Edit tour

Windows Analysis Report
Setup_x86.exe

Overview

General Information

Sample name:	Setup_x86.exe
Analysis ID:	1510208
MD5:	082affcde6ca901604f231478fa478bc
SHA1:	6d99b489ae327ee594e6e32cce43c5ccbeae103a
SHA256:	c1be908ddb3f7fb95aa3f6e53ac6c6415cb344ccc528719462d95b05a95d0339
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Setup_x86.exe (PID: 5700 cmdline: "C:\Users\user\Desktop\Setup_x86.exe" MD5: 082AFFCDE6CA901604F231478FA478BC)

msiexec.exe (PID: 5052 cmdline: msiexec.exe /i "MATRIX.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5972 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7120 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 08F32C09D8E409B79A08038C54E7DD5E C MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}\MATRIX.msi

Avira: detection malicious, Label: APPL/TFTPD.wdona

Multi AV Scanner detection for submitted file

Source: Setup_x86.exe

ReversingLabs: Detection: 58%

Source: Setup_x86.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Setup_x86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: Setup_x86.exe, 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: Setup_x86.exe, 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: MATRIX.msi.0.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_0040603A FindFirstFileA,FindClose,	0_2_0040603A
Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055F6
Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: MATRIX.msi.0.dr, nsh4356.tmp.0.dr	String found in binary or memory: http://community.installshield.com/showthread.php?t=125455&highlight=update
Source: nsh4356.tmp.0.dr	String found in binary or memory: http://dennisbareis.com/makemsi.htm)
Source: MATRIX.msi.0.dr, nsh4356.tmp.0.dr	String found in binary or memory: http://dennisbareis.com/ppwizard.htm
Source: Setup_x86.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Setup_x86.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: MATRIX.msi.0.dr, nsh4356.tmp.0.dr	String found in binary or memory: http://www.installsite.org/pages/en/msi/articles/MultiListBox/index.htm
Source: MATRIX.msi.0.dr, nsh4356.tmp.0.dr	String found in binary or memory: http://www.scientaomicron.com/ARPURLINFOABOUTProductVersionMATRIX

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_0040515D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040515D

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403217

Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_00406310		0_2_00406310
Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_0040499C		0_2_0040499C

Source: Setup_x86.exe, 00000000.00000000.2048711336.000000000042D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup.exe4 vs Setup_x86.exe
Source: Setup_x86.exe	Binary or memory string: OriginalFilenameSetup.exe4 vs Setup_x86.exe

Source: Setup_x86.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Setup_x86.exe

Binary or memory string: !!.sLnE

Source: classification engine

Classification label: mal56.winEXE@6/5@0/0

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040442A

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Setup_x86.exe

File created: C:\Users\user\AppData\Local\Scienta Omicron

Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe

Mutant created: \Sessions\1\BaseNamedObjects\Setup.exe

Source: C:\Users\user\Desktop\Setup_x86.exe

File created: C:\Users\user\AppData\Local\Temp\nsr420D.tmp

Jump to behavior

Source: Setup_x86.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup_x86.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup_x86.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\Setup_x86.exe

File read: C:\Users\user\Desktop\Setup_x86.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup_x86.exe "C:\Users\user\Desktop\Setup_x86.exe"
Source: C:\Users\user\Desktop\Setup_x86.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "MATRIX.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 08F32C09D8E409B79A08038C54E7DD5E C
Source: C:\Users\user\Desktop\Setup_x86.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "MATRIX.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 08F32C09D8E409B79A08038C54E7DD5E C	Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_x86.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Setup_x86.exe

Static file information: File size 49308734 > 1048576

Source: Setup_x86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: Setup_x86.exe, 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: Setup_x86.exe, 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: MATRIX.msi.0.dr

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406061

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_10002D30 push eax; ret

0_2_10002D5E

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\Setup_x86.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4376.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup_x86.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup_x86.exe	File created: C:\Users\user\AppData\Local\Temp\nsm4376.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4376.tmp\UserInfo.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Setup_x86.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4376.tmp\System.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_0040603A FindFirstFileA,FindClose,	0_2_0040603A
Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055F6
Source: C:\Users\user\Desktop\Setup_x86.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: Setup_x86.exe

Binary or memory string: 9hgfSw

Source: C:\Users\user\Desktop\Setup_x86.exe	API call chain: ExitProcess graph end node			graph_0-4008
Source: C:\Users\user\Desktop\Setup_x86.exe	API call chain: ExitProcess graph end node			graph_0-4175

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406061

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Setup_x86.exe

Code function: 0_2_00405D58 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D58

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup_x86.exe	58%	ReversingLabs	Win32.PUA.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}\MATRIX.msi	100%	Avira	APPL/TFTPD.wdona
C:\Users\user\AppData\Local\Temp\nsm4376.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4376.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
http://dennisbareis.com/ppwizard.htm	0%	Avira URL Cloud	safe
http://www.installsite.org/pages/en/msi/articles/MultiListBox/index.htm	0%	Avira URL Cloud	safe
http://www.scientaomicron.com/ARPURLINFOABOUTProductVersionMATRIX	0%	Avira URL Cloud	safe
http://community.installshield.com/showthread.php?t=125455&highlight=update	0%	Avira URL Cloud	safe
http://dennisbareis.com/makemsi.htm)	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.scientaomicron.com/ARPURLINFOABOUTProductVersionMATRIX	MATRIX.msi.0.dr, nsh4356.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://dennisbareis.com/ppwizard.htm	MATRIX.msi.0.dr, nsh4356.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://community.installshield.com/showthread.php?t=125455&highlight=update	MATRIX.msi.0.dr, nsh4356.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	Setup_x86.exe	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Setup_x86.exe	false	URL Reputation: safe	unknown
http://www.installsite.org/pages/en/msi/articles/MultiListBox/index.htm	MATRIX.msi.0.dr, nsh4356.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://dennisbareis.com/makemsi.htm)	nsh4356.tmp.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1510208
Start date and time:	2024-09-12 17:18:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup_x86.exe
Detection:	MAL
Classification:	mal56.winEXE@6/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 33 Number of non-executed functions: 36
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: Setup_x86.exe

Simulations

Behavior and APIs

Time	Type	Description
11:19:29	API Interceptor	1x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsm4376.tmp\System.dll	ORDER.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ORDER.exe	Get hash	malicious	Unknown	Browse
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse
	fJuwM4Bwi7.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ulACwpUCSU.exe	Get hash	malicious	GuLoader	Browse
	fJuwM4Bwi7.exe	Get hash	malicious	GuLoader	Browse
	Factura 02297-23042024.exe	Get hash	malicious	FormBook, GuLoader	Browse
	anebilledes.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Factura 02297-23042024.exe	Get hash	malicious	GuLoader	Browse
	anebilledes.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsm4376.tmp\UserInfo.dll	3443424611#U00b7pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	UTN RFP_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	RFQ_22Q7305A-N23A-01#U00b7pdf.exe	Get hash	malicious	Remcos	Browse
	PLANT PROJECT PROPOSAL BID_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	#U5e33#U55ae#U767c#U7968_200548224648#U00b7pdf.exe	Get hash	malicious	Remcos	Browse
	LHDNM TAKSIRAN 2023#U00b7pdf.exe	Get hash	malicious	Remcos	Browse
	faktura_7171503997#U00b7pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Document BT24#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	Quote Request (Tupy S.A.) 523AM - 924BR#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	windows.10.codec.pack.v2.2.0.setup.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}\MATRIX.msi

Download File

Process:	C:\Users\user\Desktop\Setup_x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Keywords: Installer,MSI,Database, Code page: 1252, Name of Creating Application: MakeMsi version 11.087, a free tool by Dennis Bareis (http://dennisbareis.com/makemsi.htm), Security: 0, Revision Number: {FFD19FF1-CCA4-46B5-B657-67A96BD11AF3}, Template: Intel;1033, Number of Pages: 301, Title: MATRIX - V3.2.4, Subject: 00.00.00000.78 (created Thu Jul 2 2020 at 3:02:58pm), Number of Words: 2, Create Time/Date: Thu Jul 2 14:04:25 2020, Total Editing Time: Thu Jul 2 14:04:25 2020, Comments: This is the MATRIX Control System software., Author: Scienta Omicron GmbH, Last Saved By: Scienta Omicron GmbH
Category:	dropped
Size (bytes):	51146752
Entropy (8bit):	7.97957091801813
Encrypted:	false
SSDEEP:	1572864:kh91bDtxIr++knNw0Fdezv3ovM6zehC7vKvOj:kh91bDTI6+xkYzv3qgCcOj
MD5:	EE371347338C4533D6F4CBC99AD38CA8
SHA1:	453FD87D53D3BF666F8BEA66FC132F0E36B784E4
SHA-256:	A0AAD548683197D90B03316BA272C2CE5FB2B0CCB3AEC6A969001CD8BD5AED32
SHA-512:	94C9060B1A2C30C05D561E9178DD41C17B954E87480279C93358E50957E23A2E069F075B2CA7E2FF43CF549FBC59F231E1800D32F0224C889F61D991A42DA2DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	......................>............................................6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5.............................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\nsh4356.tmp

Download File

Process:	C:\Users\user\Desktop\Setup_x86.exe
File Type:	data
Category:	dropped
Size (bytes):	51220270
Entropy (8bit):	7.978955184192779
Encrypted:	false
SSDEEP:	1572864:+h91bDtxIr++knNw0Fdezv3ovM6zehC7vKvOjG:+h91bDTI6+xkYzv3qgCcOjG
MD5:	58CAC049BB5250F8BBEC7B4862578DD4
SHA1:	A58264E995A7691926B1FE00A153FEFF8F2E2046
SHA-256:	2A675534598BEEC94B9F2281D0ABD55A59C6BFDDD6688E0F0BF267502CB51008
SHA-512:	7E7DA6FBEFC97903235ED756BC7AEE7811835A085B5E85853EE6052F7C9C628219DE6CA889C5694951C687444502D2AE7DE2B58C62E0DA35974BDF1E2E931435
Malicious:	false
Reputation:	low
Preview:	+.......,.......,.......D...n...L...............+...........................................................................................................................................................................................................................................J...h...........-...................V.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Setup_x86.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.779474184733856
Encrypted:	false
SSDEEP:	96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
MD5:	6F5257C0B8C0EF4D440F4F4FCE85FB1B
SHA1:	B6AC111DFB0D1FC75AD09C56BDE7830232395785
SHA-256:	B7CCB923387CC346731471B20FC3DF1EAD13EC8C2E3147353C71BB0BD59BC8B1
SHA-512:	A3CC27F1EFB52FB8ECDA54A7C36ADA39CEFEABB7B16F2112303EA463B0E1A4D745198D413EEBB3551E012C84A20DCDF4359E511E51BC3F1A60B13F1E3BAD1AA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ORDER.exe, Detection: malicious, Browse Filename: ORDER.exe, Detection: malicious, Browse Filename: ulACwpUCSU.exe, Detection: malicious, Browse Filename: fJuwM4Bwi7.exe, Detection: malicious, Browse Filename: ulACwpUCSU.exe, Detection: malicious, Browse Filename: fJuwM4Bwi7.exe, Detection: malicious, Browse Filename: Factura 02297-23042024.exe, Detection: malicious, Browse Filename: anebilledes.exe, Detection: malicious, Browse Filename: Factura 02297-23042024.exe, Detection: malicious, Browse Filename: anebilledes.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....\.U...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text..._........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..b....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\Setup_x86.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.287401211095633
Encrypted:	false
SSDEEP:	48:qK94n2rZ4vuXXqQr1wH+zL/o0o/X/3MVyjlZSn15gaoFU:5a4ZxKQruHkJwvcVyo4FU
MD5:	8EF0E4EB7C89CDD2B552DE746F5E2A53
SHA1:	820F681E7CEC409A02B194A487D1C8AF1038ACF0
SHA-256:	41293B9F6588E0FBDC8FCF2A9BD8E2B244CD5FF038FC13033378DA337219C9DC
SHA-512:	A68533E8A19637D0D44219549B24BABA0DC4824424842F125600FDA3EDCAFC4BB6BB340D57A00815F262D82373B440D58D6E4E5B2CEB29BB3F6BC4CBDE66C3C5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 3443424611#U00b7pdf.exe, Detection: malicious, Browse Filename: UTN RFP_24-0676#U00b7pdf.exe, Detection: malicious, Browse Filename: RFQ_22Q7305A-N23A-01#U00b7pdf.exe, Detection: malicious, Browse Filename: PLANT PROJECT PROPOSAL BID_24-0676#U00b7pdf.exe, Detection: malicious, Browse Filename: #U5e33#U55ae#U767c#U7968_200548224648#U00b7pdf.exe, Detection: malicious, Browse Filename: LHDNM TAKSIRAN 2023#U00b7pdf.exe, Detection: malicious, Browse Filename: faktura_7171503997#U00b7pdf.exe, Detection: malicious, Browse Filename: Document BT24#U00b7pdf.exe, Detection: malicious, Browse Filename: Quote Request (Tupy S.A.) 523AM - 924BR#U00b7pdf.exe, Detection: malicious, Browse Filename: windows.10.codec.pack.v2.2.0.setup.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....\.U...........!................i........ ...............................P...................................... "......L ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...x....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll

Download File

Process:	C:\Users\user\Desktop\Setup_x86.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	7.558597682232844
Encrypted:	false
SSDEEP:	384:6Qx38r8QfiLpVjOXf4Rrd2IpZn8LI2EdGZ5D6PDo3rsyfyC8n:6Qx38r8Qgp1OvYd2zqGZ5D6PDmXf98
MD5:	FBE588B15EB1BD86DEFADE69F796B56F
SHA1:	2F63CF44039ADDDDB22C2C0497673B49E6B3AD7A
SHA-256:	31144E8B156FE87317073C48A09ABCB033FDA8DBDD96986C4ABEA8C00C00355F
SHA-512:	E1A9E29E4C62E77A2EC2C539344F0B5A8CD67CA3FD8DFEFB0B0666A992EB2FABADB0034D439C4ADBBDFFD9C9439F23EE5757FAC0ED669D3C9DB48F50C677143D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P........................@.......................... ..................................................<...................................................................................................................UPX0....................................UPX1.....P.......N..................@....rsrc................R..............@..............................................................................................................................................................................................................................................................................................................................................................................3.09.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999987432656561
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup_x86.exe
File size:	49'308'734 bytes
MD5:	082affcde6ca901604f231478fa478bc
SHA1:	6d99b489ae327ee594e6e32cce43c5ccbeae103a
SHA256:	c1be908ddb3f7fb95aa3f6e53ac6c6415cb344ccc528719462d95b05a95d0339
SHA512:	f41959d70de2be46de824e2db44414910769cf3c54ee63c1eb9eda6fb3a50fa3478080e278c179a79cd92498fe1d7b3b35ecd2c619c0940f2a3071a74d44e493
SSDEEP:	786432:oE2PdrfsvL6tFEmg3XZO0vSpXIWB3StPAuy0wNJcrXKIwud5Brl5KLJJk:F2Ppsvetpg3JO06pY2+P/y0FaIB5BTUG
TLSH:	44B73312E021E2A7DB1F6072E248AA9E0DC174D979E7CFD306FBC6E3444BC561D58DA2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....\.U.................^...........2.......p....@

File Icon


Icon Hash:	3371d2d0d0607117

Static PE Info

General

Entrypoint:	0x403217
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x55C15CE3 [Wed Aug 5 00:46:27 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59a4a44a250c4cf4f2d9de2b3fe5d95f

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [004237B8h], eax
call 00007F4E24822A3Ah
mov dword ptr [00423704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECB8h
call dword ptr [00407164h]
push 004091E4h
push 00422F00h
call 00007F4E248226E4h
call dword ptr [004070B0h]
mov ebp, 00429000h
push eax
push ebp
call 00007F4E248226D2h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423700h], eax
mov eax, ebp
jne 00007F4E2481FC3Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F4E24822162h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F4E2481FCF5h
cmp cl, 00000020h
jne 00007F4E2481FC38h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F4E2481FC2Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x4e38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c3a	0x5e00	e5e7adda692e6e028f515fe3daa2b69f	False	0.658951130319149	data	6.410406825129756	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	5801d712ecba58aa87d1e7d1aa24f3aa	False	0.4522569444444444	OpenPGP Secret Key	5.236122428806677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	cc58d0a55ac015d8f1470ea90f440596	False	0.615234375	data	5.02661163746607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x9000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x4e38	0x5000	e04a8a273d60b54c0adfa06ccf472574	False	0.378515625	data	6.0726778819197165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2d208	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3491701244813278
RT_ICON	0x2f7b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.45145403377110693
RT_ICON	0x30858	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5614754098360656
RT_ICON	0x311e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6436170212765957
RT_DIALOG	0x31648	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x316a8	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x316e8	0x3fc	data	English	Great Britain	0.4627450980392157
RT_MANIFEST	0x31ae8	0x34a	XML 1.0 document, ASCII text, with very long lines (842), with no line terminators	English	United States	0.5522565320665083

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
English	Great Britain

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 12, 2024 17:20:05.769892931 CEST	53	59395	162.159.36.2	192.168.2.5
Sep 12, 2024 17:20:06.251652002 CEST	53	60701	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	11:19:20
Start date:	12/09/2024
Path:	C:\Users\user\Desktop\Setup_x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup_x86.exe"
Imagebase:	0x400000
File size:	49'308'734 bytes
MD5 hash:	082AFFCDE6CA901604F231478FA478BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:19:28
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i "MATRIX.msi"
Imagebase:	0xfa0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:19:29
Start date:	12/09/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff76b450000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:19:29
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 08F32C09D8E409B79A08038C54E7DD5E C
Imagebase:	0xfa0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.5%
Total number of Nodes:	1467
Total number of Limit Nodes:	27

Executed Functions

Function 00403217 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNELBASE(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,00000160,00000000,00000009), ref: 00403272

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Setup_x86.exe",00000000), ref: 0040329A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Setup_x86.exe",00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
DeleteFileA.KERNELBASE(1033), ref: 00403428
OleUninitialize.OLE32(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Setup_x86.exe",00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,00424000,?), ref: 0040357A
CopyFileA.KERNEL32(C:\Users\user\Desktop\Setup_x86.exe,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

Error launching installer, xrefs: 0040348E
SeShutdownPrivilege, xrefs: 00403626
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
TMP, xrefs: 0040340F
TEMP, xrefs: 00403407
C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 004034B3
C:\Users\user\AppData\Local\Temp\, xrefs: 004033B7, 004033BC, 004033D2, 004033DE, 004033ED, 004033FA, 00403406, 0040340E, 00403501, 0040350D, 00403519, 00403520, 004035CF
C:\Users\user\Desktop, xrefs: 00403507, 0040350C, 0040352F
NSIS Error, xrefs: 00403278
", xrefs: 004032EA
C:\Users\user\Desktop\Setup_x86.exe, xrefs: 00403589
"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 0040328D, 00403293, 0040344C
\Temp, xrefs: 004033D9
~nsu.tmp, xrefs: 004034FC
Low, xrefs: 004033F5
1033, xrefs: 00403423
C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 004033A7, 004034A8, 00403527, 00403530

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Setup_x86.exe"$1033$C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}$C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Setup_x86.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-3820123011
Opcode ID: a00b215820a1fa6a230efcb39fea29283eff6eac4ca07d0765cafeb017810fa6
Instruction ID: 3d26bb40307c87b2cd60c260c775e6d0301d96a10e68b952128d49a18977981a
Opcode Fuzzy Hash: a00b215820a1fa6a230efcb39fea29283eff6eac4ca07d0765cafeb017810fa6
Instruction Fuzzy Hash: 85B107706082517AE721AF659D8DA2B3EACEB41706F04447FF541BA1E2C77C9E01CB6E

Function 00405D58 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,0041F4D8,00000000,00405057,0041F4D8,00000000), ref: 00405E09
GetSystemDirectoryA.KERNEL32(msiexec.exe /i "MATRIX.msi" ,00000400), ref: 00405E84
GetWindowsDirectoryA.KERNEL32(msiexec.exe /i "MATRIX.msi" ,00000400), ref: 00405E97
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405ED3
SHGetPathFromIDListA.SHELL32(00000000,msiexec.exe /i "MATRIX.msi" ), ref: 00405EE1
CoTaskMemFree.OLE32(00000000), ref: 00405EEC
lstrcatA.KERNEL32(msiexec.exe /i "MATRIX.msi" ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F0E
lstrlenA.KERNEL32(msiexec.exe /i "MATRIX.msi" ,?,0041F4D8,00000000,00405057,0041F4D8,00000000), ref: 00405F60

Strings

msiexec.exe /i "MATRIX.msi" , xrefs: 00405D7F, 00405E51, 00405E6E, 00405E83, 00405E96, 00405EB2, 00405EDD, 00405F0D, 00405F13, 00405F2B, 00405F3E, 00405F59, 00405F5F, 00405F6A, 00405F94
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F08

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$msiexec.exe /i "MATRIX.msi"
API String ID: 900638850-605872798
Opcode ID: 0d90defceccf7a3314d6588998510e1a0ef65c4c2f55f086f079bc5466073577
Instruction ID: 9c0e267699f90c8e910d98bdf84d4b8f2614ab6024826f89c9d009b20b1e8bc4
Opcode Fuzzy Hash: 0d90defceccf7a3314d6588998510e1a0ef65c4c2f55f086f079bc5466073577
Instruction Fuzzy Hash: 10610571A04905ABDF215F64DC84B7B3BA8DB55304F10813BE641B62D1D33C4A42DF9E

Function 004055F6 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 0040561F
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405667
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405688
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 0040568E
FindFirstFileA.KERNEL32(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 0040569F
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040574C
FindClose.KERNEL32(00000000), ref: 0040575D

Strings

"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 004055F6
\*.*, xrefs: 00405661
C:\Users\user\AppData\Local\Temp\, xrefs: 00405604

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Setup_x86.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3171667911
Opcode ID: 2c0e135ab85e8c1b684459b6fe88bffee4ab9643b255028ced496145508b1eab
Instruction ID: a1a18f6d4a87cf364f513f4d5348cf8987bf6841df45d5f239a42b9e89fe31fb
Opcode Fuzzy Hash: 2c0e135ab85e8c1b684459b6fe88bffee4ab9643b255028ced496145508b1eab
Instruction Fuzzy Hash: 8051D230905A04FADB216B618C89BBF7AB8DF42714F54803BF445721D2D73C4942EE6E

Function 00406310 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743aa33a108d29f9cab5e819e308a9554fb8e98817c33194d1e30fb36f92eda3
Instruction ID: 49e2905b870d629617cd54a3ad4ea64d750052a334705c7e6b68d35cedeefd19
Opcode Fuzzy Hash: 743aa33a108d29f9cab5e819e308a9554fb8e98817c33194d1e30fb36f92eda3
Instruction Fuzzy Hash: 28F17970D00229CBCF28CFA8C8946ADBBB1FF45305F25856ED856BB281D3785A96CF45

Function 0040603A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,00421548,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,004058F7,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,?,75922EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406045
FindClose.KERNEL32(00000000), ref: 00406051

Strings

C:\Users\user\AppData\Local\Temp\nsm4376.tmp, xrefs: 0040603A

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsm4376.tmp
API String ID: 2295610775-259832687
Opcode ID: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction ID: ffb9975cce6792308ede9dbdbab0a2e32819aea082b360212a672f9e7c6ece7a
Opcode Fuzzy Hash: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction Fuzzy Hash: 7BD012319490306BC3106B787C0C85B7A599F573317118A33B56AF12F0C7389C7286ED

Function 00406061 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction ID: 2c1b19e4de550b622e70843c6ca25527790cfa0381149662c4593fbace01eca7
Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction Fuzzy Hash: 00E0C232A04211ABC321AB749D48D3B73ACAFD8751309493EF50AF6150D734AC21EBBA

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

lstrcatA.KERNEL32(1033,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923410,"C:\Users\user\Desktop\Setup_x86.exe",00000000), ref: 00403802
lstrlenA.KERNEL32(msiexec.exe /i "MATRIX.msi" ,?,?,?,msiexec.exe /i "MATRIX.msi" ,00000000,C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9},1033,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(msiexec.exe /i "MATRIX.msi" ), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}), ref: 004038DE

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNEL32(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

RichEd32, xrefs: 004039B5
Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
.DEFAULT\Control Panel\International, xrefs: 004037ED
RichEdit20A, xrefs: 004039C2, 004039C8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403793
msiexec.exe /i "MATRIX.msi" , xrefs: 00403845, 0040384D, 0040385A, 004038A4, 004038AA
"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 0040378B
_Nb, xrefs: 004038FA, 00403962
.exe, xrefs: 00403884
1033, xrefs: 004037A7, 004037FD
RichEd20, xrefs: 004039AA
C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 00403811, 00403819, 004038B1, 004038B7, 004038C7
RichEdit, xrefs: 004039D1

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Setup_x86.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$msiexec.exe /i "MATRIX.msi"
API String ID: 914957316-3522456079
Opcode ID: 4a258d8796fa34fddb02ec2619d55facefc74f4564d7f9f136a4b3ccd76ffb40
Instruction ID: 361ceaa5e45529a70bb989737ed67fdedcb7c759bf8cf29c3cde223c60b7be46
Opcode Fuzzy Hash: 4a258d8796fa34fddb02ec2619d55facefc74f4564d7f9f136a4b3ccd76ffb40
Instruction Fuzzy Hash: E661E6B16442007EE720AF659D45F273E6CEB8475AF40407FF941B22E2D67C9D02DA6E

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Setup_x86.exe,00000400), ref: 00402CA9

Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Setup_x86.exe,80000000,00000003), ref: 004059CB
Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Setup_x86.exe,C:\Users\user\Desktop\Setup_x86.exe,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E39

Strings

Error launching installer, xrefs: 00402CC9
C:\Users\user\Desktop\Setup_x86.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 00402C79
Null, xrefs: 00402D72
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
Inst, xrefs: 00402D60
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
soft, xrefs: 00402D69
C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Setup_x86.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Setup_x86.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2960337637
Opcode ID: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
Instruction ID: 2a27acbe37a486d3f9fadad6f2898e15cdcbef103c1943e89973ac3215dbffb0
Opcode Fuzzy Hash: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
Instruction Fuzzy Hash: BC61C671A40205ABDF20AF64DE89B9A76B4EF00315F20413BF904B72D1D7BC9E418BAD

Function 0040173F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,msiexec.exe /i "MATRIX.msi" ,C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9},00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,msiexec.exe /i "MATRIX.msi" ,msiexec.exe /i "MATRIX.msi" ,00000000,00000000,msiexec.exe /i "MATRIX.msi" ,C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9},00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Strings

msiexec.exe /i "MATRIX.msi" , xrefs: 0040175B, 00401764, 00401771, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 0040176C
C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll, xrefs: 0040180C, 00401828

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}$C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll$msiexec.exe /i "MATRIX.msi"
API String ID: 1941528284-3721251280
Opcode ID: cec972a2b1698894bf5ae45e109c831223027fdbe68364e7f7d85183dc249dda
Instruction ID: 7da2985f373e49f587e0f88560f455237d5d3a700d2e38046b33ad83bb6d7614
Opcode Fuzzy Hash: cec972a2b1698894bf5ae45e109c831223027fdbe68364e7f7d85183dc249dda
Instruction Fuzzy Hash: 0341B871910515BACF10BFA5DC46DAF3679DF41369F20823BF511F10E1D63C8A419A6E

Function 0040303A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNELBASE(0040A8A0,00412435,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNELBASE(030CB337,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Strings

5$A, xrefs: 0040310B, 00403124

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 5$A
API String ID: 2146148272-768765641
Opcode ID: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
Instruction ID: 01a25493adf58fb9a894681412e440a2e883d4234beea4965eba9eb13e735820
Opcode Fuzzy Hash: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
Instruction Fuzzy Hash: CC414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389D52CB5E

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040585F: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,?,75922EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 0040586D
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9},00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}
API String ID: 3751793516-3830421350
Opcode ID: 2a622bc09443ca50187ba2ee159019b7cd2e59548df6293550867165e211735f
Instruction ID: decf54c0780f34986dcb1f6dc2400c6331eb5c21fa926316ee50895bb5337331
Opcode Fuzzy Hash: 2a622bc09443ca50187ba2ee159019b7cd2e59548df6293550867165e211735f
Instruction Fuzzy Hash: CE11E931908150ABDB217F755D4496F67B4EA62365728473FF891B22D2C23C4D42E62E

Function 004059F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405A0A
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A24

Strings

"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 004059F6
C:\Users\user\AppData\Local\Temp\, xrefs: 004059F9, 004059FD
nsa, xrefs: 00405A01

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Setup_x86.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-329392158
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 2f7b9810ed7c5924072585cf2130ed1295747d9915b618abfa336aedeca5813d
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: C1F0E2327482487BDB008F1ADC44B9B7B9CDF91710F00C03BF904AA280D2B0A8008B68

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 1000258D: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FF

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: cd3a49c7226bd267e48e570e062e78a21ab1dc0dccc3f926e80528383bd8a00b
Instruction ID: 946e86dc2be410c0748ecba0c1d48508df540d87c222276c6f0f58241c559a10
Opcode Fuzzy Hash: cd3a49c7226bd267e48e570e062e78a21ab1dc0dccc3f926e80528383bd8a00b
Instruction Fuzzy Hash: C5318B79408205DAFB41DF649CC5BCA37ECFB042D5F018465FA0A9A09ADF78A8458A60

Function 00401F68 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 9e9a7f8751caddec8a7bc4708f41f8174cbfb9b9be016fb447ac8878fba62911
Instruction ID: 23a464ffe6ca8440643a385a127484fd4ee8ad6b227fb7efa4d26ad3fc5b3ac3
Opcode Fuzzy Hash: 9e9a7f8751caddec8a7bc4708f41f8174cbfb9b9be016fb447ac8878fba62911
Instruction Fuzzy Hash: D7210872904211BACF107FA48E49A6E39B0AB44358F60823BF601B62D1D7BC4941AA6E

Function 004054E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421500,Error launching installer), ref: 0040550E
CloseHandle.KERNEL32(?), ref: 0040551B

Strings

Error launching installer, xrefs: 004054F8

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
Instruction ID: 0ae392a05d3974bec86de51aa2f8a5c28ff0ee3cdd976454f3eed0d5dd72dd2a
Opcode Fuzzy Hash: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
Instruction Fuzzy Hash: 2BE0BFB4A00209BFEB109FA4ED05F7B76ADEB14745F508561BD11F2160E774A9108A79

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Setup_x86.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 00405FF9
Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\Setup_x86.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 0040600B
Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 0040601B

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 00403204

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031E4, 004031E9, 004031EF, 004031FB, 00403203, 0040320A
1033, xrefs: 0040320B

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
Instruction ID: 89773af62672bbf6302d30782f314b1c1bc42d6855f09756152acd8bf908297a
Opcode Fuzzy Hash: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
Instruction Fuzzy Hash: 24D0C71290AD3066D5513B6A7C46FCF050C8F4675DF11807BF904751C58F6C555395EF

Function 00406745 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6151eb6114a7c7dde5596e7ed141339a6810161cd6e35f889c2edb9118ca88
Instruction ID: d3f30c549e8eaa155af2d8805db43d359078549a114e1d1e4cfdde4495a9482f
Opcode Fuzzy Hash: fa6151eb6114a7c7dde5596e7ed141339a6810161cd6e35f889c2edb9118ca88
Instruction Fuzzy Hash: 13A14471E00228CBDF28DFA8C8447ADBBB1FB45305F15816ED816BB281D7785A96DF44

Function 00406946 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dede487193b96133ea94438acbc75bab27e7ac1b94d370ef06066709f64446
Instruction ID: 66af66db22d428e7cee4185570621c0262e28a8f97ef0091af547b150b1cef7f
Opcode Fuzzy Hash: e9dede487193b96133ea94438acbc75bab27e7ac1b94d370ef06066709f64446
Instruction Fuzzy Hash: 7F912170E00228CBDF28DF98C8947ADBBB1FB45305F15816ED816BB281C7786A96DF44

Function 0040665C Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d995426ddd841542114576c7cd3986778113386b5e0d0d2bb3b42046c5d03f
Instruction ID: 36158da5dd70985ab85e2c4d41886ca33cae813362c0b87a96f868d92fb05337
Opcode Fuzzy Hash: d2d995426ddd841542114576c7cd3986778113386b5e0d0d2bb3b42046c5d03f
Instruction Fuzzy Hash: 65815771D00228CFDF24CFA8C8847ADBBB1FB45305F25816AD816BB281D778A996DF15

Function 00406161 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ae08bc292ff831ddf939399879833efa26d2e617e1386947dce183f6739e75
Instruction ID: 1715bfb1c3d5716620224504c503b3d15fe2aa0a2bbcc08a305e6ffc6cb4203b
Opcode Fuzzy Hash: 68ae08bc292ff831ddf939399879833efa26d2e617e1386947dce183f6739e75
Instruction Fuzzy Hash: 53817771D00228DBDF24CFA8C8447ADBBB0FB44301F2581AED856BB281D7786A96DF45

Function 004065AF Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2929f55d3e8b81ac1e584e7399a4f2facda7d772583105b5c0ec75abe6cb9a93
Instruction ID: 032b7c8430df6362c90b97cb5f8c3133674bcd2d0f853081a3cdcc23126a0f5c
Opcode Fuzzy Hash: 2929f55d3e8b81ac1e584e7399a4f2facda7d772583105b5c0ec75abe6cb9a93
Instruction Fuzzy Hash: 87711371D00228CFDF24CF98C8847ADBBB1FB48305F15806AD816BB281D7785996DF45

Function 004066CD Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948a468c2091db2feb9fa4c22586628b65dd678cc983fa395508304452d62250
Instruction ID: 3e9dbefe820a1d4baf734be7fb741bb2fb66d8e6f9ed59188b506b6c9edb630d
Opcode Fuzzy Hash: 948a468c2091db2feb9fa4c22586628b65dd678cc983fa395508304452d62250
Instruction Fuzzy Hash: AB711371E00228CBDF28CF98C884BADBBB1FB44305F15816ED816BB281D7786996DF45

Function 00406619 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d63a3d575cf43ccaec2b316c623d79440d1cb8ee82c5371297a3fda91248972
Instruction ID: 1812ff5f5430a706778d8acc512246fd3c212bc7acfdfbe5d0fa3af8c8d1a12f
Opcode Fuzzy Hash: 2d63a3d575cf43ccaec2b316c623d79440d1cb8ee82c5371297a3fda91248972
Instruction Fuzzy Hash: AD712471E00228CBDF28DF98C844BADBBB1FB44305F15806ED856BB291C7786A96DF45

Function 00402F1F Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
Instruction ID: 3b6e370e410e3f669d4a968ba26e16673121f6254c39c59cd6eb20204b18cf3c
Opcode Fuzzy Hash: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
Instruction Fuzzy Hash: 14313931502259FFDF20DF55DD44A9E3BA8EF04395F20403AF908A61D0D2789A41EBA9

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Part of subcall function 004054E5: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421500,Error launching installer), ref: 0040550E
Part of subcall function 004054E5: CloseHandle.KERNEL32(?), ref: 0040551B

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: c7546c7acf1ab707d2e8ca4c0905e090d58f4ec16d430388d15c8422db244cfe
Instruction ID: a57a420adebbec2e463a2757bf84d9d81012cc1a8c5c1569ff173e75ada2264d
Opcode Fuzzy Hash: c7546c7acf1ab707d2e8ca4c0905e090d58f4ec16d430388d15c8422db244cfe
Instruction Fuzzy Hash: 66014031904114FBDF21AFA1DD859EE7B71EB40345F10857BFA01B51E1C3794A81EBAA

Function 100027EC Relevance: 3.2, APIs: 2, Instructions: 156synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE(00000000), ref: 100028AB
GetLastError.KERNEL32 ref: 100029B2

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction ID: 2b4501ff186f60f2b29b8b71d76009b37135a14f8b8ad132536a4a21bb517402
Opcode Fuzzy Hash: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction Fuzzy Hash: 9E51A4BA908214DFFB14DF60DCC5B5937A8EB443D4F218429EA08E725DDF38A981CB94

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004059C7 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Setup_x86.exe,80000000,00000003), ref: 004059CB
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004055BA,?,?,00000000,0040579D,?,?,?,?), ref: 004059A7
SetFileAttributesA.KERNEL32(?,00000000), ref: 004059BB

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: a98ca5448702c3e829ea1667e49b0be7f6aa4c87fef4348ac0342a167d80fd98
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 19D0C9B2918120EBC2102728AD0889BBF69EB542717018B31F865A22B0C7304C52DAA9

Function 00405A3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A53

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction ID: 55609983f428609d3339a900fe5ea2c3161a13bcf9e808ef2cae39733250456b
Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction Fuzzy Hash: F7E08C3231025AABDF109EA09C40AEB3B6CEB00760F084432FA14E2040D230E9218FA5

Function 1000270F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 1000272D

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4dab7c069dd6fc30f8915db09394f7f991a1b088a201bba37056324bf7fcc065
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 98F09BF19092A0DEF360DF688CC47063FE4E3993D5B03852AE358F6269EB7441448B19

Function 004031CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Non-executed Functions

Function 0040499C Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049B4
GetDlgItem.USER32(?,00000408), ref: 004049BF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A09
LoadBitmapA.USER32(0000006E), ref: 00404A1C
SetWindowLongA.USER32(?,000000FC,00404F93), ref: 00404A35
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A49
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A5B
SendMessageA.USER32(?,00001109,00000002), ref: 00404A71
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A7D
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A8F
DeleteObject.GDI32(00000000), ref: 00404A92
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404ABD
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404AC9
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5E
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B89
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B9D
GetWindowLongA.USER32(?,000000F0), ref: 00404BCC
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404BDA
ShowWindow.USER32(?,00000005), ref: 00404BEB
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CE8
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D4D
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D62
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D86
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DA6
ImageList_Destroy.COMCTL32(?), ref: 00404DBB
GlobalFree.KERNEL32(?), ref: 00404DCB
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E44
SendMessageA.USER32(?,00001102,?,?), ref: 00404EED
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EFC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F1C
ShowWindow.USER32(?,00000000), ref: 00404F6A
GetDlgItem.USER32(?,000003FE), ref: 00404F75
ShowWindow.USER32(00000000), ref: 00404F7C

Strings

, xrefs: 00404F54
M, xrefs: 00404B45
N, xrefs: 00404C26

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f96aeeab4a25318005a3a9f7b7ecea2fbdc3284bb246aef355b8d85046c4ff9d
Instruction ID: ec1b41ef9246f4b5ca9c31e675ea93c5522bc938a585a88f05d0904c7564d9ec
Opcode Fuzzy Hash: f96aeeab4a25318005a3a9f7b7ecea2fbdc3284bb246aef355b8d85046c4ff9d
Instruction Fuzzy Hash: 7A025FB0900209AFEB10DF94DC85AAE7BB5FB84315F10817AFA10B62E1D7789D42DF58

Function 0040515D Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004051BC
GetDlgItem.USER32(?,000003EE), ref: 004051CB
GetClientRect.USER32(?,?), ref: 00405208
GetSystemMetrics.USER32(00000002), ref: 0040520F
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405230
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405241
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405254
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405262
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405275
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405297
ShowWindow.USER32(?,00000008), ref: 004052AB
GetDlgItem.USER32(?,000003EC), ref: 004052CC
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052DC
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052F5
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405301
GetDlgItem.USER32(?,000003F8), ref: 004051DA

Part of subcall function 00404021: SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 0040531D
CreateThread.KERNEL32(00000000,00000000,Function_000050F1,00000000), ref: 0040532B
CloseHandle.KERNEL32(00000000), ref: 00405332
ShowWindow.USER32(00000000), ref: 00405355
ShowWindow.USER32(?,00000008), ref: 0040535C
ShowWindow.USER32(00000008), ref: 004053A2
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
CreatePopupMenu.USER32 ref: 004053E7
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053FC
GetWindowRect.USER32(?,000000FF), ref: 0040541C
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405435
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405471
OpenClipboard.USER32(00000000), ref: 00405481
EmptyClipboard.USER32 ref: 00405487
GlobalAlloc.KERNEL32(00000042,?), ref: 00405490
GlobalLock.KERNEL32(00000000), ref: 0040549A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054AE
GlobalUnlock.KERNEL32(00000000), ref: 004054C7
SetClipboardData.USER32(00000001,00000000), ref: 004054D2
CloseClipboard.USER32 ref: 004054D8

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 5fccc0b628b5d146bb46abdfcf0f3fd18cc91aed4c2004e16f4bf8579c4053ce
Instruction ID: 24acf85f457993e5d1a00f4a74fbc0a00d7f38a893508f9c9f1f5035b4e63235
Opcode Fuzzy Hash: 5fccc0b628b5d146bb46abdfcf0f3fd18cc91aed4c2004e16f4bf8579c4053ce
Instruction Fuzzy Hash: 5FA15BB1900208BFDB219FA0DD89AAE7F79FB08355F10407AFA04B61A0C7B55E51DF69

Function 0040442A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(msiexec.exe /i "MATRIX.msi" ,0041FCF8), ref: 00404591
lstrcatA.KERNEL32(?,msiexec.exe /i "MATRIX.msi" ), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 0040552E: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 00405541

Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Setup_x86.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 00405FF9
Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\Setup_x86.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 0040600B
Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 0040601B

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404687

Part of subcall function 004047E0: lstrlenA.KERNEL32(0041FCF8,0041FCF8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
Part of subcall function 004047E0: wsprintfA.USER32 ref: 00404886
Part of subcall function 004047E0: SetDlgItemTextA.USER32(?,0041FCF8), ref: 00404899

Strings

A, xrefs: 0040454D
msiexec.exe /i "MATRIX.msi" , xrefs: 0040458B, 00404590, 0040459B
C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 0040457A

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}$msiexec.exe /i "MATRIX.msi"
API String ID: 2624150263-601605399
Opcode ID: f98f00a644f458d2e02a584555e30f134e65ef2c05e9b8026b1db21ee3dd4a2e
Instruction ID: 5a451af96f6c61f8b8aedc9e732e962e3b59a2a539d705b9404eba0a1a8e20eb
Opcode Fuzzy Hash: f98f00a644f458d2e02a584555e30f134e65ef2c05e9b8026b1db21ee3dd4a2e
Instruction Fuzzy Hash: A6A162B1900208ABDB11AFA6CD45AEFB7B9EF85314F10843BF611B72D1D77C89418B69

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}
API String ID: 123533781-3830421350
Opcode ID: 6766bdf138d9a3476f59e6ec973922d24ccafdcf77b7cead4b35a4f15cd1a772
Instruction ID: 1053df79af30500630abfeafbcf843dcec04d0d4e3091bc204b5fde3a4f6985c
Opcode Fuzzy Hash: 6766bdf138d9a3476f59e6ec973922d24ccafdcf77b7cead4b35a4f15cd1a772
Instruction Fuzzy Hash: 3B416D71A00209BFCB40EFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8c73969c0d40863ae126986d1f1e8202bdf4bd21bda08d418c229d82633c171d
Instruction ID: 2b7524724565807a685c72c68d6b6eabb337ae57375c882a310f3ed35d4a28aa
Opcode Fuzzy Hash: 8c73969c0d40863ae126986d1f1e8202bdf4bd21bda08d418c229d82633c171d
Instruction Fuzzy Hash: D4F0EC72504110EBD700EBB4994DAEE77B8DF51314F60457BE141F21C1D3B84945E72E

Function 00403B19 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
EnableWindow.USER32(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(0041FCF8,?,0041FCF8,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,0041FCF8), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0715b8fe610bdd71fae90ba33bb4a09e8b5ebb3c50d1a2f397537002d346961d
Instruction ID: 1f8690e76de68066656ca8d54ad2d010e53819933bf2384d883f7e4ba9537b83
Opcode Fuzzy Hash: 0715b8fe610bdd71fae90ba33bb4a09e8b5ebb3c50d1a2f397537002d346961d
Instruction Fuzzy Hash: 17C1C071A04205BBDB21AF21ED48D2B7EBCFB44706F40443EF601B11E1C7799942AB6E

Function 00404135 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404393

Strings

msiexec.exe /i "MATRIX.msi" , xrefs: 00404303
open, xrefs: 0040433B
N, xrefs: 004042C6

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$msiexec.exe /i "MATRIX.msi" $open
API String ID: 3615053054-459888845
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: 47d1c741c4840d0b501b4796cf3fe0e3440e9ec9cd7b0debe1a5eac4f9bfffd7
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 8F61A0B1A40309BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A6E Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405C12,?,?,00000001,004057B5,?,00000000,000000F1,?), ref: 00405A7E
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405C12,?,?,00000001,004057B5,?,00000000,000000F1,?), ref: 00405AA2
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405AAB

Part of subcall function 0040592C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
Part of subcall function 0040592C: lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405AC8
wsprintfA.USER32 ref: 00405AE6
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,00000004,00421E88,?,?,?,?,?), ref: 00405B21
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B30
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B68
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BBE
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405BD0
GlobalFree.KERNEL32(00000000), ref: 00405BD7
CloseHandle.KERNEL32(00000000), ref: 00405BDE

Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Setup_x86.exe,80000000,00000003), ref: 004059CB
Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

Strings

%s=%s, xrefs: 00405ADC
NUL, xrefs: 00405A78
[Rename], xrefs: 00405B50, 00405B62

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 10d4b8fe51d6b6f2625f365b8b26cf256cf2f07af5c2bd562b8105816d8408bc
Instruction ID: 2d1e09aab0418ff75005a817fdb93eb8b9645243d234663ae25a64343302d3c0
Opcode Fuzzy Hash: 10d4b8fe51d6b6f2625f365b8b26cf256cf2f07af5c2bd562b8105816d8408bc
Instruction Fuzzy Hash: BE41DEB1604A15BFD6206B219C49F6B3A6CDF45718F14053BBE01FA2D2EA7CB8018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405FA1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Setup_x86.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 00405FF9
CharNextA.USER32(?,?,?,00000000), ref: 00406006
CharNextA.USER32(?,"C:\Users\user\Desktop\Setup_x86.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 0040600B
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 0040601B

Strings

*?|<>/":, xrefs: 00405FE9
"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 00405FDD
C:\Users\user\AppData\Local\Temp\, xrefs: 00405FA2, 00405FA7

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Setup_x86.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2386977304
Opcode ID: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
Instruction ID: 96a923a8ee4f60b6f191beee89bac6a1f57d38d5d4ddb578b75945660f6dc773
Opcode Fuzzy Hash: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
Instruction Fuzzy Hash: 57110451908B9229FB325A284C40B777F99CF5A760F18047FE5C1722C2C67C5C529B6E

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction ID: fe65b043c70383bd2b49c92c90746d4950a0c6047a38c1932a2dc3020861886a
Opcode Fuzzy Hash: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction Fuzzy Hash: F6418BB1108711EFF720DFA48884B5BB7F8FF443D1F218929F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B9
GlobalFree.KERNEL32(00000000), ref: 100024F3

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction ID: 82133e1bc6da927614d5bcfc3b496831b4cb396c3e6da136b8b2dca3161aa200
Opcode Fuzzy Hash: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction Fuzzy Hash: 75319CB1504251EFF722CF94CCC4C6B7BBDEB852D4B128569FA4193228DB31AC54DB62

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
Instruction ID: 552098977e22cffcc29eaacdabede243c0f20e1b5d71923adfcfca28e3e686eb
Opcode Fuzzy Hash: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
Instruction Fuzzy Hash: 63318DB1C00118BFCF216FA5CD89DAE7E79EF09364F10423AF520762E1C6795D419BA9

Function 0040501F Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: fe51e3db3acd615496ccbf9ac5cad90a085764a87c5addfa2b073bf2a2aea827
Instruction ID: 2b33129011dff48d1edd85efe61027b37dbb0349f6b457de8e93b882053e083c
Opcode Fuzzy Hash: fe51e3db3acd615496ccbf9ac5cad90a085764a87c5addfa2b073bf2a2aea827
Instruction Fuzzy Hash: C2219071900508BBDB119FA5CD84ADFBFB9EF14354F14807AF544B6290C2794E45DFA8

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(00000000,00000064,0000489A), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 71ceea4fecd240b715e1583c6742d443c774c4b1fc767c2b6efff362cb3abd53
Instruction ID: 53b2eec8c243fd5a5b591a6d8e7090b5e500d3da6e0592f5c5af2241ed808ea0
Opcode Fuzzy Hash: 71ceea4fecd240b715e1583c6742d443c774c4b1fc767c2b6efff362cb3abd53
Instruction Fuzzy Hash: AB0188B0949614ABDB216F64AE4DE9F7B7CFB017057148037FA01B11E1C6B8D541CBAE

Function 004048EA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404905
GetMessagePos.USER32 ref: 0040490D
ScreenToClient.USER32(?,?), ref: 00404927
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404939
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040495F

Strings

f, xrefs: 0040493B

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: 7baaa9b85802c8a5173365c44ed2834cc31749f5d024e9fb4d2ec5e64c2f69ce
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: E40140B1D00218BADB01DBA4DC85FFFBBBCAB95721F10412BBA10B61D0C7B469018BA5

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

unpacking data: %d%%, xrefs: 00402B7F
verifying installer: %d%%, xrefs: 00402B86, 00402B8F

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
Instruction ID: 4b4d840d1cf11f9656568dd8641bec75cd76f4f3bd4f461a87d93eb2d0bf3f96
Opcode Fuzzy Hash: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
Instruction Fuzzy Hash: F7F01D70900208BBEF215F61DD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction ID: 97b6efd1b10b48d7ee9b7c7fbc92de58723c24235f199e6d6d25645bb0e8c5d4
Opcode Fuzzy Hash: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction Fuzzy Hash: DC512532D04159AEFB55DFB488A4AEEBBF6EF453C0F12416AE841B315DCA306E4087D2

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 5733a3c7ed8837a4e33d89bc0436a18c4a21248f1d51b77dead4e3ad8d80db37
Instruction ID: 1cfc72d501241f28ff1c9237e437913a5e8660848d06dce24e2e83bd327c9a1b
Opcode Fuzzy Hash: 5733a3c7ed8837a4e33d89bc0436a18c4a21248f1d51b77dead4e3ad8d80db37
Instruction Fuzzy Hash: EA114F71A00108FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0DBB49E559F69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: feff7bd0ac8b8d98e410c971607266924d1cc5c353d4854e70ab97e8d29ee8d5
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: feff7bd0ac8b8d98e410c971607266924d1cc5c353d4854e70ab97e8d29ee8d5
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 00401D26 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 7af4cf4b66e980d364c2e3aa9c64882f60449cc7f52f10eab55021efc1d5f786
Instruction ID: b452d76144ce78c1ea2c31cbd89393ff29a213aa8dcca448cc35c7c7cb6754f7
Opcode Fuzzy Hash: 7af4cf4b66e980d364c2e3aa9c64882f60449cc7f52f10eab55021efc1d5f786
Instruction Fuzzy Hash: F8011271948340AFE701DBB0AE0EB9A7F74EB19705F108535F141B72E2C6B954159B2F

Function 004047E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FCF8,0041FCF8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
wsprintfA.USER32 ref: 00404886
SetDlgItemTextA.USER32(?,0041FCF8), ref: 00404899

Strings

%u.%u%s%s, xrefs: 00404868

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 878f77dbdcb51275c09da16e61d4023f379ce68319930481f66ff31823ee0149
Instruction ID: 8631c14a921e8479d2aaee063571767324bc63c1cfe9171b6f21c1c007081b9c
Opcode Fuzzy Hash: 878f77dbdcb51275c09da16e61d4023f379ce68319930481f66ff31823ee0149
Instruction Fuzzy Hash: 90112433A441283BDB0065AD9C49EAF328CDF81334F244637FA25F61D1E9788C1292E8

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 004036F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,004036C9,75923410,004034D6,?), ref: 0040370C
GlobalFree.KERNEL32(00535C20), ref: 00403713

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403704
\S, xrefs: 004036F3, 0040371E

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: \S$C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-1999665533
Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9

Function 004057C6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 004057CC
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923410,004033C9), ref: 004057D5
lstrcatA.KERNEL32(?,00409014), ref: 004057E6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057C6

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: c144259923a6e848a034fe90771ae4f3275bad2fdba58d127270a3e6eafdfb33
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: 00D0A962606A306BD20222168C09E8F6A08CF06300B044033F204B62B2C63C0D418FFE

Function 0040231C Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(00409BC8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.ADVAPI32(?,?,?,?,00409BC8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,00409BC8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: b5d2e43241cc5f1c643ac0585cf0187cb16dde17b219008d57ea00b15267c4df
Instruction ID: 937c1904c824b73ffe337d2eacc138a1f8ac1658d2030852d1a46e58dbdf142b
Opcode Fuzzy Hash: b5d2e43241cc5f1c643ac0585cf0187cb16dde17b219008d57ea00b15267c4df
Instruction Fuzzy Hash: D71172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
Instruction ID: 9791f4c70c1528f8983e13c97e2cb0ced061aec02aec85b9ff59acd402aedfa8
Opcode Fuzzy Hash: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
Instruction Fuzzy Hash: A0117071901209BEDF01EFA5DD85DAEBBB9EF04344B20807AF505F61A1D7388E55DB28

Function 0040585F Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,?,75922EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 0040586D
CharNextA.USER32(00000000), ref: 00405872
CharNextA.USER32(00000000), ref: 00405886

Strings

C:\Users\user\AppData\Local\Temp\nsm4376.tmp, xrefs: 00405860

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsm4376.tmp
API String ID: 3213498283-259832687
Opcode ID: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
Instruction ID: 725a23b4e930c3b6c27a7d0cd0e333612dd42f6c53d199a680129a9385ae8045
Opcode Fuzzy Hash: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
Instruction Fuzzy Hash: 74F06253914F516AFB3276645C44B7B5A8CCF56361F188477EE40A62C2C2BC4C618F9A

Function 00403A4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4

Strings

"C:\Users\user\Desktop\Setup_x86.exe", xrefs: 00403A4D
1033, xrefs: 00403A50, 00403A5A, 00403ACB

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Setup_x86.exe"$1033
API String ID: 530164218-2672335317
Opcode ID: c20953c35db1116ecdf277b9f7b3923fed37fef6e8e5c3a171d6f7dc7f85f207
Instruction ID: 694a286dd4981efc18ef326c294584d4bec2a1602357d8abc11fec8a6f834ca0
Opcode Fuzzy Hash: c20953c35db1116ecdf277b9f7b3923fed37fef6e8e5c3a171d6f7dc7f85f207
Instruction Fuzzy Hash: EC11D4B1B046109BCB24DF15DC809337BBDEB8471A329813BE941A73A1C73D9E029A98

Function 00404F93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404FC2
CallWindowProcA.USER32(?,?,?,?), ref: 00405013

Part of subcall function 00404038: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404FA3

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
Instruction ID: 01da3f5901ddaf9404fa7d81b8fd4ad62d8e53e58d7af57a61279808ed2d7cb1
Opcode Fuzzy Hash: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
Instruction Fuzzy Hash: EA018F7110020DABDF209F11DC85E9F3B6AF784758F208037FA04752D1D77A8C92AAAE

Function 004058B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

Part of subcall function 0040585F: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,?,75922EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 0040586D
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm4376.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,?,75922EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405907
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,C:\Users\user\AppData\Local\Temp\nsm4376.tmp,?,?,75922EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405917

Strings

C:\Users\user\AppData\Local\Temp\nsm4376.tmp, xrefs: 004058BA, 004058BF, 004058C5, 00405900, 00405906, 0040590E, 00405916

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm4376.tmp
API String ID: 3248276644-259832687
Opcode ID: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
Instruction ID: cee4b60d78671bb78a10d3fddc0396ac835ea714c96625339261d657e7680c9f
Opcode Fuzzy Hash: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
Instruction Fuzzy Hash: 0AF02823105D6026C63233391C09AAF1B95CE86368B24853FFC51B22D1DB3C8863DE7E

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll
API String ID: 427699356-3374748803
Opcode ID: 940008227e3000e27693e8b891f8179a8cfec3dced6337216f9b89fca6ff3594
Instruction ID: 4826b5ec7f58a8945af1d05ae4e09a11cd1e532a13e769836b40841c5f4177c7
Opcode Fuzzy Hash: 940008227e3000e27693e8b891f8179a8cfec3dced6337216f9b89fca6ff3594
Instruction Fuzzy Hash: 80F054B2A54244BFDB40ABA19E499EB66A4DB40309F10443FB141F61C2D5BC4941A66A

Function 0040580D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Setup_x86.exe,C:\Users\user\Desktop\Setup_x86.exe,80000000,00000003), ref: 00405813
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Setup_x86.exe,C:\Users\user\Desktop\Setup_x86.exe,80000000,00000003), ref: 00405821

Strings

C:\Users\user\Desktop, xrefs: 0040580D

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: ba052d51ab232c33a65bcd29671eceb75c11827358d6bb1c4ef4a0a5cf44e1aa
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 94D0A77341AD701EE30372109C04B8F6A48CF16300F098462E440B61A0C2780C414BED

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.3311204738.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3311181301.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311228891.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3311315344.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Setup_x86.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 0040592C Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
lstrcmpiA.KERNEL32(00405B5B,00000000), ref: 00405954
CharNextA.USER32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 00405965
lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E

Memory Dump Source

Source File: 00000000.00000002.3309433404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3309414506.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309461480.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309479994.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3309636714.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_x86.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 6acf3bc3cda9f3bfd2525b0ac34aa546eab038af588102683640af0afc927a81
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 27F0C232604518FFC7129BA4DD40D9FBBA8EF06360B2500AAE800F7250D274EE019FAA

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup_x86.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Scienta Omicron\Installer\{4B7066F8-B6E1-4A46-BF42-5395F35020B9}\MATRIX.msi

C:\Users\user\AppData\Local\Temp\nsh4356.tmp

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nsm4376.tmp\version.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Windows Analysis Report
Setup_x86.exe

Function 00403217 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 337
stringfilecomCOMMON

Function 00405D58 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Function 004055F6 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00406310 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 0040603A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040173F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 0040303A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Function 004059F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00401F68 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Function 004054E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON