCRT4(00000000), ref: 00FA96D6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: StringUuid$CreateFree
String ID:
API String ID: 3044360575-0
Opcode ID: 0ab06dae4db5993175347b9316f8ed16427b3672315f500378671001b269c6f0
Instruction ID: 63e035911a208fcbb58bc4cf077ec941649a788d4f36669dd8a73add9e02aff1
Opcode Fuzzy Hash: 0ab06dae4db5993175347b9316f8ed16427b3672315f500378671001b269c6f0
Instruction Fuzzy Hash: 89317FB1904248DFDB24CFA4D948BEEBBF8EF49714F10465EE442A7240D7B95908CBA0

Function 01084D44 Relevance: 4.6, APIs: 3, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(05CEC6CE,00F83CDE,Function_00104BF0,00000000,?,05CEC6CE), ref: 01084D8D
GetLastError.KERNEL32(?,?,?,?,?,01009DAB,00000000,00000000,01009FC0,?,00000004,?), ref: 01084D99
__dosmaperr.LIBCMT ref: 01084DA0

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: ab17b9b5f74e77b75176cb3dbba52664b8e976c839e39f942858b4ccdceb18f6
Instruction ID: a088b412f4eed8d499dfb854e4157d011822e903587a6c4042d2f422e844c53e
Opcode Fuzzy Hash: ab17b9b5f74e77b75176cb3dbba52664b8e976c839e39f942858b4ccdceb18f6
Instruction Fuzzy Hash: AF019E3650821BABDB65BFA5DC04EDF7BAAEF90320F010168F9C5D6110DF318911C7A0

Function 01084EDC Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,01084E89,?,?,?,?), ref: 01084F15
GetLastError.KERNEL32(?,?,?,?,01084E89,?,?,?,?,?,?,?,?,?,010ED458,0000001C), ref: 01084F1F
__dosmaperr.LIBCMT ref: 01084F26

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 7e6700fd5107d32a0b8fbe03f4e8a0249c584ca1d76efa9918c6da81ce165536
Instruction ID: 8d22cc6595674298519ad10f217961a25fcab38f8f6bc78498f55671c6045c63
Opcode Fuzzy Hash: 7e6700fd5107d32a0b8fbe03f4e8a0249c584ca1d76efa9918c6da81ce165536
Instruction Fuzzy Hash: 2A014033614516AFCB159F99DC0899E3B69EFC5330B24024CF9D4D7181EA72D9018B90

Function 00FCF090 Relevance: 4.5, APIs: 3, Instructions: 36networkCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000000,00000000), ref: 00FCF0A8
getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000004), ref: 00FCF0C3
WSAGetLastError.WS2_32 ref: 00FCF0CD

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastSleepgetsockopt
String ID:
API String ID: 3033474312-0
Opcode ID: 97b4607cb31a350a291f7a72cd95e6f2a673f36d694faaa09fd196dd03f0d2ef
Instruction ID: efc7e1e6962e696ea77b02f71e50323aaf3eb030da21d20b22661e01f161103d
Opcode Fuzzy Hash: 97b4607cb31a350a291f7a72cd95e6f2a673f36d694faaa09fd196dd03f0d2ef
Instruction Fuzzy Hash: 8FF09C3164410BEBDB208F50D946FFEB7BDAB00B11F208079F94596184D776990CAB50

Function 01084CA4 Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 01090084: GetLastError.KERNEL32(?,?,?,0107DA2C,01085FA2,?,0109002E,00000001,00000364,?,01084C15,010ED438,00000010), ref: 01090089
Part of subcall function 01090084: _free.LIBCMT ref: 010900BE
Part of subcall function 01090084: SetLastError.KERNEL32(00000000), ref: 010900F2

ExitThread.KERNEL32 ref: 01084CB6
CloseHandle.KERNEL32(?,?,?,01084DD6,?,?,01084C4D,00000000), ref: 01084CDE
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,01084DD6,?,?,01084C4D,00000000), ref: 01084CF4

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 13d9ec8d4ec058cb111506686786a9d030d0b7fce4146bec8f4e0ba1aaaab884
Instruction ID: 416cbab285078ca1cf5dc0287b5ed87a29c6aeb3a04aea5f4c437805dcef199d
Opcode Fuzzy Hash: 13d9ec8d4ec058cb111506686786a9d030d0b7fce4146bec8f4e0ba1aaaab884
Instruction Fuzzy Hash: 29F0893040460AA7EBB57B39C948B977EECAF00270F084B55FDE4D21A5D735D8418750

Function 01003ACF Relevance: 4.5, APIs: 3, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 01003AD6
_Getvals.LIBCPMT ref: 01003AF2

Part of subcall function 010024C0: __Getcvt.LIBCPMT ref: 010024D2
Part of subcall function 010024C0: std::_Locinfo::_Getdays.LIBCPMT ref: 010024EB
Part of subcall function 010024C0: std::_Locinfo::_Getmonths.LIBCPMT ref: 01002504

__Getdateorder.LIBCPMT ref: 01003AF7

Part of subcall function 01005BA6: ___crtGetLocaleInfoEx.LIBCPMT ref: 01005BC2

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Locinfo::_std::_$GetcvtGetdateorderGetdaysGetmonthsGetvalsH_prolog3_catchInfoLocale___crt
String ID:
API String ID: 4028787925-0
Opcode ID: 9033dddff95d67c7d36393df540ac6a4bec3b7fa1f07bd20f805fc64041a8287
Instruction ID: 6793c59e727c839ba04b1856a017aa39f54e04cd7978130385cca4ff6ab230ca
Opcode Fuzzy Hash: 9033dddff95d67c7d36393df540ac6a4bec3b7fa1f07bd20f805fc64041a8287
Instruction Fuzzy Hash: E7E0ECB4C017019FDB61FFB9850468ABEF0FF28250F51892EA099DB640EB709600CF62

Function 00FBAA80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00FBAB3A

Strings

vector<T> too long, xrefs: 00FBAB35

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 909987262-3788999226
Opcode ID: 8894608b2b806145ab5d30daf92cd251959b3b5cfdb60c53a995d4e7fda99f3b
Instruction ID: 984e3d31a44c2f20e855f22b7464dd954387e7e99955e13152d49cfacd146e56
Opcode Fuzzy Hash: 8894608b2b806145ab5d30daf92cd251959b3b5cfdb60c53a995d4e7fda99f3b
Instruction Fuzzy Hash: 5041D075B042499FCB14CF2AC490BA9BBA6BF85320F24C269E825CB381D735DD41DF91

Function 00FCDC10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 00FC4550: GetTickCount.KERNEL32 ref: 00FC4551

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FCDCC4

Strings

Connection time-out, xrefs: 00FCDC52

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CountTickUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: Connection time-out
API String ID: 2079752757-165637984
Opcode ID: fdb360bac6b460311097cf95c439d44e6d82f07a0e58c41f657d1b45feb8474a
Instruction ID: ec5da28a20ca0ac4f04245979b660cd92a6884778af8b8c80f0a65a843902a4a
Opcode Fuzzy Hash: fdb360bac6b460311097cf95c439d44e6d82f07a0e58c41f657d1b45feb8474a
Instruction Fuzzy Hash: 6C31CC71B01606AFEB10DF68D942FAABBE4FF44324F10427DE9589B281D775A911ABC0

Function 00F9A490 Relevance: 3.1, APIs: 2, Instructions: 81threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9A4D0
SetEvent.KERNEL32(00000000,?,00000000,?), ref: 00F9A54C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CurrentEventThread
String ID:
API String ID: 2592414440-0
Opcode ID: 561dc9983923268333805758d73636e376a88c528cf114668167a3415771b925
Instruction ID: 74c390519e5dfa2c39df04165f6681d4b57155ce32151878cef69f39eb98f155
Opcode Fuzzy Hash: 561dc9983923268333805758d73636e376a88c528cf114668167a3415771b925
Instruction Fuzzy Hash: 08319E75A0460ADFEF21CF68D840BAEF7F4FB44324F21452EE85A97240D736A900DB91

Function 0108CDE1 Relevance: 3.1, APIs: 2, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(7408458B,?,?,?,00000000,?,0107E49E,E0830C40,?,0108D31D,00FF30C1,0107E49E,?,0107E49E,0107E49E,00FF30C1), ref: 0108CE7C
GetLastError.KERNEL32(?,0108D31D,00FF30C1,0107E49E,?,0107E49E,0107E49E,00FF30C1,0107E49E,?,010ED600,00000014,0107DEB2,00000000,8304488B,00FF30C1), ref: 0108CEA5

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: c9073f9e98ede55415e1183f13a0c649a218ff7dd91216fd076720158056fb06
Instruction ID: a1288d90499e496a880bf4b505338dab17c3151e5158509375f8442ac7df3ac1
Opcode Fuzzy Hash: c9073f9e98ede55415e1183f13a0c649a218ff7dd91216fd076720158056fb06
Instruction Fuzzy Hash: F321D135A00219DFDB25DF59C980AE9B7F9FB48311F1448AAE9C6D7281D730AE81CF20

Function 01092652 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 010926B2
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 010926BF

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8c15dfc604e4b6e3dddb214470b6aec98543927dc5e9b252cfcf4f77f4e90f1f
Instruction ID: c175483cbce9ab7877060bcbc46564b56a8aa0c12de5f12aee026b22fc702181
Opcode Fuzzy Hash: 8c15dfc604e4b6e3dddb214470b6aec98543927dc5e9b252cfcf4f77f4e90f1f
Instruction Fuzzy Hash: DE112C37600121BB9F329D1CEC6199E77D5AB88260B078161FDD5FBA4CDA32DC0197D0

Function 01009D90 Relevance: 3.0, APIs: 2, Instructions: 41threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,00F83CDE,05CEC6CE), ref: 01009DD1
ResumeThread.KERNELBASE(?,?,?,?,?,00F83CDE,05CEC6CE), ref: 01009DDF

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CloseHandleResumeThread
String ID:
API String ID: 3265327148-0
Opcode ID: 19d974ff608cae4d723fe86ec1dd8e2b68d3101c92ddb7a5f1160fdc54da10a5
Instruction ID: a7a140618a1869ea9d2e20ff08b25f4c22a1fcdb5c27601f04faa85a898a89e2
Opcode Fuzzy Hash: 19d974ff608cae4d723fe86ec1dd8e2b68d3101c92ddb7a5f1160fdc54da10a5
Instruction Fuzzy Hash: 8FF09C712402019FE7119F59DCC0F96B3E8EF44325F14405BFA58D7291D770E8529A50

Function 01084BF0 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(010ED438,00000010), ref: 01084C03
ExitThread.KERNEL32 ref: 01084C0A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: bcd4ea9708a7ea1854312624571ad6a5b5f9a25a3f8cacc8f141dceefd8ecb9f
Instruction ID: 36440f1dfd758df39c408bebdb7dcd540304a451ee05adbb77a3e9cbb05a7648
Opcode Fuzzy Hash: bcd4ea9708a7ea1854312624571ad6a5b5f9a25a3f8cacc8f141dceefd8ecb9f
Instruction Fuzzy Hash: 4DF08C71500206AFDF05BFB0D958BEE3BB8AF54610F100589F4C19B255DB76A910DBA0

Function 00FC01D0 Relevance: 3.0, APIs: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00FC01EF
WSACleanup.WS2_32 ref: 00FC021A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CleanupStartup
String ID:
API String ID: 915672949-0
Opcode ID: 4e6a3e3028d458aaea00a1fbf50c865e48f8fe5ca4fb9e71072910991532283e
Instruction ID: f45ffa591aa6b9929982a6508e30d0379e8b8a72c76664c28adc8c6ebd1689be
Opcode Fuzzy Hash: 4e6a3e3028d458aaea00a1fbf50c865e48f8fe5ca4fb9e71072910991532283e
Instruction Fuzzy Hash: E5F05431B4010EDBDF60DF64D95ABEAB3B9DB04311F40059DE84AC7285DD355D06CB40

Function 00FCD020 Relevance: 3.0, APIs: 2, Instructions: 16sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00002726,?,00FCC8D8,00FC1205,00000000), ref: 00FCD031
Sleep.KERNELBASE(00FC1205,?,00FCC8D8,00FC1205,00000000), ref: 00FCD03D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: b7e37a9bdc420964ff3894a2eab44459cfe8671d6980b258df4d8ccfd261a5e0
Instruction ID: d3de8b5c3086c96ef6b7086b28157885cd35d8a3a7cd7227e68d5e9dda17e0d3
Opcode Fuzzy Hash: b7e37a9bdc420964ff3894a2eab44459cfe8671d6980b258df4d8ccfd261a5e0
Instruction Fuzzy Hash: 58D022306D8208879B201ABCE84EE5B37EC6B40B70B004A28F01CC51C9DB25E0009210

Function 00F9F840 Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 01008D90: TlsGetValue.KERNEL32(0000000F,?,01015384,00000000,05CEC6CE,?,?), ref: 01008DA4

new.LIBCMT ref: 00F9F8A9

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ee25d94827a11a2ac45c65bfa4e1ec41f87e94f7c2d2091935f143ddce864a25
Instruction ID: 9c93d82f75fdd5b1cc80bae1d03e867d5666f6782d0dad1bc21b0d531257d7cb
Opcode Fuzzy Hash: ee25d94827a11a2ac45c65bfa4e1ec41f87e94f7c2d2091935f143ddce864a25
Instruction Fuzzy Hash: 88417CB1A00606EFEB05DF68CC40BAABBF8FF55710F14426AE4059B391D775AA05CBE1

Function 00FA6680 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00FAD820: ___std_exception_copy.LIBVCRUNTIME ref: 00FAD87C
Part of subcall function 00FAD820: ___std_exception_copy.LIBVCRUNTIME ref: 00FAD8E7
Part of subcall function 00FAD820: GetCurrentThreadId.KERNEL32 ref: 00FAD922

SetEvent.KERNEL32(00000000,010F9DB8,00000000,000000FF,05CEC6CE), ref: 00FA67FC

Part of subcall function 00F83EA0: GetProcessHeap.KERNEL32(00000000,00000008), ref: 00F83F76
Part of subcall function 00F83EA0: HeapFree.KERNEL32(00000000), ref: 00F83F7D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Heap___std_exception_copy$CurrentEventFreeProcessThread
String ID:
API String ID: 3090538075-0
Opcode ID: 9a94e6681d477201ac35865686eaa4fadfa3490270845f8d6e3678c6125e3e24
Instruction ID: f4a184f98d14fa5a656affb41bd2514cc5d0bf7a471795c5ba73890a52378066
Opcode Fuzzy Hash: 9a94e6681d477201ac35865686eaa4fadfa3490270845f8d6e3678c6125e3e24
Instruction Fuzzy Hash: 4341EFB09102059BEB15EFA8C846BEEBBB4FF42318F24061DE052E72C1CB795944DB91

Function 0107DA81 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0107DB49

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CallFilterFunc@8
String ID:
API String ID: 4062629308-0
Opcode ID: a6cd855c611d315ab944eac2cf8c37f0c9ba073ef6053b0aee397767115f514a
Instruction ID: 0d9084c32e19bbca3df8bc569a5b5fd2614f806eb239768324889e62ed65095e
Opcode Fuzzy Hash: a6cd855c611d315ab944eac2cf8c37f0c9ba073ef6053b0aee397767115f514a
Instruction Fuzzy Hash: 52212971E101169BEB15BBF89C017BE37917F95334F18838EE0E19A1D5D7749502874D

Function 00FCD9A0 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 00FCDA49

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: a78f70d4c3cf48d925881d901ea14f6f4f3c1adbaebca25d42786f6d83fd1bc1
Instruction ID: 83ea415050a09ee3fa4d218912ed46630accd380a1560e6dbb64480cb492d085
Opcode Fuzzy Hash: a78f70d4c3cf48d925881d901ea14f6f4f3c1adbaebca25d42786f6d83fd1bc1
Instruction Fuzzy Hash: D2219D719087068FE7208E18DE46B56B3E8AB40738F28852DE9A9976D2E335E845DB40

Function 00FCE290 Relevance: 1.6, APIs: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00FCE323

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 6bada1fd766663c34dff061a3de679788347f30761ff96a189e5ab4446afc8fc
Instruction ID: 31f9d1cf78689b7efb7dfff4cd75d5612fbbdc96a30969cde6de262e3916ac88
Opcode Fuzzy Hash: 6bada1fd766663c34dff061a3de679788347f30761ff96a189e5ab4446afc8fc
Instruction Fuzzy Hash: 2F214A71A0020ADFDB24CF68C941B96B7F5FF48310F10897DE99ACB295D632E951DB90

Function 00FAF7D0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00FAF810

Part of subcall function 00F95E10: GetCurrentProcessId.KERNEL32(05CEC6CE), ref: 00F95E67

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 9e296f4fc6a935f65400cd52e56a51a62cf444b174e4578c57cdece552ccfe06
Instruction ID: 49ca3cce49e1bce8a2799689b6957ddab8cb8361c498500e7150fd0719ad026e
Opcode Fuzzy Hash: 9e296f4fc6a935f65400cd52e56a51a62cf444b174e4578c57cdece552ccfe06
Instruction Fuzzy Hash: 021147B1904649AFDB10CF89C840B9AFBF8FB48714F10816AE81597250D7B66904CB90

Function 01093BD5 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 01085F50: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0109002E,00000001,00000364,?,01084C15,010ED438,00000010), ref: 01085F91

_free.LIBCMT ref: 01093C41

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7054a937415d61fae7d4af767ef2b6b080680736d5c7c993752f17e0158cbaab
Instruction ID: 412d330c74e4166563eed2fa8039420fa39b48d45691c456734391c8f8ddaf9f
Opcode Fuzzy Hash: 7054a937415d61fae7d4af767ef2b6b080680736d5c7c993752f17e0158cbaab
Instruction Fuzzy Hash: A4014E72100349ABE735CF6ADC5599AFBECFB85270F25051DE5D497280EA30A805CB74

Function 00F88630 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00F88680

Part of subcall function 00F8C8E0: __CxxThrowException@8.LIBVCRUNTIME ref: 00F8C92E
Part of subcall function 00F8C8E0: ___std_exception_copy.LIBVCRUNTIME ref: 00F8C95E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_exception_copy$Exception@8Throw
String ID:
API String ID: 3804135023-0
Opcode ID: bc27a7524ab7be4b9994f5e965b3ec9943b12e93c5036c35e66a842f1634ac9d
Instruction ID: 306f4a44512ddd89782dd6770ae66c221390ede9da3ce2b12f7193d4e00755a3
Opcode Fuzzy Hash: bc27a7524ab7be4b9994f5e965b3ec9943b12e93c5036c35e66a842f1634ac9d
Instruction Fuzzy Hash: 8B1130B1D002499FCB00DFA4C941BDEF7F8FB49614F64466AE815B7280EB356A44CBA0

Function 00FB2570 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FB25DF

Part of subcall function 01071273: KiUserExceptionDispatcher.NTDLL(?,?,?,0100BF47,?,?,?,?,?,?,?,?,0100BF47,?,010E0200), ref: 010712D2

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: DispatcherExceptionException@8ThrowUser
String ID:
API String ID: 2513928553-0
Opcode ID: e86bf0aacdb2206aa185e37c2f677f6a0ae54809ac6a45c0b542a6b3c359a164
Instruction ID: 4572691cc60aff22dfb79736f781c6a98e103eb91e4feea16b440a84fefad1b7
Opcode Fuzzy Hash: e86bf0aacdb2206aa185e37c2f677f6a0ae54809ac6a45c0b542a6b3c359a164
Instruction Fuzzy Hash: 72016D74900118AFCB08DF65C951FCAB7B8FB08710F208169F555D7795DB38AA05CF80

Function 0107E9BE Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d19793f29929a277516686cf137a3b4d209c8759da157923ef4eeedc34a6fe
Instruction ID: d89fcb30cb90b71d875ccedc508a39824decca2b4f6c9d367a6f8cf21192e873
Opcode Fuzzy Hash: a9d19793f29929a277516686cf137a3b4d209c8759da157923ef4eeedc34a6fe
Instruction Fuzzy Hash: BFF0F932D1261566D6217A6EDC00BDA37A8AF91335F100755F6E4A21D0CB74F5068699

Function 00F95180 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00F951DA

Part of subcall function 00F99BD0: __CxxThrowException@8.LIBVCRUNTIME ref: 00F99C1E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Exception@8Throw___std_exception_copy
String ID:
API String ID: 284963293-0
Opcode ID: 5139a6e865137ff01ff5d785a0e0727878bb41cfb05261e1bf15bfd95313f592
Instruction ID: a6b55687057e7f85dde5af5c2defa06d520bf2a119418941f4faefa8d6cb421a
Opcode Fuzzy Hash: 5139a6e865137ff01ff5d785a0e0727878bb41cfb05261e1bf15bfd95313f592
Instruction Fuzzy Hash: B00180B1D0024D9BCF04DFA4D945BDEB7FCFB18610F50426AE801B3240EB396A48CBA0

Function 00FB0A20 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00FB0A91

Part of subcall function 00FF2B79: std::ios_base::_Tidy.LIBCPMT ref: 00FF2B99

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID:
API String ID: 3167631304-0
Opcode ID: 20928703dc5145022a3c596d2bddb03e42b539e314ed31b282581aff34f4e35c
Instruction ID: e94c99ec3c9618a9c4c4b0c367382285332bb5c639392a0304a845066203f57d
Opcode Fuzzy Hash: 20928703dc5145022a3c596d2bddb03e42b539e314ed31b282581aff34f4e35c
Instruction Fuzzy Hash: 89115BB5940249DFEB11CF49C984E99F7E8FB09318F10899EE88A8B751D736E901CF40

Function 00FA9CC0 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00FA9D31

Part of subcall function 00FF2B79: std::ios_base::_Tidy.LIBCPMT ref: 00FF2B99

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID:
API String ID: 3167631304-0
Opcode ID: 2f821d034265deac1d4690fc55d1b255690911fd5b6576b4d0908749cd6c407e
Instruction ID: 5200f852962325330891b8c11cbd88a719eb2af3b8ff7379cf3ad6b5f57a2d48
Opcode Fuzzy Hash: 2f821d034265deac1d4690fc55d1b255690911fd5b6576b4d0908749cd6c407e
Instruction Fuzzy Hash: 42112D75514649DFD711CF68C988E99F7F8FB08708F1046AEE8858B751D736E906CB40

Function 01085F50 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0109002E,00000001,00000364,?,01084C15,010ED438,00000010), ref: 01085F91

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bd29c09503aed86e201f8e88fe95093b56cda61f8116a51b3561f13e845e9058
Instruction ID: 960bc8473607a45a708bb28f95f7399ad3b1716b133d7b19c5bb402d4653bfa4
Opcode Fuzzy Hash: bd29c09503aed86e201f8e88fe95093b56cda61f8116a51b3561f13e845e9058
Instruction Fuzzy Hash: C8F0E93150C6256BEB613A6A9C04FAA3FD8AF90670B1881A1E9D8DA1C6DA30E401C6E0

Function 0108DD05 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0108DD46

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 862e384ef557ebdd8fa533b58788d64487fea705a1ca2161b6858340ff909363
Instruction ID: 4cb154b7f8d3d65d379dbd9dd3f5b927061bd208f7de1817e056e5e6093de747
Opcode Fuzzy Hash: 862e384ef557ebdd8fa533b58788d64487fea705a1ca2161b6858340ff909363
Instruction Fuzzy Hash: FEF05E33514209BBCF11AEE9DC01DDE3B6DEF89371F144255FA94920A0DA32D921A7A0

Function 01086524 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,01090083), ref: 01086556

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 238bcbda2487b5b0326f68e67e8184529fce9c4c1eb483382316b65bd481ab53
Instruction ID: 60149915b9e7813006ddcfaf5674e7569b60043611ae060706ac752f7251955a
Opcode Fuzzy Hash: 238bcbda2487b5b0326f68e67e8184529fce9c4c1eb483382316b65bd481ab53
Instruction Fuzzy Hash: 31E0E53150C22196E6713A699C01B9A3BC8AF912A0F874190ECD2961CCCE22DC00C2F5

Function 0108DA2C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,0108DE1F,?,?,00000000,?,0108DE1F,00000000,0000000C), ref: 0108DA49

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cae35316a24999c92b888034418aa3ea85c8a80cf7c65f541ae0a79cf3edcfc4
Instruction ID: d66792070590eabb1066ee36b091d439413aa3cc9d52e72b58d9501c07949b0c
Opcode Fuzzy Hash: cae35316a24999c92b888034418aa3ea85c8a80cf7c65f541ae0a79cf3edcfc4
Instruction Fuzzy Hash: C2D06C3204010DBBDF128F84DC46EDA3BAAFB48714F014000BA5866020C776E821AB90

Function 00FEB850 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,00FCEDA6), ref: 00FEB86A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 268634495a7f070cefbb4a38c74293089d82c75ded5517a586b91be1a866c92e
Instruction ID: 33567f995447908ed1a69a6e2b71c509ff956ff0735ed1bc73b27844feb12d1a
Opcode Fuzzy Hash: 268634495a7f070cefbb4a38c74293089d82c75ded5517a586b91be1a866c92e
Instruction Fuzzy Hash: 0ED0EA7240020DEFCB019FB1D9458DA7BADEA04225B01C43AB9199A124EA39AA64DF95

Function 00FC4A70 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008,?,010B0CB8,?), ref: 00FC4B25

Part of subcall function 00FC4B40: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,010B0CB8,?), ref: 00FC4B82

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CriticalErrorInitializeLastSection
String ID:
API String ID: 3413597225-0
Opcode ID: 28c9a156a213a97c5c868ad28903621c5b1012544dd97de542b8bbf2760e3a19
Instruction ID: 97ba2384e69b74f483bc2012c84b8154d865834404a567a52be146418f3df035
Opcode Fuzzy Hash: 28c9a156a213a97c5c868ad28903621c5b1012544dd97de542b8bbf2760e3a19
Instruction Fuzzy Hash: 0A11E6B1500706ABD7205F64EC46FCB7BE8FF84328F04402DFA5982242E736E8149B69

Non-executed Functions

Function 00FCE690 Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 354networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00FCE8CB
bind.WS2_32(00000002,?,00000000), ref: 00FCEA06
htons.WS2_32(?), ref: 00FCEA43
bind.WS2_32(00000002,00000002,00000000), ref: 00FCEA5E
getsockname.WS2_32(00000002,?,00000080), ref: 00FCEA97
WSAGetLastError.WS2_32 ref: 00FCEAA5

Part of subcall function 00FD7DE0: SetLastError.KERNEL32(0000273F,?,00FC41D2,00000002,00FC300A,?), ref: 00FD7DEE

WSAGetLastError.WS2_32 ref: 00FCEAE5

Strings

Couldn't bind to '%s', xrefs: 00FCE9A7
Local port: %hu, xrefs: 00FCEB29
Local Interface %s is ip %s using address family %i, xrefs: 00FCE94B
bind failed with errno %d: %s, xrefs: 00FCEB01
Name '%s' family %i resolved to '%s' family %i, xrefs: 00FCE87A
Couldn't bind to interface '%s', xrefs: 00FCE982
getsockname() failed with errno %d: %s, xrefs: 00FCEAC1
Bind to local port %hu failed, trying next, xrefs: 00FCEA29

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$bindhtons$getsockname
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
API String ID: 2249331600-2769131373
Opcode ID: 0a3ec83f28dd892d832f29bf792a6ce2b241f8cd04a8df2e9bbca658d9edba33
Instruction ID: e8704a73f02efc10586f61af33594db383f5e6dabfa9982d104329374d56d611
Opcode Fuzzy Hash: 0a3ec83f28dd892d832f29bf792a6ce2b241f8cd04a8df2e9bbca658d9edba33
Instruction Fuzzy Hash: 34C1D171A0021AAFDB21DF24DD96FFAB7B8EF05314F0440EDF94997242EA395E44AB50

Function 00FD9850 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,00000000,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9856
_strncpy.LIBCMT ref: 00FD988A
FormatMessageA.KERNEL32(00001000,00000000,00FCE64F,00000000,-0000030C,000000FF,00000000,00FCE64F,00000010,00000000), ref: 00FD98B6
___swprintf_l.LIBCMT ref: 00FD98CD
_strrchr.LIBCMT ref: 00FD98DF
_strrchr.LIBCMT ref: 00FD98FA
GetLastError.KERNEL32(?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?,?), ref: 00FD9912
SetLastError.KERNEL32(00000000,?,?,?,?,00FCE64F,00000010,00000000,?,?,?,?,?,?,?,?), ref: 00FD991D

Strings

Unknown error %d (%#x), xrefs: 00FD98C2

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$_strrchr$FormatMessage___swprintf_l_strncpy
String ID: Unknown error %d (%#x)
API String ID: 1238453913-2414550090
Opcode ID: 1dbaac229493767c6f3109d0d0f75aa03ee19f71a8362bff32d99fd3a958133d
Instruction ID: 720b5027ecbcba0b647979396bf6f94b4f811f167740de9f02857f6ddf34e5db
Opcode Fuzzy Hash: 1dbaac229493767c6f3109d0d0f75aa03ee19f71a8362bff32d99fd3a958133d
Instruction Fuzzy Hash: 91212B31B482437AE63125B45C45FBF395E8F53B65F080036F989E6386FAD54500A3B2

Function 00FD77E0 Relevance: 13.9, APIs: 4, Strings: 5, Instructions: 399COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00FD799C
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00FD79A6
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00FD79BE
SetLastError.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00FD79CC

Strings

%02d:%02d:%02d%n, xrefs: 00FD794D
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00FD787F
+, xrefs: 00FD7A42
%02d:%02d%n, xrefs: 00FD797A
<, xrefs: 00FD7BCC

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$+$<
API String ID: 1452528299-2356964677
Opcode ID: 25321eb537932c0355f5b27e8966946a7f4da271f9178e9ca838a8fea8291d4d
Instruction ID: 9aff897d2317de6109b73e4731d28a6353876276e094062f4c74e64771c23ab1
Opcode Fuzzy Hash: 25321eb537932c0355f5b27e8966946a7f4da271f9178e9ca838a8fea8291d4d
Instruction Fuzzy Hash: 5FE1A271D043199BCF14EBA8D8816EDB7B6AF45330F28432BE825AB3D0E7349941AB50

Function 00FEE180 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 433COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FEE21C
___from_strstr_to_strchr.LIBCMT ref: 00FEE22D
___swprintf_l.LIBCMT ref: 00FEE571

Strings

gethostname() failed, continuing without!, xrefs: 00FEE292
user + domain + host name too big, xrefs: 00FEE602

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr$___swprintf_l
String ID: gethostname() failed, continuing without!$user + domain + host name too big
API String ID: 604305841-3375086406
Opcode ID: c3a8d89936bd96bce9fac79b2872e48b5fb30752882a8e47fe1efa721d3b4be0
Instruction ID: 6f887e9e831b47587543167bfb5b7c88cc2eba9463c47e14f31204886fc94209
Opcode Fuzzy Hash: c3a8d89936bd96bce9fac79b2872e48b5fb30752882a8e47fe1efa721d3b4be0
Instruction Fuzzy Hash: 7BF15FB2D00268ABDB20DE55DC41BEAB7F8BB45300F5481D5F58CE7241EA359E85DFA0

Function 00FEEE50 Relevance: 9.1, APIs: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00FEE3C8,?,?), ref: 00FEEE7E
CryptImportKey.ADVAPI32(?,00000208,00000014,00000000,00000000,?), ref: 00FEEED3
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FEEEE1
CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000008,00000008), ref: 00FEEF17
CryptDestroyKey.ADVAPI32(?), ref: 00FEEF20
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FEEF2B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID:
API String ID: 3016261861-0
Opcode ID: 63e275976c5cd18f56b37cde8bbdcecb6d884035118835a89c377c3797154269
Instruction ID: 94ff9d93192d780785bd4120926bcd51dfce09cd7449fdf13a64b418d3d4c036
Opcode Fuzzy Hash: 63e275976c5cd18f56b37cde8bbdcecb6d884035118835a89c377c3797154269
Instruction Fuzzy Hash: 02314B71A1020DABDF20DF94DC45BEEBBB8FF08700F204059FA45B6194DB76A944DB54

Function 00FEEB50 Relevance: 9.1, APIs: 6, Instructions: 80encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00FEEBA4
CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 00FEEBC1
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 00FEEBDB
CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00FEEBED
CryptDestroyHash.ADVAPI32(?), ref: 00FEEBF6
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000002B0,-000086A8), ref: 00FEEC01

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
String ID:
API String ID: 3186506766-0
Opcode ID: c9468288845205f217b4e91c43c6771b077df034ed3e851f94f9452be7a0310a
Instruction ID: b81f3bded1d13b91761bcc7a030484125b2cc46f1d1826101fb671458f02546b
Opcode Fuzzy Hash: c9468288845205f217b4e91c43c6771b077df034ed3e851f94f9452be7a0310a
Instruction Fuzzy Hash: 06218335900208BBDB319FA5EC0AFDE7BB9FF44710F100465F945E2185D7B6AA14DBA4

Function 01099707 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,01099A26,?,00000000), ref: 010997A0
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,01099A26,?,00000000), ref: 010997C9
GetACP.KERNEL32(?,?,01099A26,?,00000000), ref: 010997DE

Strings

OCP, xrefs: 0109975B
ACP, xrefs: 01099725

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 85e516771e3d7fcc1c160db83656aac7d11b90513728a18b90eb95f315717d1d
Instruction ID: bcc804ced4a873c75a202ec9c5a59f1cea25b859a8ce96af46bafe63f846d58b
Opcode Fuzzy Hash: 85e516771e3d7fcc1c160db83656aac7d11b90513728a18b90eb95f315717d1d
Instruction Fuzzy Hash: 4921A432A00100AAEFB58F59C964ADFF7E6FF44A58B4644ACE989D7205EF32D940D350

Function 010998DB Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01090000: GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
Part of subcall function 01090000: _free.LIBCMT ref: 01090037
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 01090078
Part of subcall function 01090000: _abort.LIBCMT ref: 0109007E

Part of subcall function 01090000: _free.LIBCMT ref: 0109005F
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 0109006C

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 010999E7
IsValidCodePage.KERNEL32(00000000), ref: 01099A42
IsValidLocale.KERNEL32(?,00000001), ref: 01099A51
GetLocaleInfoW.KERNEL32(?,00001001,0108AE1C,00000040,?,0108AF3C,00000055,00000000,?,?,00000055,00000000), ref: 01099A99
GetLocaleInfoW.KERNEL32(?,00001002,0108AE9C,00000040), ref: 01099AB8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: e4d2bdd8aa4cb858af3aa966d3ed57dd63bfb22c68947070628c3e623df53f3a
Instruction ID: 16577d58158b50db0a12cb9cadf6491d32e85574caba8c16c358265dc3da0987
Opcode Fuzzy Hash: e4d2bdd8aa4cb858af3aa966d3ed57dd63bfb22c68947070628c3e623df53f3a
Instruction Fuzzy Hash: C7517F71900207ABEF60DFADCCA0AAEB7B8BF15704F0445ADEA85E7144DB749940DB61

Function 01098FA3 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01090000: GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
Part of subcall function 01090000: _free.LIBCMT ref: 01090037
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 01090078
Part of subcall function 01090000: _abort.LIBCMT ref: 0109007E

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0108AE23,?,?,?,?,0108A87A,?,00000006), ref: 01099085
_wcschr.LIBVCRUNTIME ref: 01099115
_wcschr.LIBVCRUNTIME ref: 01099123
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0108AE23,00000000,0108AF43), ref: 010991C6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: b030a745093c29649e7b0097ce057faefc23aebf9d45cdabdf343fa2c492ca88
Instruction ID: a5122c72e7c18a4f8a1c70cf258cc7b63c7393bc0ffb5f7be57a4582eeb95d95
Opcode Fuzzy Hash: b030a745093c29649e7b0097ce057faefc23aebf9d45cdabdf343fa2c492ca88
Instruction Fuzzy Hash: 8E612871600206AAEF24AF38CC65BEB77E8FF45314F05406EFA85D7280EA35E540E7A1

Function 00FF0240 Relevance: 6.0, APIs: 4, Instructions: 37encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,00000000,?,?,00FF0380,?,?,?,?,00000000), ref: 00FF025C
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000010,00000000,?,?,00FF0380,?,?,?,?,00000000), ref: 00FF0276
CryptDestroyHash.ADVAPI32(00000000,?,?,00FF0380,?,?,?,?,00000000), ref: 00FF0284
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00FF0380,?,?,?,?,00000000), ref: 00FF0294

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 2c6f629ab1b20e0fdb37bde742a352a5791e38d5e13a0f67d6e7a24e67809258
Instruction ID: 0a8a4aaddb17520e7056fbe01352e3c9bcd9a62d9d1fceceaa7f6804b3a5815a
Opcode Fuzzy Hash: 2c6f629ab1b20e0fdb37bde742a352a5791e38d5e13a0f67d6e7a24e67809258
Instruction Fuzzy Hash: E8F04F34A51308FBEB308F50CD49FAAB7BCEF08751F108045FA45A6185CB71ED00AB60

Function 0100BF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0100BF5F

Part of subcall function 01071273: KiUserExceptionDispatcher.NTDLL(?,?,?,0100BF47,?,?,?,?,?,?,?,?,0100BF47,?,010E0200), ref: 010712D2

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0100BF7E

Strings

, xrefs: 0100C0DB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: DispatcherExceptionException@8FeaturePresentProcessorThrowUser
String ID:
API String ID: 562353910-3916222277
Opcode ID: 7d2328e740710c20dde81612588674eb345f8aa1170ddc7f193d3098518044af
Instruction ID: 65b4f74dc13b5528b4a83228cfd7fc72d54640bd093a0e8a2b6eaf80bd5baec0
Opcode Fuzzy Hash: 7d2328e740710c20dde81612588674eb345f8aa1170ddc7f193d3098518044af
Instruction Fuzzy Hash: 6D51CBB1D002049FFB2ACFA8D98679ABBF4FB05310F1482AEE984E7684D3759584CF50

Function 00FDEA40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

bind() failed; %s, xrefs: 00FDEB4F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: bind() failed; %s
API String ID: 0-1141498939
Opcode ID: 6939ef3c13cdd8226426c192d445eb185c5cc8990c33fa453e4dde71efdc6c00
Instruction ID: 3fdcfec15e4f38103d577227b2c082f5c7b624f93dc84261f6e174b3adf91b07
Opcode Fuzzy Hash: 6939ef3c13cdd8226426c192d445eb185c5cc8990c33fa453e4dde71efdc6c00
Instruction Fuzzy Hash: A431F5716007069FE7209F64EC85B96BBE9FF44321F08002BF5588A341D37AA854D7A1

Function 01079047 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0107913F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 01079149
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 01079156

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 647d2f6635ac7b80bc40227012bd0c05d1b53bbf524b74e47d2be57b02b68d05
Instruction ID: 8e0eb3a21724180053a231d791181a725f3feb22306a5096b4d6bce3a636fee3
Opcode Fuzzy Hash: 647d2f6635ac7b80bc40227012bd0c05d1b53bbf524b74e47d2be57b02b68d05
Instruction Fuzzy Hash: 2731E774D0121D9BDB61DF68D988BCDBBB8BF18310F5042DAE44CA7290E7349B818F48

Function 01089701 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,010896D7,00000003,010ED518,0000000C,0108982E,00000003,00000002,00000000,?,01086523,00000003), ref: 01089722
TerminateProcess.KERNEL32(00000000,?,010896D7,00000003,010ED518,0000000C,0108982E,00000003,00000002,00000000,?,01086523,00000003), ref: 01089729
ExitProcess.KERNEL32 ref: 0108973B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: be476df1e1487a72f9ee568e5f737c9c0c38fd9856958468d33523acf9236e42
Instruction ID: 10521a1a64509f6a984fab4776e0135e2ed9e39e3281134ed5e8c22639200c12
Opcode Fuzzy Hash: be476df1e1487a72f9ee568e5f737c9c0c38fd9856958468d33523acf9236e42
Instruction Fuzzy Hash: E9E0EC31014209BFCF257F64D99CAAA3F79FF85285F004464F9D99A129DB3AD942DB40

Function 01092AD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0108A87A,?,00000006), ref: 01092B2B

Strings

GetLocaleInfoEx, xrefs: 01092AF3

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 85d3d991fd42e29eea2e613d144c74147803309969807680e19c3c115b37b1a1
Instruction ID: a25ee6bbed5c33ab0dba5fef0966979b0ff82fe41e5d93bc69b0961e0832db6f
Opcode Fuzzy Hash: 85d3d991fd42e29eea2e613d144c74147803309969807680e19c3c115b37b1a1
Instruction Fuzzy Hash: 70F0F631601208F7CF21AF51DC59EEF7B69EF28B10F00451DFC856A244CA728910AB91

Function 00FDC1C0 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00FDC8D8), ref: 00FDC1EC
GetCurrentProcessId.KERNEL32(?,?,00FDC53D,0000FF0D,0000B8E8,00000073,00FDC8F8,?,?,?,00FDC8F8,?,00000073,0000FF0D,?), ref: 00FDC223

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CurrentProcesshtons
String ID:
API String ID: 2530476045-0
Opcode ID: 2d489e3a24ea70ba78b3f350a23d2f43a9df3b30cef07ef334a45a7763718012
Instruction ID: ff274c9f1eff2738eff1e5300e5e50188108be26941adf5f8c8b37a00f7564f1
Opcode Fuzzy Hash: 2d489e3a24ea70ba78b3f350a23d2f43a9df3b30cef07ef334a45a7763718012
Instruction Fuzzy Hash: F7015A795143948BCB008F69D4806A6B7A4FF19310F05928AEC889F31AE774E590C7A9

Function 00FF01E0 Relevance: 3.0, APIs: 2, Instructions: 22encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00FF034F,00000000,00000000,00000001,F0000000,00000000,?,00FF034F,?,?,00000000,?,00000000,00000000,?), ref: 00FF01F3
CryptCreateHash.ADVAPI32(00FF034F,00008003,00000000,00000000,00FF0353,?,00FF034F,?,?,00000000,?,00000000,00000000,?), ref: 00FF020C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID:
API String ID: 1914063823-0
Opcode ID: 1ce8166f9d642e1488f095a0e4b4ea5e9947d17329cb95b36f17532fff704daf
Instruction ID: 91183d1cb12e48eef74bcfa386ce8b918eaf0817fc0f29055cd4ece02ea30a5a
Opcode Fuzzy Hash: 1ce8166f9d642e1488f095a0e4b4ea5e9947d17329cb95b36f17532fff704daf
Instruction Fuzzy Hash: E5E01731290318BBFA305A50EC4AFD677ACAB04B50F214411B785BA0C8CBE2B9009BA8

Function 00F8F870 Relevance: 3.0, APIs: 2, Instructions: 14encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F8F87D
CryptDestroyHash.ADVAPI32(?,?,00000000), ref: 00F8F888

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: 9c32661b4c1201ede155c326d938bd29a13283a8fe31296ccd4f81e74f35ec5d
Instruction ID: d56ed056a9909f81da301e9e64bd53f9be381159b8ce2253c35ec762479f07c3
Opcode Fuzzy Hash: 9c32661b4c1201ede155c326d938bd29a13283a8fe31296ccd4f81e74f35ec5d
Instruction Fuzzy Hash: 3AD0C936111214EFCB119F98E848EC6BBF8FF0D7A1F004051FA898B224CB72A810CF91

Function 01099266 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01090000: GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
Part of subcall function 01090000: _free.LIBCMT ref: 01090037
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 01090078
Part of subcall function 01090000: _abort.LIBCMT ref: 0109007E

EnumSystemLocalesW.KERNEL32(0109938E,00000001,00000000,?,0108AE1C,?,010999BB,00000000,?,?,?), ref: 010992D8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 2cf201450bf077fb9b8816008a7c9a0659fc9ff34a6dcb8ffbcb5752d272217b
Instruction ID: 7ec68db79daadb7cbeb606bb4e8c1754b32e33a515a26a7f8ed292311ae99454
Opcode Fuzzy Hash: 2cf201450bf077fb9b8816008a7c9a0659fc9ff34a6dcb8ffbcb5752d272217b
Instruction Fuzzy Hash: 8411E5362047059FDF289F39C8A16BAB7A2FF80368B15846CE9C687A40D375A942DB40

Function 01099301 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01090000: GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
Part of subcall function 01090000: _free.LIBCMT ref: 01090037
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 01090078
Part of subcall function 01090000: _abort.LIBCMT ref: 0109007E

EnumSystemLocalesW.KERNEL32(010995DE,00000001,00000006,?,0108AE1C,?,0109997F,0108AE1C,?,?,?,?,?,0108AE1C,?,?), ref: 0109934D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: fe41f43ba10ec097e576e75288f58030dc47e36a5c15c291341ab9a0bdafe8aa
Instruction ID: 17ea9999bbbb136487fef1ed0daab80316e9053628082680581b65d8fcc09214
Opcode Fuzzy Hash: fe41f43ba10ec097e576e75288f58030dc47e36a5c15c291341ab9a0bdafe8aa
Instruction Fuzzy Hash: A9F022322003055FDF255F3998A0AAA7BE4EF8022CF06C06CFA898B680D6719802A700

Function 0109258C Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01085CE5: EnterCriticalSection.KERNEL32(?,?,0108FDA0,?,010ED6E0,00000008,0108FE6E,?,?,?), ref: 01085CF4

EnumSystemLocalesW.KERNEL32(01092546,00000001,010ED800,0000000C), ref: 010925C4

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 498a4dd40862eee2292bcbdd817c43713dd70ee9bb7350902bd25bdd9be2f046
Instruction ID: 152b71c82ad25036a02352c11c2a00cd453b492d9ad4c103055a6f61d28c18ec
Opcode Fuzzy Hash: 498a4dd40862eee2292bcbdd817c43713dd70ee9bb7350902bd25bdd9be2f046
Instruction Fuzzy Hash: ACF06D72A10205EFEB21EFA8D946B9D77F1FB14320F01825AF484DB695CB7A8941DF40

Function 0109921B Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01090000: GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
Part of subcall function 01090000: _free.LIBCMT ref: 01090037
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 01090078
Part of subcall function 01090000: _abort.LIBCMT ref: 0109007E

EnumSystemLocalesW.KERNEL32(01099172,00000001,00000006,?,?,010999DD,0108AE1C,?,?,?,?,?,0108AE1C,?,?,?), ref: 01099252

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 608bfdea639c2ecd5f2afa0392fdf8d4a5d0f5ca2ef3023106bbd9904bbf0bda
Instruction ID: 1feb835cf176808b948f1a9ff4d91baf57b7853407a8506e61c725920edd49a8
Opcode Fuzzy Hash: 608bfdea639c2ecd5f2afa0392fdf8d4a5d0f5ca2ef3023106bbd9904bbf0bda
Instruction Fuzzy Hash: 5BF0553630020557CF049F39C8657AB7FA4FFC1A14F06409CFA898B245C2369842D790

Function 00FF0220 Relevance: 1.5, APIs: 1, Instructions: 10encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(?,?,?,00000000,?,00FF0374,?,?,00000000,?,?,?,00000000,?,00000000,00000000), ref: 00FF0231

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: 5e5db651352df5325914c26d286df752aa353cea707c2471faff2e7f3509ed32
Instruction ID: 63e0133ce2f4a79a8de01bcc0d13b84105b06a97f5dee5397810a9950f7dbbb2
Opcode Fuzzy Hash: 5e5db651352df5325914c26d286df752aa353cea707c2471faff2e7f3509ed32
Instruction Fuzzy Hash: 67C00236150208ABCF115F84DC49F997BA9BB08610F048050BA184A165C772E5209B44

Function 00FD9D10 Relevance: 89.4, APIs: 1, Strings: 50, Instructions: 134COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 00FD9F25

Strings

Bad protocol, xrefs: 00FD9DB1
Bad message size, xrefs: 00FD9DA7
Protocol option is unsupported, xrefs: 00FD9DBB
Not empty, xrefs: 00FD9EA5
Operation not supported, xrefs: 00FD9DD9
Call interrupted, xrefs: 00FD9D43
Host not found, try again, xrefs: 00FD9F15
Connection refused, xrefs: 00FD9E79
Protocol family not supported, xrefs: 00FD9DED
Socket has been shut down, xrefs: 00FD9E5B
Unrecoverable error in call to nameserver, xrefs: 00FD9F0E, 00FD9F23
Remote error, xrefs: 00FD9EC8
Socket is already connected, xrefs: 00FD9E47
Out of file descriptors, xrefs: 00FD9D75
Call would block, xrefs: 00FD9D7F
Loop??, xrefs: 00FD9E83
Winsock library is not ready, xrefs: 00FD9ED6
Bad argument, xrefs: 00FD9D61
Blocking call in progress, xrefs: 00FD9D89
Address already in use, xrefs: 00FD9DF7
Bad quota, xrefs: 00FD9EBA
Too many users, xrefs: 00FD9EB3
Something is stale, xrefs: 00FD9EC1
Descriptor is not a socket, xrefs: 00FD9D93
Socket is not connected, xrefs: 00FD9E51
Network down, xrefs: 00FD9E0B
Winsock version not supported, xrefs: 00FD9EE4
Name too long, xrefs: 00FD9E8D
Address not available, xrefs: 00FD9E01
Network unreachable, xrefs: 00FD9E15
Connection was aborted, xrefs: 00FD9E29
Protocol is unsupported, xrefs: 00FD9DC5
Winsock library not initialised, xrefs: 00FD9EDD
Host not found, xrefs: 00FD9EEB
Host unreachable, xrefs: 00FD9E9E
Host down, xrefs: 00FD9E97
Network has been reset, xrefs: 00FD9E1F
Need destination address, xrefs: 00FD9D9D
Connection was reset, xrefs: 00FD9E33
Bad file, xrefs: 00FD9D4D
Socket is unsupported, xrefs: 00FD9DCF
Process limit reached, xrefs: 00FD9EAC
Timed out, xrefs: 00FD9E6F
Invalid arguments, xrefs: 00FD9D6B
No buffer space, xrefs: 00FD9E3D
Disconnected, xrefs: 00FD9ECF
No data record of requested type, xrefs: 00FD9F07
Too many references, xrefs: 00FD9E65
Address family not supported, xrefs: 00FD9DE3
Bad access, xrefs: 00FD9D57

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _strncpy
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 2961919466-3442644082
Opcode ID: b37d2f9593d3773ccff499087f71279ce866ce1c86f26d26a2819179e18aaaf9
Instruction ID: 59a07c501b0abd43f9684f75e0a62b3a79b9850d218130f0250e653f1839ef5d
Opcode Fuzzy Hash: b37d2f9593d3773ccff499087f71279ce866ce1c86f26d26a2819179e18aaaf9
Instruction Fuzzy Hash: E3414223B0D2229245140FDCA6A42A12796F3627107ADCA13F487EB303C7D6CE633392

Function 00FDCF00 Relevance: 66.9, APIs: 22, Strings: 16, Instructions: 381libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDD410: ___swprintf_l.LIBCMT ref: 00FDD481

Part of subcall function 00FDD700: WSAStartup.WS2_32(00000002,?), ref: 00FDD720

Part of subcall function 00FEB880: GetModuleHandleA.KERNEL32(kernel32,?,00FDCF7C,WS2_32.DLL), ref: 00FEB88E

GetLastError.KERNEL32 ref: 00FDCF86

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

GetProcAddress.KERNEL32(00000000,WSACreateEvent), ref: 00FDCFB5
GetLastError.KERNEL32 ref: 00FDCFC2
FreeLibrary.KERNEL32(?), ref: 00FDCFDA

Strings

WSAEnumNetworkEvents failed (%d), xrefs: 00FDD23C
failed to find WSAEventSelect function (%d), xrefs: 00FDD035
, xrefs: 00FDD2D8
failed to find WSAEnumNetworkEvents function (%d), xrefs: 00FDD058
WS2_32.DLL, xrefs: 00FDCF72
WSACreateEvent, xrefs: 00FDCFAF
FreeLibrary(wsock2) failed (%d), xrefs: 00FDD37A
WSAEnumNetworkEvents, xrefs: 00FDD03C
WSACloseEvent, xrefs: 00FDCFF6
failed to find WSACreateEvent function (%d), xrefs: 00FDCFC9
WSACloseEvent failed (%d), xrefs: 00FDD358
WSAEventSelect, xrefs: 00FDD019
failed to find WSACloseEvent function (%d), xrefs: 00FDD012
Time-out, xrefs: 00FDD334
failed to load WS2_32.DLL (%d), xrefs: 00FDCF8D
WSACreateEvent failed (%d), xrefs: 00FDD073

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast___swprintf_l$AddressFreeHandleLibraryModuleProcStartup
String ID: $FreeLibrary(wsock2) failed (%d)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$failed to find WSACloseEvent function (%d)$failed to find WSACreateEvent function (%d)$failed to find WSAEnumNetworkEvents function (%d)$failed to find WSAEventSelect function (%d)$failed to load WS2_32.DLL (%d)
API String ID: 2508201097-2939610961
Opcode ID: ccf75f1ef9ff68f5dfb2ee0a259e22756f25567deef7b80c141a62705da5f033
Instruction ID: 146bc3ecb4fc75dbfd91c30649a7368ad952ac1c245dd15cb2adba5672ae69c5
Opcode Fuzzy Hash: ccf75f1ef9ff68f5dfb2ee0a259e22756f25567deef7b80c141a62705da5f033
Instruction Fuzzy Hash: 86D10A71E00209AFDB159FA4DD89BEEBB7AEF00311F18012AF945E6394D7768C40E751

Function 00FD6890 Relevance: 47.5, APIs: 19, Strings: 8, Instructions: 204COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FD68BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD68E3
___swprintf_l.LIBCMT ref: 00FD68F5
__allrem.LIBCMT ref: 00FD691A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6928
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6938
___swprintf_l.LIBCMT ref: 00FD694A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6970
___swprintf_l.LIBCMT ref: 00FD6982
__allrem.LIBCMT ref: 00FD69A4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD69B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD69C2
___swprintf_l.LIBCMT ref: 00FD69D4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD69F9
___swprintf_l.LIBCMT ref: 00FD6A0B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6A30
___swprintf_l.LIBCMT ref: 00FD6A42
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6A59
___swprintf_l.LIBCMT ref: 00FD6A6B

Strings

%2I64d.%0I64dM, xrefs: 00FD6942
%4I64dP, xrefs: 00FD6A63
%2I64d.%0I64dG, xrefs: 00FD69CC
%4I64dT, xrefs: 00FD6A3A
%4I64dM, xrefs: 00FD697A
%5I64d, xrefs: 00FD68B2
%4I64dk, xrefs: 00FD68ED
%4I64dG, xrefs: 00FD6A03

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$___swprintf_l$__allrem
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 2797256748-2102732564
Opcode ID: be2ed80fae07a404ee308e5447fe8f7791723c71939fe606ba3f5869236bb4aa
Instruction ID: 5b9d0b7532bf9ab7c9d61cb994b455f8e2cfd01ea2bb11a3850e418afe508033
Opcode Fuzzy Hash: be2ed80fae07a404ee308e5447fe8f7791723c71939fe606ba3f5869236bb4aa
Instruction Fuzzy Hash: A141D177B8126436E92175492C02FEF321ECBD1FA5F19006AFB44FB2C1D6A5A91112FA

Function 00FDCB60 Relevance: 35.3, APIs: 8, Strings: 12, Instructions: 285COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FDCC1B
___from_strstr_to_strchr.LIBCMT ref: 00FDCC80
___from_strstr_to_strchr.LIBCMT ref: 00FDCC92
___from_strstr_to_strchr.LIBCMT ref: 00FDCCA6
___from_strstr_to_strchr.LIBCMT ref: 00FDCD42
___from_strstr_to_strchr.LIBCMT ref: 00FDCD54
___from_strstr_to_strchr.LIBCMT ref: 00FDCD68
___from_strstr_to_strchr.LIBCMT ref: 00FDCD7D

Strings

default, xrefs: 00FDCCCD, 00FDCCE5, 00FDCDA5, 00FDCDC6
Failed sending DICT request, xrefs: 00FDCC5C, 00FDCD20, 00FDCE0C
/DEFINE:, xrefs: 00FDCBDA
CLIENT libcurl 7.52.1%sQUIT, xrefs: 00FDCC45
/LOOKUP:, xrefs: 00FDCC06
/FIND:, xrefs: 00FDCBC2
/D:, xrefs: 00FDCBF2
lookup word is missing, xrefs: 00FDCCBF, 00FDCD95
/MATCH:, xrefs: 00FDCB8C
/M:, xrefs: 00FDCBAA
CLIENT libcurl 7.52.1MATCH %s %s %sQUIT, xrefs: 00FDCDEC
CLIENT libcurl 7.52.1DEFINE %s %sQUIT, xrefs: 00FDCCFE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.52.1%sQUIT$CLIENT libcurl 7.52.1DEFINE %s %sQUIT$CLIENT libcurl 7.52.1MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 601868998-539049603
Opcode ID: cd9e295a6081f58697d738f75604df81f1be09a10f86cf97e16a6ec1b8c2179c
Instruction ID: 67faa553ad355bc75e5bfc8c371bf77ee1ec6e3b0b7f74e8fbe4533afc3abfce
Opcode Fuzzy Hash: cd9e295a6081f58697d738f75604df81f1be09a10f86cf97e16a6ec1b8c2179c
Instruction Fuzzy Hash: 14816C32F0024627DB2126655D42BAE7F9A9F92B25F0C017AFD48EB342F6655E01E3D1

Function 00FCAF30 Relevance: 31.9, APIs: 4, Strings: 14, Instructions: 369COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00FCAF50
___from_strstr_to_strchr.LIBCMT ref: 00FCB081
___from_strstr_to_strchr.LIBCMT ref: 00FCB179

Strings

Please URL encode %% as %%25, see RFC 6874., xrefs: 00FCB109
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 00FCB046
https, xrefs: 00FCAF66
No valid port number in proxy string (%s), xrefs: 00FCB1CC
socks4a, xrefs: 00FCAFBD
socks, xrefs: 00FCAFEF
%25, xrefs: 00FCB0F8
Invalid IPv6 address format, xrefs: 00FCB166
socks5, xrefs: 00FCAF9F
http:, xrefs: 00FCB003
://, xrefs: 00FCAF3C
socks4, xrefs: 00FCAFDB
Unsupported proxy scheme for '%s', xrefs: 00FCB015
socks5h, xrefs: 00FCAF81

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_strstr
String ID: %25$://$Invalid IPv6 address format$No valid port number in proxy string (%s)$Please URL encode %% as %%25, see RFC 6874.$Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$http:$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 2668852316-741215929
Opcode ID: b8f046a0ca28ddd57aef0bdfe234fa8e3702e6baa479b0eff4fd99ba96e6f2a1
Instruction ID: d7b3f604bc37c908ffde0caeb6c4eb37be24b1674f4a78eadff3479e71742739
Opcode Fuzzy Hash: b8f046a0ca28ddd57aef0bdfe234fa8e3702e6baa479b0eff4fd99ba96e6f2a1
Instruction Fuzzy Hash: 03C16879E403466BDB301E24ED87FAF7BA59F11364F08006DFC899A242E3758905E7A2

Function 010190B0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,05CEC6CE,00691A68,0101537C,?,?,0101537C,05CEC6CE), ref: 010190DD
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 010190F9
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0101910B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0101911E
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 01019131
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 01019140
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0101914F
new.LIBCMT ref: 01019159
new.LIBCMT ref: 010191B3

Strings

InitializeSRWLock, xrefs: 010190F3
kernel32.dll, xrefs: 010190D8
AcquireSRWLockExclusive, xrefs: 01019105
WakeAllConditionVariable, xrefs: 01019149
ReleaseSRWLockExclusive, xrefs: 01019118
SleepConditionVariableSRW, xrefs: 0101913A
InitializeConditionVariable, xrefs: 0101912B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$InitializeConditionVariable$InitializeSRWLock$ReleaseSRWLockExclusive$SleepConditionVariableSRW$WakeAllConditionVariable$kernel32.dll
API String ID: 667068680-3190095727
Opcode ID: 5e732f0e38022f61460ba85eaefdf2efa9cc634760a3825dbf641a0a13af9031
Instruction ID: f466cab8d0ef3cd8df2b26c70d736ccfddac36d7a36d3a6ae0d33ff540063f5e
Opcode Fuzzy Hash: 5e732f0e38022f61460ba85eaefdf2efa9cc634760a3825dbf641a0a13af9031
Instruction Fuzzy Hash: 7241B3B1A40B159BE7219F69C895B9BFBF8FF04A14F00062EE985E7740D7B9D5048BD0

Function 00FEBF20 Relevance: 25.0, APIs: 2, Strings: 12, Instructions: 476COMMON

Download Yara Rule

Strings

%s, xrefs: 00FEC1F8
couldn't open file "%s", xrefs: 00FEC42F
, xrefs: 00FEC228
Content-Disposition: form-data; name=", xrefs: 00FEC06E
%s; boundary=%s, xrefs: 00FEBFB9
Content-Type: %s, xrefs: 00FEC1BC
--%sContent-Disposition: attachment, xrefs: 00FEC152
--%s--, xrefs: 00FEC4A6
--%s, xrefs: 00FEC04F
--%s--, xrefs: 00FEC46C
Content-Type: multipart/form-data, xrefs: 00FEBFB0, 00FEBFB8
Content-Type: multipart/mixed; boundary=%s, xrefs: 00FEC10C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: $%s$--%sContent-Disposition: attachment$--%s--$--%s--$Content-Type: %s$Content-Type: multipart/mixed; boundary=%s$%s; boundary=%s$--%s$Content-Disposition: form-data; name="$Content-Type: multipart/form-data$couldn't open file "%s"
API String ID: 0-530302859
Opcode ID: dbc28f13c096eec68dbaf68c56c14dd0c4a2f6a4375e9eb35b740445cb85c7d1
Instruction ID: 24908868418e59c40720564ca4ba7a1c27e51e2b8c869c138b89eeaafe2d798a
Opcode Fuzzy Hash: dbc28f13c096eec68dbaf68c56c14dd0c4a2f6a4375e9eb35b740445cb85c7d1
Instruction Fuzzy Hash: 8FF1B272D4026D9BCF21DA55CC89BEA73B8AB54710F0405E9FD48A7242E735DE829FE0

Function 00FDF690 Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 282networkCOMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FDF79E
___swprintf_l.LIBCMT ref: 00FDF804
___swprintf_l.LIBCMT ref: 00FDF855
___swprintf_l.LIBCMT ref: 00FDF898
sendto.WS2_32(?,?,octet,00000000,00000000,?), ref: 00FDF8E5
WSAGetLastError.WS2_32 ref: 00FDF8EF

Strings

timeout, xrefs: 00FDF8A3
%s%c%s%c, xrefs: 00FDF78F
netascii, xrefs: 00FDF6B0
tsize, xrefs: 00FDF81D
%I64d, xrefs: 00FDF7F9
blksize, xrefs: 00FDF860
octet, xrefs: 00FDF6A6, 00FDF784, 00FDF825, 00FDF83B, 00FDF868, 00FDF881, 00FDF8AB, 00FDF8C1, 00FDF8DB
tftp_send_first: internal error, xrefs: 00FDF98A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l$ErrorLastsendto
String ID: %I64d$%s%c%s%c$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
API String ID: 1708266137-1778150644
Opcode ID: 06d60955f22a731b78f9993761b1378a7ef592c48da182c716ada28fc28bd3e0
Instruction ID: 5a5f15a8c3f7a7b07b5063c65636e8195d2544f147ff6ba112e7b4a28c9360a9
Opcode Fuzzy Hash: 06d60955f22a731b78f9993761b1378a7ef592c48da182c716ada28fc28bd3e0
Instruction Fuzzy Hash: 89912DB2A00204AFD721EF64DC46FEB77BAEF45310F08056AF94ADB342DA35A905D761

Function 01008E70 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 215libraryloadertimeCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0000000F,05CEC6CE,7622DF60,010A48B4), ref: 01008EDD
TlsGetValue.KERNEL32(0000000F), ref: 01008EF2
TlsGetValue.KERNEL32(0000000F), ref: 01008F0E
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 01008F3E
GetModuleHandleA.KERNEL32(KERNEL32.DLL,SetWaitableTimerEx), ref: 01008F88
GetProcAddress.KERNEL32(00000000), ref: 01008F8F
WaitForMultipleObjectsEx.KERNEL32(00000000,?,00000000,00000000,00000000,05CEC6CE,7622DF60,010A48B4), ref: 01009019
CloseHandle.KERNEL32(00000000), ref: 01009077
TlsGetValue.KERNEL32(0000000F), ref: 010090AA
ResetEvent.KERNEL32(?), ref: 010090B3
__CxxThrowException@8.LIBVCRUNTIME ref: 010090C2
CloseHandle.KERNEL32(00000000), ref: 010090D8

Strings

SetWaitableTimerEx, xrefs: 01008F7E
KERNEL32.DLL, xrefs: 01008F83

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Value$Handle$Close$AddressCreateEventException@8ModuleMultipleObjectsProcResetThrowTimerWaitWaitable
String ID: KERNEL32.DLL$SetWaitableTimerEx
API String ID: 888221587-2877992516
Opcode ID: 0550cb4b256944e252dae36e00b0f012c952c7042306eddaf2dcd5b7cfd63a5b
Instruction ID: 0dd4d311cb5e908cb320d65943bfa52cceac4dbdce0913c328e1543ecb536eb7
Opcode Fuzzy Hash: 0550cb4b256944e252dae36e00b0f012c952c7042306eddaf2dcd5b7cfd63a5b
Instruction Fuzzy Hash: 4F71A570E002099FEB66CFA8D884BEE7BB9BF44324F14471AF5A6E72C5D73499418B50

Function 00FDE370 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 198networkCOMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FDE42E
___swprintf_l.LIBCMT ref: 00FDE4B5
___swprintf_l.LIBCMT ref: 00FDE4EC
send.WS2_32(?,?,00000006,00000000), ref: 00FDE50D
WSAGetLastError.WS2_32 ref: 00FDE517
___swprintf_l.LIBCMT ref: 00FDE599
send.WS2_32(?,?,?,00000000), ref: 00FDE5B1
WSAGetLastError.WS2_32 ref: 00FDE5BB

Strings

%c%c, xrefs: 00FDE4DD
%c%c%c%c, xrefs: 00FDE41D
%127[^,],%127s, xrefs: 00FDE47B
%c%c%c%c%s%c%c, xrefs: 00FDE583
Sending data failed (%d), xrefs: 00FDE51E, 00FDE5C2
%c%s%c%s, xrefs: 00FDE4A6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l$ErrorLastsend
String ID: %127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
API String ID: 1939966535-3318542072
Opcode ID: 74c7a4b644dee5687b68baf11365a5cc7122b0bcf49566ee419bdd24d244f96b
Instruction ID: a5588fbfddb86178aa21a8d0ddb34ddd404722d3cbea693b06fdb240a30ea4f9
Opcode Fuzzy Hash: 74c7a4b644dee5687b68baf11365a5cc7122b0bcf49566ee419bdd24d244f96b
Instruction Fuzzy Hash: 8F610CB5A402056FE730EA14CC86FF7736DAF44744F0841A9F689EB283DA757A049B50

Function 00FA7C80 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 299synchronizationCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,05CEC6CE), ref: 00FA7CB4
ShellExecuteExW.SHELL32(0000003C), ref: 00FA7D24
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FA7D33
CloseHandle.KERNEL32(?), ref: 00FA7D3C
GetLastError.KERNEL32 ref: 00FA7D4D

Part of subcall function 00F93880: new.LIBCMT ref: 00F93896

Strings

installer, xrefs: 00FA7DF7, 00FA7F7F
@, xrefs: 00FA7CDD
]: , xrefs: 00FA7E4C, 00FA7FD4
shell execute ex failed. err=, xrefs: 00FA7E58
RunInstallerWithUAC::<lambda_54f122fa2d586c8735354f7e2e6d282c>::operator (), xrefs: 00FA7E1B, 00FA7FA3
failed coinitializeex. result=, xrefs: 00FA7FE0
<, xrefs: 00FA7CD6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CloseErrorExecuteHandleInitializeLastObjectShellSingleWait
String ID: <$@$RunInstallerWithUAC::<lambda_54f122fa2d586c8735354f7e2e6d282c>::operator ()$]: $failed coinitializeex. result=$installer$shell execute ex failed. err=
API String ID: 2044801028-2639624214
Opcode ID: d7a1d089eb94df66ba979b092e879a27a8dcd1a149ef14381ef2429057dea039
Instruction ID: 56e1dea454b0932fdd0159acb6f38102230753e7a00561ed6992b7c8f47478c0
Opcode Fuzzy Hash: d7a1d089eb94df66ba979b092e879a27a8dcd1a149ef14381ef2429057dea039
Instruction Fuzzy Hash: 36B1B0B0E00349ABEF10EBA5CC45BAEBBB9BF01754F10412DE8417B281DB786E45DB95

Function 00FECFA0 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 290COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FED054

Part of subcall function 00FEE030: ___swprintf_l.LIBCMT ref: 00FEE04D

Strings

%s, algorithm="%s", xrefs: 00FED2D7
%s:%s, xrefs: 00FED13B, 00FED169
%s, opaque="%s", xrefs: 00FED2AE
auth, xrefs: 00FED256
%s:%s:%s, xrefs: 00FED0A2, 00FED0FB, 00FED1DB
%s:%s:%08x:%s:%s:%s, xrefs: 00FED1C2
username="%s", realm="%s", nonce="%s", uri="%s", response="%s", xrefs: 00FED284
d41d8cd98f00b204e9800998ecf8427e, xrefs: 00FED163
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s", xrefs: 00FED24C
%08x%08x%08x%08x, xrefs: 00FED04C
auth-int, xrefs: 00FED151

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %08x%08x%08x%08x$%s, algorithm="%s"$%s, opaque="%s"$%s:%s$%s:%s:%08x:%s:%s:%s$%s:%s:%s$auth$auth-int$d41d8cd98f00b204e9800998ecf8427e$username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"$username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
API String ID: 48624451-3873893103
Opcode ID: e10822820cfece33384d16975526cbfbac06a63f491e9ef19534d4362e17f7b0
Instruction ID: 3b333ed624be4164cec269cba4c9031d05cfdd3543ab93152e0515a708158309
Opcode Fuzzy Hash: e10822820cfece33384d16975526cbfbac06a63f491e9ef19534d4362e17f7b0
Instruction Fuzzy Hash: AEA181B1E00219AFDF20AFA5CC85FEAB7BDEF04314F040195FA08A7605E7359E559BA1

Function 00FDD410 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 198COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FDD481
_strncpy.LIBCMT ref: 00FDD53E
_strncpy.LIBCMT ref: 00FDD583

Strings

XDISPLOC, xrefs: 00FDD561
BINARY, xrefs: 00FDD63F
Unknown telnet option %s, xrefs: 00FDD698
USER,%s, xrefs: 00FDD476
NEW_ENV, xrefs: 00FDD5A6
%127[^= ]%*[ =]%255s, xrefs: 00FDD4FE
%hu%*[xX]%hu, xrefs: 00FDD616
Syntax error in telnet option: %s, xrefs: 00FDD6B1
TTYPE, xrefs: 00FDD51C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _strncpy$___swprintf_l
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 1627702573-748038847
Opcode ID: ea99f694fbd7d59e4ba122c2c9a214c8dfc2a1c8ef7a70b0308d105dd23876cb
Instruction ID: c9e970cd475176c22765b70aa4d0b23a47fe5f13f89d461b92dc3ea9de7fd8af
Opcode Fuzzy Hash: ea99f694fbd7d59e4ba122c2c9a214c8dfc2a1c8ef7a70b0308d105dd23876cb
Instruction Fuzzy Hash: 2A71D672D00209ABDF21EB64DC41FDAB3A9AF04304F4444AAE58DD7242EE35FA54AB91

Function 0101A0C0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000004,00000004,01019D4B,05CEC6CE,00000004,00000004,00000004,010A66A8,000000FF,?,01016931,05CEC6CE,00000000), ref: 0101A0C7
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0101A0DF
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0101A0F0
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0101A101
GetProcAddress.KERNEL32(00000000,AcquireSRWLockShared), ref: 0101A112
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockShared), ref: 0101A123

Strings

InitializeSRWLock, xrefs: 0101A0D9
kernel32.dll, xrefs: 0101A0C2
AcquireSRWLockShared, xrefs: 0101A10C
AcquireSRWLockExclusive, xrefs: 0101A0EA
ReleaseSRWLockExclusive, xrefs: 0101A0FB
ReleaseSRWLockShared, xrefs: 0101A11D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$AcquireSRWLockShared$InitializeSRWLock$ReleaseSRWLockExclusive$ReleaseSRWLockShared$kernel32.dll
API String ID: 667068680-2154951675
Opcode ID: 07293d2a04cb59e20e673482c590e9fb336b0fe97e67e9b295fb07a8e30b351f
Instruction ID: 361cc553cd824654b6a2b180c9d9b07279966bac5b24484a9a9aaafb17788b4b
Opcode Fuzzy Hash: 07293d2a04cb59e20e673482c590e9fb336b0fe97e67e9b295fb07a8e30b351f
Instruction Fuzzy Hash: EC0196702027129657717F2AAC5EA86BAE8BF5966CB05007DF5C0D760CE77DC001CF95

Function 0109792F Relevance: 19.6, APIs: 13, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0109794C

Part of subcall function 010872F5: RtlFreeHeap.NTDLL(00000000,00000000,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?), ref: 0108730B
Part of subcall function 010872F5: GetLastError.KERNEL32(?,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?,?), ref: 0108731D

_free.LIBCMT ref: 0109795E
_free.LIBCMT ref: 01097970
_free.LIBCMT ref: 01097982
_free.LIBCMT ref: 01097994
_free.LIBCMT ref: 010979A6
_free.LIBCMT ref: 010979B8
_free.LIBCMT ref: 010979CA
_free.LIBCMT ref: 010979DC
_free.LIBCMT ref: 010979EE
_free.LIBCMT ref: 01097A00
_free.LIBCMT ref: 01097A12
_free.LIBCMT ref: 01097A24

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 339bf1772065d8308d6ce1f2792c71d8708f5e37cc09d38a48951f44fc4e0ce3
Instruction ID: 87654d2bdba9556839f2acf23d0d1c3111933eab28705b9c9227219398b61434
Opcode Fuzzy Hash: 339bf1772065d8308d6ce1f2792c71d8708f5e37cc09d38a48951f44fc4e0ce3
Instruction Fuzzy Hash: 7E212A73918301AB9BB0EA6DE492D6A77FAFB503107640889F1C5D7D4DCE39F8818E24

Function 00FA5CA0 Relevance: 19.6, APIs: 3, Strings: 8, Instructions: 312COMMON

Download Yara Rule

APIs

___std_type_info_name.LIBVCRUNTIME ref: 00FA5F29

Strings

Dynamic exception type: , xrefs: 00FA5F4C
): , xrefs: 00FA5EA4
Throw location unknown (consider using BOOST_THROW_EXCEPTION), xrefs: 00FA5E70
std::exception::what: , xrefs: 00FA600D
Throw in function , xrefs: 00FA5ED2
Unknown exception., xrefs: 00FA5CF3
H, xrefs: 00FA5DB9
(unknown), xrefs: 00FA5EF5

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_type_info_name
String ID: (unknown)$): $Dynamic exception type: $H$Throw in function $Throw location unknown (consider using BOOST_THROW_EXCEPTION)$Unknown exception.$std::exception::what:
API String ID: 1734802720-3314828008
Opcode ID: 2a3929e2bf86a0980d397eb23ad1f022d3f0c51c45ae1251b056053ca09e1640
Instruction ID: d0ef9665df0b21152c90e3718e9daeb6fe94c7d25b135d54c1c339f4d54ab32a
Opcode Fuzzy Hash: 2a3929e2bf86a0980d397eb23ad1f022d3f0c51c45ae1251b056053ca09e1640
Instruction Fuzzy Hash: 0AC1E4B1D00319AFEF20DB60CC45BDEB7B8AF51704F0445A9E54DAB242EB749A88DF61

Function 01008A30 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 185libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetTickCount64), ref: 01008A6D
GetProcAddress.KERNEL32(00000000), ref: 01008A74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01008B6D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01008B94
__allrem.LIBCMT ref: 01008B9F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01008BC6
__allrem.LIBCMT ref: 01008BD1
SystemTimeToFileTime.KERNEL32(0000003C,?,00000000,?,0000003C,00000000,?,?,000F4240,00000000,03938700,00000000,D693A400,00000000), ref: 01008BE5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01008C3B

Strings

GetTickCount64, xrefs: 01008A63
KERNEL32.DLL, xrefs: 01008A68

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Time__allrem$AddressFileHandleModuleProcSystem
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 2537731104-3320051239
Opcode ID: e4fe9a4a31411b777b96b223ff6e83c646564c7932713e453534dd3cb2397d2c
Instruction ID: 89dee0fc25b9211ce44bd98aa3f49824e1a7b76223c4bf9cdb7078120ef96600
Opcode Fuzzy Hash: e4fe9a4a31411b777b96b223ff6e83c646564c7932713e453534dd3cb2397d2c
Instruction Fuzzy Hash: A451A0B5618301ABEB15EF64CC45B9F77E8BF98700F04891EB589D3280EB78E544C796

Function 01098591 Relevance: 18.1, APIs: 12, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010985CA

Part of subcall function 010872F5: RtlFreeHeap.NTDLL(00000000,00000000,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?), ref: 0108730B
Part of subcall function 010872F5: GetLastError.KERNEL32(?,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?,?), ref: 0108731D

Part of subcall function 0109792F: _free.LIBCMT ref: 0109794C
Part of subcall function 0109792F: _free.LIBCMT ref: 0109795E
Part of subcall function 0109792F: _free.LIBCMT ref: 01097970
Part of subcall function 0109792F: _free.LIBCMT ref: 01097982
Part of subcall function 0109792F: _free.LIBCMT ref: 01097994
Part of subcall function 0109792F: _free.LIBCMT ref: 010979A6
Part of subcall function 0109792F: _free.LIBCMT ref: 010979B8
Part of subcall function 0109792F: _free.LIBCMT ref: 010979CA
Part of subcall function 0109792F: _free.LIBCMT ref: 010979DC
Part of subcall function 0109792F: _free.LIBCMT ref: 010979EE
Part of subcall function 0109792F: _free.LIBCMT ref: 01097A00
Part of subcall function 0109792F: _free.LIBCMT ref: 01097A12
Part of subcall function 0109792F: _free.LIBCMT ref: 01097A24

_free.LIBCMT ref: 010985EC
_free.LIBCMT ref: 01098601
_free.LIBCMT ref: 0109860C
_free.LIBCMT ref: 0109862E
_free.LIBCMT ref: 01098641
_free.LIBCMT ref: 0109864F
_free.LIBCMT ref: 0109865A
_free.LIBCMT ref: 01098692
_free.LIBCMT ref: 01098699
_free.LIBCMT ref: 010986B6
_free.LIBCMT ref: 010986CE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 631e234a4374a9d8dd39722cd6cfd92d09598023d68eab1183561729c88b2bd1
Instruction ID: f184adcb5f5886dae1f675e7d7719f9dccfbd433aa8279032931d9c2ee410120
Opcode Fuzzy Hash: 631e234a4374a9d8dd39722cd6cfd92d09598023d68eab1183561729c88b2bd1
Instruction Fuzzy Hash: 01316D3160820A9FEF71AA3DD854BAA77F9FF05210F20849EE5C9DB655DF34E8409B50

Function 01008420 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?), ref: 01008500
OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 0100851A
CloseHandle.KERNEL32(00000000), ref: 0100852F
ResetEvent.KERNEL32(00000000), ref: 01008539
CloseHandle.KERNEL32(00000000,05CEC6CE,7622DF20,00000000), ref: 0100857A

Strings

e-flag, xrefs: 010084BB, 010085E1

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CloseEventHandle$CurrentOpenProcessReset
String ID: e-flag
API String ID: 485013868-538632313
Opcode ID: d180cbf0aff0cfe782fefe22441436375d2d2fcdaf92da3d89d19fbdf756a98c
Instruction ID: 727a6d1ac9d64179e14f0081537e8bba3d70e78fc9ccbd3edb30d9f830b95f07
Opcode Fuzzy Hash: d180cbf0aff0cfe782fefe22441436375d2d2fcdaf92da3d89d19fbdf756a98c
Instruction Fuzzy Hash: 3271AF74C043489FEB22CBA8D8447EDBBB4BF19710F148259F898B7285E7356945CB51

Function 01019A50 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 176COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 01019AB2
__Init_thread_footer.LIBCMT ref: 01019B74
__Init_thread_footer.LIBCMT ref: 01019CAB

Strings

Channel, xrefs: 01019AD1
ProcessID, xrefs: 01019B04
LineID, xrefs: 01019AEA
ThreadID, xrefs: 01019B11
Message, xrefs: 01019ADD
TimeStamp, xrefs: 01019AF7
Severity, xrefs: 01019AC7

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Init_thread_footer
String ID: Channel$LineID$Message$ProcessID$Severity$ThreadID$TimeStamp
API String ID: 1385522511-3293327833
Opcode ID: 1430cbbad26c6154f2fe42bdbdd6fcab4217becac26b9867a23850ce3aacb637
Instruction ID: 028dec42405c18956b805fb2374e09c9032fc4eed6086d9846a473671524d388
Opcode Fuzzy Hash: 1430cbbad26c6154f2fe42bdbdd6fcab4217becac26b9867a23850ce3aacb637
Instruction Fuzzy Hash: 3471DE70D0021A9FDB20DF68C946BEDBBF4FB45718F1442ACE6D55B284C739AA05CBA1

Function 00FD6A80 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6ABF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6AFD
___swprintf_l.LIBCMT ref: 00FD6B55
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6B6D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6BA2
___swprintf_l.LIBCMT ref: 00FD6BB7
___swprintf_l.LIBCMT ref: 00FD6BD2

Strings

%2I64d:%02I64d:%02I64d, xrefs: 00FD6B4B
%3I64dd %02I64dh, xrefs: 00FD6BAD
%7I64dd, xrefs: 00FD6BC8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$___swprintf_l
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
API String ID: 2070094197-564197712
Opcode ID: ddf31af0b17b1d22c2ed53d6a98c18ffcef8137bc60394b50f01db37241d3796
Instruction ID: 42cb86424c57527bd59ee5b544667be415bda383be413ef97a57afac30f6e63a
Opcode Fuzzy Hash: ddf31af0b17b1d22c2ed53d6a98c18ffcef8137bc60394b50f01db37241d3796
Instruction Fuzzy Hash: 2C411673B402187AEB216D6D8C41FEF766ADBD4B50F094166FD08EB281E9729D5092D0

Function 00FEB880 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,?,00FDCF7C,WS2_32.DLL), ref: 00FEB88E
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00FEB8A8

Strings

AddDllDirectory, xrefs: 00FEB8F0
LoadLibraryExA, xrefs: 00FEB8A2
kernel32, xrefs: 00FEB887

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 1646373207-3327535076
Opcode ID: 554ced59c4401daf8aedcaa214f95affb64e6d6508bb49e4061aa7a5c55f4b11
Instruction ID: c20a4dcb345dc36f9322e6aa5ea727889710f55cc48c85866ab19af5ad7c2b39
Opcode Fuzzy Hash: 554ced59c4401daf8aedcaa214f95affb64e6d6508bb49e4061aa7a5c55f4b11
Instruction Fuzzy Hash: 89416831B003455BDB244E6AAC85BAEB7A9DF41325F1401BAFE85A7206DB7289069760

Function 0107D5C3 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,05CEC6CE,000000FF,00000000,00000000,?,00000010,?,00000010,00000000,05CEC6CE), ref: 0107D61B
GetLastError.KERNEL32 ref: 0107D628
__dosmaperr.LIBCMT ref: 0107D62F
MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?,?), ref: 0107D65B
GetLastError.KERNEL32 ref: 0107D665
__dosmaperr.LIBCMT ref: 0107D66C
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 0107D6AF
GetLastError.KERNEL32 ref: 0107D6B9
__dosmaperr.LIBCMT ref: 0107D6C0
_free.LIBCMT ref: 0107D6CC
_free.LIBCMT ref: 0107D6D3

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: a2d368379a7ebc9b1b625c299c2b8847794d21f0a857b8c00e52182e7e39def1
Instruction ID: 941a04b5db7f4c80da39f8ff97a944c8afa15af1efcf8a99b3090cad27d58dd4
Opcode Fuzzy Hash: a2d368379a7ebc9b1b625c299c2b8847794d21f0a857b8c00e52182e7e39def1
Instruction Fuzzy Hash: C0319F72D0420AAFEF21AFE8DC449EF3FB9EF09264F100259F99496194DA36C911CB74

Function 00FDF440 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 195COMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 00FDF4DA
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 00FDF56A
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 00FDF644

Strings

Timeout waiting for block %d ACK. Retries = %d, xrefs: 00FDF59C
Received unexpected DATA packet block %d, expecting block %d, xrefs: 00FDF51A
tftp_rx: internal error, xrefs: 00FDF657
Received last DATA packet block %d again., xrefs: 00FDF496

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: sendto
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 1876886790-1785996722
Opcode ID: a1184b60f0d09788057b85aed70bb0043894a9a1d5ff2679ef8faf76d0fe8e99
Instruction ID: 44a8dd542d684a44570b68d172b7b7ccc02dc5d4ca0ba0351345e7aa889d5a38
Opcode Fuzzy Hash: a1184b60f0d09788057b85aed70bb0043894a9a1d5ff2679ef8faf76d0fe8e99
Instruction Fuzzy Hash: D451CFB2300512BBE7116F64EC82FEAB369FF04315F040126F659C6691E73AF5649BE1

Function 00FCB430 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 188COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FCB47F
_strrchr.LIBCMT ref: 00FCB4A2
___swprintf_l.LIBCMT ref: 00FCB536

Strings

%s://%s%s%s:%hu%s%s%s, xrefs: 00FCB58B
], xrefs: 00FCB465
Illegal port number, xrefs: 00FCB657
Port number out of range, xrefs: 00FCB683
;type=%c, xrefs: 00FCB52B
[%*45[0123456789abcdefABCDEF:.]%c, xrefs: 00FCB44D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr___swprintf_l_strrchr
String ID: %s://%s%s%s:%hu%s%s%s$;type=%c$Illegal port number$Port number out of range$[%*45[0123456789abcdefABCDEF:.]%c$]
API String ID: 2016915833-2294455819
Opcode ID: 090037895117928762d89ec7ef8f6579cccfdaadc293be9463269b4d0acd0ce8
Instruction ID: ad86b4464fcb03bd0b8183a493841ad6fdf0a222607d1af515a6c582f356df06
Opcode Fuzzy Hash: 090037895117928762d89ec7ef8f6579cccfdaadc293be9463269b4d0acd0ce8
Instruction Fuzzy Hash: EF617D70B043479BEB15DB74CC83BFAB7E4EF41310F08046EE98A86282DB795944D751

Function 00F9E520 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 00F9E55E
__Getcvt.LIBCPMT ref: 00F9E596
Concurrency::cancel_current_task.LIBCPMT ref: 00F9E5BE
Concurrency::cancel_current_task.LIBCPMT ref: 00F9E5FC
Concurrency::cancel_current_task.LIBCPMT ref: 00F9E63C
numpunct.LIBCPMT ref: 00F9E644
__CxxThrowException@8.LIBVCRUNTIME ref: 00F9E64D

Strings

true, xrefs: 00F9E629, 00F9E654
false, xrefs: 00F9E5E9, 00F9E603

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Getcvt$Exception@8Thrownumpunct
String ID: false$true
API String ID: 3191441162-2658103896
Opcode ID: 9b5f77ff45513b39f07a6c1b0b3f0bccdb2d599fea2489ca7b102673d6dfe29f
Instruction ID: 2c68963eb45a53f4d4830f4cb97dbb5123074299534f2f056c545b1903250983
Opcode Fuzzy Hash: 9b5f77ff45513b39f07a6c1b0b3f0bccdb2d599fea2489ca7b102673d6dfe29f
Instruction Fuzzy Hash: 0D414631E042458FEF20DF64C440BAEBBA1EF95324F1981ADD9859B382DB769905CBA0

Function 00FD1A20 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 172COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FD1AC4
___from_strstr_to_strchr.LIBCMT ref: 00FD1BB7

Strings

Content-Type:, xrefs: 00FD1B3A
Host:, xrefs: 00FD1B15
Transfer-Encoding:, xrefs: 00FD1BA0
Content-Length, xrefs: 00FD1B5C
%s, xrefs: 00FD1BFB
Connection, xrefs: 00FD1B7E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %s$Connection$Content-Length$Content-Type:$Host:$Transfer-Encoding:
API String ID: 601868998-3301244629
Opcode ID: 4b05a285ab5acfc1c7ea53765b2e932f3ee8bac8d83b78c27c63e3b73186ab61
Instruction ID: 5bb0aa471959cd2a46a10465f35765825b7db274170a49fc54581cd23fb1c15c
Opcode Fuzzy Hash: 4b05a285ab5acfc1c7ea53765b2e932f3ee8bac8d83b78c27c63e3b73186ab61
Instruction Fuzzy Hash: A3512430E49342BBDF219E609944BE97BA3BF11310F1C816BEC894A342F7368951FB51

Function 00F8BEA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F8BED6
std::_Lockit::_Lockit.LIBCPMT ref: 00F8BEF9
std::_Lockit::~_Lockit.LIBCPMT ref: 00F8BF19
__CxxThrowException@8.LIBVCRUNTIME ref: 00F8BF8F
std::_Facet_Register.LIBCPMT ref: 00F8BFA5
std::_Lockit::~_Lockit.LIBCPMT ref: 00F8BFB0

Strings

ti, xrefs: 00F8BEE8, 00F8BF99
bad cast, xrefs: 00F8BF88

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast$ti
API String ID: 2536120697-1216798792
Opcode ID: ac6943ae5e67bf178295616cdb0377809ccd28b4c577fe3b988db3ba31933849
Instruction ID: 3b6abca20f67e9059ef936bb082877a08a76c651d0336eb5cf86472352e05b17
Opcode Fuzzy Hash: ac6943ae5e67bf178295616cdb0377809ccd28b4c577fe3b988db3ba31933849
Instruction Fuzzy Hash: 8931BA72E042199FCF21EF94D881AEEB7B4FF08324F14411AE945B7291DB39A845DF91

Function 0107054F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

FindCompleteObject.LIBCMT ref: 01070570
FindSITargetTypeInstance.LIBVCRUNTIME ref: 01070594
FindMITargetTypeInstance.LIBVCRUNTIME ref: 010705A9

Part of subcall function 01070110: PMDtoOffset.LIBCMT ref: 010701DA

FindVITargetTypeInstance.LIBVCRUNTIME ref: 010705B0
PMDtoOffset.LIBCMT ref: 010705C1
std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 010705EB
__CxxThrowException@8.LIBVCRUNTIME ref: 010705FB

Strings

Bad dynamic_cast!, xrefs: 010705E2

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Find$InstanceTargetType$Offset$CompleteException@8ObjectThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Bad dynamic_cast!
API String ID: 528452320-2956939130
Opcode ID: cf47e3c5f92032f1263ee9c2a17a86ff67e98709b00d12eab2fb5fd7d5a19823
Instruction ID: 106110bc302b5e40c1d553d72c2ba9c6956fd6a8f927eae8ff2a3eb4c2952b69
Opcode Fuzzy Hash: cf47e3c5f92032f1263ee9c2a17a86ff67e98709b00d12eab2fb5fd7d5a19823
Instruction Fuzzy Hash: 4621F3B2E0030ADFDB11DFA8C941AEF77A8AB0A710F104149F594A7285DB70EA00CBA4

Function 00FDA1C0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 376COMMON

Download Yara Rule

Strings

Accept-ranges: bytes, xrefs: 00FDA32D
failed to resume file:// transfer, xrefs: 00FDA603
Content-Length: %I64d, xrefs: 00FDA2FD
Can't get the size of file., xrefs: 00FDA400
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00FDA393

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CountTick___from_strstr_to_strchr
String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$failed to resume file:// transfer
API String ID: 3886785706-4054300160
Opcode ID: 66480c97e4634da9cf6e628f59d46a8961bc21c0d9d31c9e18dcd247dd7ddcc5
Instruction ID: 14e6ff75ecefccc0df822bc0f18c12433c0193a25225670a7620dc3149d52f03
Opcode Fuzzy Hash: 66480c97e4634da9cf6e628f59d46a8961bc21c0d9d31c9e18dcd247dd7ddcc5
Instruction Fuzzy Hash: 73D1D471E002099BDF11DFA8DC85BEDBBB6EF45310F1C407AE849AB342EA359940EB55

Function 0108B529 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01090000: GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
Part of subcall function 01090000: _free.LIBCMT ref: 01090037
Part of subcall function 01090000: SetLastError.KERNEL32(00000000), ref: 01090078
Part of subcall function 01090000: _abort.LIBCMT ref: 0109007E

_memcmp.LIBVCRUNTIME ref: 0108B7D3
_free.LIBCMT ref: 0108B844
_free.LIBCMT ref: 0108B85D
_free.LIBCMT ref: 0108B88F
_free.LIBCMT ref: 0108B898
_free.LIBCMT ref: 0108B8A4

Strings

C, xrefs: 0108B691

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 2449ebdedee7b82eb77dc16f769aa3dbc9f41b3c2f9f083fee584be82427e74e
Instruction ID: 3ee76c3d264de0d3e033dc292ebd7b5b7567fa2b7f6e77c0a8c60443fd2a9e0d
Opcode Fuzzy Hash: 2449ebdedee7b82eb77dc16f769aa3dbc9f41b3c2f9f083fee584be82427e74e
Instruction Fuzzy Hash: 49B12775A0521ADFDB65EF18C884BADB7B4FB08314F1445EAE989A7350DB31AA90CF40

Function 00FDF9D0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FDFA35
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FDFA9B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FDFAF6

Strings

set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 00FDFB17
gfff, xrefs: 00FDFABD
gfff, xrefs: 00FDFA4D
Connection time-out, xrefs: 00FDFA09

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 885266447-870032562
Opcode ID: fd839ee69d66d669650fefbb970ba4b452f6b91211a7179eda75678c15dbd46f
Instruction ID: bc17afce4027b7ddd6ad61a670633fbb18555215774e4cf49f095ca550ec3065
Opcode Fuzzy Hash: fd839ee69d66d669650fefbb970ba4b452f6b91211a7179eda75678c15dbd46f
Instruction Fuzzy Hash: 51418471B006066FD7049F29DD81B55B6AAFB98314F08413AE949C7B80E779F8649B90

Function 00FDE0C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00FDE11C
htons.WS2_32(?), ref: 00FDE12A
send.WS2_32(?,?,00000003,00000000), ref: 00FDE1B3
WSAGetLastError.WS2_32 ref: 00FDE1BD
send.WS2_32(?,?,00000002,00000000), ref: 00FDE1F5
WSAGetLastError.WS2_32 ref: 00FDE200

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

Strings

Sending data failed (%d), xrefs: 00FDE1C4, 00FDE207

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLasthtonssend$___swprintf_l
String ID: Sending data failed (%d)
API String ID: 2196354059-2319402659
Opcode ID: c3e86059b1fc3730511e4381e2975ed2fd16fae5ca156802ad2de019fea141ad
Instruction ID: f619f408331bcbe43d9fbd879335cd105f8be5b369fc1a5e0fd63521f0198baa
Opcode Fuzzy Hash: c3e86059b1fc3730511e4381e2975ed2fd16fae5ca156802ad2de019fea141ad
Instruction Fuzzy Hash: 6341E3346451429FDB02AF64C881AEA7B7AFF19350F2801A6EE65DF382D7305911DB61

Function 00FB0570 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FB05A6
std::_Lockit::_Lockit.LIBCPMT ref: 00FB05C9
std::_Lockit::~_Lockit.LIBCPMT ref: 00FB05E9
__CxxThrowException@8.LIBVCRUNTIME ref: 00FB065F
std::_Facet_Register.LIBCPMT ref: 00FB0675
std::_Lockit::~_Lockit.LIBCPMT ref: 00FB0680

Strings

bad cast, xrefs: 00FB0658

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: ac035777c4c37cd95a2c9caaa5c0e1336db163a5a35b8908a4b03e9f8c953635
Instruction ID: 9b30c399dbd76d14cfc117fcc95903211593447f82b60f8e75cf435fbffc0f11
Opcode Fuzzy Hash: ac035777c4c37cd95a2c9caaa5c0e1336db163a5a35b8908a4b03e9f8c953635
Instruction Fuzzy Hash: 1331AA72D0021A8FCB21DF95D881AEEB7B5FF58724F14421EE851A7291DB3AAC05DF90

Function 00F9A7B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F9A7E6
std::_Lockit::_Lockit.LIBCPMT ref: 00F9A809
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9A829
__CxxThrowException@8.LIBVCRUNTIME ref: 00F9A89F
std::_Facet_Register.LIBCPMT ref: 00F9A8B5
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9A8C0

Strings

bad cast, xrefs: 00F9A898

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: 4e530e7ebe06629ae24b0f8a6321ac706f3ff877eedad4c5e6987805f9753f29
Instruction ID: f8c133735fbe58686a66e45af22624b2ff819b53d065cb87802f8649ad2c79d5
Opcode Fuzzy Hash: 4e530e7ebe06629ae24b0f8a6321ac706f3ff877eedad4c5e6987805f9753f29
Instruction Fuzzy Hash: 5F31CE71D002199BEF21DF94D881AAEB7B4EF48724F14412EE851A7241DB396C46CBD2

Function 00F9A990 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F9A9C6
std::_Lockit::_Lockit.LIBCPMT ref: 00F9A9E9
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9AA09
__CxxThrowException@8.LIBVCRUNTIME ref: 00F9AA7F
std::_Facet_Register.LIBCPMT ref: 00F9AA95
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9AAA0

Strings

bad cast, xrefs: 00F9AA78

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: 9a9f974a1ac8f27dbfcedf3503580f22edec8701259175855d070a94dae5949e
Instruction ID: 16160c2e276c352f3c1f309c8823190374f537a65216b41f74d4255c285874a8
Opcode Fuzzy Hash: 9a9f974a1ac8f27dbfcedf3503580f22edec8701259175855d070a94dae5949e
Instruction Fuzzy Hash: 3431EE72D0021ACFDF21DF94D881AAEB7B4EF48324F10811EE852B7291DB396841DBD1

Function 00F9ACD0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F9AD06
std::_Lockit::_Lockit.LIBCPMT ref: 00F9AD29
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9AD49
__CxxThrowException@8.LIBVCRUNTIME ref: 00F9ADBF
std::_Facet_Register.LIBCPMT ref: 00F9ADD5
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9ADE0

Strings

bad cast, xrefs: 00F9ADB8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: 7670a3a5397f6cef35cec9d2965eeaa8086a374e8fb4cf1c803356328af03f20
Instruction ID: 56838f75a66afaa26930a86edad834d6d0b1dd77c8f6d462859ff9b8ad90ec9f
Opcode Fuzzy Hash: 7670a3a5397f6cef35cec9d2965eeaa8086a374e8fb4cf1c803356328af03f20
Instruction Fuzzy Hash: 7C31B172D00219CFDF25DF94D881AAEB7B4EF08724F14811EE851B7A91DB396805DBD2

Function 00F932E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F93316
std::_Lockit::_Lockit.LIBCPMT ref: 00F93339
std::_Lockit::~_Lockit.LIBCPMT ref: 00F93359
__CxxThrowException@8.LIBVCRUNTIME ref: 00F933CF
std::_Facet_Register.LIBCPMT ref: 00F933E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00F933F0

Strings

bad cast, xrefs: 00F933C8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: 10b8acb3cf881d53f651538a600e571a04f1cfd80af86ff9bd17c55f6949db50
Instruction ID: b0a2afc187784be8592acd2bf4cae375bf85152b5c905bd9505ec5f41cd23c96
Opcode Fuzzy Hash: 10b8acb3cf881d53f651538a600e571a04f1cfd80af86ff9bd17c55f6949db50
Instruction Fuzzy Hash: 0531AD72D00219DFDF21DFA4D881AAEB7B4EF08724F14421EE951B7291DB3AAD05DB90

Function 00F93420 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F93456
std::_Lockit::_Lockit.LIBCPMT ref: 00F93479
std::_Lockit::~_Lockit.LIBCPMT ref: 00F93499
__CxxThrowException@8.LIBVCRUNTIME ref: 00F9350F
std::_Facet_Register.LIBCPMT ref: 00F93525
std::_Lockit::~_Lockit.LIBCPMT ref: 00F93530

Strings

bad cast, xrefs: 00F93508

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: dd284ffbcc4fc3b18ba7742e0f0288760149418626fb1ce215ae6df98bb9160a
Instruction ID: cba85faab75a7c69ce8f1ac7bc6c4383f6f057865b87c5dc532780d54f4cc21b
Opcode Fuzzy Hash: dd284ffbcc4fc3b18ba7742e0f0288760149418626fb1ce215ae6df98bb9160a
Instruction Fuzzy Hash: 3E31DFB1D002199FDF21DF98D881AEEB7B4EF08720F16411EE851B7251DB39AE05CB91

Function 00FA15E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FA1616
std::_Lockit::_Lockit.LIBCPMT ref: 00FA1639
std::_Lockit::~_Lockit.LIBCPMT ref: 00FA1659
__CxxThrowException@8.LIBVCRUNTIME ref: 00FA16CF
std::_Facet_Register.LIBCPMT ref: 00FA16E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00FA16F0

Strings

bad cast, xrefs: 00FA16C8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: bad cast
API String ID: 2536120697-3145022300
Opcode ID: 93e2fa53a7bd767b10504b032fb61b45a8818e182d91257d2aec3b3933148b98
Instruction ID: 8762c4c23c77656cfa6bf9fc79106c5bee2369239666f78d249349b8401cb855
Opcode Fuzzy Hash: 93e2fa53a7bd767b10504b032fb61b45a8818e182d91257d2aec3b3933148b98
Instruction Fuzzy Hash: C031DDB2D002198FCB20DF94D881AAEB7B8FF09724F19421EE851B7391DB396C05CB90

Function 00F82FE0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F83015
__CxxThrowException@8.LIBVCRUNTIME ref: 00F83042
__CxxThrowException@8.LIBVCRUNTIME ref: 00F8306F
__CxxThrowException@8.LIBVCRUNTIME ref: 00F8309C

Strings

ios_base::eofbit set, xrefs: 00F83079
ios_base::badbit set, xrefs: 00F8301F
ios_base::failbit set, xrefs: 00F8304C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: af7c038e5dde48ec195f7fc5e82df9ab82f8f93791e6cebe47e8e03c504e8e65
Instruction ID: 560849583b1aac79628768717f00cd1f4547f302c8f4579bcac0bb6106de5cad
Opcode Fuzzy Hash: af7c038e5dde48ec195f7fc5e82df9ab82f8f93791e6cebe47e8e03c504e8e65
Instruction Fuzzy Hash: E21194B094830A6EDA00FB65CC57FEE77D4AF60B54F00481CBAC49A0D1D774A555DB1A

Function 00F94450 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F9448D
RegQueryValueExW.ADVAPI32(?,Release,00000000,00000000,00000000,00000004), ref: 00F944AD
RegCloseKey.ADVAPI32(?), ref: 00F944BA
RegCloseKey.ADVAPI32(?), ref: 00F944D1

Strings

Release, xrefs: 00F944A5
Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F94473
O, xrefs: 00F944D7

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: O$Release$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-934053027
Opcode ID: 63f6e8f767ecc086de8011a42c25e860784e7bcd45572ad22de7919b9535dced
Instruction ID: 5b97c6d33025e5fe1f6ccbc1209b0a4cfb718dc18f742e5c245b5c4f44c160f2
Opcode Fuzzy Hash: 63f6e8f767ecc086de8011a42c25e860784e7bcd45572ad22de7919b9535dced
Instruction Fuzzy Hash: 57118271A4020DEBEF10DFA4DC55BFEB7B8EB04305F50405AF946A6181DB7A5A04DB60

Function 00FA79B0 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93880: new.LIBCMT ref: 00F93896

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA7C47
HeapFree.KERNEL32(00000000), ref: 00FA7C4E

Strings

run installer with uac. path=, xrefs: 00FA7AEB
installer, xrefs: 00FA7A8A
]: , xrefs: 00FA7ADF
RunInstallerWithUAC, xrefs: 00FA7AAE
. cmd=, xrefs: 00FA7B00

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: . cmd=$RunInstallerWithUAC$]: $installer$run installer with uac. path=
API String ID: 3859560861-4270199412
Opcode ID: c9fcffe856286836aacd7db1e4769eb9c6cdf44c808981d2530560f7d0505bbe
Instruction ID: e3abaa4113da3693ff856962554eb78b7b854a71ae82dbfd17fbe6d30356a389
Opcode Fuzzy Hash: c9fcffe856286836aacd7db1e4769eb9c6cdf44c808981d2530560f7d0505bbe
Instruction Fuzzy Hash: ED81BBB0E00219EBDF10EBA5C845BEEB7B5BF45710F04811DE8567B381DB786A05DB91

Function 00FD4E70 Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00FD4E98
___from_strstr_to_strchr.LIBCMT ref: 00FD4EB7
_strrchr.LIBCMT ref: 00FD4ECE
___from_strstr_to_strchr.LIBCMT ref: 00FD4EE0
_strrchr.LIBCMT ref: 00FD4F27

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr_strrchr$_strstr
String ID:
API String ID: 4240772140-0
Opcode ID: 1bd55b01a2bd08333483354c44b9a0956764d3f3f3e8ba3e6809990476a5dabe
Instruction ID: 386cb2eb300402e339b2c8a725de33c9f9697062c61cbc2d5588286398ca036b
Opcode Fuzzy Hash: 1bd55b01a2bd08333483354c44b9a0956764d3f3f3e8ba3e6809990476a5dabe
Instruction Fuzzy Hash: D15148A1D043826BEB324B34AC45B663B9B9F51364F1C4176EC888B356F775E904A361

Function 00FECD30 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FECE4A
___swprintf_l.LIBCMT ref: 00FECE77

Strings

%c%c%c%c, xrefs: 00FECE40
%c%c==, xrefs: 00FECE92
%c%c%c=, xrefs: 00FECE6D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %c%c%c%c$%c%c%c=$%c%c==
API String ID: 48624451-3943651191
Opcode ID: a617ea45632c836ea085508775ecd65b3a2f7ff7370d1fafce1ac31d36e9a3b6
Instruction ID: 1c42cabde7be6001f75615a35df38ed1d86b578090a004120a874a119efeb48d
Opcode Fuzzy Hash: a617ea45632c836ea085508775ecd65b3a2f7ff7370d1fafce1ac31d36e9a3b6
Instruction Fuzzy Hash: 8A510871D046A49FDB21CF699C95BFB7FA89B06311F0401E6FCA0CF252D669C912DBA0

Function 0108CB4B Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0107E49E,E0830C40,?,?,?,?,?,?,0108D2C0,00FF30C1,0107E49E,?,0107E49E,0107E49E,00FF30C1), ref: 0108CB8D
__fassign.LIBCMT ref: 0108CC08
__fassign.LIBCMT ref: 0108CC23
WideCharToMultiByte.KERNEL32(?,00000000,0107E49E,00000001,?,00000005,00000000,00000000), ref: 0108CC49
WriteFile.KERNEL32(?,?,00000000,0108D2C0,00000000,?,?,?,?,?,?,?,?,?,0108D2C0,00FF30C1), ref: 0108CC68
WriteFile.KERNEL32(?,00FF30C1,00000001,0108D2C0,00000000,?,?,?,?,?,?,?,?,?,0108D2C0,00FF30C1), ref: 0108CCA1

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9e64455095c7957284b930aec11baffc319267bfa8280abc782a013381d2eea6
Instruction ID: 054615201546a09aa125d573f23f073ba336c28fc0ba4d5a55f568d880aa7726
Opcode Fuzzy Hash: 9e64455095c7957284b930aec11baffc319267bfa8280abc782a013381d2eea6
Instruction Fuzzy Hash: C451F4B0A042099FEB10DFA8D991AEEBBF8FF09310F18415AF9D5E7285D7309941CB64

Function 00FBD1A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00FBD21B
new.LIBCMT ref: 00FBD232
Concurrency::cancel_current_task.LIBCPMT ref: 00FBD308
Concurrency::cancel_current_task.LIBCPMT ref: 00FBD30D
std::_Xinvalid_argument.LIBCPMT ref: 00FBD317

Strings

deque<T> too long, xrefs: 00FBD312

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 2406272785-309773918
Opcode ID: e846cbc3e18287c6ac86d5b59d70cca83edac3e5219307044f1afa14793214e9
Instruction ID: 84122eb7c3b4f33788f7549f3f7dd6e447526278926fbc1491251848f15f13a6
Opcode Fuzzy Hash: e846cbc3e18287c6ac86d5b59d70cca83edac3e5219307044f1afa14793214e9
Instruction Fuzzy Hash: 5E41FC72E00206AFDB14DFA9CD80EDEF7B9EF94310F154669E854EB241E630E901DBA1

Function 00FBF7F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 110COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,05CEC6CE), ref: 00FBF852
GetLastError.KERNEL32(00000003,00000001,?,?,?,?,05CEC6CE), ref: 00FBF88B
___std_exception_copy.LIBVCRUNTIME ref: 00FBF8F7

Strings

class boost::filesystem::path __cdecl ProcessHelper::GetCurrentProcessPath(void), xrefs: 00FBF928
couldn't get module file name. error=, xrefs: 00FBF898
src\process_helper.cpp, xrefs: 00FBF923

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorFileLastModuleName___std_exception_copy
String ID: class boost::filesystem::path __cdecl ProcessHelper::GetCurrentProcessPath(void)$couldn't get module file name. error=$src\process_helper.cpp
API String ID: 3319920476-2431939473
Opcode ID: 6c80089102e7f5a3627e666dd90ef9501367ef1158cc7e88366edf5a54b448e9
Instruction ID: 0c9f4ef85090e4dfef0257c2dc338100466b0c0f375d90dda11e4ed6f818ce11
Opcode Fuzzy Hash: 6c80089102e7f5a3627e666dd90ef9501367ef1158cc7e88366edf5a54b448e9
Instruction Fuzzy Hash: BB41C471D41319ABDB24EF60CC49BDEB7B8AF14704F0046AAF449A7291EB745B88CF90

Function 00FBEF80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,05CEC6CE,00000000), ref: 00FBEFE0
GetLastError.KERNEL32(00000003,00000001,?,?,?,?,05CEC6CE,00000000), ref: 00FBF019
___std_exception_copy.LIBVCRUNTIME ref: 00FBF085

Strings

couldn't get current directory. error=, xrefs: 00FBF026
src\path_helper.cpp, xrefs: 00FBF0B1
class boost::filesystem::path __cdecl PathHelper::GetCurrentDir(void), xrefs: 00FBF0B6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CurrentDirectoryErrorLast___std_exception_copy
String ID: class boost::filesystem::path __cdecl PathHelper::GetCurrentDir(void)$couldn't get current directory. error=$src\path_helper.cpp
API String ID: 898297047-775352103
Opcode ID: 3e226a149efa1737a6123ed4722c234f9ead5ac8010c5e1a5fb5470c4b82f26e
Instruction ID: ecf71b84711d22c2c4bab42108690ffd0478f25fe833b91af6d82120ab2a5c7e
Opcode Fuzzy Hash: 3e226a149efa1737a6123ed4722c234f9ead5ac8010c5e1a5fb5470c4b82f26e
Instruction Fuzzy Hash: 0441C471D402199ADB24EF60CC49BDEB7B8AF14704F0046AAF449A7291EB755A88CF90

Function 00FD1C40 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 96COMMON

Download Yara Rule

Strings

%s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00FD1CF0
If-Unmodified-Since: %s, xrefs: 00FD1D21
If-Modified-Since: %s, xrefs: 00FD1D29
Last-Modified: %s, xrefs: 00FD1D19
Invalid TIMEVALUE, xrefs: 00FD1C9B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since: %s$If-Unmodified-Since: %s$Invalid TIMEVALUE$Last-Modified: %s
API String ID: 0-2575227759
Opcode ID: bb46e03972450e94ca6cd7e9ea7033f4d499ecf4c753adbc9574ac2996c26a41
Instruction ID: 70b3dba9571d28518fe59488c6bace709934a6c5fc38217dcd95a1a5f5739174
Opcode Fuzzy Hash: bb46e03972450e94ca6cd7e9ea7033f4d499ecf4c753adbc9574ac2996c26a41
Instruction Fuzzy Hash: 0231B832F0010EBBCB01EAA8ED91AEDB7B6FB18360F140126F949A7341D7365D14E790

Function 010943C4 Relevance: 10.6, APIs: 7, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2feac6c6fc1cf6145e83ab7640093162738152626775a0450571e4420181b3e1
Instruction ID: 8d6578886c0dd1c8236318b99ff9d50766c4e989b0fd8614b451ec358a1fda50
Opcode Fuzzy Hash: 2feac6c6fc1cf6145e83ab7640093162738152626775a0450571e4420181b3e1
Instruction Fuzzy Hash: 9A110332918216BBDF21AFBA9D54DAF3AACEF81770B004254F8D1D7240DE3588029770

Function 01098327 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0109806E: _free.LIBCMT ref: 01098097

_free.LIBCMT ref: 01098375

Part of subcall function 010872F5: RtlFreeHeap.NTDLL(00000000,00000000,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?), ref: 0108730B
Part of subcall function 010872F5: GetLastError.KERNEL32(?,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?,?), ref: 0108731D

_free.LIBCMT ref: 01098380
_free.LIBCMT ref: 0109838B
_free.LIBCMT ref: 010983DF
_free.LIBCMT ref: 010983EA
_free.LIBCMT ref: 010983F5
_free.LIBCMT ref: 01098400

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c7c186f875e9bf851825eba51c2093702d337b9ba73b7df1bcccc61af93c6a46
Instruction ID: 8d66d90b7462ac860d0dcdcc646b264ff31acc48ea1c639bccf790f9a9e7cd93
Opcode Fuzzy Hash: c7c186f875e9bf851825eba51c2093702d337b9ba73b7df1bcccc61af93c6a46
Instruction Fuzzy Hash: 5D117C31540B0AAEDA70FBB0CC05FCB7BACAF52700F508916B2D9A6290EEA4F5149751

Function 00FD3A40 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FD3A66
___from_strstr_to_strchr.LIBCMT ref: 00FD3A81
___from_strstr_to_strchr.LIBCMT ref: 00FD3A96

Strings

The requested URL returned error: %s, xrefs: 00FD3AA5
HTTP, xrefs: 00FD3A51
The requested URL returned error: %d, xrefs: 00FD3AC6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: HTTP$The requested URL returned error: %d$The requested URL returned error: %s
API String ID: 601868998-4174864708
Opcode ID: 8e5d2e14e52e459e7d47aae2d15cd7120ac08f1f509297865bfdbb2cdc27f180
Instruction ID: 248952c616a8c688141ac8e086b291c718bed6bad157cce4658e42d36b2bc38d
Opcode Fuzzy Hash: 8e5d2e14e52e459e7d47aae2d15cd7120ac08f1f509297865bfdbb2cdc27f180
Instruction Fuzzy Hash: F101442AB4036132D71176646C02BCE7F984F92231F0C4076FECC9A302E669AA4583F7

Function 00F943A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\NET Framework Setup\NDP\v4\Full,00000000,00020019,?), ref: 00F943DD
RegQueryValueExW.ADVAPI32(?,Release,00000000,00000000,00000000,00000004), ref: 00F943FD
RegCloseKey.ADVAPI32(?), ref: 00F9440A
RegCloseKey.ADVAPI32(?), ref: 00F94421

Strings

Release, xrefs: 00F943F5
Software\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F943C3

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Release$Software\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 1607946009-1522824743
Opcode ID: c2522852b528338ae3d0ec150c3b269a6fd95d6be3ae4006d1d8350a45183965
Instruction ID: 946ca3c57006e25659042b9eb40dc6d675cba50e89e06fe3c3b54666f0d63d5f
Opcode Fuzzy Hash: c2522852b528338ae3d0ec150c3b269a6fd95d6be3ae4006d1d8350a45183965
Instruction Fuzzy Hash: 36118271A4020DEFEF10DFA4DC95BEEB7B8EB04305F50405AF946A6180DB765A08DB60

Function 01090221 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0107B8BC,0107B8BC,?,?,?,01090472,00000001,00000001,30E85006), ref: 0109027B
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,01090472,00000001,00000001,30E85006,?,?,?), ref: 01090301
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,30E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010903FB
__freea.LIBCMT ref: 01090408

Part of subcall function 01086524: RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,01090083), ref: 01086556

__freea.LIBCMT ref: 01090411
__freea.LIBCMT ref: 01090436

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 90ad7d5c07fe223cc3d1ad5dd274b3dbc5462fa180696eb2d285098acf73e7c5
Instruction ID: be3116e5a66aeff027722bf28ea8ab01e8bdfe90aeceededadf2fe681fbab852
Opcode Fuzzy Hash: 90ad7d5c07fe223cc3d1ad5dd274b3dbc5462fa180696eb2d285098acf73e7c5
Instruction Fuzzy Hash: AB51E5B2610216ABEF258E68CC50EBF7BEDEF40650F1546A9FE84E6148DB34DC90D660

Function 01085D56 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 01085D82
__cftoe.LIBCMT ref: 01085DB4

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 6536a987134b8aba64de10f8bbd34f3d449b3ab9b543f347dd0f3d45a16746e6
Instruction ID: 6017a77e55a160e25e8b81f9042dcd29e954b85d111d4d6a12fa0eff4728b7ec
Opcode Fuzzy Hash: 6536a987134b8aba64de10f8bbd34f3d449b3ab9b543f347dd0f3d45a16746e6
Instruction Fuzzy Hash: 1C512932908206ABEB75BF6DCC45EEE7BF8EF48320F10425AF9D4961C1EB31D5018A64

Function 00F93190 Relevance: 9.1, APIs: 6, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F931CD
std::_Lockit::_Lockit.LIBCPMT ref: 00F931ED
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9320D
new.LIBCMT ref: 00F93256
std::_Facet_Register.LIBCPMT ref: 00F932B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00F932BD

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: a3bdae011c705e81faf4ec6ab69c71cb56d2ce802e5c66569c459b2749bc2f3b
Instruction ID: 94672d9642447e3d194f49044df60d205e1713d545e7463a7e4147bcabdaf12f
Opcode Fuzzy Hash: a3bdae011c705e81faf4ec6ab69c71cb56d2ce802e5c66569c459b2749bc2f3b
Instruction Fuzzy Hash: C041EF72A00208CBDF24DF84C881BAEB7B4EF04724F14406EE846AB341DB39AE45DBD1

Function 00FEB9D0 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000004,?,?,00000000), ref: 00FEBAAB
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000004), ref: 00FEBAB2
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000005,?,00000001,00000004), ref: 00FEBABF
VerSetConditionMask.KERNEL32(00000000,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004), ref: 00FEBAC6
VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004), ref: 00FEBAD2
VerifyVersionInfoA.KERNEL32(0000009C,00000033,00000000), ref: 00FEBADF

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 3446e9a474dc63b8da387c3ef4b245ce6f3e54352fba7e02fc504ca6cd22af7d
Instruction ID: 224a4ba0b24d5cf61913bd3d433d81eb2ff4ac1d63a2bb961445cfa1b3fe26a2
Opcode Fuzzy Hash: 3446e9a474dc63b8da387c3ef4b245ce6f3e54352fba7e02fc504ca6cd22af7d
Instruction Fuzzy Hash: F4317570B04358EEEF20CA25CC45FAF7BB8EB46704F4400D9F58D67281C6B55E449B22

Function 00FA22D0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA22EA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA22FE
__allrem.LIBCMT ref: 00FA2309
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA231D
__allrem.LIBCMT ref: 00FA2328
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA233D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
String ID:
API String ID: 632788072-0
Opcode ID: ec57bf6a0eb131a96af06d472c3d3006e996052973ab624af99d2562a55864f8
Instruction ID: fee9af566925e2d18361c1d1ecdd36f5cec064b969d87a8d0e27cb10e9a7bf68
Opcode Fuzzy Hash: ec57bf6a0eb131a96af06d472c3d3006e996052973ab624af99d2562a55864f8
Instruction Fuzzy Hash: 2301D8B52402057EFB116F648C02F73BB69EF54710F204165BB04AA1D1DBA2F92097D8

Function 0100252D Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01002534
std::_Lockit::_Lockit.LIBCPMT ref: 0100253E

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

collate.LIBCPMT ref: 01002578
__CxxThrowException@8.LIBVCRUNTIME ref: 01002595
std::_Facet_Register.LIBCPMT ref: 010025B4
std::_Lockit::~_Lockit.LIBCPMT ref: 010025BD

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcollate
String ID:
API String ID: 2363045490-0
Opcode ID: 465f7b21093711aa95bfa66b536dca20fc9e8b81e1b8041ebf737d9e21026140
Instruction ID: e573c4c780932cdb6aceb89f1ecb2a0e758d34c9db2c01f8df1c5d5e95741c19
Opcode Fuzzy Hash: 465f7b21093711aa95bfa66b536dca20fc9e8b81e1b8041ebf737d9e21026140
Instruction Fuzzy Hash: CC01ED76D0052A8BDF02FBA0CC65AFEB3B6BF54720F100009E5416B2D1DF38AA0097A6

Function 010025CA Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010025D1
std::_Lockit::_Lockit.LIBCPMT ref: 010025DB

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

messages.LIBCPMT ref: 01002615
__CxxThrowException@8.LIBVCRUNTIME ref: 01002632
std::_Facet_Register.LIBCPMT ref: 01002651
std::_Lockit::~_Lockit.LIBCPMT ref: 0100265A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmessages
String ID:
API String ID: 438560357-0
Opcode ID: cab30d95a8a1e8a183123f927612f27a848232925b70b09b0ec9e8cff41517df
Instruction ID: cb103dd27c4013e75f4303eb49da238956c3c84b5bae26123ab49a8f44ace009
Opcode Fuzzy Hash: cab30d95a8a1e8a183123f927612f27a848232925b70b09b0ec9e8cff41517df
Instruction Fuzzy Hash: F301C075D006299BDF03FBA4CC55AFEB3B5BF94720F14040AE6906B2D1DF38AA41A791

Function 010027A1 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010027A8
std::_Lockit::_Lockit.LIBCPMT ref: 010027B2

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

moneypunct.LIBCPMT ref: 010027EC
__CxxThrowException@8.LIBVCRUNTIME ref: 01002809
std::_Facet_Register.LIBCPMT ref: 01002828
std::_Lockit::~_Lockit.LIBCPMT ref: 01002831

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
String ID:
API String ID: 113178234-0
Opcode ID: 5326eeb0f39ab343e7b10193e5e9f02c4587020ef8e4cd7c1d49abe633834d12
Instruction ID: c8c2ef0bd6880c4b7f1e02da4a693fe868695abcad6295930928b259f92b0bf5
Opcode Fuzzy Hash: 5326eeb0f39ab343e7b10193e5e9f02c4587020ef8e4cd7c1d49abe633834d12
Instruction Fuzzy Hash: F301AD7990011E9BDF06FBA4CC55AFEB3B5BF48760F14040AE550AB2D0DF38AA05DB95

Function 0100283E Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01002845
std::_Lockit::_Lockit.LIBCPMT ref: 0100284F

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

moneypunct.LIBCPMT ref: 01002889
__CxxThrowException@8.LIBVCRUNTIME ref: 010028A6
std::_Facet_Register.LIBCPMT ref: 010028C5
std::_Lockit::~_Lockit.LIBCPMT ref: 010028CE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
String ID:
API String ID: 113178234-0
Opcode ID: e2d0e1b05039fd7fb7eb1f9ab3302d38c56f62cffde376a28cef0b546fafe204
Instruction ID: ee3eeb002c0f2794801689b1883753bd1e2a4df18c29c0ccf92a98835a762425
Opcode Fuzzy Hash: e2d0e1b05039fd7fb7eb1f9ab3302d38c56f62cffde376a28cef0b546fafe204
Instruction Fuzzy Hash: 2C01ED39D0111A8BDF02FBA0CC16AFDB3B5BF54720F10040AF5806B2D0DF38AA019BA1

Function 01090000 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01084C15,010ED438,00000010), ref: 01090004
_free.LIBCMT ref: 01090037
_free.LIBCMT ref: 0109005F
SetLastError.KERNEL32(00000000), ref: 0109006C
SetLastError.KERNEL32(00000000), ref: 01090078
_abort.LIBCMT ref: 0109007E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 910a8eca23123c80e1f848b4b15c0c799efc5558cf0fefc3e4cc056f6b7f17f8
Instruction ID: 8bea52d9ce3aabe2a56f0de7921ec76d384cfc86621a2bb6fdf744122306c5e6
Opcode Fuzzy Hash: 910a8eca23123c80e1f848b4b15c0c799efc5558cf0fefc3e4cc056f6b7f17f8
Instruction Fuzzy Hash: E4F0C83550860266DB72727D6C19BBF36BE9FD17B1F210128F5DC9218DEE2688425620

Function 00FEB5B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 248COMMON

Download Yara Rule

Strings

/../, xrefs: 00FEB6C8
/./, xrefs: 00FEB673
/.., xrefs: 00FEB6F4
../, xrefs: 00FEB657

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: ../$/..$/../$/./
API String ID: 0-456519384
Opcode ID: be3ed873188e9124b5f108261b7549844ec1b66c4acb64380bf37af9bf42794e
Instruction ID: 2096c906f7445fea7bb8c037723b501800a9a824a3e13c538d58a15935944faa
Opcode Fuzzy Hash: be3ed873188e9124b5f108261b7549844ec1b66c4acb64380bf37af9bf42794e
Instruction Fuzzy Hash: 39712666E081C65ADB220E3A5C957B7BF979FE2364F1C04E9DCC587642E3238C09A352

Function 01023820 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 01023822

Strings

deque<T> too long, xrefs: 01023989
list<T> too long, xrefs: 01023A17

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: deque<T> too long$list<T> too long
API String ID: 0-27806271
Opcode ID: 985cd4361d3d7eef8003b1a8f8d93b940b4e3962e614023d66a09237fd014e5b
Instruction ID: 4d3bef209a50d95f85ba2ba833c0382b824f0bb8b711bb4b60094c4ea61d2ad1
Opcode Fuzzy Hash: 985cd4361d3d7eef8003b1a8f8d93b940b4e3962e614023d66a09237fd014e5b
Instruction Fuzzy Hash: 08516975600316AFD704DF28C994EAABBE9FF88704F14892DF9898B340D634ED05CBA1

Function 00FCA960 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FCAA6A

Strings

No valid port number in connect to host string (%s), xrefs: 00FCAAAE
Please URL encode %% as %%25, see RFC 6874., xrefs: 00FCA9FA
Invalid IPv6 address format, xrefs: 00FCAA57
%25, xrefs: 00FCA9E9

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 601868998-2404041592
Opcode ID: 7724df7619f8e8ad4289dd8cd099bfeb9e7220de632ec689f33f5e60c66fe01d
Instruction ID: 7812a44e39b591aa860f0ca2d902cbc76d63251c58fcf72b606a6a5040e6d1d5
Opcode Fuzzy Hash: 7724df7619f8e8ad4289dd8cd099bfeb9e7220de632ec689f33f5e60c66fe01d
Instruction Fuzzy Hash: 6751F9B0D0424BABDB315E68AE43FA67B959F12338F14006DFCC986142E239ED51E753

Function 00FD41B0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

Read callback asked for PAUSE when not supported!, xrefs: 00FD424F
operation aborted by callback, xrefs: 00FD420B
read function returned funny value, xrefs: 00FD42AD
%x%s, xrefs: 00FD430A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %x%s$Read callback asked for PAUSE when not supported!$operation aborted by callback$read function returned funny value
API String ID: 48624451-1291304620
Opcode ID: ed675b62c9af46b50fb8da564bb629680b335c9d30684d38ce178f9920b5b8a2
Instruction ID: b699ccd09b74ba962e962137f45cc6c79c96a5641d422711a55a3c0b950addac
Opcode Fuzzy Hash: ed675b62c9af46b50fb8da564bb629680b335c9d30684d38ce178f9920b5b8a2
Instruction Fuzzy Hash: AF512931B002099FDB20DF68D885BEEB7E5EF55320F0405AEE89997281DB796D44DB90

Function 00F936B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 00F936F1
__Getcvt.LIBCPMT ref: 00F93748
Concurrency::cancel_current_task.LIBCPMT ref: 00F93770

Strings

true, xrefs: 00F937AD
false, xrefs: 00F93797

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Getcvt$Concurrency::cancel_current_task
String ID: false$true
API String ID: 1267538876-2658103896
Opcode ID: c8f558bb9c201063fa67684a55dfe495c548f443bc0b8a05d236d1d837cfa5e9
Instruction ID: 418a894ade2a82d3c2e7641a5757dfccfed0832c4b8fb3073ff27aa15fa44c73
Opcode Fuzzy Hash: c8f558bb9c201063fa67684a55dfe495c548f443bc0b8a05d236d1d837cfa5e9
Instruction Fuzzy Hash: 6E51B6B1D002499FDF00DFA4C841BFEBBB8FF49714F14825AE845AB241E7759A45CBA1

Function 00FB4500 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

APIs

___std_type_info_name.LIBVCRUNTIME ref: 00FB460A

Strings

" failed, xrefs: 00FB4620
conversion of data to type ", xrefs: 00FB45DA
class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __thiscall boost::property_tree::string_path<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct boost::property_tree::id_transla, xrefs: 00FB4521
class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std, xrefs: 00FB464D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_type_info_name
String ID: " failed$class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std$class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __thiscall boost::property_tree::string_path<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct boost::property_tree::id_transla$conversion of data to type "
API String ID: 1734802720-1946069150
Opcode ID: 0598ecea0f42e71c95539c5a92ea608392ef0175e7f11e89298ba2eb42b893f1
Instruction ID: a635043fbb639ed4f7c829aa74eef4c8a74eecabfe22a178ca21b99381bd71b8
Opcode Fuzzy Hash: 0598ecea0f42e71c95539c5a92ea608392ef0175e7f11e89298ba2eb42b893f1
Instruction Fuzzy Hash: 7841EF70904248ABEF15EFA5CC05BDEBBB8EF05310F14415DE491B72C2DB786A08DB61

Function 010097F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetTickCount64,00000000,05CEC6CE,7622DF60,010A48B4), ref: 01009830
GetProcAddress.KERNEL32(00000000), ref: 01009837

Strings

GetTickCount64, xrefs: 01009826
KERNEL32.DLL, xrefs: 0100982B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 1646373207-3320051239
Opcode ID: 3749ba52434213230b0ab095aa8774eea4afba86af2f3097020730b676ce9d7c
Instruction ID: d752f425a158666e454562b1bd3a99ef45e3375ac8f0a3778beec5bd4f36466b
Opcode Fuzzy Hash: 3749ba52434213230b0ab095aa8774eea4afba86af2f3097020730b676ce9d7c
Instruction Fuzzy Hash: CA31E531A047018FE726DB2CC880B9A7BD1EFD4324F188A6EF1EA872D2D771D9448791

Function 00FAD820 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94threadCOMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FAD87C

Part of subcall function 00FAF1D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00FAF224

Part of subcall function 00F95930: CloseHandle.KERNEL32(00000000,05CEC6CE), ref: 00F95985
Part of subcall function 00F95930: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,05CEC6CE,?,?,?,05CEC6CE,?,0100943D,05CEC6CE), ref: 00F95997

___std_exception_copy.LIBVCRUNTIME ref: 00FAD8E7
GetCurrentThreadId.KERNEL32 ref: 00FAD922

Part of subcall function 0100AD40: __Init_thread_footer.LIBCMT ref: 0100ADA3

Strings

$, xrefs: 00FAD8EF
boost unique_lock owns already the mutex, xrefs: 00FAD8CF, 00FAD8E1

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_exception_copy$CloseCurrentException@8HandleInit_thread_footerObjectSingleThreadThrowWait
String ID: $$boost unique_lock owns already the mutex
API String ID: 169746467-1517442662
Opcode ID: 9a4470e595cabb04609e5fcd727f8581b63968da8402e8aa725e862f0aab1bba
Instruction ID: 36bb7b70aefdf5b070f36d007251ef7b2022efeb745af5c2370a4734766f7450
Opcode Fuzzy Hash: 9a4470e595cabb04609e5fcd727f8581b63968da8402e8aa725e862f0aab1bba
Instruction Fuzzy Hash: 9E415BB1D00349DFDB21DFA4C8847DEBBF8AF19714F20422EE8556B641D7796948CBA0

Function 00FCEEE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00FCEF14
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00FCEF8D
WSAGetLastError.WS2_32 ref: 00FCEF97

Strings

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00FCEF9F
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00FCEF1F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorIoctlLastsetsockopt
String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
API String ID: 1819429192-277924715
Opcode ID: 3b5666d29635fc78b695a9bd25adc0591d36734ba6c5770c38e8c15e3b7d4551
Instruction ID: 82171c8e1af8c7b661c3eefc39f9b49241464183b50c17bc7b18c8bce6ee9c9e
Opcode Fuzzy Hash: 3b5666d29635fc78b695a9bd25adc0591d36734ba6c5770c38e8c15e3b7d4551
Instruction Fuzzy Hash: F321A171A40209ABEB10DF64DC42FEF77B8EB44701F10406EF945EA1C1DA756A0497A1

Function 00F825B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F825E7
___std_exception_copy.LIBVCRUNTIME ref: 00F82653
__CxxThrowException@8.LIBVCRUNTIME ref: 00F8266B

Part of subcall function 01071273: KiUserExceptionDispatcher.NTDLL(?,?,?,0100BF47,?,?,?,?,?,?,?,?,0100BF47,?,010E0200), ref: 010712D2

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F82672

Strings

bad locale name, xrefs: 00F8263F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$DispatcherExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_ThrowUser___std_exception_copy
String ID: bad locale name
API String ID: 2355598456-1405518554
Opcode ID: 5c03c8ceb1a75c3f7904e2ab95a8c62017310d3b95a715d33d1cb129d54133d2
Instruction ID: ee4ac397a3fafa8a6637a07fd6e73498ca14acf95bc32c52dc054e5426a0ac72
Opcode Fuzzy Hash: 5c03c8ceb1a75c3f7904e2ab95a8c62017310d3b95a715d33d1cb129d54133d2
Instruction Fuzzy Hash: D8218DB1804748DECB20DFA9C945BDFBBF8EF19710F10461EE485A7640E775A608CBA5

Function 00FCD260 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FCD2D7

Strings

[%s %s %s], xrefs: 00FCD2C6
Header, xrefs: 00FCD2AD, 00FCD2B9, 00FCD2C5
Data, xrefs: 00FCD29C
from, xrefs: 00FCD2B2, 00FCD2C4

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l
String ID: Data$Header$[%s %s %s]$from
API String ID: 48624451-3178933089
Opcode ID: a72ed7f358f49b2315a063cea54f5d2622a1ddc2eedc132953db7a30e1d617f6
Instruction ID: 2e96839cc68c980cfadb84f2fca00633fadc9fa41218db4a00a9e1f3f08ca7dd
Opcode Fuzzy Hash: a72ed7f358f49b2315a063cea54f5d2622a1ddc2eedc132953db7a30e1d617f6
Instruction Fuzzy Hash: 6D112735E00349ABDB14EE19DD52FFEB368EF81350F4401ADF94587242D771AE019792

Function 010856F5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0108570A

Strings

.com, xrefs: 0108574A
.cmd, xrefs: 01085728
.exe, xrefs: 01085717
.bat, xrefs: 01085739

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: ced8c7b6dda36a58ae26a2a84af4288a74d95f0e0b0ff086f00a19de34867773
Instruction ID: 91befcb0862d4ecca01113edcedf1b88eda794c086f69e50bc8776d450cb03c2
Opcode Fuzzy Hash: ced8c7b6dda36a58ae26a2a84af4288a74d95f0e0b0ff086f00a19de34867773
Instruction Fuzzy Hash: F5F0F63614DB17A5FF143519BC12AEA37C8AF62D70B24409EE6C89A0D2EF61E0435194

Function 01089786 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01089737,00000003,?,010896D7,00000003,010ED518,0000000C,0108982E,00000003,00000002), ref: 010897A6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 010897B9
FreeLibrary.KERNEL32(00000000,?,?,?,01089737,00000003,?,010896D7,00000003,010ED518,0000000C,0108982E,00000003,00000002,00000000), ref: 010897DC

Strings

mscoree.dll, xrefs: 0108979F
CorExitProcess, xrefs: 010897B1

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6870cca51faa5e9acae7fcfc1d450c6d1ab853022e4794dd8d8b69494571c9c2
Instruction ID: f8229a9aa919a00008c13c6cf80131f7e347f6a1d290325b8a8c7212db41a7a7
Opcode Fuzzy Hash: 6870cca51faa5e9acae7fcfc1d450c6d1ab853022e4794dd8d8b69494571c9c2
Instruction Fuzzy Hash: 21F0C830601209BBDB25BF55DC89BEFBFF9EF44B15F4040A8F985A2544DB354A40CB50

Function 01070631 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 0107064D
__CxxThrowException@8.LIBVCRUNTIME ref: 0107065D

Part of subcall function 01071273: KiUserExceptionDispatcher.NTDLL(?,?,?,0100BF47,?,?,?,?,?,?,?,?,0100BF47,?,010E0200), ref: 010712D2

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 01070688

Strings

Bad read pointer - no RTTI data!, xrefs: 0107067F
Attempted a typeid of nullptr pointer!, xrefs: 01070644

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::__non_rtti_object::__construct_from_string_literal$DispatcherExceptionException@8ThrowUser
String ID: Attempted a typeid of nullptr pointer!$Bad read pointer - no RTTI data!
API String ID: 2590406442-4195314292
Opcode ID: 4e01e2ac0c193c593b42574196c7a042f4318a479c1589b0d2c919c1fb4612b6
Instruction ID: 40e8b7fcd41c9fa527b006cdfdbc7cd287290145128bb0599226f196e574e721
Opcode Fuzzy Hash: 4e01e2ac0c193c593b42574196c7a042f4318a479c1589b0d2c919c1fb4612b6
Instruction Fuzzy Hash: 0CF09071A00309AEEB00DBE6C959ECD73E8AB09610F204199F180AB180DB71EA008728

Function 010947B2 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4b48f6035430eb4e56cc6197692db394ee0b03841668973f140387b3f642e6
Instruction ID: 83c32e32f1f07c7b76eb5d0ffe5aba95a08c4c6f7a1d1609f79239587cc36eed
Opcode Fuzzy Hash: aa4b48f6035430eb4e56cc6197692db394ee0b03841668973f140387b3f642e6
Instruction Fuzzy Hash: 7371C0319042569BDF218F98CAA4ABFBBB5FF45320F1442A9E9D1E7281D7708943D7A0

Function 0101E880 Relevance: 7.7, APIs: 5, Instructions: 195COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0101E8CE

Part of subcall function 01071273: KiUserExceptionDispatcher.NTDLL(?,?,?,0100BF47,?,?,?,?,?,?,?,?,0100BF47,?,010E0200), ref: 010712D2

Part of subcall function 0101C770: ___std_exception_copy.LIBVCRUNTIME ref: 0101C797

__CxxThrowException@8.LIBVCRUNTIME ref: 0101E92E

Part of subcall function 0101C7E0: ___std_exception_copy.LIBVCRUNTIME ref: 0101C807

__CxxThrowException@8.LIBVCRUNTIME ref: 0101E98E

Part of subcall function 0101C850: ___std_exception_copy.LIBVCRUNTIME ref: 0101C877

__CxxThrowException@8.LIBVCRUNTIME ref: 0101E9EE

Part of subcall function 0101C8E0: ___std_exception_copy.LIBVCRUNTIME ref: 0101C907

__CxxThrowException@8.LIBVCRUNTIME ref: 0101EA4E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Exception@8Throw$___std_exception_copy$DispatcherExceptionUser
String ID:
API String ID: 2581116207-0
Opcode ID: 490ea87df8b4250310346d58fef055eafd348a69c39c8cf20c85ace9c765ea68
Instruction ID: dfcbea8a77a8f56b34f44ca55a5682479420099e4264aa908613c7d3099e16c0
Opcode Fuzzy Hash: 490ea87df8b4250310346d58fef055eafd348a69c39c8cf20c85ace9c765ea68
Instruction Fuzzy Hash: B9412AB5D4024DBBCB01EBE5CD45FCEBBBCEB04614F408A25F950E7684E779A2088B64

Function 0108B0AB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01086524: RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,01090083), ref: 01086556

_free.LIBCMT ref: 0108B1B6
_free.LIBCMT ref: 0108B1CD
_free.LIBCMT ref: 0108B1EC
_free.LIBCMT ref: 0108B207
_free.LIBCMT ref: 0108B21E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 02ff6710f2e332ee6acd4f07ba94e9c1a514f4bec3c9ab8277a0e95a94cee803
Instruction ID: c73122d4ef1c5a36ae973372f029c2bd731e2d69aa209e79274bdd5110558c4b
Opcode Fuzzy Hash: 02ff6710f2e332ee6acd4f07ba94e9c1a514f4bec3c9ab8277a0e95a94cee803
Instruction Fuzzy Hash: 5A51B071A04605AFDB21EF69D841BAABBF4EF48720F1406ADE9C9DB650E731D901CB40

Function 0108A1A4 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0108A216
_free.LIBCMT ref: 0108A236

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6736c26bc2cae9fa3c5a2c8360ee8bfb3a7dc89175e13622104372674ed3300f
Instruction ID: b84c262dcbe532e2d59877838f273c114ccfce0db1cedffef50d7998123c01ac
Opcode Fuzzy Hash: 6736c26bc2cae9fa3c5a2c8360ee8bfb3a7dc89175e13622104372674ed3300f
Instruction Fuzzy Hash: 7141A632B04210DFDB25EFBCC880A5DB7F5EF88714F15859AE595EB785DA31A901CB40

Function 01018F30 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 01018F54

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaad4eb22c64e0f0c2d51649a5108a8aa622e0cc0be837775b34097788093e0f
Instruction ID: d444c8f8eab0278eaa17b5efe7c9d4cafafe8136a84f7b42b63def7353920e9c
Opcode Fuzzy Hash: eaad4eb22c64e0f0c2d51649a5108a8aa622e0cc0be837775b34097788093e0f
Instruction Fuzzy Hash: AD215B71A006059BE716FB68C800BAEB3D9EF10764F14862FF996C7285EB3DDA01C791

Function 01090084 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0107DA2C,01085FA2,?,0109002E,00000001,00000364,?,01084C15,010ED438,00000010), ref: 01090089
_free.LIBCMT ref: 010900BE
_free.LIBCMT ref: 010900E5
SetLastError.KERNEL32(00000000), ref: 010900F2
SetLastError.KERNEL32(00000000), ref: 010900FB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: acc71050e9ba6327dafb65fd62381a4b74045baec859019890d0b334ace9fd68
Instruction ID: 362b484aeb2fd4aee5a1b688ab88b58f2bf9a0f959a6706fe005c0b913005f42
Opcode Fuzzy Hash: acc71050e9ba6327dafb65fd62381a4b74045baec859019890d0b334ace9fd68
Instruction Fuzzy Hash: F6012D366497036B9F32757D5C94AAF35BDABD17B0F200128F5C9A218DEF7584016270

Function 01002704 Relevance: 7.6, APIs: 5, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100270B
std::_Lockit::_Lockit.LIBCPMT ref: 01002715

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

__CxxThrowException@8.LIBVCRUNTIME ref: 0100276C
std::_Facet_Register.LIBCPMT ref: 0100278B
std::_Lockit::~_Lockit.LIBCPMT ref: 01002794

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
String ID:
API String ID: 651022567-0
Opcode ID: 8a0fd3d3c6065b8debdae838e23ef52ae7b596d7014cb52c5be69b8aa165e432
Instruction ID: 9615281054e8a2c0a55ef36e8e51d9132de54d876bdc9be1fdb86a82cb82c5ad
Opcode Fuzzy Hash: 8a0fd3d3c6065b8debdae838e23ef52ae7b596d7014cb52c5be69b8aa165e432
Instruction Fuzzy Hash: AE01C475D0021A9BDF42FBA4CC55AFDB3B5BF44750F54040AE5946B2D1DF38AA00D791

Function 01002667 Relevance: 7.6, APIs: 5, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100266E
std::_Lockit::_Lockit.LIBCPMT ref: 01002678

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

__CxxThrowException@8.LIBVCRUNTIME ref: 010026CF
std::_Facet_Register.LIBCPMT ref: 010026EE
std::_Lockit::~_Lockit.LIBCPMT ref: 010026F7

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
String ID:
API String ID: 651022567-0
Opcode ID: 8eec6af0cac1ac74e8cd91231ea0e945204fba729271db04a6ed88e6974dc16c
Instruction ID: 67799236f1f22f7ff858ff2db128c4e33b41d2d1fd7c6ecad21f209354c8674e
Opcode Fuzzy Hash: 8eec6af0cac1ac74e8cd91231ea0e945204fba729271db04a6ed88e6974dc16c
Instruction Fuzzy Hash: FF010475D005198BDF06FBA0CC45AFEB3B1BF54720F10040AE6506B2D1DF38AA019B91

Function 010028DB Relevance: 7.6, APIs: 5, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010028E2
std::_Lockit::_Lockit.LIBCPMT ref: 010028EC

Part of subcall function 00F827E0: std::_Lockit::_Lockit.LIBCPMT ref: 00F827FD
Part of subcall function 00F827E0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F82819

__CxxThrowException@8.LIBVCRUNTIME ref: 01002943
std::_Facet_Register.LIBCPMT ref: 01002962
std::_Lockit::~_Lockit.LIBCPMT ref: 0100296B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
String ID:
API String ID: 651022567-0
Opcode ID: d613d32cb0d7cd0c5c1b7a64d33e23183887774eceecdef8875bc2a3b74e2582
Instruction ID: 4dcf84d69dba92b5f072d4b9c654273897451210df8df1958f0ab46f3e652d91
Opcode Fuzzy Hash: d613d32cb0d7cd0c5c1b7a64d33e23183887774eceecdef8875bc2a3b74e2582
Instruction Fuzzy Hash: 26010036D0011A8BDF02FBA0CC49AFDB3B1BF44760F10080AE6806B2D1DF38AA01DB91

Function 01097DE9 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01097E01

Part of subcall function 010872F5: RtlFreeHeap.NTDLL(00000000,00000000,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?), ref: 0108730B
Part of subcall function 010872F5: GetLastError.KERNEL32(?,?,0109809C,?,00000000,?,00000000,?,01098340,?,00000007,?,?,01098729,?,?), ref: 0108731D

_free.LIBCMT ref: 01097E13
_free.LIBCMT ref: 01097E25
_free.LIBCMT ref: 01097E37
_free.LIBCMT ref: 01097E49

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 275d130d9d812db59f9c3fb03c978fe929a93d2ac63b878a3f2a9f3e024326f8
Instruction ID: 9eda9ff38f0b2d6c4685d082ba61c60c8344eda00b545db64fa0a33d540fd30c
Opcode Fuzzy Hash: 275d130d9d812db59f9c3fb03c978fe929a93d2ac63b878a3f2a9f3e024326f8
Instruction Fuzzy Hash: C9F0EC33918201AB9AB0EB6DE492D6A7BFAFB547107644889F1C8D7909CE35FC809E54

Function 00F8E350 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 406COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8E76D
std::_Xinvalid_argument.LIBCPMT ref: 00F8E777

Strings

invalid string position, xrefs: 00F8E754, 00F8E75E
string too long, xrefs: 00F8E768, 00F8E772

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: d00cab2b0e2ca8f3ab83b5f5ece1ddd90774e2350fb76affd52ba75d1f4d46b6
Instruction ID: 57800f4664f7be5cd2097f7fce25e65c8e3e08cdbe434741774d07b773b82fbb
Opcode Fuzzy Hash: d00cab2b0e2ca8f3ab83b5f5ece1ddd90774e2350fb76affd52ba75d1f4d46b6
Instruction Fuzzy Hash: 1DE13D71B0020ADFCB24EF58D9C09DEB3BAFF987447204569E855CB215E730EA55EBA0

Function 00F99630 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 391COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F999F7
std::_Xinvalid_argument.LIBCPMT ref: 00F99A01

Strings

invalid string position, xrefs: 00F999DE, 00F999E8
string too long, xrefs: 00F999F2, 00F999FC

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 1e21ace09cd299847205d3b351f0117c42a3b5e990d136c0887fa9d04c010678
Instruction ID: 42d78f83ec629760405170aefe65c54f6e612a823ea600bdbd2a11cebb3d77a7
Opcode Fuzzy Hash: 1e21ace09cd299847205d3b351f0117c42a3b5e990d136c0887fa9d04c010678
Instruction Fuzzy Hash: BCD17271B08205DBEF28CF4CD880A9A77B6EF85700B65491DE896CB341C771E991EBA1

Function 01088351 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 01088503
__freea.LIBCMT ref: 01088521

Part of subcall function 00FF5508: _free.LIBCMT ref: 00FF551E

Strings

a/p, xrefs: 010885E8
am/pm, xrefs: 01088584

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0138cc9b91275a05168cca07a3e01361b586256ceeb34f110b065455aecc778c
Instruction ID: 0c90103f13ef771e6d83c836d61f3ee03db5313157c5540575568e9fbf12b08c
Opcode Fuzzy Hash: 0138cc9b91275a05168cca07a3e01361b586256ceeb34f110b065455aecc778c
Instruction Fuzzy Hash: F0D1F135908206CAEB65BF6CC944ABEBBF1FF04700F94819BE6C1AB255D335D990CB60

Function 01061650 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 325COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 01061721
new.LIBCMT ref: 0106183E
std::_Xinvalid_argument.LIBCPMT ref: 010618E2

Part of subcall function 0105E0C0: new.LIBCMT ref: 0105E0C2

Part of subcall function 0105E030: new.LIBCMT ref: 0105E032

Part of subcall function 0100B0AE: __onexit.LIBCMT ref: 0100B0B4

Strings

list<T> too long, xrefs: 010618DD

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Init_thread_footerXinvalid_argument__onexitstd::_
String ID: list<T> too long
API String ID: 3927684510-4027344264
Opcode ID: 215a52df1a55671ecb277ba1c7cb9fde088d051303b9e8e2b2effd32e68057c7
Instruction ID: 2644b70c30e953ea324ff9aa24d20392a2fa0bcaf052a126b08640782d0e0290
Opcode Fuzzy Hash: 215a52df1a55671ecb277ba1c7cb9fde088d051303b9e8e2b2effd32e68057c7
Instruction Fuzzy Hash: 52D17C74A00209EFDB14CF58C481BADBBF9FB88718F19815DE995AB780D776AD04CB90

Function 00F8DB70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

invalid string position, xrefs: 00F8DD76
string too long, xrefs: 00F8DD80, 00F8DD8A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: invalid string position$string too long
API String ID: 0-4289949731
Opcode ID: 50f1b0fe086398fac97ca0b1cd25fffe4f6e7b1c7783f59d454bf37a9735797b
Instruction ID: bfd38825fdc7288019b793bc6beacbbbce7dd86e2f0a08b1d4041f992bb26532
Opcode Fuzzy Hash: 50f1b0fe086398fac97ca0b1cd25fffe4f6e7b1c7783f59d454bf37a9735797b
Instruction Fuzzy Hash: 30715F32B042099BCB24EF5CD8809AEB7B6FF89310710496EE956C7390DB71E910DBA4

Function 00F8DF00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8E0A3
std::_Xinvalid_argument.LIBCPMT ref: 00F8E0AD

Strings

invalid string position, xrefs: 00F8E08A, 00F8E094
string too long, xrefs: 00F8E09E, 00F8E0A8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: e9129c2a808aaa056cde1ba8287aad78120afd9d44d74befaee423d12c4d5387
Instruction ID: 177f0a80c0b64f1b7a5613eaf13120f52d3e87e345448ee0e46350904348d1a8
Opcode Fuzzy Hash: e9129c2a808aaa056cde1ba8287aad78120afd9d44d74befaee423d12c4d5387
Instruction Fuzzy Hash: EC51C47170020ADFCB24EF58D8C08AA73E9FF94745720492EF946CB251EB71E954EBA1

Function 00FBA780 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00FBA902
std::_Xinvalid_argument.LIBCPMT ref: 00FBA90C

Strings

invalid string position, xrefs: 00FBA8E9, 00FBA8F3
string too long, xrefs: 00FBA8FD, 00FBA907

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 099a51e713173551136a110b6e2391f4346ceeb57024d1e3baf17737cd712d00
Instruction ID: bb998ce62bd180c025893b376e4b0758ea2428e29b9005a8d6226c69d1a98dba
Opcode Fuzzy Hash: 099a51e713173551136a110b6e2391f4346ceeb57024d1e3baf17737cd712d00
Instruction Fuzzy Hash: C251D472B002059FD724DF1ED880ADAB7A5EF94740720492EF492CB651DB71D841EFA2

Function 00FDF230 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,8B5B5FBB,?,00000000,?,?), ref: 00FDF286

Strings

%s, xrefs: 00FDF3A6
Received too short packet, xrefs: 00FDF2CE
Internal error: Unexpected packet, xrefs: 00FDF3DE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: recvfrom
String ID: %s$Internal error: Unexpected packet$Received too short packet
API String ID: 846543921-1418437813
Opcode ID: 9cc3bd19b5f9b00a4561a864df4016cca6ff3d91c513c88130f5f52e5c1dcabe
Instruction ID: 505030e9cbb851da51f007d6b900e161e06083311804516fb29626caf949aedc
Opcode Fuzzy Hash: 9cc3bd19b5f9b00a4561a864df4016cca6ff3d91c513c88130f5f52e5c1dcabe
Instruction Fuzzy Hash: E7513B71A00205ABDB10EB24DC81FEEB3B9FF00315F44417BF44ED6241DB39A958ABA1

Function 0105F1B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0105F20A
std::_Xinvalid_argument.LIBCPMT ref: 0105F2A0

Part of subcall function 00FF2308: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FF2314
Part of subcall function 00FF2308: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF2322

std::_Xinvalid_argument.LIBCPMT ref: 0105F30A

Strings

vector<T> too long, xrefs: 0105F205, 0105F29B, 0105F305

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
String ID: vector<T> too long
API String ID: 1284171080-3788999226
Opcode ID: b96f0f72ba1ebcca562b11db82b2e5e87883b51337be6ae4afa2e33121a90354
Instruction ID: 93a92a8c3f02d1d40754ca3df29ff8098e14db941bd293a8ab605be7a95b38a0
Opcode Fuzzy Hash: b96f0f72ba1ebcca562b11db82b2e5e87883b51337be6ae4afa2e33121a90354
Instruction Fuzzy Hash: 9F4118373002260B875CDD3EDD9446EBADB9BD866132DCA3EE985DB788C970F8414690

Function 00F8DDA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8DEE6
std::_Xinvalid_argument.LIBCPMT ref: 00F8DEF0

Strings

CPU >> , xrefs: 00F8DDB4, 00F8DDCC, 00F8DDE1, 00F8DDEC, 00F8DEA8
string too long, xrefs: 00F8DEE1, 00F8DEEB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: CPU >> $string too long
API String ID: 909987262-599734533
Opcode ID: 72536754f1c77016a92e6731274f487bcd2479f95243d6334eec6687ebdddada
Instruction ID: 0d8aeb0f8cdf7271caa99dad44db17d3f3b13270c37a777bfa3d50d7c3b9685d
Opcode Fuzzy Hash: 72536754f1c77016a92e6731274f487bcd2479f95243d6334eec6687ebdddada
Instruction Fuzzy Hash: 0141A9327042158B8634FE58E8909BEB3F6FFE5751720092EE582CB690DB219C45A7A4

Function 00FE96F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FE97A8

Strings

%.*s, xrefs: 00FE97B8
Proxy-, xrefs: 00FE9821, 00FE9829
%sAuthorization: Digest %s, xrefs: 00FE982A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %.*s$%sAuthorization: Digest %s$Proxy-
API String ID: 601868998-541442569
Opcode ID: add2384533a424fc089dc415820ff6f6a505717c321fba5261f4fc7ba0145513
Instruction ID: 0eaeeb005059acac3eb6acb62c5ebc7fcf3c452b6fef49870579ff7b2f9296c3
Opcode Fuzzy Hash: add2384533a424fc089dc415820ff6f6a505717c321fba5261f4fc7ba0145513
Instruction Fuzzy Hash: 3041D176A00108AFDB10CF59DC45BEA7BA5EF49324F0880A9FD48DB351DB759D10DBA1

Function 00F92CF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F92DF6
std::_Xinvalid_argument.LIBCPMT ref: 00F92E00

Strings

invalid string position, xrefs: 00F92DE7
string too long, xrefs: 00F92DF1, 00F92DFB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 70ecb664db1bc1f97a5d98149b7ac59f9b095f9366328f9e32e65cc148e0fa37
Instruction ID: cc35415384b26452889d818713dd56b28287f2827e45f68b08c924c1e6c8518f
Opcode Fuzzy Hash: 70ecb664db1bc1f97a5d98149b7ac59f9b095f9366328f9e32e65cc148e0fa37
Instruction Fuzzy Hash: 0831C132304319ABAB24EF58E88186EB3E9EF94754310492FE556CB660DB31E9059BA4

Function 00F99A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F99B07
std::_Xinvalid_argument.LIBCPMT ref: 00F99B11

Strings

invalid string position, xrefs: 00F99AF8
string too long, xrefs: 00F99B02, 00F99B0C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 3fb23a4ea83f119bdf2a95a8edba6e6566f2465b241cd80a0f8c032d24cf81b1
Instruction ID: b25fde33a528fa216749eeb117a46548978eed7bbdf62d274be3d87c063ae0d9
Opcode Fuzzy Hash: 3fb23a4ea83f119bdf2a95a8edba6e6566f2465b241cd80a0f8c032d24cf81b1
Instruction Fuzzy Hash: A931D4323043049FEB25DF5DE881A6AB7A9EFD4B60B11492EF555CB351C7B5E8009BA0

Function 00F8AF70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8B068
std::_Xinvalid_argument.LIBCPMT ref: 00F8B072

Strings

invalid string position, xrefs: 00F8B059
string too long, xrefs: 00F8B063, 00F8B06D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 0034f28ca37594dd71f321220aa1fd853fbea94f98835a0abb38927fab431ede
Instruction ID: a05e78249108c0a361095fdbbfd4e9bdee6985f6f67f8de4848caa2c8d746dc1
Opcode Fuzzy Hash: 0034f28ca37594dd71f321220aa1fd853fbea94f98835a0abb38927fab431ede
Instruction Fuzzy Hash: FE318F327043098B8B28EF5DE8819ABB3E9FF95711310092EE566CB621D731E9149BA5

Function 00FB65D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

___std_type_info_name.LIBVCRUNTIME ref: 00FB66C6

Strings

void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_, xrefs: 00FB670C
conversion of type ", xrefs: 00FB669C
" to data failed, xrefs: 00FB66DC

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_type_info_name
String ID: " to data failed$conversion of type "$void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_
API String ID: 1734802720-3578818472
Opcode ID: 854e17182bfbb97a432cd0121bfc1f24fe1f872c6921b3cbc2ecd0e057e76d9c
Instruction ID: da0f7b1a4ad25cf0009e247873e1ded4170b6bf5f7e60732c0d46a96dc872f6b
Opcode Fuzzy Hash: 854e17182bfbb97a432cd0121bfc1f24fe1f872c6921b3cbc2ecd0e057e76d9c
Instruction Fuzzy Hash: 21410370D04248AFEB15EFA4CC45BEEBBB9EF01710F10415DE441AB282DB796A08DBA1

Function 00FB6720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

___std_type_info_name.LIBVCRUNTIME ref: 00FB6816

Strings

conversion of type ", xrefs: 00FB67EC
void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_, xrefs: 00FB685C
" to data failed, xrefs: 00FB682C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_type_info_name
String ID: " to data failed$conversion of type "$void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_
API String ID: 1734802720-3578818472
Opcode ID: b747b4eff2c1fe86c9a43397a7b824af44b62fa1981c00929d7c0e5b3feb62fe
Instruction ID: de5c7199f573e3dc800f78c9d9592724f5817becd83719fde1a30f23f768e431
Opcode Fuzzy Hash: b747b4eff2c1fe86c9a43397a7b824af44b62fa1981c00929d7c0e5b3feb62fe
Instruction Fuzzy Hash: 5B410370904248AFEB15EFA4CC45BEEBBB9EF11714F20415DE441AB281DF796A08DBA1

Function 00FB6390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

___std_type_info_name.LIBVCRUNTIME ref: 00FB6488

Strings

conversion of type ", xrefs: 00FB645E
void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_, xrefs: 00FB64CE
" to data failed, xrefs: 00FB649E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_type_info_name
String ID: " to data failed$conversion of type "$void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_
API String ID: 1734802720-3578818472
Opcode ID: f5481256081d9da89c3596ebc2685965a23dd2241b0839b1950b722f56d0bee5
Instruction ID: c2bc68cbbcd5bdc1453c3ce8783a01d5769aca224e3d850399e45c7b0e4c850f
Opcode Fuzzy Hash: f5481256081d9da89c3596ebc2685965a23dd2241b0839b1950b722f56d0bee5
Instruction Fuzzy Hash: 5141D071904248EFEB11EFA4CC45BEEBBB8EF11714F10815DE441AB282DB795A08DBA1

Function 00F8A670 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8A758
std::_Xinvalid_argument.LIBCPMT ref: 00F8A762

Strings

invalid string position, xrefs: 00F8A749
string too long, xrefs: 00F8A753, 00F8A75D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 8704fb63f2653974ae26bbf4bb6902a0f88a7fb1ee744b9a5524c45816ca708c
Instruction ID: 9198c53f59e0db98d666b578d92a5b65608061ae3da99e833057963ee9455d6c
Opcode Fuzzy Hash: 8704fb63f2653974ae26bbf4bb6902a0f88a7fb1ee744b9a5524c45816ca708c
Instruction Fuzzy Hash: E131A2323017048FEB24EF5DEC41AAEB3B5EF95751B10492FE551CB251D771D800A7A6

Function 00FB4EF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

___std_type_info_name.LIBVCRUNTIME ref: 00FB4FC3

Strings

conversion of type ", xrefs: 00FB4F99
" to data failed, xrefs: 00FB4FD6
void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_, xrefs: 00FB5006

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___std_type_info_name
String ID: " to data failed$conversion of type "$void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_
API String ID: 1734802720-3578818472
Opcode ID: 79b944d5b977f25598390551a5e0552dbc104b1131c6a47b2035b273fd202207
Instruction ID: 30ef7bd0ebfbe2da2d6f22dbc9587e987ff796e6d5d17c398e742c10d2d402e7
Opcode Fuzzy Hash: 79b944d5b977f25598390551a5e0552dbc104b1131c6a47b2035b273fd202207
Instruction Fuzzy Hash: 4131F471D04248AADF01EBA5CC45FEEBBBCEB05710F108159F051B7282DF795A08DBA1

Function 00FD3540 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FD359C

Strings

%s:%s, xrefs: 00FD3589
%sAuthorization: Basic %s, xrefs: 00FD35FF
Proxy-, xrefs: 00FD35F6, 00FD35FE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
API String ID: 48624451-2961970465
Opcode ID: e7cfaaa78a1db60735de067a9a66b12bc58212fd33dd5fdde06f9088b72f6d22
Instruction ID: b1dedce3dd82de00572358c9d5c8b426f98ca5a65c5be2e2e501787f25830247
Opcode Fuzzy Hash: e7cfaaa78a1db60735de067a9a66b12bc58212fd33dd5fdde06f9088b72f6d22
Instruction Fuzzy Hash: 7721E7B5A00105AFDB10DF64D845BE977FAEF84310F1841BAE9489B301E7369E009BA1

Function 0100D800 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,05CEC6CE), ref: 0100D832
GetCurrentDirectoryW.KERNEL32(00000000,00000000,00FA13B8), ref: 0100D86D
GetLastError.KERNEL32 ref: 0100D877

Strings

boost::filesystem::current_path, xrefs: 0100D881

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast
String ID: boost::filesystem::current_path
API String ID: 1128942804-4026011040
Opcode ID: 0b8de264612b3a085bd6a93e6efcd9d7cabea6905ae76c38673c8b6cca6a61e2
Instruction ID: 7b25775c8084fa838e5ea1972bd648debfebcff586ce35485272328a61aa935a
Opcode Fuzzy Hash: 0b8de264612b3a085bd6a93e6efcd9d7cabea6905ae76c38673c8b6cca6a61e2
Instruction Fuzzy Hash: 3C210B71604245ABE7159FA8DC05BABB7F9EF44710F044529F846DB3C4D7B9EA00C7A0

Function 00FDD700 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,?), ref: 00FDD720
WSACleanup.WS2_32 ref: 00FDD74D

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

Strings

WSAStartup failed (%d), xrefs: 00FDD72B
insufficient winsock version to support telnet, xrefs: 00FDD775

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CleanupStartup___swprintf_l
String ID: WSAStartup failed (%d)$insufficient winsock version to support telnet
API String ID: 3683242764-1763879679
Opcode ID: 8822cc7a800178fd45b26f78b7fe2c24fee8a0729cc3a99782be97d0883d560e
Instruction ID: 14c0f257de242d17b085963dd9598d1d812785bb4adb8fc19743ab5f5a4b235c
Opcode Fuzzy Hash: 8822cc7a800178fd45b26f78b7fe2c24fee8a0729cc3a99782be97d0883d560e
Instruction Fuzzy Hash: 84019271B0011DABDF10EB68AD56FEE7369CF44215F4000EAFC4A97281DE295E058695

Function 00F83580 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F835A9
_com_util::ConvertStringToBSTR.COMSUPP ref: 00F835E2
_com_issue_error.COMSUPP ref: 00F835FF

Strings

WQL, xrefs: 00F835CF

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ConvertString_com_issue_error_com_util::
String ID: WQL
API String ID: 729922077-1249411209
Opcode ID: 2fb919df270f7d69d9e402737626ef81430fd72426a4bdb5b9300ec30a2fad8a
Instruction ID: 0f64c190f6ca52ee80722890e0015441fcb4fcfd241a41c693f9173a24471394
Opcode Fuzzy Hash: 2fb919df270f7d69d9e402737626ef81430fd72426a4bdb5b9300ec30a2fad8a
Instruction Fuzzy Hash: CE01D671944756EBD3219F95C801B9AF7E8EF54B20F20871EE8516B780E7B5594087D0

Function 0102CAF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(00000000,010188DE,00000000), ref: 0102CAF3
TlsFree.KERNEL32(?,05CEC6CE,00000000,0109D640,000000FF,?,libs\log\src\thread_specific.cpp,00000029,TLS capacity depleted,0000000C), ref: 0102CB44

Strings

TLS capacity depleted, xrefs: 0102CB06
libs\log\src\thread_specific.cpp, xrefs: 0102CB0D

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AllocFree
String ID: TLS capacity depleted$libs\log\src\thread_specific.cpp
API String ID: 265982327-1379514790
Opcode ID: adc86f5e1269eb2d96f80dd8c08e7e85b6ee9bd1b6010337cd36516d819997b2
Instruction ID: 87baa3561b0f9fbb0b1601b90119cffaded64ec35aceff30940461c9f9a217b7
Opcode Fuzzy Hash: adc86f5e1269eb2d96f80dd8c08e7e85b6ee9bd1b6010337cd36516d819997b2
Instruction Fuzzy Hash: 7EF0E931644254AFD7249F68EC45F96B7A8EB09A20F100B6EF8A5D77C4D77688008780

Function 00FDDFA0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00000003,00000000), ref: 00FDDFC9
WSAGetLastError.WS2_32(?,00FDDEAF,?,000000FE,?,?,?,00FDE710,?,?,?,RCVD,000000FB,?), ref: 00FDDFD3

Part of subcall function 00FCD340: ___swprintf_l.LIBCMT ref: 00FCD382

Strings

SENT, xrefs: 00FDDFEC
Sending data failed (%d), xrefs: 00FDDFDA

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast___swprintf_lsend
String ID: SENT$Sending data failed (%d)
API String ID: 2728857167-3459338696
Opcode ID: 5f6e709085a8d7691f796e52ec3654a56c0f12cc3973094a87591d20229de420
Instruction ID: 48f07b899f238ade2655cefdad14990cfe73b43b0475e85c1062593e21818e17
Opcode Fuzzy Hash: 5f6e709085a8d7691f796e52ec3654a56c0f12cc3973094a87591d20229de420
Instruction Fuzzy Hash: 71F0C236200248BFDB11AF59DC81EDB3B6DAF48790F044019F9988B242D235A61087A1

Function 01090A52 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01090ADD
__alldvrm.LIBCMT ref: 01090CDE
__alldvrm.LIBCMT ref: 01090D00

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 9d93e61f19b96296c0ae5d052b078a61c056aa9b66824bfbf5dd4f31dc1b7d83
Instruction ID: 582e75270636c500ff2674964c8cd65d44a7f57efc704cd65b12150d5a3a892e
Opcode Fuzzy Hash: 9d93e61f19b96296c0ae5d052b078a61c056aa9b66824bfbf5dd4f31dc1b7d83
Instruction Fuzzy Hash: F9A16672A0438A9FEF22CF1CC8A07AEBFE9EF15314F1841A9F5D59B285C2389941D750

Function 01085264 Relevance: 6.2, APIs: 4, Instructions: 174pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000000,00000000,00000000), ref: 01085289

Part of subcall function 01085688: __dosmaperr.LIBCMT ref: 010856CB

GetLastError.KERNEL32 ref: 010853B4
__dosmaperr.LIBCMT ref: 010853BB
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 010853F8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
String ID:
API String ID: 3955570002-0
Opcode ID: e9867c84cb008403a38f827d6850ea5cc0ae0ac97b3e7fa61a7cc0a2fa25c82f
Instruction ID: 760f4e438ef404c5e8a028f3e6df7ad6d6b6eb8347833e3834f8ac8ae29b5ea0
Opcode Fuzzy Hash: e9867c84cb008403a38f827d6850ea5cc0ae0ac97b3e7fa61a7cc0a2fa25c82f
Instruction Fuzzy Hash: 0F51B272904609AFDB64EFB8CC419EFBBF9EF48324F148929E5D6D3550EB3498418B50

Function 01013250 Relevance: 6.2, APIs: 4, Instructions: 167COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 010132B2
new.LIBCMT ref: 010132C9
__Init_thread_footer.LIBCMT ref: 0101333B
__Init_thread_footer.LIBCMT ref: 01013472

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 350f99dcba5bb25760efd1739260973bee56d92bb312e502a57e1ac148619048
Instruction ID: f71590f523ee862b522b0a55867b292a6ab8409f78d3ad418fd1490ce64002be
Opcode Fuzzy Hash: 350f99dcba5bb25760efd1739260973bee56d92bb312e502a57e1ac148619048
Instruction Fuzzy Hash: DD61DE70900216CFDB11DBA8C946BADB7F4FB44324F1042A9F596AB3C4DB395A04CBA5

Function 0109A0A1 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0109A1D0

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fd071277f79cdf534464ad6480795ffe1ab926528ee0a34a838631ac29915c4b
Instruction ID: da42ee4b1370f0c4294dee2f2d8aa55037cdc684729603f2fe9257bc2864894d
Opcode Fuzzy Hash: fd071277f79cdf534464ad6480795ffe1ab926528ee0a34a838631ac29915c4b
Instruction Fuzzy Hash: E1412571B04112EADF25BABD9C54AEE3AF4FF953B0F140295F8E8D7290EA358540A361

Function 00FF2CD6 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 00FF2D2E
MultiByteToWideChar.KERNEL32(00F8FB61,00000009,00000000,00000002,?,00000000,00000000,00000001,?), ref: 00FF2D7C
MultiByteToWideChar.KERNEL32(00F8FB61,00000009,?,030A7EC0,?,00000000,00000000,00000001,?), ref: 00FF2DEE
MultiByteToWideChar.KERNEL32(00F8FB61,00000009,?,00000001,?,00000000,00000000,00000001,?), ref: 00FF2E16

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: 48c154875ea33ce801d8574a1c00f3d2b492a2a6b73364c1a8e9d25f6ced1234
Instruction ID: db31eea1e826363364055d537593ac824534501cd18aeab17f0a346360cbda2f
Opcode Fuzzy Hash: 48c154875ea33ce801d8574a1c00f3d2b492a2a6b73364c1a8e9d25f6ced1234
Instruction Fuzzy Hash: 9041B231A1034AEFEB618F64D841BBEBBB9EF45320F244469F9519B2A0D7759840EB50

Function 010848D8 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1873da40ba067929def9ca62e76533391b5624dd88800f77440407b7f2780da
Instruction ID: 1d0aca5728457b193bd88c55324b1a7a816a864fe37c22bbc4ca096e613c1fcb
Opcode Fuzzy Hash: c1873da40ba067929def9ca62e76533391b5624dd88800f77440407b7f2780da
Instruction Fuzzy Hash: 9941D771A0431ABFD725EF78CC40BEABBE9EB98720F10856AE1D5DB2C0D671A5418784

Function 0105FA30 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0105FA54

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc37d2f6184032bf3131da2bf0fe894ac3aea1319f9c4cffccb5a8d037a80ca
Instruction ID: a53f631beedfbfdf409f4b56a4a4af668de7f04c031e6433bd3d0fa8d9b966a5
Opcode Fuzzy Hash: fbc37d2f6184032bf3131da2bf0fe894ac3aea1319f9c4cffccb5a8d037a80ca
Instruction Fuzzy Hash: 7F31C0B93003028FD350DF69C480AABB3E5EF94321F14C96AE999C7291D734E861CB92

Function 01094DC8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000006,00000000,0000007F,010C2A30,00000000,00000000,8B56FF8B,0108A87A,?,00000006,00000001,010C2A30,0000007F,?,8B56FF8B,00000001), ref: 01094E15
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01094E9E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 01094EB0
__freea.LIBCMT ref: 01094EB9

Part of subcall function 01086524: RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,01090083), ref: 01086556

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7802550853bc438e7d2ec9cbc9bf411c586d819e34e6d391a1a642399426a0f2
Instruction ID: 2fe906bf314639bdec59d1d1320964d961cf56cae5983881cc7a0fa5f2244738
Opcode Fuzzy Hash: 7802550853bc438e7d2ec9cbc9bf411c586d819e34e6d391a1a642399426a0f2
Instruction Fuzzy Hash: E631CD32A0021AABEF259F69DC94DEF7BE5EB40310F054268FC44D7290E735D951DBA0

Function 010096A0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00F95930: CloseHandle.KERNEL32(00000000,05CEC6CE), ref: 00F95985
Part of subcall function 00F95930: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,05CEC6CE,?,?,?,05CEC6CE,?,0100943D,05CEC6CE), ref: 00F95997

ReleaseSemaphore.KERNEL32(?,?,00000000,05CEC6CE,?,?,?,?,00000000,010A4942,000000FF,?,01009537), ref: 010096F4
ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,00000000,010A4942,000000FF,?,01009537), ref: 01009715
CloseHandle.KERNEL32(?), ref: 01009757
SetEvent.KERNEL32(00000000), ref: 01009791

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 3698072468-0
Opcode ID: 9f33081d45d35a39c5a94a8b88834a955b8fcd6dfa86df4ecb4ae5ae8e874d72
Instruction ID: fcec26839bb20d61fec632008d835621c62534ff82397f0be53fc4714134e085
Opcode Fuzzy Hash: 9f33081d45d35a39c5a94a8b88834a955b8fcd6dfa86df4ecb4ae5ae8e874d72
Instruction Fuzzy Hash: A9317E75600604DFEB2A8F58C884B6ABBE8FB04728F1446A9FD5DDB2C6D736D811CB50

Function 00F9F000 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F9F036
Concurrency::cancel_current_task.LIBCPMT ref: 00F9F0A0

Part of subcall function 0100BF2B: __CxxThrowException@8.LIBVCRUNTIME ref: 0100BF42

Concurrency::cancel_current_task.LIBCPMT ref: 00F9F0A5

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: c71de1e03615bb84a90a173c55549aeba09db768fe47eb91aa969a41973d9e73
Instruction ID: f56300d714512a35bbc8816dda4d72ae6cd82d8a99d0205c267f9e91fb4b5487
Opcode Fuzzy Hash: c71de1e03615bb84a90a173c55549aeba09db768fe47eb91aa969a41973d9e73
Instruction Fuzzy Hash: 3A11E6B6A00103AFEB19EF68C8819BAB3ACEF54310B10463DE959C3251E731ED18C7A0

Function 00F9F0B0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F9F0E6
Concurrency::cancel_current_task.LIBCPMT ref: 00F9F152

Part of subcall function 0100BF2B: __CxxThrowException@8.LIBVCRUNTIME ref: 0100BF42

Concurrency::cancel_current_task.LIBCPMT ref: 00F9F157

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: ddbd4eac951e155764efa1d3510aa374e82febe5be42ac7467a40f177048762b
Instruction ID: ee4cd06ce4256fc95186a53bfa668d39f2176ebfa5d1930810c5245be7c873bd
Opcode Fuzzy Hash: ddbd4eac951e155764efa1d3510aa374e82febe5be42ac7467a40f177048762b
Instruction Fuzzy Hash: 281103B6A00107AFEB19EF68C88087AB3A8EF54310B14463AE919C7250E731AD15CBD1

Function 01033070 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 01033094

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a0e99cf817a150b3c63b627bcc16b7be7712f93396f2bea078e8a87903d690
Instruction ID: 4fc8f6e1b0b94201c270ac0ee7c326f66a502fa88f24779af54346585364d474
Opcode Fuzzy Hash: f3a0e99cf817a150b3c63b627bcc16b7be7712f93396f2bea078e8a87903d690
Instruction Fuzzy Hash: FE01D6716002024B9724EB39D9D49AEF3ECFFD0221705466EF4A6CF651DB20E841C752

Function 01085420 Relevance: 6.1, APIs: 4, Instructions: 65timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,?,00000000), ref: 0108544E
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01085462
GetLastError.KERNEL32 ref: 010854AA
__dosmaperr.LIBCMT ref: 010854B1

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
String ID:
API String ID: 593088924-0
Opcode ID: 15475a2be43686a7129093c73f653712109a0711ffe411b1bfc20e3a2efc001b
Instruction ID: 20a69ae299eb82e0fd67bc70034beebbfcaa8007d46bedbc45bf00e9407610f1
Opcode Fuzzy Hash: 15475a2be43686a7129093c73f653712109a0711ffe411b1bfc20e3a2efc001b
Instruction Fuzzy Hash: 1A216072A0410DABCB11EFE8CC84AEF77BCAF08321F505656F596E2080DF39D6048B61

Function 00FAEAE0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00FAEB13

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77515ad65b2b41654a9843b87c8fa7ab20286e32492c19d137f0fd6c4c121d4
Instruction ID: acc7c0f3373d0e1bf958bae4c6243babc54c6f6c00de75c3c80d4dd300a2b524
Opcode Fuzzy Hash: d77515ad65b2b41654a9843b87c8fa7ab20286e32492c19d137f0fd6c4c121d4
Instruction Fuzzy Hash: EBF082F2A002054AEB1DFB6498A6ABE7758CB71350F00013EE51BCB590F622E964D6A9

Function 0105F9C0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0105F9E7

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436ff046126941eeec54348df4088f2425809747f70c0628ff03eda104265074
Instruction ID: 06e65400060de4666682f95d7795d7bd9428fcc2d31fd15926de9854a7ed9c0d
Opcode Fuzzy Hash: 436ff046126941eeec54348df4088f2425809747f70c0628ff03eda104265074
Instruction Fuzzy Hash: 87F027F1A002034AE7A5F7789844EBF33D85F20254F02017ADCC7DB092EB29C954C653

Function 00F8BE40 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F8BE6A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a7451a62a4b2ee75dfba380583b36b9ef1f5812cad444a02974a9c022dbea8
Instruction ID: 881d42a62893414c2e9f55769dc1f766c44e3d9c1288dc9d55077d2240f5b736
Opcode Fuzzy Hash: d2a7451a62a4b2ee75dfba380583b36b9ef1f5812cad444a02974a9c022dbea8
Instruction Fuzzy Hash: 1CF0A0F2B042094FA709F774A8569FE73988B34360B14023EF61ECB2D1FA22E9549659

Function 00F9F160 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F9F18B

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f22e6bf2c0fdcebda5b651e1c09446586ffb2276ce4ade469a68fbc7b52885c
Instruction ID: 20a823b7fba247c68e6a1cba523c1f562d9b13f711e0e38bb8732e11790c89cb
Opcode Fuzzy Hash: 6f22e6bf2c0fdcebda5b651e1c09446586ffb2276ce4ade469a68fbc7b52885c
Instruction Fuzzy Hash: 4CF0A0B2A042058BBB19F774D85297E73988B34360B00063FF52BCB2D1F522E999D699

Function 00FB1E80 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00FB1EAB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ed98ddada49c7321db007dd077195e7b8ad118fe783375149292d5aa19183d
Instruction ID: 4e77e587297f99ae8f7d11f349d2f7752c70db04032a6e710e2539feaedf6ac9
Opcode Fuzzy Hash: 76ed98ddada49c7321db007dd077195e7b8ad118fe783375149292d5aa19183d
Instruction Fuzzy Hash: 71F05CB3B002094BAA19F7759821CBE73849B30360B40023FF81BCB2C0F632F910D955

Function 0105F950 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0105F980

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fe75a867870fb9d20ca8abb7671582ad89bb34b65130aa0c7ebe8461e2e6eb
Instruction ID: a4b0f73db81b7d4e63d3fdf5cbde958fc54e6c529224db599a39a8b8638cd1f1
Opcode Fuzzy Hash: 77fe75a867870fb9d20ca8abb7671582ad89bb34b65130aa0c7ebe8461e2e6eb
Instruction Fuzzy Hash: 62F05971A0090356F7ADF7B49950BBF32E48F60205F01403E9DC7CB081EB28D515C217

Function 00F8BDE0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00F8BE0E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970908b49473d7ef28af1614abfa152ea2e8798d69a80794042a91427aa07e5e
Instruction ID: 76b02e6c44a8222a15757936db3e0249761e3140ac3b213545cbc89203bf223c
Opcode Fuzzy Hash: 970908b49473d7ef28af1614abfa152ea2e8798d69a80794042a91427aa07e5e
Instruction Fuzzy Hash: 3DF0E2B2A042094FA619F7689441DFE73D8CB74360B00403FF10ACB280FB32E914D759

Function 0105CC80 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

Part of subcall function 0105E090: new.LIBCMT ref: 0105E092

Part of subcall function 0106E6F0: LoadLibraryA.KERNEL32(?), ref: 0106E70C

___std_exception_copy.LIBVCRUNTIME ref: 0105CDB4
___std_exception_destroy.LIBVCRUNTIME ref: 0105CE09

Strings

Unable to open message catalog: , xrefs: 0105CD69

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: LibraryLoad___std_exception_copy___std_exception_destroy
String ID: Unable to open message catalog:
API String ID: 2927770020-3361316291
Opcode ID: 29aa8e8def19ce010fb0e20f8ec9a976f5c82b877cb6f0743ff6cd3e495667eb
Instruction ID: f36b51f40579c846dca2dcdbe94960327034485ab16bd17eaccdb806991c3af2
Opcode Fuzzy Hash: 29aa8e8def19ce010fb0e20f8ec9a976f5c82b877cb6f0743ff6cd3e495667eb
Instruction Fuzzy Hash: 34C1ED70D00348DFEF55DFA8C988BDEBBF8AF15314F244159D886AB281D7349A48CBA1

Function 0105F400 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0105F45A

Strings

punct, xrefs: 0105F650
vector<bool> too long, xrefs: 0105F455

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: punct$vector<bool> too long
API String ID: 909987262-458764811
Opcode ID: 8c332d9dbce7c02a79c717453a32bf70485abccddd11689a334d8c941bab4c4d
Instruction ID: 2d73c974e79840d2daf6404f7bdc4b254b082f96d20454f4ff9ca2e1a76b482b
Opcode Fuzzy Hash: 8c332d9dbce7c02a79c717453a32bf70485abccddd11689a334d8c941bab4c4d
Instruction Fuzzy Hash: 31C12A7550060AEFDB54DF54C884BDFBBF8FF14354F10816AE8869B690DB78AA48CB90

Function 00FDA8B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FDA8D8

Part of subcall function 00FC4550: GetTickCount.KERNEL32 ref: 00FC4551

Strings

Can't open %s for writing, xrefs: 00FDA969
Can't get the size of %s, xrefs: 00FDA9E2

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: CountTick___from_strstr_to_strchr
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 3886785706-3544860555
Opcode ID: b040ba51bc52bd68b8ccf211b7e9e1929315ed4be12a47200a47c61f2ae87173
Instruction ID: 4711c61889e57a9dfe3ab902777bbf598d127ddc4deb42e6a1af9fba506cc3ec
Opcode Fuzzy Hash: b040ba51bc52bd68b8ccf211b7e9e1929315ed4be12a47200a47c61f2ae87173
Instruction Fuzzy Hash: DE818071E002099BDF00EF98CCC5AADB7B6FF48310F18417AE8099B345EA359D06DB56

Function 00F8A540 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

string too long, xrefs: 00F8A64F, 00F8A659

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: 79a234c5934f64ca7360916f3793885b6a59185b47a1fb7861fdcac39e603fa2
Instruction ID: 8d7dc808ef0d4aa1a2924ec258f62b2ecc15aee9e022d5c5c07d916910451c69
Opcode Fuzzy Hash: 79a234c5934f64ca7360916f3793885b6a59185b47a1fb7861fdcac39e603fa2
Instruction Fuzzy Hash: D1310B323007108FF724BE5CEC809AAF3A5EF95721718492FE591CB655D771DC84A7A2

Function 00F8E0C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

string too long, xrefs: 00F8E1CF, 00F8E1D9

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: 5327e880ce7cc8c3639f9ab7f4746b86f6046a497f39efe450d1445aa798c471
Instruction ID: ff4b70570a051a9c68607894e64cedcc3fe04b42af7885b3dde96f947bb88970
Opcode Fuzzy Hash: 5327e880ce7cc8c3639f9ab7f4746b86f6046a497f39efe450d1445aa798c471
Instruction Fuzzy Hash: 9331D232704B149B8B34FE5CEC848AAF3F9FF95721320492FE196C7620D731A80597A5

Function 00F8A360 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8A47B

Strings

invalid string position, xrefs: 00F8A462, 00F8A46C
string too long, xrefs: 00F8A476

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: d03e7d4b3f0e182f8ebf1ebfb05117ae9bb48cfb99c5866ac3e589e08d8b11dd
Instruction ID: 7b52d442fe7a2dcd772cceb1d603cba86c9f803e5cc764795254c02666df0e66
Opcode Fuzzy Hash: d03e7d4b3f0e182f8ebf1ebfb05117ae9bb48cfb99c5866ac3e589e08d8b11dd
Instruction Fuzzy Hash: DA31D6323007148BEB20EF5CEC44B9AF7E9EB95B61F10452FE595CB252D7B2984097E2

Function 00FB7500 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00F8BB70: std::ios_base::_Addstd.LIBCPMT ref: 00F8BC19

Part of subcall function 00F8B2B0: new.LIBCMT ref: 00F8B2DE
Part of subcall function 00F8B2B0: std::locale::_Init.LIBCPMT ref: 00F8B2F5

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00FB76E0

Strings

H, xrefs: 00FB7580
RunInstaller failed to execute., xrefs: 00FB7633

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::ios_base::_$AddstdInitIos_base_dtorstd::locale::_
String ID: H$RunInstaller failed to execute.
API String ID: 3640179778-3820714907
Opcode ID: 06c1145b8613ae71a10b0cafef507ccf04e6b67fb8a1fa6a44c73eda703cab8d
Instruction ID: e5a5c1d7018c6e959917c7d0b6740de6ef76c6272f57412312020f9388a92d16
Opcode Fuzzy Hash: 06c1145b8613ae71a10b0cafef507ccf04e6b67fb8a1fa6a44c73eda703cab8d
Instruction Fuzzy Hash: 16516BB0A04359DFEF14DF98C848BDEBBF4AF45314F108099E449AB291DB789A88CF51

Function 00FB7710 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00F8BB70: std::ios_base::_Addstd.LIBCPMT ref: 00F8BC19

Part of subcall function 00F8B2B0: new.LIBCMT ref: 00F8B2DE
Part of subcall function 00F8B2B0: std::locale::_Init.LIBCPMT ref: 00F8B2F5

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00FB78F0

Strings

H, xrefs: 00FB7790
Executing Carrier Exe Directly, xrefs: 00FB7843

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: std::ios_base::_$AddstdInitIos_base_dtorstd::locale::_
String ID: Executing Carrier Exe Directly$H
API String ID: 3640179778-1476402511
Opcode ID: 826e3e9844e6b8cd87d0a9407b5332dc2a9a2f4b59dd766e4000dfa1afb8233a
Instruction ID: d9cb75f73c9428349d27df37f9791f87c66df30a3f08397f7e387c3fa979f2e1
Opcode Fuzzy Hash: 826e3e9844e6b8cd87d0a9407b5332dc2a9a2f4b59dd766e4000dfa1afb8233a
Instruction Fuzzy Hash: 5A516BB0A04359DFEF14DF94C848BDEBBF4AF45314F108099E449AB291DB789A88DF51

Function 00FAD5E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00FAD671
std::_Xinvalid_argument.LIBCPMT ref: 00FAD6D5

Strings

vector<T> too long, xrefs: 00FAD66C, 00FAD6D0

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 909987262-3788999226
Opcode ID: 29b14ffd9ff21498fb0d252fa43b39749220d82d86878b4f46ae0bae73729237
Instruction ID: 5ab9da98ab91b96370e9dde375159d5672b12bb9487886f1b2f9588741a35b64
Opcode Fuzzy Hash: 29b14ffd9ff21498fb0d252fa43b39749220d82d86878b4f46ae0bae73729237
Instruction Fuzzy Hash: 743103737006188FC718DE2DD98199AB7EAEBD8760B14C12EE94ACF745DA34E84097D0

Function 00F984B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F98565
std::_Xinvalid_argument.LIBCPMT ref: 00F9856F

Strings

string too long, xrefs: 00F98560, 00F9856A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: d9d3a44a4fbcacf2f62b9fe060b75071f75c63ac5b770c56a527bb7cc1e3192b
Instruction ID: 981a41a2169055bed2bc2efcc370dbce1181c2a32276779328c7a4211bc0eaba
Opcode Fuzzy Hash: d9d3a44a4fbcacf2f62b9fe060b75071f75c63ac5b770c56a527bb7cc1e3192b
Instruction Fuzzy Hash: B4312E327003548BDF319A5CA8005AAFBA89FA37B1F15052FE5D587351DA72D80AD7F1

Function 00F92E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F92EE3
std::_Xinvalid_argument.LIBCPMT ref: 00F92EED

Strings

string too long, xrefs: 00F92EDE, 00F92EE8

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: d2629fd073db27710f640b66eab372a849fa90f2e880a81721439fa2d5019a84
Instruction ID: ecc54d2e97fc629af79dea7d55733aa8d3db940d1fd28ade35078664dade9cdf
Opcode Fuzzy Hash: d2629fd073db27710f640b66eab372a849fa90f2e880a81721439fa2d5019a84
Instruction Fuzzy Hash: EA21F132314314ABAF78BF68A8C0469B3E4FF18725320492FF692C7760D7329814E7A5

Function 00FBE410 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00FBE489
std::_Xinvalid_argument.LIBCPMT ref: 00FBE49B

Strings

string too long, xrefs: 00FBE484, 00FBE496

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 37ecd1a02400714b4a81baf5d19c3a2e3a8fb5b7d134b9205f76de51c6c75924
Instruction ID: 229d360ca5d8e5d02326c595ac46346fb25392e90151b7d4b24329b686535e21
Opcode Fuzzy Hash: 37ecd1a02400714b4a81baf5d19c3a2e3a8fb5b7d134b9205f76de51c6c75924
Instruction Fuzzy Hash: F0319D79604704DFCB21CF1AC881BDABBF5EB48724F148A5DE56A8B342D775A900DFA0

Function 00FEC590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FEC5BA
___from_strstr_to_strchr.LIBCMT ref: 00FEC5C9

Strings

; filename="%s", xrefs: 00FEC63F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: ; filename="%s"
API String ID: 601868998-4174338374
Opcode ID: 14f78475b18f6f0758a0cebe8384c0381891be972d923bfbfd66cca7a6e29efe
Instruction ID: 140fe8eaf94cfa072c4077f6f65eed19ca7e506844a100ede36eeaa83aca2a05
Opcode Fuzzy Hash: 14f78475b18f6f0758a0cebe8384c0381891be972d923bfbfd66cca7a6e29efe
Instruction Fuzzy Hash: 15212B71D003905BEB311F6AAC44BAB7B999F96374F0800ACF8C98B217D6669C0397D4

Function 00FCAB10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FCAB82

Strings

Connecting to port: %d, xrefs: 00FCABD6
Connecting to hostname: %s%s%s, xrefs: 00FCABA6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Connecting to hostname: %s%s%s$Connecting to port: %d
API String ID: 601868998-2189567200
Opcode ID: 58c7834dbb8a7b6771ea04343a68858e55d2e3490a35f31a499848fe6b361e47
Instruction ID: 1e3d88376d85a6d6c5156fd8c90e99e987b72bbbcda50119c2c934c0f10dc2d6
Opcode Fuzzy Hash: 58c7834dbb8a7b6771ea04343a68858e55d2e3490a35f31a499848fe6b361e47
Instruction Fuzzy Hash: F2314771E00249AFDB10CF58DD42F9E7BA9AF95728F08026DFC549B281D370ED009BA2

Function 01098E02 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0109905D,?,00000050,?,?,?,?,?), ref: 01098EDD

Strings

OCP, xrefs: 01098E56
ACP, xrefs: 01098E20

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 0e94103fdfd46a327cd6236fad290481a047a0335c6add6f5166746d341ec36c
Instruction ID: fd65cca867bc8a8333aa588294e42a6566ec0d57a17e13aad24c2f099eacb141
Opcode Fuzzy Hash: 0e94103fdfd46a327cd6236fad290481a047a0335c6add6f5166746d341ec36c
Instruction Fuzzy Hash: 9021D862A00109A6EFB5CB59C9307AB72E6EB56F10F46C4A6E9C9D7301E732D900D390

Function 00F91200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F912A8
std::_Xinvalid_argument.LIBCPMT ref: 00F912B2

Strings

string too long, xrefs: 00F912A3, 00F912AD

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: e1d264348ddea51da2b81f6b97f9219cde6b093821949decd7060eb2a10e8c98
Instruction ID: 7538d4613be2e19df9447ee5455d6e38f06707d0ef84fa393cacb3e4ad1be3c3
Opcode Fuzzy Hash: e1d264348ddea51da2b81f6b97f9219cde6b093821949decd7060eb2a10e8c98
Instruction Fuzzy Hash: 9E11D3323043159B6B24BF9DFC4146AF3E9FFA9B61310093FE296C7660DB61A80497A5

Function 01013C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 01013C9F
std::_Xinvalid_argument.LIBCPMT ref: 01013CB1

Strings

string too long, xrefs: 01013C9A, 01013CAC

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 03f35a9ac3c0fcad28578f665a0a965215c934246a0da3d03b02919678576e78
Instruction ID: 9ff2eda99a79dce9a0dff0c02899655223753172f04beac4e3bd3517265a109f
Opcode Fuzzy Hash: 03f35a9ac3c0fcad28578f665a0a965215c934246a0da3d03b02919678576e78
Instruction Fuzzy Hash: 7F31CD70608748DBC321DF18D881B5ABBF5FB01A20F540A9EE4D28B345C779A90487A2

Function 00F8A490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00F8A525
std::_Xinvalid_argument.LIBCPMT ref: 00F8A52F

Strings

string too long, xrefs: 00F8A520, 00F8A52A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 120e7d033df16e457e05759c698d94faae51ab5b5dd5f094d0d1d2d692033824
Instruction ID: 80be6f7f54fa6a7407e4c9ad6b79a552ef25ac30d42d83236be0ed1e67c6d091
Opcode Fuzzy Hash: 120e7d033df16e457e05759c698d94faae51ab5b5dd5f094d0d1d2d692033824
Instruction Fuzzy Hash: 5111E9323003104FE731BE5DAC406AAF7E8EFA1B71F14092FE6918B651C7B1984497A1

Function 0105F0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0105F14A
std::_Xinvalid_argument.LIBCPMT ref: 0105F1AA

Part of subcall function 00FF2308: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FF2314
Part of subcall function 00FF2308: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF2322

Strings

vector<T> too long, xrefs: 0105F145, 0105F1A5

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
String ID: vector<T> too long
API String ID: 1284171080-3788999226
Opcode ID: 41282928e92a2f334b42c248b735a5a0fe1ac80a574ff00f08a32e53742fb3ed
Instruction ID: 2438c64418a508a60b9c4124265f33f52e28979ce16a6ff9daee350a0a328efb
Opcode Fuzzy Hash: 41282928e92a2f334b42c248b735a5a0fe1ac80a574ff00f08a32e53742fb3ed
Instruction Fuzzy Hash: DD11D3723012125B876C9D3EDC858ABB7C7ABD826132CCF3EE9C6C3788C874E8414254

Function 00FD7E10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FD7E3F

Strings

0123456789, xrefs: 00FD7E37, 00FD7E55
., xrefs: 00FD7E80

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: .$0123456789
API String ID: 601868998-4187921772
Opcode ID: c7491b25ec24d24fd569bed6cdd17d3c173c02f78da39c4d1dc25268cbe35984
Instruction ID: 3c32b486a78ee4f7e6dae119151c8b755fb640437bab1a9df586af64f7a22d8e
Opcode Fuzzy Hash: c7491b25ec24d24fd569bed6cdd17d3c173c02f78da39c4d1dc25268cbe35984
Instruction Fuzzy Hash: F521C636D083155ADB35AA29C4903BABFA69F42331F1900EBDC89CF340F631DD4592A1

Function 0100E770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,010242D9,?,00000000,05CEC6CE), ref: 0100E79C
GetLastError.KERNEL32(?,?,?,010242D9,?,00000000,05CEC6CE), ref: 0100E7A6

Strings

boost::filesystem::file_size, xrefs: 0100E7B0, 0100E7E6

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: boost::filesystem::file_size
API String ID: 1799206407-1937220381
Opcode ID: d20f106e39e9206fa91a4835905708afa43858171f5d78f68eaf7d5437aa367b
Instruction ID: dde15431d92ca2a6003af453cde3465dcc73aed9e13a7a00f625a91a726791b9
Opcode Fuzzy Hash: d20f106e39e9206fa91a4835905708afa43858171f5d78f68eaf7d5437aa367b
Instruction Fuzzy Hash: 0911E731614200ABE611AB39DC46FAF77E4EF98624F840E4DF5D9E72C5E234E9418752

Function 00FDA120 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FDA159
SetLastError.KERNEL32(0000001C,?,?,?,?,?,?,?), ref: 00FDA1A2

Strings

%d.%d.%d.%d, xrefs: 00FDA14E

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ErrorLast___swprintf_l
String ID: %d.%d.%d.%d
API String ID: 2990598187-3491811756
Opcode ID: 67ec56facf1811048f65653bbfc5c9606e371852af1632bba10af27ac2b12b88
Instruction ID: 9bb41df62fc2d061e6c0aa26335f1228a20fbaae7bc903cbb310feaca999f7dd
Opcode Fuzzy Hash: 67ec56facf1811048f65653bbfc5c9606e371852af1632bba10af27ac2b12b88
Instruction Fuzzy Hash: 67113B35604149ABCF14DF78C450AFEBBB98F59200F5841DEE886DB282D9279A06DB61

Function 00FE1580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FE15C5

Strings

%c%03d, xrefs: 00FE15BD
%s %s, xrefs: 00FE15CE

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %c%03d$%s %s
API String ID: 48624451-883683383
Opcode ID: 40508db383a90814553faf8f53ae32032547de3758013c4931404b4f5aaf92ba
Instruction ID: 95841d66c5a777aa7a4f7ddeb685e91c9fd578d6156b192b07e6d44c3bdb4843
Opcode Fuzzy Hash: 40508db383a90814553faf8f53ae32032547de3758013c4931404b4f5aaf92ba
Instruction Fuzzy Hash: 6D014CB760121477D710AB8ADCC5EE7736DEFC4364F08007AFA0987201E535E91646E5

Function 01032BE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 01032C38

Part of subcall function 00FF2308: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FF2314
Part of subcall function 00FF2308: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF2322

Strings

si, xrefs: 01032BF6
vector<T> too long, xrefs: 01032C33

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: si$vector<T> too long
API String ID: 1419379543-3992844397
Opcode ID: 6cc059799081d9df59a3dfa6906e453d1038abb3adfbfaab394d4e65907ca37b
Instruction ID: 975a31478054560b3f4ffdaa21ae9e47a9f298e6672286a879c111ed9b497a27
Opcode Fuzzy Hash: 6cc059799081d9df59a3dfa6906e453d1038abb3adfbfaab394d4e65907ca37b
Instruction Fuzzy Hash: 8B118FB1904308AFC720CF99C841B9ABBF8FF48720F108A2EE99993740D735A504CBA0

Function 00FCE1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(00004020,0000FFFF,00001001,00000000,00000004), ref: 00FCE25B
setsockopt.WS2_32(00004020,0000FFFF,00001001,00004020,00000004), ref: 00FCE280

Strings

@, xrefs: 00FCE1FB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: getsockoptsetsockopt
String ID: @
API String ID: 194641219-2726393805
Opcode ID: c2e1de0791c3e502613da0c1f3d85e6eb4558c38d5c6566fb389c9628fb6444c
Instruction ID: 19461f6283ada6c0b0ad56c37445a77cf2b8c776b2997118b150c4e547f06bae
Opcode Fuzzy Hash: c2e1de0791c3e502613da0c1f3d85e6eb4558c38d5c6566fb389c9628fb6444c
Instruction Fuzzy Hash: CB014071D4020AAAEF30DF80DD47FEE777DEB00714F4041A9FA44AA1D5D7B69A58AB40

Function 00FDEC80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00FDEC9F
_strstr.LIBCMT ref: 00FDECB6

Strings

;mode=, xrefs: 00FDEC88, 00FDECAB

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: _strstr
String ID: ;mode=
API String ID: 2882301372-3534008939
Opcode ID: 6d91ab98a6a1cc04b4dbda77275df1cb6261d75eefafea4775c6d66eb3441686
Instruction ID: 785dcb8dfb61cc401a2e804fbbeee77c68b62be3022afd5db9ea6c6826cb303b
Opcode Fuzzy Hash: 6d91ab98a6a1cc04b4dbda77275df1cb6261d75eefafea4775c6d66eb3441686
Instruction Fuzzy Hash: 30F04C71A002456ED7112279AC047C6FFD96B11364F0C4077F4CCDE351E7B1A911E3A1

Function 00FB91E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0100B0AE: __onexit.LIBCMT ref: 0100B0B4

__Init_thread_footer.LIBCMT ref: 00FB9252

Strings

<xmlattr>, xrefs: 00FB922D
<xmlattr>, xrefs: 00FB9239, 00FB925A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Init_thread_footer__onexit
String ID: <xmlattr>$<xmlattr>
API String ID: 1881088180-1173264415
Opcode ID: 64206a5c307474f62020577d202126d47bf9e77dbc8114b847bbb5198eacfc62
Instruction ID: 668b0d0237e3c3e676e439f54e7a628131fe43e491e59abc4e61c1fbc65d3fd7
Opcode Fuzzy Hash: 64206a5c307474f62020577d202126d47bf9e77dbc8114b847bbb5198eacfc62
Instruction Fuzzy Hash: D201F475E80604EFD710CF95D843B89B3A9F718B24F50422DF6A69BB80C77AA800CF52

Function 00FB9390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0100B0AE: __onexit.LIBCMT ref: 0100B0B4

__Init_thread_footer.LIBCMT ref: 00FB9402

Strings

<xmlcomment>, xrefs: 00FB93E9, 00FB940A
<xmlcomment>, xrefs: 00FB93DD

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Init_thread_footer__onexit
String ID: <xmlcomment>$<xmlcomment>
API String ID: 1881088180-1672645029
Opcode ID: c215a76842da2554105043a254282929e02851d3bd5e069b4bb12e39c3e94300
Instruction ID: 6b7ba092e219a9534b1cc8e6dad9bd3cdd786ebbc17ab0b4547582e50376e453
Opcode Fuzzy Hash: c215a76842da2554105043a254282929e02851d3bd5e069b4bb12e39c3e94300
Instruction Fuzzy Hash: 50014471A00604DFC310DF59C802F8873A4FB48B24F50422CF6918BB90D77FAC048B12

Function 00FB9300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0100B0AE: __onexit.LIBCMT ref: 0100B0B4

__Init_thread_footer.LIBCMT ref: 00FB9372

Strings

<xmltext>, xrefs: 00FB934D
<xmltext>, xrefs: 00FB9359, 00FB937A

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Init_thread_footer__onexit
String ID: <xmltext>$<xmltext>
API String ID: 1881088180-2748583472
Opcode ID: 1d4a3d6db99cd21a4ef1238bce10cd1d4f60ff1720bfbf5cd714ca9ab4d13311
Instruction ID: 296fed4342add53f6aeccec67f25e11485dd1eb1642184d4fda15a44cd9d6948
Opcode Fuzzy Hash: 1d4a3d6db99cd21a4ef1238bce10cd1d4f60ff1720bfbf5cd714ca9ab4d13311
Instruction Fuzzy Hash: 1E01F476A40604DBC720DFD9D842FC873A4F745B24F54462DFAA29BBC0D77AA8008B51

Function 0109389D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01093933
GetLastError.KERNEL32(?,00000000), ref: 01093941
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,?,00000000,?,00000000), ref: 0109399C

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 511c9a83e123c12f39a4cc9d1d6ce2fe7eb49002b4ff4d805edcdfca6def61c4
Instruction ID: 84dd3811564106a4e92691b13c02dd4848fc2c53ffc50a29438291ece7093438
Opcode Fuzzy Hash: 511c9a83e123c12f39a4cc9d1d6ce2fe7eb49002b4ff4d805edcdfca6def61c4
Instruction Fuzzy Hash: A841F330A00246AFDF228F79C864BAABBF4FF41320F144298E9D99F195DB308901DF60

Function 01009180 Relevance: 5.1, APIs: 4, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,7622DF60), ref: 01009255
HeapFree.KERNEL32(00000000), ref: 01009262
GetProcessHeap.KERNEL32(00000000,010A48B4,?,00000000,?,?,?,?,?,?,?,?,00000000,010A48B4,000000FF), ref: 01009295
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,010A48B4,000000FF), ref: 0100929C

Part of subcall function 01009610: GetProcessHeap.KERNEL32(00000000,010A4706,?,?,010A4706,000000FF), ref: 01009672
Part of subcall function 01009610: HeapFree.KERNEL32(00000000,?,?,010A4706,000000FF), ref: 01009679

Part of subcall function 01008E70: TlsGetValue.KERNEL32(0000000F,05CEC6CE,7622DF60,010A48B4), ref: 01008EDD
Part of subcall function 01008E70: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 01008F3E
Part of subcall function 01008E70: GetModuleHandleA.KERNEL32(KERNEL32.DLL,SetWaitableTimerEx), ref: 01008F88
Part of subcall function 01008E70: GetProcAddress.KERNEL32(00000000), ref: 01008F8F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Heap$FreeProcess$AddressCreateHandleModuleProcTimerValueWaitable
String ID:
API String ID: 79733456-0
Opcode ID: 882c61dde5e20323d462da22b31eaa51eb8f2cff0b05513d18726a27a1d4b256
Instruction ID: 168e82060a947b0f9b2c23da5b75ab5ac45a40e0160128fef99c3f090b3e525a
Opcode Fuzzy Hash: 882c61dde5e20323d462da22b31eaa51eb8f2cff0b05513d18726a27a1d4b256
Instruction Fuzzy Hash: 08310631D086449BEB11CFA8C844BDEB7B8FF55720F10430AF465A72C5DB345940CB90

Function 010092C0 Relevance: 5.1, APIs: 4, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00F83F3F,?,00000008,00000000,010AA35C,000000FF,?,00F83F3F,05CEC6CE), ref: 01009319
HeapFree.KERNEL32(00000000,?,00000008,00000000,010AA35C,000000FF,?,00F83F3F,05CEC6CE), ref: 01009320
GetProcessHeap.KERNEL32(00000000,00F83F3F,?,00000008,00000000,010AA35C,000000FF,?,00F83F3F,05CEC6CE), ref: 01009358
HeapFree.KERNEL32(00000000,?,00000008,00000000,010AA35C,000000FF,?,00F83F3F,05CEC6CE), ref: 0100935F

Memory Dump Source

Source File: 00000006.00000002.3966733204.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000006.00000002.3966660737.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967078418.00000000010B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967204671.00000000010F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967244347.00000000010F2000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967313597.00000000010F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967340083.00000000010FA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3967397150.00000000010FC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f80000_installer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6c09c58b940e750fb99c132523ab12209bc69691ab9ae5dc3ebb81dea5298a33
Instruction ID: 5f076d13a977746b20e29b3d4d018a3044e302d9eb9ee63ae8c9b1563871c200
Opcode Fuzzy Hash: 6c09c58b940e750fb99c132523ab12209bc69691ab9ae5dc3ebb81dea5298a33
Instruction Fuzzy Hash: ED11B432A05714ABEB218F98D805B9ABBF8FF05B24F00865AF959972C0DB755800CB90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\BurnAware Free\AudioCD.exe (copy)

C:\Program Files (x86)\BurnAware Free\BurnAware.exe (copy)

C:\Program Files (x86)\BurnAware Free\BurnImage.exe (copy)

C:\Program Files (x86)\BurnAware Free\CopyImage.exe (copy)

C:\Program Files (x86)\BurnAware Free\DataDisc.exe (copy)

C:\Program Files (x86)\BurnAware Free\DiscInfo.exe (copy)

C:\Program Files (x86)\BurnAware Free\Dos622.img (copy)

C:\Program Files (x86)\BurnAware Free\EraseDisc.exe (copy)

C:\Program Files (x86)\BurnAware Free\MakeISO.exe (copy)

C:\Program Files (x86)\BurnAware Free\MediaDisc.exe (copy)

C:\Program Files (x86)\BurnAware Free\SpanDisc.exe (copy)

C:\Program Files (x86)\BurnAware Free\UnpackISO.exe (copy)

C:\Program Files (x86)\BurnAware Free\VerifyDisc.exe (copy)

Windows Analysis Report
SecuriteInfo.com.Program.Unwanted.2818.3154.4230.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre