Edit tour

Windows Analysis Report
w4Xl662CE7.exe

Overview

General Information

Sample name:	w4Xl662CE7.exe renamed because original name is a hash value
Original sample name:	7672bd369e644ee4f4d332d779c81b863ee581a0de11bf354bc854181c7cccb7.exe
Analysis ID:	1554996
MD5:	d350f9d68867c04a5834d40ed20435a6
SHA1:	7e9e9a5454d780a0df486519470c01db978ec6fc
SHA256:	7672bd369e644ee4f4d332d779c81b863ee581a0de11bf354bc854181c7cccb7
Tags:	ConsolHQLTDexeuser-JAMESWT_MHT
Infos:

Detection

Score:	9
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	47
Range:	0 - 100

Signatures

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

w4Xl662CE7.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\w4Xl662CE7.exe" MD5: D350F9D68867C04A5834D40ED20435A6)

msiexec.exe (PID: 7604 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\w4Xl662CE7.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488867 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7500 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7552 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F4295AFC544D7720538B75B4E254EF96 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7664 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FCF7C67D7B0D5412E5FD6BA69DD16D34 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:10:25.554052+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.8	49713	TCP
2024-11-13T10:11:02.999228+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.8	49715	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: w4Xl662CE7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: w4Xl662CE7.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: w4Xl662CE7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: wininet.pdb source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: w4Xl662CE7.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: w4Xl662CE7.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: w4Xl662CE7.exe

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FA43B0 FindFirstFileW,GetLastError,FindClose,	0_2_00FA43B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FC2380 FindFirstFileW,FindClose,	0_2_00FC2380
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00EBA950
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00FC14D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	0_2_00FA3DE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FAC0B0 FindFirstFileW,FindClose,FindClose,	0_2_00FAC0B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FBE3A0 FindFirstFileW,FindClose,	0_2_00FBE3A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FCE610 FindFirstFileW,FindClose,	0_2_00FCE610
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00FCB3D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FCB7D0 FindFirstFileW,FindClose,	0_2_00FCB7D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00FA3A50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00FDFB20

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00FCA620

Networking

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49713
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49715

Source: w4Xl662CE7.exe	String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: w4Xl662CE7.exe, 00000000.00000000.1415579672.00000000010B8000.00000002.00000001.01000000.00000003.sdmp, w4Xl662CE7.exe, 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)

Source: shi8B2.tmp.0.dr	String found in binary or memory: http://.css
Source: shi8B2.tmp.0.dr	String found in binary or memory: http://.jpg
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi8B2.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

System Summary

Contains functionality to call native functions

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FE15E0 NtdllDefWindowProc_W,	0_2_00FE15E0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F61FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_00F61FB0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F00010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00F00010
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EB2250 NtdllDefWindowProc_W,	0_2_00EB2250
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EBC4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00EBC4F0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EB8720 NtdllDefWindowProc_W,	0_2_00EB8720
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EB8890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00EB8890
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EAEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00EAEBE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F00BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,	0_2_00F00BAA
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F00CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,	0_2_00F00CE3
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F00C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW,	0_2_00F00C22
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EF6EE0 NtdllDefWindowProc_W,	0_2_00EF6EE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EAF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	0_2_00EAF190
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00ECD320 NtdllDefWindowProc_W,	0_2_00ECD320
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EC15F0 NtdllDefWindowProc_W,	0_2_00EC15F0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EB1670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00EB1670
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EAF7C0 NtdllDefWindowProc_W,	0_2_00EAF7C0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EB1C90 NtdllDefWindowProc_W,	0_2_00EB1C90
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F47F20 NtdllDefWindowProc_W,	0_2_00F47F20

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b0e6e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI115C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11CB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI122A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1259.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI115C.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EBA950	0_2_00EBA950
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FDB350	0_2_00FDB350
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FB7D70	0_2_00FB7D70
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EC6070	0_2_00EC6070
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EC41B0	0_2_00EC41B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EBE290	0_2_00EBE290
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0103E2BE	0_2_0103E2BE
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0103E64C	0_2_0103E64C
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_01058B95	0_2_01058B95
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F82A50	0_2_00F82A50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EB8CD0	0_2_00EB8CD0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EA2F40	0_2_00EA2F40
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00ED52F0	0_2_00ED52F0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0101D550	0_2_0101D550
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EC35A0	0_2_00EC35A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EC7630	0_2_00EC7630
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F7B7A0	0_2_00F7B7A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EFFA40	0_2_00EFFA40
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0104DD6A	0_2_0104DD6A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00F13FC0	0_2_00F13FC0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00F9E770 appears 31 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00EA8800 appears 223 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00ED3810 appears 90 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00EA9390 appears 41 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00EA7070 appears 53 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00EA99C0 appears 69 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00EA6FF0 appears 46 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: String function: 00F9E6D0 appears 60 times

Sample file is different than original file name gathered from version info

Source: w4Xl662CE7.exe, 00000000.00000000.1415673595.0000000001166000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameInstaller.exe4 vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1418093781.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDecoder.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe	Binary or memory string: OriginalFileNameInstaller.exe4 vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe	Binary or memory string: OriginalFilenameDecoder.dllF vs w4Xl662CE7.exe

Uses 32bit PE files

Source: w4Xl662CE7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: shi8B2.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: clean9.winEXE@8/13@0/0

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FA2230 FormatMessageW,GetLastError,

0_2_00FA2230

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FCC990 GetDiskFreeSpaceExW,

0_2_00FCC990

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FE6D50 CoCreateInstance,

0_2_00FE6D50

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00F3AB40 FindResourceW,LoadResource,LockResource,SizeofResource,

0_2_00F3AB40

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD

Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

File created: C:\Users\user\AppData\Local\Temp\shi8B2.tmp

Jump to behavior

Source: w4Xl662CE7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

File read: C:\Users\user\Desktop\w4Xl662CE7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\w4Xl662CE7.exe "C:\Users\user\Desktop\w4Xl662CE7.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F4295AFC544D7720538B75B4E254EF96 C
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\w4Xl662CE7.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488867 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCF7C67D7B0D5412E5FD6BA69DD16D34
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\w4Xl662CE7.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488867 " AI_EUIMSI=""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F4295AFC544D7720538B75B4E254EF96 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCF7C67D7B0D5412E5FD6BA69DD16D34	Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

PE / OLE file has a valid certificate

Source: w4Xl662CE7.exe

Static PE information: certificate valid

PE file has a big code size

Source: w4Xl662CE7.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: w4Xl662CE7.exe

Static file information: File size 49206760 > 1048576

PE file has a big raw section

Source: w4Xl662CE7.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00

PE file contains a mix of data directories often seen in goodware

Source: w4Xl662CE7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: w4Xl662CE7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: w4Xl662CE7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: w4Xl662CE7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: w4Xl662CE7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: w4Xl662CE7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: w4Xl662CE7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: w4Xl662CE7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: wininet.pdb source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: w4Xl662CE7.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: w4Xl662CE7.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: w4Xl662CE7.exe

PE file contains a valid data directory to section mapping

Source: w4Xl662CE7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: w4Xl662CE7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: w4Xl662CE7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: w4Xl662CE7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: w4Xl662CE7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: shi8B2.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FA2350 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00FA2350

PE file contains sections with non-standard names

Source: shi8B2.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi8B2.tmp.0.dr	Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016ABF70 push ecx; ret	0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016ABF70 push ecx; ret	0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016ABF70 push ecx; ret	0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016ABF70 push ecx; ret	0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016ABF70 push ecx; ret	0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016ABF70 push ecx; ret	0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4F push es; iretd	0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4F push es; iretd	0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4F push es; iretd	0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4F push es; iretd	0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4F push es; iretd	0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4F push es; iretd	0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4D push es; retf	0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4D push es; retf	0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4D push es; retf	0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4D push es; retf	0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4D push es; retf	0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5C4D push es; retf	0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AA741 push FFFFFFBFh; iretd	0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AA741 push FFFFFFBFh; iretd	0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AA741 push FFFFFFBFh; iretd	0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AA741 push FFFFFFBFh; iretd	0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AA741 push FFFFFFBFh; iretd	0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AA741 push FFFFFFBFh; iretd	0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AD633 push es; ret	0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AD633 push es; ret	0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AD633 push es; ret	0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AD633 push es; ret	0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AD633 push es; ret	0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016AD633 push es; ret	0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_3_016A5819 push es; ret	0_3_016A5C3A

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File created: C:\Users\user\AppData\Local\Temp\shi8B2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI122A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1259.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11CB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File created: C:\Users\user\AppData\Local\Temp\MSI93F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI115C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAD7.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI122A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1259.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI115C.tmp	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect virtual machines (STR)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_3_0168C160 str word ptr [eax+40764612h]

0_3_0168C160

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8B2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI122A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1259.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI11CB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI93F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI115C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAD7.tmp	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Evaded block: after key decision

graph_0-67916

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-69824

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FA43B0 FindFirstFileW,GetLastError,FindClose,	0_2_00FA43B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FC2380 FindFirstFileW,FindClose,	0_2_00FC2380
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00EBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00EBA950
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00FC14D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	0_2_00FA3DE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FAC0B0 FindFirstFileW,FindClose,FindClose,	0_2_00FAC0B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FBE3A0 FindFirstFileW,FindClose,	0_2_00FBE3A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FCE610 FindFirstFileW,FindClose,	0_2_00FCE610
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00FCB3D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FCB7D0 FindFirstFileW,FindClose,	0_2_00FCB7D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00FA3A50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00FDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00FDFB20

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00FCA620

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_0103365A VirtualQuery,GetSystemInfo,

0_2_0103365A

Source: w4Xl662CE7.exe	Binary or memory string: &VmCi
Source: Installer.msi.0.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: w4Xl662CE7.exe, 00000000.00000003.1532941791.000000000166B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\rod_VMware_SATA_CD00#4&22

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_0103AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0103AD13

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FD77C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00FD77C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FA2350 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00FA2350

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0104C66D mov ecx, dword ptr fs:[00000030h]	0_2_0104C66D
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0105783E mov eax, dword ptr fs:[00000030h]	0_2_0105783E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_01035CA1 mov esi, dword ptr fs:[00000030h]	0_2_01035CA1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_01035D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_01035D0D

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_00ED21E0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00ED21E0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_01036738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01036738
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: 0_2_0103AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0103AD13

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\w4xl662ce7.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488867 " ai_euimsi=""
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\w4xl662ce7.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488867 " ai_euimsi=""			Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FCEAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

0_2_00FCEAB0

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx,	0_2_00FC4050
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,	0_2_01050186
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,	0_2_010541E6
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0105430F
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,	0_2_01054415
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_010544E4
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_01053B80
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,	0_2_01053D7B
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: EnumSystemLocalesW,	0_2_0104FC09
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: EnumSystemLocalesW,	0_2_01053F08
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_01053F93
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: EnumSystemLocalesW,	0_2_01053E22
Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Code function: EnumSystemLocalesW,	0_2_01053E6D

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\w4Xl662CE7.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FDBB20 CreateNamedPipeW,CreateFileW,

0_2_00FDBB20

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_010372F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_010372F4

Source: C:\Users\user\Desktop\w4Xl662CE7.exe

Code function: 0_2_00FDA240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,

0_2_00FDA240

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
w4Xl662CE7.exe	3%	ReversingLabs
w4Xl662CE7.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSI93F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI93F.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIAD7.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi8B2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll	0%	ReversingLabs
C:\Windows\Installer\MSI115C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI11CB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI122A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1259.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr	false	high
http://html4/loose.dtd	shi8B2.tmp.0.dr	false	high
https://www.advancedinstaller.com	w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	false	high
https://www.thawte.com/cps0/	w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	false	high
http://.css	shi8B2.tmp.0.dr	false	high
http://.jpg	shi8B2.tmp.0.dr	false	high
https://www.thawte.com/repository0W	w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554996
Start date and time:	2024-11-13 10:09:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	w4Xl662CE7.exe renamed because original name is a hash value
Original Sample Name:	7672bd369e644ee4f4d332d779c81b863ee581a0de11bf354bc854181c7cccb7.exe
Detection:	CLEAN
Classification:	clean9.winEXE@8/13@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 58% Number of executed functions: 69 Number of non-executed functions: 191
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\shi8B2.tmp	setup.exe	Get hash	malicious	Unknown	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	VirtualDesktop.Streamer.Setup.exe	Get hash	malicious	Unknown	Browse
	VirtualDesktop.Streamer.Setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	Step 3 - Setup_Install.exe	Get hash	malicious	Xmrig	Browse
	http://downloads.ciscocems.com/downloads/CeDAR/Setup_Cedar%208.05.08.zip	Get hash	malicious	Unknown	Browse
	Bill Details.exe	Get hash	malicious	UltraVNC	Browse
	Bill Details.exe	Get hash	malicious	UltraVNC	Browse
	teracopy.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSI93F.tmp	IM-vL5WWvBl.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSI93F.tmp

Download File

Process:	C:\Users\user\Desktop\w4Xl662CE7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	453088
Entropy (8bit):	6.413087895399404
Encrypted:	false
SSDEEP:	6144:PBtBN+l8CKvSHJSTHLntEToqi/9rpiAO+7lMhZeBajAt7fgcY:PB/0l1K7HLnt5DgMlgZ7AtDgcY
MD5:	FBC6CCCA9154D017D647938190E4AD8D
SHA1:	E753F1511F27427616E98762BA2F45D67C3D90D4
SHA-256:	D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
SHA-512:	D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: IM-vL5WWvBl.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............\|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAD7.tmp

Download File

Process:	C:\Users\user\Desktop\w4Xl662CE7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	919520
Entropy (8bit):	6.451407326378623
Encrypted:	false
SSDEEP:	24576:1x90VXSK4fSa6HXr1iWn8Zlb2h4ntHurpllQ6a:Pq4Fb6HXr1iWnU84ntHurpllQ6a
MD5:	064278F42704CDCE52C8C527CF9AFBC7
SHA1:	007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
SHA-256:	070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
SHA-512:	9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...#S..#S..#S]. R..#S].&R;.#S.'R..#S. R..#S.&R..#S].'R..#S]."R..#S.."S..#S2.*R..#S2.#R..#S2..S..#S..S..#S2.!R..#SRich..#S........PE..L...P..b.........."!.....X...................p...............................@......{9....@.........................`A..t....A.......0.......................@..L...(...p...............................@............p...............................text...nV.......X.................. ..`.rdata.......p.......\..............@..@.data...<....`.......@..............@....rsrc........0......................@..@.reloc..L....@......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIb1285.LOG

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.4214271430805328
Encrypted:	false
SSDEEP:	6:QmQlfuV3ecOYrsfc/okjxaaOEqQbr62avKpnKBlv2K84UlUlxSlYH:QmQ1u9Zsc/7aFEVbr62aInKT8fYH
MD5:	403DB5CE9921B7532A18C8AB2E21D85A
SHA1:	841EB9C870DC61EEEF2FF246E23E0226FC35ABA8
SHA-256:	37D719DC5E04DAEFF910E15FD19CE0B893A40A6543CF77D94A17BD6E7DD342A4
SHA-512:	32FADE9B6D63D40F8C59E0ED2ABCEE168CF1516E0CEAD1FABD7114286357E58A9A2C3C27849AB2C0BFFBBBC77790BE52B259DBBBC3751F29DE856D31AE22509E
Malicious:	false
Reputation:	low
Preview:	..C.o.n.s.o.l.e.H.Q. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .s.y.s.t.e.m.s. .w.i.t.h. .s.c.r.e.e.n. .r.e.s.o.l.u.t.i.o.n. .s.m.a.l.l.e.r. .t.h.a.n. .1.3.6.0. .x. .7.6.8.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.3./.1.1./.2.0.2.4. . .0.4.:.1.0.:.2.0. .=.=.=.....

C:\Users\user\AppData\Local\Temp\shi8B2.tmp

Download File

Process:	C:\Users\user\Desktop\w4Xl662CE7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious, Browse Filename: VirtualDesktop.Streamer.Setup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Step 3 - Setup_Install.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Bill Details.exe, Detection: malicious, Browse Filename: Bill Details.exe, Detection: malicious, Browse Filename: teracopy.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi

Download File

Process:	C:\Users\user\Desktop\w4Xl662CE7.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {84D7A21E-4D81-4C2F-85D0-A76E4089EC98}, Number of Words: 0, Subject: ConsoleHQ, Author: ConsolHQ LTD, Name of Creating Application: ConsoleHQ, Template: ;1033, Comments: This installer database contains the logic and data required to install ConsoleHQ., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2200576
Entropy (8bit):	6.507737123370175
Encrypted:	false
SSDEEP:	49152:0SVYVKjlgZcDgcYrAvq4Fb6HXr1iWnU84ntHurpllQ6aSHCP1N0ZqgJtmpxl:JY4jluAjFnWnq1
MD5:	2584927FC211D36448829C05282D4EFB
SHA1:	8264B7B225D50E5CF90064BC0392EE905AC0354F
SHA-256:	DAE1BFC5C3B8DC01F9B43158A6FF31985F30943EECF095BE74A3C699C5F3A277
SHA-512:	0BFC377BBD082F1C4FFCDCCE7B4865DF1E9FB3BEA1C59A776E04B64BDB177E4865EE7CE46BA580726E4F42D8148478E4F3D36DDEF0E6760E53D0E1A2CF49537B
Malicious:	false
Preview:	......................>..................."...................................f...............................1...2...3...4...5...6...7...8...9...:...;...<...=...>...C...D...E...F...G...H...I...J...K...................................................................................................................................................................................................................................................................................................................................N...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)......4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C.......E...K...G...H...I...J.......L...M...O..._...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...`......a...b...c...d...e...........h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

Download File

Process:	C:\Users\user\Desktop\w4Xl662CE7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209920
Entropy (8bit):	6.447659228395253
Encrypted:	false
SSDEEP:	3072:tScXkSa4E7uzTK+NbkuO2DcUC1myXxskH9Xq4fa2KbDI0lSmb9D:Q7sO+EZ9LH2j7Mmb9
MD5:	A5FFDCF45D3D123139C49017B22F444E
SHA1:	7B3D3D293F9A34570FC91500A6580496147C7658
SHA-256:	8F49245444B02BF0E103C5A5850A0B2FB1F2880C917261D146E3B8BC3C166E40
SHA-512:	5FF195A70825EFCED761ACEEEC5A6F0D0E18C1A4074482F584EFABEF7166C957C728D71D6185E3487A1405C608D820EFA4E07C584D60A8D51625E5D8A9A89397
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..a..2..2..2..3 ..2..3...2x.3...2x.3:..2x.3?..2..3?..2..3-..2..2...2..3v..2..3+..2..^2+..2.62+..2..3+..2Rich..2................PE..L...?..b.........."!.....`...................p............................................@......................... ...........<....p.. .......................0 ......p...........................`...@............p..t............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc..0 ......."..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\w4Xl662CE7.exe
File Type:	data
Category:	dropped
Size (bytes):	162168468
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	2DBC0818CDB52345791955E058A40132
SHA1:	3CEC7455FB8C8F57FABA2B065BA7BEEBCECBA565
SHA-256:	896FBF58598F1376DC47013E0CCDF5422A54C28460F858ABD25B871DC02D5509
SHA-512:	8173DAE9455BD4D200E0C5D3A25014AA879FF3FC9A9001C02F91BB0F1EA10D226BFFD6C8E19BA2F7A37A646749E82C5A70CF62A7C461660A188343C8A19E77CB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6b0e6e.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {84D7A21E-4D81-4C2F-85D0-A76E4089EC98}, Number of Words: 0, Subject: ConsoleHQ, Author: ConsolHQ LTD, Name of Creating Application: ConsoleHQ, Template: ;1033, Comments: This installer database contains the logic and data required to install ConsoleHQ., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2200576
Entropy (8bit):	6.507737123370175
Encrypted:	false
SSDEEP:
MD5:	2584927FC211D36448829C05282D4EFB
SHA1:	8264B7B225D50E5CF90064BC0392EE905AC0354F
SHA-256:	DAE1BFC5C3B8DC01F9B43158A6FF31985F30943EECF095BE74A3C699C5F3A277
SHA-512:	0BFC377BBD082F1C4FFCDCCE7B4865DF1E9FB3BEA1C59A776E04B64BDB177E4865EE7CE46BA580726E4F42D8148478E4F3D36DDEF0E6760E53D0E1A2CF49537B
Malicious:	false
Preview:	......................>..................."...................................f...............................1...2...3...4...5...6...7...8...9...:...;...<...=...>...C...D...E...F...G...H...I...J...K...................................................................................................................................................................................................................................................................................................................................N...............................:...<........................................................................... ...!..."...#...$...%...&...'...(...)......4...,...-......./...0...1...2...3.......5...6...7...8...9...=...;...D...F...>...?...@...A...B...C.......E...K...G...H...I...J.......L...M...O..._...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...`......a...b...c...d...e...........h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI115C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	453088
Entropy (8bit):	6.413087895399404
Encrypted:	false
SSDEEP:
MD5:	FBC6CCCA9154D017D647938190E4AD8D
SHA1:	E753F1511F27427616E98762BA2F45D67C3D90D4
SHA-256:	D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
SHA-512:	D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............\|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI11CB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	453088
Entropy (8bit):	6.413087895399404
Encrypted:	false
SSDEEP:
MD5:	FBC6CCCA9154D017D647938190E4AD8D
SHA1:	E753F1511F27427616E98762BA2F45D67C3D90D4
SHA-256:	D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
SHA-512:	D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............\|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI122A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	453088
Entropy (8bit):	6.413087895399404
Encrypted:	false
SSDEEP:
MD5:	FBC6CCCA9154D017D647938190E4AD8D
SHA1:	E753F1511F27427616E98762BA2F45D67C3D90D4
SHA-256:	D0C9F193D5FB108035C24CD16495D8471295C8AE4A507CC939DCD3C31ED70836
SHA-512:	D72A7B6BE718E09B0B6B2A6C32888FB29BBE34D34D1965CCE017162224DB20D4BADAAE507244E16E7A72B84A15139FC9CB6EA703925666906F73420684E0D49D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.b7...d...d...d..e...d..e...dQ..e...dQ..e...dQ..eK..d..e...d..e...d..e...d...dP..d...eV..d...e...d...d...d..d...d...e...dRich...d................PE..L......b.........."!.........R.......................................................-....@.........................._.......f..........0........................L..H...p...............................@...............4............................text............................... ..`.rdata..............................@..@.data....!...........j..............@....rsrc...0............\|..............@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1259.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	919520
Entropy (8bit):	6.451407326378623
Encrypted:	false
SSDEEP:
MD5:	064278F42704CDCE52C8C527CF9AFBC7
SHA1:	007C2A1C946EB62886AC26ADFC7C6B41EECD4D41
SHA-256:	070155314AE1035E0A74729231EA97053744EC3B0D5E8D8AF0D000448924D5A9
SHA-512:	9D7AE27229317F07CFD051AB8A7E4E7AC4071593FB0329BFF21CFB812086CA00CFFEBBC950A4849C233D8B2EE3D306E9A3338415DEB48CEE09C5B94704A01A70
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...#S..#S..#S]. R..#S].&R;.#S.'R..#S. R..#S.&R..#S].'R..#S]."R..#S.."S..#S2.*R..#S2.#R..#S2..S..#S..S..#S2.!R..#SRich..#S........PE..L...P..b.........."!.....X...................p...............................@......{9....@.........................`A..t....A.......0.......................@..L...(...p...............................@............p...............................text...nV.......X.................. ..`.rdata.......p.......\..............@..@.data...<....`.......@..............@....rsrc........0......................@..@.reloc..L....@......................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362963806596687
Encrypted:	false
SSDEEP:
MD5:	0C9FCF4EC6BC722AB29119DB00D7591B
SHA1:	7C2C8717CECD5F9F389CD78D8DB2519269D19522
SHA-256:	543C2AF9807BD57ABF3E7B0E7EB932D123629E5CBF403BB3CF543E0E316A6236
SHA-512:	75CA30F608725767FD6F1E7FA2DFED2008D87EE802F24CB4265CEA8FFF11E6A4977AED4C3D67CF92C020D54318E97E1CCDF3E2A713EE8437D5A7EC4E69094CA1
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.976625930658511
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	w4Xl662CE7.exe
File size:	49'206'760 bytes
MD5:	d350f9d68867c04a5834d40ed20435a6
SHA1:	7e9e9a5454d780a0df486519470c01db978ec6fc
SHA256:	7672bd369e644ee4f4d332d779c81b863ee581a0de11bf354bc854181c7cccb7
SHA512:	98757f367bb77388ffe3391cf4c10101ee19d079e9efb4af5498d46d09340e7f5bfdde6909eab8136b79801b0646a7a223138e75c322b3bfdbef93845afdd28b
SSDEEP:	786432:kVGExzYbFwhkPMvMGp+X7l+AOeMlcft9qjpsP7qLr3HbpGwCTPxtYVqbqR0/pNj1:SUBowMvMl+ot9Wpsz2rXbpDCTptDJx+U
TLSH:	64B73330364AC52BDA6615B0292C9A9F552D7E750F71A8C7B3CC2D2E1BB49C34732E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{...{...{.3.x...{.3.~.X.{.3.}...{.......{...x...{...~...{.3.....{.3.z...{.3.\|...{...z.8.{.\.r...{.\.....{.......{.\.y...{

File Icon


Icon Hash:	9713331b4d3b2f0c

Static PE Info

General

Entrypoint:	0x596c64
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6213B2EE [Mon Feb 21 15:42:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	836688c7d21e39394af41ce9a8c2d728

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/08/2024 08:25:00 30/08/2025 08:25:00
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=ConsolHQ LTD, SERIALNUMBER=12800651, O=ConsolHQ LTD, L=Erith, C=GB
Version:	3
Thumbprint MD5:	E4ED28FFAC43E82D3DB5467DE244B770
Thumbprint SHA-1:	787863161875446360E7486D3CF5E34E15DC8009
Thumbprint SHA-256:	CA814262219EF4B9EF1CC76050E02D41B34F87AEF05D34FA378DAE913F4C784C
Serial:	740833F89CC52CAE8CEA1984A66DBB66

Entrypoint Preview

Instruction
call 00007FA1751982ADh
jmp 00007FA175197A4Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FA1751970A3h
jmp 00007FA175197BB2h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0069E01Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0069E01Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0069E01Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29cb94	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a7000	0x3d55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2eeb5d0	0x2018
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e5000	0x256bc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x246778	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x246800	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x219f38	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x218000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x299f88	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x216c3f	0x216e00	b670db57563315716440578ee99e5466	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x218000	0x85b8c	0x85c00	59a6fbcfc1f150b26bf16fdd47452e43	False	0.3120947721962617	data	4.605894063170113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29e000	0x89f0	0x6a00	1cea180402edcf39ea7c6193312cce32	False	0.14180424528301888	DOS executable (block device driver 0aY)	2.8670521481443174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2a7000	0x3d55c	0x3d600	9c215b5617dafedde9588bb2401248ca	False	0.2635724287169043	data	5.856059532970926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e5000	0x256bc	0x25800	08f0f06260e93e98732bfb4145f07cca	False	0.446171875	data	6.512576488264422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMAGE_FILE	0x2a7bf0	0x6	ISO-8859 text, with no line terminators	English	United States	2.1666666666666665
IMAGE_FILE	0x2a7bf8	0x6	ISO-8859 text, with no line terminators	English	United States	2.1666666666666665
RTF_FILE	0x2a7c00	0x2e9	Rich Text Format data, version 1, ANSI, code page 1252	English	United States	0.5503355704697986
RTF_FILE	0x2a7eec	0xa1	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	English	United States	0.906832298136646
RT_BITMAP	0x2a7f90	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x2a80d0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x2a88f8	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x2ad1a0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x2adc0c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x2add60	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x2ae588	0x7c5a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9958534899792675
RT_ICON	0x2b61e4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.142848692771797
RT_ICON	0x2c6a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.29470954356846474
RT_ICON	0x2c8fb4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.3621013133208255
RT_ICON	0x2ca05c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.45819672131147543
RT_MENU	0x2ca9e4	0x5c	data	English	United States	0.8478260869565217
RT_MENU	0x2caa40	0x2a	data	English	United States	1.0714285714285714
RT_DIALOG	0x2caa6c	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x2cab18	0x2a6	data	English	United States	0.5132743362831859
RT_DIALOG	0x2cadc0	0x3b4	data	English	United States	0.43248945147679324
RT_DIALOG	0x2cb174	0xbc	data	English	United States	0.7180851063829787
RT_DIALOG	0x2cb230	0x204	data	English	United States	0.560077519379845
RT_DIALOG	0x2cb434	0x282	data	English	United States	0.48598130841121495
RT_DIALOG	0x2cb6b8	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x2cb784	0x146	data	English	United States	0.5736196319018405
RT_DIALOG	0x2cb8cc	0x226	data	English	United States	0.4690909090909091
RT_DIALOG	0x2cbaf4	0x388	data	English	United States	0.45464601769911506
RT_DIALOG	0x2cbe7c	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x2cc030	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x2cc168	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x2cc1b4	0x45c	data	English	United States	0.3844086021505376
RT_STRING	0x2cc610	0x344	data	English	United States	0.37320574162679426
RT_STRING	0x2cc954	0x2f8	data	English	United States	0.4039473684210526
RT_STRING	0x2ccc4c	0x598	data	English	United States	0.2807262569832402
RT_STRING	0x2cd1e4	0x3aa	StarOffice Gallery theme i, 1627418368 objects, 1st n	English	United States	0.4211087420042644
RT_STRING	0x2cd590	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x2cdb50	0x568	data	English	United States	0.32875722543352603
RT_STRING	0x2ce0b8	0x164	data	English	United States	0.5421348314606742
RT_STRING	0x2ce21c	0x520	data	English	United States	0.39176829268292684
RT_STRING	0x2ce73c	0x1a0	data	English	United States	0.45913461538461536
RT_STRING	0x2ce8dc	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x2cea68	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x2cec80	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x2cf2a4	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x2cf904	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x2cfbe8	0x4c	data	English	United States	0.7763157894736842
RT_VERSION	0x2cfc34	0x2dc	data	English	United States	0.453551912568306
RT_HTML	0x2cff10	0x37c8	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08291316526610644
RT_HTML	0x2d36d8	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x2d49f0	0x4fa	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3626373626373626
RT_HTML	0x2d4eec	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x2db9bc	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x2dc060	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x2dd0ac	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x2de660	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x2e06bc	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x2e3d4c	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, CreateThread, WaitForSingleObject, GetProcAddress, LoadLibraryExW, Sleep, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FormatMessageW, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:10:09
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\w4Xl662CE7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\w4Xl662CE7.exe"
Imagebase:	0xea0000
File size:	49'206'760 bytes
MD5 hash:	D350F9D68867C04A5834D40ED20435A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:10:13
Start date:	13/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff65b6a0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:10:14
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F4295AFC544D7720538B75B4E254EF96 C
Imagebase:	0x910000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:10:15
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\w4Xl662CE7.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488867 " AI_EUIMSI=""
Imagebase:	0x910000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:10:16
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding FCF7C67D7B0D5412E5FD6BA69DD16D34
Imagebase:	0x910000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	102

Executed Functions

Function 00FB7D70 Relevance: 24.5, APIs: 2, Strings: 11, Instructions: 1745COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00FB7F67
SetEvent.KERNEL32(?), ref: 00FB7FC5

Part of subcall function 00FC2AB0: DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,8CB281B6), ref: 00FC2ADB

Strings

%hu, xrefs: 00FB82DD
Language used for UI:, xrefs: 00FB85CE
Language of a related product is:, xrefs: 00FB849C
Advinst_Extract_, xrefs: 00FB7DC5, 00FB7DD7, 00FB7DE1
Code returned to Windows by setup:, xrefs: 00FB8121
A valid language was received from commnad line. This is:, xrefs: 00FB82AF
Languages of setup:, xrefs: 00FB907D
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00FB8434
AI_BOOTSTRAPPERLANGS, xrefs: 00FB8E29, 00FB8E3B, 00FB8E45
Software\Caphyon\Advanced Installer\, xrefs: 00FB8420
Language selected programatically for UI:, xrefs: 00FB8552

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: EventInit_thread_footer$DeleteFileFindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 4144826820-297406034
Opcode ID: 06216b2e15a2f405a58ecc0df188a003d9f7fd70f1630d877c3be9403b178e66
Instruction ID: 35e3f9227afc93d7fca581edce0be4c4fbf1481029853604a4bdddaf842a4187
Opcode Fuzzy Hash: 06216b2e15a2f405a58ecc0df188a003d9f7fd70f1630d877c3be9403b178e66
Instruction Fuzzy Hash: 56E2B130A0060ADFDB10DBA9CC45BEEB7F9EF45324F188269E415AB292DB349D05DF90

Function 00FDB350 Relevance: 21.6, APIs: 10, Strings: 2, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SELECT `Value` FROM `Property` WHERE `Property` = '%s', xrefs: 00FDB3BE
PackageCode, xrefs: 00FDB69B

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: PackageCode$SELECT `Value` FROM `Property` WHERE `Property` = '%s'
API String ID: 0-2409377028
Opcode ID: 2a3f9bab3325e56c7374c761f68ab66c9e2ceaa340509b871f74000c01276bd4
Instruction ID: e6c9b92470d8d4e35f43bfcc913fc8bc102e3ac87c18b54c7be517cad61c560b
Opcode Fuzzy Hash: 2a3f9bab3325e56c7374c761f68ab66c9e2ceaa340509b871f74000c01276bd4
Instruction Fuzzy Hash: 91120171A00205DFDB10DF68DC48BAEBBE9FF45320F19416AE915AB391DB75E900DBA0

Function 00EBA950 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 877fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00EBAA5F
PathIsUNCW.SHLWAPI(00000001,*.*), ref: 00EBAAC3
FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 00EBAD0C
GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00EBAD26
GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 00EBAD5A
FindClose.KERNEL32(00000000), ref: 00EBADCB
SetLastError.KERNEL32(0000007B), ref: 00EBADD5
PathIsUNCW.SHLWAPI(?,?,8CB281B6,?,00000000), ref: 00EBB00E

Strings

\\?\UNC\, xrefs: 00EBAAE3, 00EBABFF, 00EBB02E, 00EBB13A
*.*, xrefs: 00EBAA8A, 00EBAA94
\\?\, xrefs: 00EBAC1A, 00EBACD0, 00EBB155, 00EBB209

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: d4766fc26d99b4c29273289425bc8f54a62914b75a6826a204d3368334a0b709
Instruction ID: 72fc5f50d4a1af23f3bd30a731aab84f4725aade87eb0f5cdf4d2c434ea2e661
Opcode Fuzzy Hash: d4766fc26d99b4c29273289425bc8f54a62914b75a6826a204d3368334a0b709
Instruction Fuzzy Hash: F762F431A006069FDB14DF68C888BAFB7E5FF84314F148669E815EB3A1DB71AD40CB91

Function 00FCEAB0 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FCEAF8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FCEB05
GetLastError.KERNEL32 ref: 00FCEB0F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00FCEB39
GetLastError.KERNEL32 ref: 00FCEB3F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 00FCEB65
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FCEB98
EqualSid.ADVAPI32(00000000,?), ref: 00FCEBA7
FreeSid.ADVAPI32(?), ref: 00FCEBB6
CloseHandle.KERNEL32(00000000), ref: 00FCEBF0

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: 7d756cd9d58ce4edeaeaf4a752e26ef23fe34ea9ff5d38cb8bfc8762be8dcf05
Instruction ID: d787b799d063a152da5430e684509a794200871fe7fea7db3ceda863f27c83d9
Opcode Fuzzy Hash: 7d756cd9d58ce4edeaeaf4a752e26ef23fe34ea9ff5d38cb8bfc8762be8dcf05
Instruction Fuzzy Hash: 96411A75D0020AABDF24DFA4CD89BEEBBB8FF18714F104029E411B6290D779AA44DB64

Function 00FC14D0 Relevance: 15.7, APIs: 10, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 65e1b2504b43387f1a9a755e598f6a65bcb189993e0d394fcedfad89b28c1cc8
Instruction ID: 7ad4439647fa500c6e8463e0b35eb1bf52fa11ac4f4364e84081156016aa708e
Opcode Fuzzy Hash: 65e1b2504b43387f1a9a755e598f6a65bcb189993e0d394fcedfad89b28c1cc8
Instruction Fuzzy Hash: 6C62AD30E0024ACFDB10CFA8C985B9EBBF5BF46314F14829DE415AB292DB74AE55DB50

Function 00FC4050 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

GetLocaleInfoW.KERNEL32(?,00000002,010C337C,00000000), ref: 00FC40C1
GetLocaleInfoW.KERNEL32(?,00000002,00FC3B85,-00000001,00000078,-00000001), ref: 00FC40FD
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00FC4181
PeekMessageW.USER32(?,00000000), ref: 00FC41C7
TranslateMessage.USER32(00000000), ref: 00FC41D2
DispatchMessageW.USER32(00000000), ref: 00FC41D9
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00FC41EB

Strings

%d-%s, xrefs: 00FC4107

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Message$InfoInit_thread_footerLocaleMultipleObjectsWait$DispatchHeapPeekProcessTranslate
String ID: %d-%s
API String ID: 445213441-1781338863
Opcode ID: bf1506d0c05c786ebbdb89f6dcd439bcbbc2de619a8516ca6caf27b23ed44ce1
Instruction ID: f7f505aecd4d02cbd20cb9894650e263c2eabe7d0c57e4b41a0f708e3b2919ab
Opcode Fuzzy Hash: bf1506d0c05c786ebbdb89f6dcd439bcbbc2de619a8516ca6caf27b23ed44ce1
Instruction Fuzzy Hash: 9B510771A40206ABE710DF54CD46FAEBBF8EF49724F10462DF614AB2C1DB71A944CBA0

Function 00FDA240 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00FDA2CE
GetLastError.KERNEL32 ref: 00FDA2D4
GetUserNameW.ADVAPI32(00000000,?), ref: 00FDA31C
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00FDA352
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00FDA39C

Strings

UserDomain, xrefs: 00FDA34D, 00FDA397

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: EnvironmentNameUserVariable$ErrorLast
String ID: UserDomain
API String ID: 3567734997-2275544873
Opcode ID: 3c0b92b0b39a0d5a73cb6c3c99f9b7f3ad64b4af837891155025e93141dae4db
Instruction ID: 353ee3f30ea4489f831fe31ba0eb5d894979d06d0eabbb701f7299ac7ea7af90
Opcode Fuzzy Hash: 3c0b92b0b39a0d5a73cb6c3c99f9b7f3ad64b4af837891155025e93141dae4db
Instruction Fuzzy Hash: 7F610671A00209DFDB24DFA8C895BEEBBF5FF08714F14412AE401A7280DB756A45CBA5

Function 00FA2350 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,8CB281B6,00000000,?,00000000), ref: 00FA238E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FA23B1
FreeLibrary.KERNEL32(00000000), ref: 00FA242F

Strings

LoadIconMetric, xrefs: 00FA23AB
ComCtl32.dll, xrefs: 00FA2382

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 145871493-764666640
Opcode ID: ffb0804f27fde2c405c072016f87b421bca236843d9bf18a55c01af45c28c563
Instruction ID: e42658f8e0540a666879e808eea801fdc6182094f289b305539d555bdf651a2b
Opcode Fuzzy Hash: ffb0804f27fde2c405c072016f87b421bca236843d9bf18a55c01af45c28c563
Instruction Fuzzy Hash: 9E3175B1A04359ABDF148F99CC45BAFBFF8EB49764F00412AF915A7280D77989408B90

Function 00F61FB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F61FF1

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

_wcschr.LIBVCRUNTIME ref: 00F620AF

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 00F620C4

Strings

Kernel32.dll, xrefs: 00F61FCC, 00F6209F, 00F620A0, 00F62134

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem_wcschr
String ID: Kernel32.dll
API String ID: 1122257418-1926710522
Opcode ID: 51871dd6ef72ccd349777cd81e876e5b2ef83a45ef1de645083eabda95784310
Instruction ID: 3d236067ea1345c3629b1ad083a2ce20aa201fdfde02b3cd6dab3ed41e6bea43
Opcode Fuzzy Hash: 51871dd6ef72ccd349777cd81e876e5b2ef83a45ef1de645083eabda95784310
Instruction Fuzzy Hash: 82A1AFB0900B45EFE714CF24C818B9ABBF4FF04318F14825DD8599B681D7BAA618CF91

Function 00FCC990 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FCCA6A

Strings

\, xrefs: 00FCC9EC
\, xrefs: 00FCCA0E
\, xrefs: 00FCC9E4

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 0b0c7b2173c1b85c706af7510ef3ca3fe6aefb81f1b1098069ab67c20f5fa63a
Instruction ID: 5611fada584507a4f1284772c2561237a722b22ce3248d44efa31f2dca39eb86
Opcode Fuzzy Hash: 0b0c7b2173c1b85c706af7510ef3ca3fe6aefb81f1b1098069ab67c20f5fa63a
Instruction Fuzzy Hash: F441F422D0421A8ACB30DF24855AFABB7F4FF95364F154A2EE8DD93040E3348D85A3C6

Function 01035D0D Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,00EB0DC7,?,?,00EB0B74,?), ref: 01035D12
HeapAlloc.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035D19
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00EB0B74,?), ref: 01035D5F
HeapFree.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035D66

Part of subcall function 01035BAB: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,01035D55,00000000,?,?,00EB0B74,?), ref: 01035BCF
Part of subcall function 01035BAB: HeapAlloc.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035BD6

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 40a962ee03c4d668322177b39079d7c04579383e50b894015a994769df6387a3
Instruction ID: 33cd1998514a88696a848ceedcb1a8ae3cd4c34a80a1284b2ae155e260c81d47
Opcode Fuzzy Hash: 40a962ee03c4d668322177b39079d7c04579383e50b894015a994769df6387a3
Instruction Fuzzy Hash: FFF0E932614B1257C7B53FBCBC4CA9F2AADEFC06A17018419F1C6C6168DF34C4024B60

Function 00FA43B0 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00FA444F
FindClose.KERNEL32(00000000), ref: 00FA44AE

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 4a2ad43b8f21c9b4868498a05ead448df42bce4538321c00958d57674b62b244
Instruction ID: df76503a431d7a02e9455fd27bd48ef399c97b80e25f2d066c1f840693d763bb
Opcode Fuzzy Hash: 4a2ad43b8f21c9b4868498a05ead448df42bce4538321c00958d57674b62b244
Instruction Fuzzy Hash: FC31E4B5D01218DBCB38DF54C888BAAB7B4FB89324F20865AED5997380D3B16D44DB90

Function 00FC2380 Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 5c70d483fab87c8c5ffb8178108f8aefdfa239dc8f285372d81b888a00a050f2
Instruction ID: 5b23839e9a0389ccff19f0400cda87376b9c6f0dd476567422bd56f5a135070e
Opcode Fuzzy Hash: 5c70d483fab87c8c5ffb8178108f8aefdfa239dc8f285372d81b888a00a050f2
Instruction Fuzzy Hash: AAE17C30A0060A9FDB14CFA8CD85FAEBBF5FF44324F14816DE815AB292DB74A905DB50

Function 00FA3DE0 Relevance: 3.1, APIs: 2, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc6e2c359fdc24e0eed145e52c6c0014b2fee5f554f8600cf617f8a3bffe2f0
Instruction ID: 0c9e70295af059f917df1c857ead41d8bc67329f483936d746a0ac0d03a6f13e
Opcode Fuzzy Hash: 6fc6e2c359fdc24e0eed145e52c6c0014b2fee5f554f8600cf617f8a3bffe2f0
Instruction Fuzzy Hash: F0419D71A11249DFDB28DF68C8957EEB3B4FF11320F148229F8259B291EB34AE04DB50

Function 00FDBB20 Relevance: 3.1, APIs: 2, Instructions: 85filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,8CB281B6,8CB281B6,?,?,?,00000000,010A6015), ref: 00FDBBA8
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,8CB281B6,8CB281B6,?,?,?,00000000,010A6015,000000FF), ref: 00FDBBCA

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: 19b98bf1d9ad8855693317b1e5f873e5c4ccc8efeddc7016ab97d419831855fa
Instruction ID: 52cfa92df0e84c053e23da36a16de052c5453c6391ef85453baa37b6991d66ee
Opcode Fuzzy Hash: 19b98bf1d9ad8855693317b1e5f873e5c4ccc8efeddc7016ab97d419831855fa
Instruction Fuzzy Hash: 3F31E131A84745AFD7308F14CC01B96BBA5EB05B20F14866FF9A5AB7D0CB76A900DB40

Function 00ED21E0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00ED21F8
SetUnhandledExceptionFilter.KERNEL32(00FA0760), ref: 00ED220E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 79da2a0ecdd37aeaa94d6f9a281eed6e75d7c419b6d7ce8c83e130306103ff30
Instruction ID: 3290810f6688b291f6d3b0ecc2d49b1a58b325ef75b560b490df26f1611a94d3
Opcode Fuzzy Hash: 79da2a0ecdd37aeaa94d6f9a281eed6e75d7c419b6d7ce8c83e130306103ff30
Instruction Fuzzy Hash: 33E026BA9002002BC7226350AC09F8A3F68ABE3B11F084019F24823251C771A448D762

Function 00FE6D50 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA2890: __Init_thread_footer.LIBCMT ref: 00FA2970

CoCreateInstance.COMBASE(010C31D8,00000000,00000001,010DF490,000000B0), ref: 00FE6DCE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateInit_thread_footerInstance
String ID:
API String ID: 3436645735-0
Opcode ID: fb956baad856bcadd467c4b309fb7a04e84cfbf6550d03bf3744e0d47bea64a8
Instruction ID: 8fea3089bcdbafb5e5b99129c447fbebe13ceb3c30637cecceaabb8a62ca0546
Opcode Fuzzy Hash: fb956baad856bcadd467c4b309fb7a04e84cfbf6550d03bf3744e0d47bea64a8
Instruction Fuzzy Hash: C311AD75A04745EFD724CF59D805B4ABBF8EB45B20F10865EF8659B780C7BAA404CB90

Function 00FE15E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$CreateHeapInstanceProcess
String ID:
API String ID: 3807588171-0
Opcode ID: 0d97ec93fbae2bf057e6b686830218f13de5bd2f67d8632774eeaee45494a2a1
Instruction ID: 7763deb99b77bf50d75c664738b25ea19d0500b598c37e2e90e9de2eaf3c59e0
Opcode Fuzzy Hash: 0d97ec93fbae2bf057e6b686830218f13de5bd2f67d8632774eeaee45494a2a1
Instruction Fuzzy Hash: DD6165B4500745CFE720CF65C44839ABBE0FF09318F248A5DD88A9B782D7B9A609DB90

Function 00FA2BA0 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00FA2C0E
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00FA2C55
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00FA2C74
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00FA2CA3
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00FA2D18
RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00FA2D81
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00FA2DE4
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00FA2E36
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00FA2ED3
GetProcAddress.KERNEL32(00000000), ref: 00FA2EDA
__Init_thread_footer.LIBCMT ref: 00FA2EEE
GetCurrentProcess.KERNEL32(?), ref: 00FA2F11
IsWow64Process.KERNEL32(00000000), ref: 00FA2F18
RegCloseKey.ADVAPI32(00000000), ref: 00FA2F52

Strings

rs_prerelease, xrefs: 00FA2DA1
IsWow64Process, xrefs: 00FA2EC9
BuildBranch, xrefs: 00FA2D76
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00FA2C04
kernel32, xrefs: 00FA2ECE
CurrentVersion, xrefs: 00FA2C98
CurrentBuildNumber, xrefs: 00FA2D0D
ReleaseId, xrefs: 00FA2DD9
CurrentMajorVersionNumber, xrefs: 00FA2C4A
CSDVersion, xrefs: 00FA2E2B
CurrentMinorVersionNumber, xrefs: 00FA2C69
co_release, xrefs: 00FA2D89

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 1906320730-525127412
Opcode ID: 6911a12c41d2371e64bbb93a4be0a9618ae3515a08b5c161e76bca09259dff9c
Instruction ID: 2caa214b8ca409788fae9e754816a9afef2e46f791a8e0c08285acc1adc88400
Opcode Fuzzy Hash: 6911a12c41d2371e64bbb93a4be0a9618ae3515a08b5c161e76bca09259dff9c
Instruction Fuzzy Hash: 8AA170B5E00328DFDB64DF14CC45BDAB7F8FB05B15F0041AAE488A6184EB759A84CF90

Function 00FA2F80 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00FA2FF0
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00FA302B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00FA30A6
RegCloseKey.KERNEL32(00000000), ref: 00FA327E

Strings

Enterprise, xrefs: 00FA30F9
Storage Server, xrefs: 00FA3205
ProductType, xrefs: 00FA3020
BackOffice, xrefs: 00FA3112
Terminal Server, xrefs: 00FA3144
CommunicationServer, xrefs: 00FA312B
Small Business, xrefs: 00FA30E0
Blade, xrefs: 00FA31C0
DataCenter, xrefs: 00FA318F
Small Business(Restricted), xrefs: 00FA315D
Compute Server, xrefs: 00FA321C
Personal, xrefs: 00FA31A9
WinNT, xrefs: 00FA3031
ServerNT, xrefs: 00FA3054
EmbeddedNT, xrefs: 00FA3176
Security Appliance, xrefs: 00FA31EE
Embedded(Restricted), xrefs: 00FA31D7
ProductSuite, xrefs: 00FA309B
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00FA2FE6

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: bdb6c58a1261255c22981f617751d6d1de8ea213966f0632228b4d74ddccdf56
Instruction ID: 81069bf422c8235eba8cb847598f735cb1cbd556c0cbbf387656ed42d3de405c
Opcode Fuzzy Hash: bdb6c58a1261255c22981f617751d6d1de8ea213966f0632228b4d74ddccdf56
Instruction Fuzzy Hash: A17119B5F043499BDB209B24CC457AA72A5FF43754F1080B9F906AB685EB78DE45FB00

Function 00FC4960 Relevance: 37.0, APIs: 2, Strings: 19, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00FC49DC

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Part of subcall function 00EB2970: RaiseException.KERNEL32(?,?,00000000,00000000,01035A3C,C000008C,00000001,?,01035A6D,00000000,?,00EA91C7,00000000,8CB281B6,00000001,?), ref: 00EB297C

__Init_thread_footer.LIBCMT ref: 00FC4A2C

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

Strings

ProgramFiles, xrefs: 00FC6960, 00FC6975, 00FC697D
ProgramFiles64Folder, xrefs: 00FC6008
AppDataFolder, xrefs: 00FC69C8, 00FC6A05
WindowsVolume, xrefs: 00FC6424, 00FC6439, 00FC6443
Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64, xrefs: 00FC4A64
SHGetFolderPathW, xrefs: 00FC6707
APPDATA, xrefs: 00FC6A57, 00FC6A5F
System32Folder, xrefs: 00FC625D, 00FC6272, 00FC627C
shfolder.dll, xrefs: 00FC66D6
Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86, xrefs: 00FC4B03
ProgramFilesFolder, xrefs: 00FC68E7
Shlwapi.dll, xrefs: 00FC6877
ProgramW6432, xrefs: 00FC6064
SystemFolder, xrefs: 00FC613F, 00FC6154, 00FC615E
TempFolder, xrefs: 00FC64BF
WindowsFolder, xrefs: 00FC6344, 00FC6359, 00FC6363
PROGRAMFILES, xrefs: 00FC6A3D
SETUPEXEDIR, xrefs: 00FC654C
Shell32.dll, xrefs: 00FC68A3

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AllocateConditionExceptionHeapRaiseVariableWake
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64/Windows 11 x64$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2519272855-3044903971
Opcode ID: e11ee53c41f187ae785e56ac24831a8dbba4f9ceb72a1f88e9c528d0c3696528
Instruction ID: 5e0f52e3cdd78b0407bfa81efdd289249ab569c93163b5e45cf8fabeb96895f7
Opcode Fuzzy Hash: e11ee53c41f187ae785e56ac24831a8dbba4f9ceb72a1f88e9c528d0c3696528
Instruction Fuzzy Hash: 11712371D002079FDB10EBA8CA53FEEB3A0AF61724F10456CE466AB291E735ED01E751

Function 00FB64D0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 495
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

GetTickCount.KERNEL32 ref: 00FB6554
__Xtime_get_ticks.LIBCPMT ref: 00FB655C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB65A6
__Init_thread_footer.LIBCMT ref: 00FB67A1
GetCurrentProcess.KERNEL32 ref: 00FB6B06
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FB6B16
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00FB6B42
CloseHandle.KERNEL32(00000000), ref: 00FB6B83

Strings

\/:*?"<>|, xrefs: 00FB6763

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 3363527671-3830478854
Opcode ID: 428c099397436e6f40c83afcac2a85d39b69a9629273d7cf47519bef0e4670a0
Instruction ID: 4812d4a107624e0990143950d9bd59cc781f03ddb29341ac41093114d85edfcb
Opcode Fuzzy Hash: 428c099397436e6f40c83afcac2a85d39b69a9629273d7cf47519bef0e4670a0
Instruction Fuzzy Hash: A522AF74D00218DFDB24DF68C855BEEBBB4BF45314F1481A9E449AB282DB78AE44DF90

Function 00FDF7B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,00FC181B,?,?,?,?,?), ref: 00FDF7C5

Strings

ExtractAllFiles, xrefs: 00FDF817
InitExtraction, xrefs: 00FDF7FD
EndExtraction, xrefs: 00FDF829
GetTotalFilesSize, xrefs: 00FDF805

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: LibraryLoad
String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
API String ID: 1029625771-3462492388
Opcode ID: 981ef37437e5874e02edbcb3947326574b0fa3c7326925a138bfa1d42b185d7d
Instruction ID: edaae8a5bf86e0b2dd3ce5d67c7303288537b1f2429641295dbbb15d16182101
Opcode Fuzzy Hash: 981ef37437e5874e02edbcb3947326574b0fa3c7326925a138bfa1d42b185d7d
Instruction Fuzzy Hash: 7401527AD043169BCB789B25E8188497F62BB54722700843BF5A38732DC7354896DF91

Function 00F8DDA0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 96
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,8CB281B6,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00F8DDE3
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00F8DE0C
RegCreateKeyExW.KERNEL32(?,)r,00000000,00000000,00000000,?,00000000,00000000,?,8CB281B6,?,?,?,00000000,?,Function_001BDD00), ref: 00F8DE59
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00F8DE6C

Strings

RegCreateKeyTransactedW, xrefs: 00F8DE06
Advapi32.dll, xrefs: 00F8DDDE
)r, xrefs: 00F8DDBD, 00F8DDF2
)r, xrefs: 00F8DE53, 00F8DE2B

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: )r$)r$Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2784544694
Opcode ID: 4978b8f79e4230d733470dcabf43a0c450b5f82c57a094dc451d14be55ffedd6
Instruction ID: 5813372794538139ca62b03637b61089a0e8c79595a6ffada339fbbc533d419c
Opcode Fuzzy Hash: 4978b8f79e4230d733470dcabf43a0c450b5f82c57a094dc451d14be55ffedd6
Instruction Fuzzy Hash: C1318272B40209AFDB249F45DC45FE7B7A8FF54B60F10812AF9159A2C0E771A810D794

Function 01035A9F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,01035DE5,01144C90,?,?,?,00F000E6,?,8CB281B6,?,?,?,00F481B7), ref: 01035AB1
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,01035DE5,01144C90,?,?,?,00F000E6,?,8CB281B6,?,?), ref: 01035AC6
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F481B7), ref: 01035B42

Strings

AtlThunk_InitData, xrefs: 01035AEE
AtlThunk_FreeData, xrefs: 01035B1C
atlthunk.dll, xrefs: 01035AC1
AtlThunk_DataToCode, xrefs: 01035B05
AtlThunk_AllocateData, xrefs: 01035AD7

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: a26a5db78421eaf7b299dfa0e30c51edc3503eed196f8fb455856436004ed4d1
Instruction ID: 5df9d24f4309b566c2924b65fb7008d779bffa71b7b8d0c8b5df4da8d168eb05
Opcode Fuzzy Hash: a26a5db78421eaf7b299dfa0e30c51edc3503eed196f8fb455856436004ed4d1
Instruction Fuzzy Hash: C00122B0601300BBEB7957279C43FDA7BDD5B51A4AF080098FDC27B362E79185048AAA

Function 00FE0BE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FA29D0: __Init_thread_footer.LIBCMT ref: 00FA2AA2

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,8CB281B6,00000000,00000000), ref: 00FE0C34
GetTempPathW.KERNEL32(00000104,?), ref: 00FE0CC9
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00FE0CFA
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00FE0D2D
CopyFileW.KERNEL32(?,?,00000000), ref: 00FE0D4F
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00FE0D7E

Strings

shim_clone, xrefs: 00FE0CEE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
String ID: shim_clone
API String ID: 4264308349-3944563459
Opcode ID: c6f1af83c4e9e5be00d8596ce9ab2af92624d55f8f0ee90a1c42c5f9a0dff8b0
Instruction ID: e315b991eab3a01f871bf83bae5d4ec7afff9c9ea70a923a8e8ee89b8e572fed
Opcode Fuzzy Hash: c6f1af83c4e9e5be00d8596ce9ab2af92624d55f8f0ee90a1c42c5f9a0dff8b0
Instruction Fuzzy Hash: 8E512430A402589ADB34DB65CC44BEEB7B9EF94B10F1481AAF545972C0DFB5AF84CB90

Function 00FC2810 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00FC29D1
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00FC2A30
SetEndOfFile.KERNEL32(?), ref: 00FC2A39
CloseHandle.KERNEL32(?), ref: 00FC2A52

Strings

Not enough disk space to extract file:, xrefs: 00FC28DB
%sholder%d.aiph, xrefs: 00FC29AD

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$CloseCreateHandlePointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 22866420-929304071
Opcode ID: 633a789b48e83b3c4ac367d03aab294fab79a0d2ed89865617ac6dee223dcf85
Instruction ID: b0971faecaca8955bcd665cd022ad6baaf4663ddc1cf998337e270a71d5cb815
Opcode Fuzzy Hash: 633a789b48e83b3c4ac367d03aab294fab79a0d2ed89865617ac6dee223dcf85
Instruction Fuzzy Hash: B181A271A0020A9FDB10DF68CD46BAEB7A4FF49720F14862DF915AB291DB35AD01DB90

Function 00FDF2F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,-00000400,?,00000002,00000400,8CB281B6,?,?,?,?,?), ref: 00FDF396
GetLastError.KERNEL32(?,?,?,?), ref: 00FDF3A4
ReadFile.KERNEL32(?,00000000,00000400,000000FF,00000000,?,?,?,?), ref: 00FDF3BF

Strings

ADVINSTSFX, xrefs: 00FDF3F3, 00FDF4AE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: 8b37e0e8909c63294262a7398625c9471da3958ebd0bd0fd1e227989782b69e2
Instruction ID: e5de492744d215810f6d96c93a664291419e3bc1407e1a5f52833302a433d99a
Opcode Fuzzy Hash: 8b37e0e8909c63294262a7398625c9471da3958ebd0bd0fd1e227989782b69e2
Instruction Fuzzy Hash: 2861B371E001099BDB10CF68C885FAFB7BAFF46320F288666E516A7381D7359D49DB60

Function 00EB27B1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00EB2850
GetWindowLongW.USER32(?,000000FC), ref: 00EB2865
CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00EB287B
GetWindowLongW.USER32(?,000000FC), ref: 00EB2895
SetWindowLongW.USER32(?,000000FC,?), ref: 00EB28A5

Strings

$, xrefs: 00EB27F9

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: aa37455db426d531bf48a5ef786e4531eb1acf87b9bdd0f69bc461d68fbeca59
Instruction ID: c56367a4c0c740ad0f4c3b04e051ad1bffb8d7250054e3c2700b07953c2a5c37
Opcode Fuzzy Hash: aa37455db426d531bf48a5ef786e4531eb1acf87b9bdd0f69bc461d68fbeca59
Instruction Fuzzy Hash: C5412371508700AFC724DF19D884A5BBBF4FF89B24F105A2DF5A6936A0C772E8448F51

Function 00F6D900 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,8CB281B6,?,?,?,?,?,Function_001BDD00,000000FF,?,00F9EE1C,?,?,000000FF), ref: 00F6D943
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00F6D96C
RegOpenKeyExW.KERNEL32(?,8CB281B6,00000000,?,00000000,8CB281B6,?,?,?,?,?,Function_001BDD00,000000FF,?,00F9EE1C,?), ref: 00F6D9A5
RegCloseKey.ADVAPI32(00000000,?,?,?,Function_001BDD00,000000FF,?,00F9EE1C,?,?,000000FF), ref: 00F6D9B8

Strings

Advapi32.dll, xrefs: 00F6D93E
RegOpenKeyTransactedW, xrefs: 00F6D966

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: e2aea97538f1879707d5798d0948bcd69123a952124aeb8168ff6a3b5bd51620
Instruction ID: 8a215c7b302ceddb1272c308eb9062fe6674893e04c7ea25d9798bb94afb3782
Opcode Fuzzy Hash: e2aea97538f1879707d5798d0948bcd69123a952124aeb8168ff6a3b5bd51620
Instruction Fuzzy Hash: DF219572F04205EFDB248F45DC45BABBBB8FB45B60F04852AF815DB280E775A800DB50

Function 00FBD210 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00FBD230
GetWindowRect.USER32(00000000,?), ref: 00FBD246
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00FBCFF7,?,00000000), ref: 00FBD25F
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00FBCFF7,?), ref: 00FBD26A
GetDlgItem.USER32(?,000003E9), ref: 00FBD27C
GetWindowRect.USER32(00000000,?), ref: 00FBD292
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206), ref: 00FBD2D8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 009152ad4663014339474de667ebceb922e1a0e8e41e928f62755178f245cf6d
Instruction ID: 2415cf31f7bac8c050a867bf59591382cbfdab8b71107170a2a4546e0a733ee5
Opcode Fuzzy Hash: 009152ad4663014339474de667ebceb922e1a0e8e41e928f62755178f245cf6d
Instruction Fuzzy Hash: 97218D74614300AFD314DF34D849B6BBBE8EF89714F04862DF8699A281E770ED85CB92

Function 00FC0FF0 Relevance: 9.4, APIs: 6, Instructions: 354fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,8CB281B6,?,?,00000002,?,?,?,?,?,?,00000000,010A0932), ref: 00FC1047
GetLastError.KERNEL32(?,00000002), ref: 00FC12D9
GetLastError.KERNEL32(?,00000002), ref: 00FC1383
GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,010A0932,000000FF,?,00FBFF4A,00000010), ref: 00FC1056

Part of subcall function 00FA2230: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,8CB281B6,00000008,00000000), ref: 00FA227B
Part of subcall function 00FA2230: GetLastError.KERNEL32 ref: 00FA2285

ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00FC1118
ReadFile.KERNEL32(?,8CB281B6,00000000,00000000,00000000,00000001,?,00000002), ref: 00FC1195

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: a0caeaf80c14adf500d8fa783286b5948f8447f968f353ab7e296910988cbe2f
Instruction ID: c4b7d2619fe1f688edecbd47eb0661ab671e80872c5aa6dc79d85c35b69244b2
Opcode Fuzzy Hash: a0caeaf80c14adf500d8fa783286b5948f8447f968f353ab7e296910988cbe2f
Instruction Fuzzy Hash: 08D1A171D0020ADFDB00DFA8C985BAEF7B5FF45324F148269E815AB392E734A915DB90

Function 00FE1080 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,8CB281B6,8CB281B6,?,01144C50,?,?,00FC3989,?,8CB281B6,?,?,?,00000000,010A10D5), ref: 00FE10E5
GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,01144C50,?,?,00FC3989,?,8CB281B6,?,?,?,00000000), ref: 00FE1133

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 00FE119D
\VarFileInfo\Translation, xrefs: 00FE1167
ProductName, xrefs: 00FE1193

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: 57b46db9aa4ac88da68facab1d47f6261208dc0752b406f8ab919194d0b8cfe7
Instruction ID: 30a178f7f2e49fe6891b725484c1d3a0efd0ad13da41635ca5d3d4eab3e51f5b
Opcode Fuzzy Hash: 57b46db9aa4ac88da68facab1d47f6261208dc0752b406f8ab919194d0b8cfe7
Instruction Fuzzy Hash: 3671BE71D002499BDB14DFAACC49AAEBBF9FF45324F148169E911EB291DB349D00DBA0

Function 00FE0F70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE0BE0: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,8CB281B6,00000000,00000000), ref: 00FE0C34
Part of subcall function 00FE0BE0: GetTempPathW.KERNEL32(00000104,?), ref: 00FE0CC9
Part of subcall function 00FE0BE0: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00FE0CFA
Part of subcall function 00FE0BE0: Wow64DisableWow64FsRedirection.KERNEL32(00000000,?), ref: 00FE0D2D

GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,8CB281B6,00000000,?,?,00000000,010A70A5,000000FF,Shlwapi.dll,00FE0F26,?,?,00000010), ref: 00FE0FBD
GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,00000010), ref: 00FE0FE9
GetLastError.KERNEL32(?,00000010), ref: 00FE102E
DeleteFileW.KERNEL32(?), ref: 00FE1041

Strings

Shlwapi.dll, xrefs: 00FE0F70, 00FE0FA8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$InfoPathTempVersionWow64$DeleteDisableErrorFolderLastNameRedirectionSize
String ID: Shlwapi.dll
API String ID: 1841109139-1687636465
Opcode ID: 3f32a9873ac0a1eb60572619a848df36776f3d1c6df95182b4d22052471fd687
Instruction ID: eedb9c118ac8970a337a0c7c9db6c8900eb4cb6445926dc79d09fa42908bb6b7
Opcode Fuzzy Hash: 3f32a9873ac0a1eb60572619a848df36776f3d1c6df95182b4d22052471fd687
Instruction Fuzzy Hash: B231A671D00249EBDB25CFA6C844BEFBBB8FF44760F14412AE511A7240D7359A41DBA1

Function 00FE0810 Relevance: 7.7, APIs: 5, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,8CB281B6,?,?,00000000,?,?,?,?,010A6FED,000000FF,?,00FC1C3D), ref: 00FE0850
CreateThread.KERNEL32(00000000,00000000,00FE0BD0,?,00000000,?), ref: 00FE0886
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FE098F
GetExitCodeThread.KERNEL32(00000000,?), ref: 00FE099A
CloseHandle.KERNEL32(00000000), ref: 00FE09BA

Part of subcall function 00EB2970: RaiseException.KERNEL32(?,?,00000000,00000000,01035A3C,C000008C,00000001,?,01035A6D,00000000,?,00EA91C7,00000000,8CB281B6,00000001,?), ref: 00EB297C

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
String ID:
API String ID: 3595790897-0
Opcode ID: 7202c448fab0b76de233194bc7ff564db08d13e795237a5aeabd3e89f7ef61b8
Instruction ID: 123062b57cdc7aac514f32aace8ae83d7bece5323620e683b0b93b9085ed3ffc
Opcode Fuzzy Hash: 7202c448fab0b76de233194bc7ff564db08d13e795237a5aeabd3e89f7ef61b8
Instruction Fuzzy Hash: 38516A74A007099FDB24CF69C884BAEB7F4FF48710F248659E956A7352D770E880CB50

Function 00FA45A0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

PathIsUNCW.SHLWAPI(?,?), ref: 00FA4736
_wcschr.LIBVCRUNTIME ref: 00FA4752

Strings

\\?\UNC\, xrefs: 00FA4631, 00FA46A9, 00FA46AF
\\?\, xrefs: 00FA4718, 00FA471E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcess_wcschr
String ID: \\?\$\\?\UNC\
API String ID: 660126660-3019864461
Opcode ID: a4a14339e80133ed4caebd7560380374665b83cd5bec05886006e9f9c5b7ce6a
Instruction ID: 2b7a4a79c0353b3b106b7492d53cf8faffcb69061f81707a6ad60c795f47df57
Opcode Fuzzy Hash: a4a14339e80133ed4caebd7560380374665b83cd5bec05886006e9f9c5b7ce6a
Instruction Fuzzy Hash: 17C18371A006499FDB00DBA8CC45BAEF7F9FF85324F148269E415E72D1DB78A904DBA0

Function 00FBDCC0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 326COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,8CB281B6,?,00000010,?), ref: 00FBDF8A

Part of subcall function 00FCEAB0: GetCurrentProcess.KERNEL32 ref: 00FCEAF8
Part of subcall function 00FCEAB0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FCEB05
Part of subcall function 00FCEAB0: GetLastError.KERNEL32 ref: 00FCEB0F
Part of subcall function 00FCEAB0: CloseHandle.KERNEL32(00000000), ref: 00FCEBF0

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

Strings

[WindowsVolume], xrefs: 00FBDD50, 00FBDD62, 00FBDD6C
Extraction path set to:, xrefs: 00FBDFDD
\\?\, xrefs: 00FBDF97

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 699919280-3538578949
Opcode ID: 386208f60713655a01db338c163a823e6350bff7205b64088ff285c6883348e2
Instruction ID: 05cb986f4ca676600080ccee70a602ff70d74e001668cb98e3cc25c70d4deaa8
Opcode Fuzzy Hash: 386208f60713655a01db338c163a823e6350bff7205b64088ff285c6883348e2
Instruction Fuzzy Hash: A2C1B130A016069FDB14EF69C884BEEF7F4AF45324F148268E415AB292EB70ED05DF91

Function 00FDC240 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 229filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(?,00000000,8CB281B6,?,000000FF,?,00000000,010A62A6,000000FF,?,00FDC45A,000000FF,?,00000001), ref: 00FDC27A
GetLastError.KERNEL32(?,00FDC45A,000000FF,?,00000001), ref: 00FDC284

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,8CB281B6,?,000000FF,?,00000000,010A62A6,000000FF,?,00FDC45A,000000FF,?), ref: 00FDC2C7

Strings

\\.\pipe\ToServer, xrefs: 00FDC4E4, 00FDC4F5, 00FDC4FF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
String ID: \\.\pipe\ToServer
API String ID: 2973225359-63420281
Opcode ID: d8d5d41af1a0bf4b025fdb64954458694dea1ca4ff18aa1b0e950ae667432f14
Instruction ID: b3bc4929247d20f8b04b4ae1072e42030e792700d36a3a806aea9a5abe03b9fb
Opcode Fuzzy Hash: d8d5d41af1a0bf4b025fdb64954458694dea1ca4ff18aa1b0e950ae667432f14
Instruction Fuzzy Hash: FA71CE71A04209EFDB14DF58C805BAEBBE9FF45724F14862EF8259B381DB75A900DB90

Function 0104EF42 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 0104F0F1

Part of subcall function 0104DC17: RtlAllocateHeap.NTDLL(00000000,00000000,0104D0E1,?,0104EE85,?,00000000,?,0103F625,00000000,0104D0E1,?,?,?,?,0104CEDB), ref: 0104DC49

__freea.LIBCMT ref: 0104F106
__freea.LIBCMT ref: 0104F116

Strings

`&, xrefs: 0104EF44, 0104F0BD

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID: `&
API String ID: 2243444508-2927270505
Opcode ID: f88bfcc3b7084a887d0cb754daacd8ae912fca03c548dbe1a5d32810b611a75b
Instruction ID: 75f543c951f32230b6ffe9f68492dfcf3a0bd51e508309d9c6f3cff9c1daee65
Opcode Fuzzy Hash: f88bfcc3b7084a887d0cb754daacd8ae912fca03c548dbe1a5d32810b611a75b
Instruction Fuzzy Hash: C651BFB2600217AFEB609EA8CCC0EBF3AE9EB45250F150178FE88D7150EB71DD408760

Function 00FB6200 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,8CB281B6,?,00000010,?,00FB9550,?), ref: 00FB6266
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00FB62AF
ReadFile.KERNEL32(00000000,8CB281B6,?,?,00000000,00000078,?), ref: 00FB62ED
CloseHandle.KERNEL32(00000000), ref: 00FB6339

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: f0d238dd42b52c775d614d008e06eb92e99a1524b96e61e7de51c20b208389ad
Instruction ID: cfeda844fe66f4ee954bd3dcd92ef4592f37f207ca6a305504d73a33fa33ab96
Opcode Fuzzy Hash: f0d238dd42b52c775d614d008e06eb92e99a1524b96e61e7de51c20b208389ad
Instruction Fuzzy Hash: 07418A71900609EBDB10DB99CC89BEEFBB8EF05724F14826AE411AB2D1D7789D44CF60

Function 00FE12C0 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,?,8CB281B6,?,?,00000000,0105D670,000000FF,?,00FE12A8,00000000,80004005,?,01144C50,?,?), ref: 00FE12F7
GetExitCodeThread.KERNEL32(00000001,80004005,?,?,00000000,0105D670,000000FF,?,00FE12A8,00000000), ref: 00FE1311
TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,0105D670,000000FF,?,00FE12A8,00000000), ref: 00FE1329
CloseHandle.KERNEL32(00000001,?,?,00000000,0105D670,000000FF,?,00FE12A8,00000000,80004005,?,01144C50,?,?,00FC3989), ref: 00FE1332

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: dd39f3569533b4752473a0821671f4472cabc464508797bbf5c957293e3b0aae
Instruction ID: 20adbb6b4213529e23e63cec06cd211d32a58aba0bf63edf307c8f5931437bbe
Opcode Fuzzy Hash: dd39f3569533b4752473a0821671f4472cabc464508797bbf5c957293e3b0aae
Instruction Fuzzy Hash: 41019275900745EFC7308F55CC45BA6B7FCFB04720F00862EF86592AA0D775A800CB50

Function 0105327C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01052DAC: GetOEMCP.KERNEL32(00000000,?,?,?,00000104), ref: 01052DD7

IsValidCodePage.KERNEL32(-00000030,00000000,?,`&,?,?,?,?,?,`&,010530C3,?,00000000,?,?,00000104), ref: 010532DD
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,`&,010530C3,?,00000000,?,?,00000104), ref: 0105331F

Strings

`&, xrefs: 0105327E, 0105328E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: `&
API String ID: 546120528-2927270505
Opcode ID: 756ffc9575366d4278645201c4458b5edb648f49d5fa425e9a8e438bc7522bd0
Instruction ID: 76e066870779a57654d06844efd1684c40640d54dd458a7401a5587c5609cc4e
Opcode Fuzzy Hash: 756ffc9575366d4278645201c4458b5edb648f49d5fa425e9a8e438bc7522bd0
Instruction Fuzzy Hash: 60510570A002459EEBA5CF79C4806ABFFE5FF41340F1885AEC5D68B252DA74A545CB50

Function 01050308 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,E8458D00,00000100,?,E8458D00,00000000), ref: 0105033C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,`&,0104F030,?,?,00000000,?,00000000), ref: 0105035A

Strings

`&, xrefs: 0105030A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: String
String ID: `&
API String ID: 2568140703-2927270505
Opcode ID: 087ca4e6928d9a39e1dcb6795b8200a93e4a7e40cc1315061676ecd66858e1c1
Instruction ID: 5d5342f0c758c49d0e1e0117a65062b26a8caafcebaff6975a3dd05e35287488
Opcode Fuzzy Hash: 087ca4e6928d9a39e1dcb6795b8200a93e4a7e40cc1315061676ecd66858e1c1
Instruction Fuzzy Hash: 0FF0643610051ABBCF226F95DC08EDF3F6AFB483A0F058121BE6825024CA36D871AB94

Function 00FC0B10 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,8CB281B6,?,?), ref: 00FC0B77
ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00FC0C84

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8b3da6f35da748461ff5df4148168e9e187ab983cf6a9f2a7fb13b5964dc420a
Instruction ID: c65b695ae5743a3eb757e4315c49798eb65a78ddf7e4a620474b37cb437dda49
Opcode Fuzzy Hash: 8b3da6f35da748461ff5df4148168e9e187ab983cf6a9f2a7fb13b5964dc420a
Instruction Fuzzy Hash: AE615E71D00609DFDB14CFA8C945B9DFBB8FB49720F14826EE825A7390DB75AA05CB90

Function 00FBE0A0 Relevance: 4.7, APIs: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,8CB281B6,?,?,?,80004005,?,00000000), ref: 00FBE13E
GetLastError.KERNEL32(?,?,?,80004005,?,00000000), ref: 00FBE176
GetLastError.KERNEL32(?,?,?,?,80004005,?,00000000), ref: 00FBE20F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: 5ac63a930fb457fea003aea0f107c54541295d4a80b2683d245734ca85d38184
Instruction ID: 0631743595bf1329a618edddf7d0e7443626901ffe378632486e3f8aeafb612b
Opcode Fuzzy Hash: 5ac63a930fb457fea003aea0f107c54541295d4a80b2683d245734ca85d38184
Instruction Fuzzy Hash: 0E51F071E00A059FDB20DF69CC41BEAF7B5FF45320F148629E92997390EB71A901DB90

Function 00FA4920 Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,8CB281B6,?,?,7556E010,00000000,0109AAC5,000000FF,?,00FE32A7,00000000,.part,00000005), ref: 00FA496B
CreateDirectoryW.KERNEL32(000000FF,00000000,?,?,010D2A4C,00000001,?), ref: 00FA4A2A
GetLastError.KERNEL32 ref: 00FA4A38

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 3493815d568a295dc50964f90d2b301c5ab2359f41d471e26c54fbe52496a211
Instruction ID: d3fc5eecb5adf3c8dafae372c28a1537004905fefcb00a74b63e77313452d8b9
Opcode Fuzzy Hash: 3493815d568a295dc50964f90d2b301c5ab2359f41d471e26c54fbe52496a211
Instruction Fuzzy Hash: 4061B171E002099FDB10DFA8C885BDEFBF4EF99320F148269E414A72D1DB79A904DB60

Function 0104C63C Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0104C636,?,0103AD12,?,?,8CB281B6,0103AD12,?), ref: 0104C64D
TerminateProcess.KERNEL32(00000000,?,0104C636,?,0103AD12,?,?,8CB281B6,0103AD12,?), ref: 0104C654
ExitProcess.KERNEL32 ref: 0104C666

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bdc45962f0df88606065f41076bf7fe0920585a3d83844dfc07bc5d136bc5144
Instruction ID: 5e5218f7237d875acf3ea90e43a9d791249d8c6366d7b63063f0486e09a1a014
Opcode Fuzzy Hash: bdc45962f0df88606065f41076bf7fe0920585a3d83844dfc07bc5d136bc5144
Instruction Fuzzy Hash: 4FD05E71002104BFDF103F60DD8C8DC3F2DEF08241700D021BA8645130CB36A841CB90

Function 00FB6660 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 312COMMON

Download Yara Rule

APIs

Part of subcall function 00FB64D0: GetTickCount.KERNEL32 ref: 00FB6554
Part of subcall function 00FB64D0: __Xtime_get_ticks.LIBCPMT ref: 00FB655C
Part of subcall function 00FB64D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB65A6

Part of subcall function 00FDA240: GetUserNameW.ADVAPI32(00000000,?), ref: 00FDA2CE
Part of subcall function 00FDA240: GetLastError.KERNEL32 ref: 00FDA2D4
Part of subcall function 00FDA240: GetUserNameW.ADVAPI32(00000000,?), ref: 00FDA31C
Part of subcall function 00FDA240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00FDA352
Part of subcall function 00FDA240: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00FDA39C

__Init_thread_footer.LIBCMT ref: 00FB67A1

Strings

\/:*?"<>|, xrefs: 00FB6763

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 2099558200-3830478854
Opcode ID: c1049327357df4d58f6eada204954e8ddcdaf0859d85be1010f91a34bb5ed61e
Instruction ID: e4c210ecb710d14456115e43c214e949ff48bb59a6f3bacbe9796d9eb47d27c0
Opcode Fuzzy Hash: c1049327357df4d58f6eada204954e8ddcdaf0859d85be1010f91a34bb5ed61e
Instruction Fuzzy Hash: EED1CF74D00258CFDB24DF64C8947EEBBB0BF16318F144199D449AB282DBB96E44DFA1

Function 00FA4C60 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,8CB281B6), ref: 00FA4E00

Part of subcall function 00FA4EC0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00FA4ECD

Strings

USERPROFILE, xrefs: 00FA4CAE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 1777821646-2419442777
Opcode ID: 06319678532f97bef591ddf9b0adc1f4c1b55862d19a8b6964fa9717a9f7db0d
Instruction ID: 69cd82d3bef62689fc4192f9d0e10beec7571e59cfa109054ed5634f476d16ea
Opcode Fuzzy Hash: 06319678532f97bef591ddf9b0adc1f4c1b55862d19a8b6964fa9717a9f7db0d
Instruction Fuzzy Hash: E961A3B1A00605DFDB14DF68C859BAEB7F4FF85720F10866DE815EB291DB71A900CB90

Function 01052E80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,010530CF,010530C3,00000000), ref: 01052EB2

Strings

`&, xrefs: 01052E82

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Info
String ID: `&
API String ID: 1807457897-2927270505
Opcode ID: 93c8047041c5daad6bd11db77d273cc9a5f9fbdf95c6d7a28421258877961167
Instruction ID: 9ae8be02f2ae605bb65f2db95a10c4d9954f183a120ecc823b40446e3b4dd361
Opcode Fuzzy Hash: 93c8047041c5daad6bd11db77d273cc9a5f9fbdf95c6d7a28421258877961167
Instruction Fuzzy Hash: 57511571504258DADB628A28DD84BEB7BA8EF59304F2405F9E9DAC7182D3359A46CB20

Function 00F04BF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,00000000), ref: 00F04CC1

Strings

$, xrefs: 00F04C2D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: LongWindow
String ID: $
API String ID: 1378638983-3993045852
Opcode ID: 0fe5a8936246b784fd5a0afef6f8735abb32ebe3416014530f4f6f03948828af
Instruction ID: 9c340bb0abe82c18319bf91b4036a18dfc275facd17a9f2728019c6346d855f8
Opcode Fuzzy Hash: 0fe5a8936246b784fd5a0afef6f8735abb32ebe3416014530f4f6f03948828af
Instruction Fuzzy Hash: D331BAB1605380DFEB249F09C88471ABBF0BF88720F04855DFA558B295D376E954EF92

Function 00FE18E0 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FE1931
EndDialog.USER32(00000000,00000001), ref: 00FE1940

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 4ce2bddabfa52ef9a0bf32d67da696f805fd0068e3a1724d547c6ca992fc5b44
Instruction ID: 4c9aa477b60f117e5761c4d44a84d8256c2c7becc74845acc92d8ef61b0aa426
Opcode Fuzzy Hash: 4ce2bddabfa52ef9a0bf32d67da696f805fd0068e3a1724d547c6ca992fc5b44
Instruction Fuzzy Hash: 50518A30A01785DFD721CF6AC948B9AFBF4FF45320F1482ADD4559B2A1D774AA04CB91

Function 00FBCFA0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00FBC783,00000000), ref: 00FBCFA0
DestroyWindow.USER32(?), ref: 00FBD057

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: fb46f5e5c410d75f569cdf53d9b3eb9bd31d3279bbf243530d85bb0d2fee0f58
Instruction ID: acfb53f794d9d84c2c9f8bc13c43d875ce8a3437c11117e2ef041cc7ee73d964
Opcode Fuzzy Hash: fb46f5e5c410d75f569cdf53d9b3eb9bd31d3279bbf243530d85bb0d2fee0f58
Instruction Fuzzy Hash: 4421E7B5A101099BD720AE19EC417EA77A8EB54370F004266FC14CB681DB7AEC61EBF5

Function 00FDF6D0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 00FDF735
CloseHandle.KERNEL32(?), ref: 00FDF789

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CloseFreeHandleLibrary
String ID:
API String ID: 10933145-0
Opcode ID: 1b18f8b3276d80d10a5aa6eef789f53ccf74f31f4a85310918a83df818096054
Instruction ID: 985f1852fb3c1b7ac5a69b8723c3a2a8d44455d93b4ffbc567a59b44b3a89a8b
Opcode Fuzzy Hash: 1b18f8b3276d80d10a5aa6eef789f53ccf74f31f4a85310918a83df818096054
Instruction Fuzzy Hash: FE219D75A046069FD368CF19D898B9ABBF8FB00B20F00422AE426C7394DB799945CF90

Function 00FA0F40 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA2350: LoadLibraryW.KERNEL32(ComCtl32.dll,8CB281B6,00000000,?,00000000), ref: 00FA238E
Part of subcall function 00FA2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FA23B1
Part of subcall function 00FA2350: FreeLibrary.KERNEL32(00000000), ref: 00FA242F

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00FA0F84
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA0F8F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: LibraryMessageSend$AddressFreeLoadProc
String ID:
API String ID: 3032493519-0
Opcode ID: e28f50ed29b29cef8cd2aba90973605de7b9fb8475984e6f1ad71e23a72948a4
Instruction ID: 7ac77ecc5ba09afb7cb7479b090a39e9cc97fb194bc58b4492d3e4137a0b59c0
Opcode Fuzzy Hash: e28f50ed29b29cef8cd2aba90973605de7b9fb8475984e6f1ad71e23a72948a4
Instruction Fuzzy Hash: 6BF01C327812183BFA6421595C46F67B64DD786B64E144266BA98AB6C2ECCA7C0102D8

Function 0104DBDD Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,0104EE96,00000000,0104D0E1,00000000,?,0103F625,00000000,0104D0E1,?,?,?,?,0104CEDB), ref: 0104DBF3
GetLastError.KERNEL32(?,?,0104EE96,00000000,0104D0E1,00000000,?,0103F625,00000000,0104D0E1,?,?,?,?,0104CEDB), ref: 0104DBFE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b6626a18b989749f8b56db4f430822a15bd83ec41d706478997698766d00ee15
Instruction ID: 463dab04f2f908718becacce2d8de1bf435e369a9679516b09c7a2446ff9e2b2
Opcode Fuzzy Hash: b6626a18b989749f8b56db4f430822a15bd83ec41d706478997698766d00ee15
Instruction Fuzzy Hash: F3E08671100215AFDB622FE5A84C7D97BADAB50795F048065F6889A061DA7584808B94

Function 00FC3E40 Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00FC4020,?), ref: 00FC3E8B

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: 53cd382bb421b005c50fc8490b93268b137f7bb4886dc789b6cc712f36f41f11
Instruction ID: 72511b3693f2e34fc60d8823ea6403804acb89b440cfe849b5b8b654c9ed6517
Opcode Fuzzy Hash: 53cd382bb421b005c50fc8490b93268b137f7bb4886dc789b6cc712f36f41f11
Instruction Fuzzy Hash: 23618C71E0120A9BDB14CF68C985F9EBBF4BF08354F00466DE914AB681E775E944DBA0

Function 00FC2AB0 Relevance: 1.6, APIs: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,8CB281B6), ref: 00FC2ADB

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b3158a987b60e3893cea18e72e05cd8ee81b3f725da762f7131899b5b62d7c18
Instruction ID: 2ac5674f6b2b9be67306ee1765a3a6349c02f843e2bf6db20d477b534f95f3e8
Opcode Fuzzy Hash: b3158a987b60e3893cea18e72e05cd8ee81b3f725da762f7131899b5b62d7c18
Instruction Fuzzy Hash: D641F231900616DFDB10DF58CA82F9AFBB8FF44720F0481ADE914AB285D775AD00DBA0

Function 00FA2890 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00FA2B00: __Init_thread_footer.LIBCMT ref: 00FA2B76

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

__Init_thread_footer.LIBCMT ref: 00FA2970

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
String ID:
API String ID: 984842325-0
Opcode ID: 08b71d509f0f9053a892e45988bdc62af8875261e8103de360c6a39ddd7a72ae
Instruction ID: d8b7d3ce479d81407ff0800ae58c760b5e59a18450d8a07df0d3db0949263f16
Opcode Fuzzy Hash: 08b71d509f0f9053a892e45988bdc62af8875261e8103de360c6a39ddd7a72ae
Instruction Fuzzy Hash: 3231F6F5A00A40DFD728DF08F845B4AB3A5F727F28F104229E86147788D3B6B984EB44

Function 00FDF850 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00FC1B50,?,00000000,00000000,?,?), ref: 00FDF86D

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Part of subcall function 00FDF940: WaitForSingleObject.KERNEL32(?,000000FF,8CB281B6,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FDF974

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AllocateCreateFileHeapObjectSingleWait
String ID:
API String ID: 1261966429-0
Opcode ID: 148ee8c27f1a7c8394668753fbf2ab5e3961b94aa6f5fb8dd156f2ec72eaf74c
Instruction ID: 6529d5fc80fbdf1bac1885eb94421ac00d3f5459c40f6a956046a19ffd583991
Opcode Fuzzy Hash: 148ee8c27f1a7c8394668753fbf2ab5e3961b94aa6f5fb8dd156f2ec72eaf74c
Instruction Fuzzy Hash: EF31F534604B009FD324DF28D898B1AB7E1FF88310F24896EE59BDB360D731A995DB55

Function 00EA9BD0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a02940290a5de2cdf60943d3a55380d2e4268bcb2045f551db2e2cf5d62555
Instruction ID: 22517ae2b59f07666199e960f652401d1d9797cfbfa1f7283162165dcdc4c78b
Opcode Fuzzy Hash: 82a02940290a5de2cdf60943d3a55380d2e4268bcb2045f551db2e2cf5d62555
Instruction Fuzzy Hash: 7F012D75A44648AFC714CF54D841B66F7A8FB59B20F10C26EFC159B750D736A8109B50

Function 00F87FE0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

__Init_thread_footer.LIBCMT ref: 00F88052

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: fe6c7018c7a43a2630a6f51e33f20cff9d6531bc6fd0ca6975dbe47bb177d6c7
Instruction ID: 26776e29ecc5c41c4c16f2b1861aa3bd59099e00e4afd5f153a13cb65718a846
Opcode Fuzzy Hash: fe6c7018c7a43a2630a6f51e33f20cff9d6531bc6fd0ca6975dbe47bb177d6c7
Instruction Fuzzy Hash: D501F7B1A04745DFCB28DF58D946B84B3A4E749F24F14477DE426933C0DB35A904D711

Function 00FA2B00 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

Part of subcall function 00FA2BA0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00FA2C0E
Part of subcall function 00FA2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00FA2C55
Part of subcall function 00FA2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00FA2C74
Part of subcall function 00FA2BA0: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00FA2CA3
Part of subcall function 00FA2BA0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00FA2D18

__Init_thread_footer.LIBCMT ref: 00FA2B76

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: c3cd304378ffd3fea2baa8774c20abbdd796f04581ccf3aa9eb6c45b03de8289
Instruction ID: e2f9dafb9abcd46e01c9d4f1feffcb7f535e0fe6408391c39dc8f269d8eb551f
Opcode Fuzzy Hash: c3cd304378ffd3fea2baa8774c20abbdd796f04581ccf3aa9eb6c45b03de8289
Instruction Fuzzy Hash: C601A2B1B40604EFCB28DF5CD942B49B3A4E746FA4F104269E9259B7C4D739A900DB91

Function 00EA9B10 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01037F9E: RaiseException.KERNEL32(E06D7363,00000001,00000003,8CB281B6,?,?,80004005,8CB281B6), ref: 01037FFE

RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: a0d3583f9c562519c40accb95289bcb6596042660dcd6022aee74f9a4abc1fdd
Instruction ID: 16fa307902d44e74a351a683838b35c375c4927bb720e0d576dc5a6f17891afe
Opcode Fuzzy Hash: a0d3583f9c562519c40accb95289bcb6596042660dcd6022aee74f9a4abc1fdd
Instruction Fuzzy Hash: 39F08271644248BFCB158F54DC42F56FBA8F749B14F10862EF91596650D776A800CB54

Function 0104DC17 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,0104D0E1,?,0104EE85,?,00000000,?,0103F625,00000000,0104D0E1,?,?,?,?,0104CEDB), ref: 0104DC49

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e5849412b2e9b5e67704d27d8af43392e88eab094ec3127cc45de92697567c36
Instruction ID: ca3d68ef572fab5f1ee36280772f698f09dfa7222984cfea61e8f8e4a6e5cabf
Opcode Fuzzy Hash: e5849412b2e9b5e67704d27d8af43392e88eab094ec3127cc45de92697567c36
Instruction Fuzzy Hash: 85E0EC7150022B67E7612DE95D98B9B7ACC9B611A0F040070BDD596080DBD0D44083A8

Function 00EA9B80 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,8CB281B6,?,Function_001BD840,000000FF), ref: 00EA9BAF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6ffc4033ffbcf569bbb49655dce8dc4e04b035994d26594d448c0d23593fd8a9
Instruction ID: 70346b12b63b9d5323494f7ac068fb8e4f14f7fec8c46bc4e573056483dead11
Opcode Fuzzy Hash: 6ffc4033ffbcf569bbb49655dce8dc4e04b035994d26594d448c0d23593fd8a9
Instruction Fuzzy Hash: 20E0ED75644648EBC725CF55DC41F56FBA8E709B50F10826ABC15D6680D736E8009A64

Function 0104D049 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0104D050

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 769ca0068ed58c0f47ec79c0bf525645b297996cb2591862ae12e30e295f5c90
Instruction ID: 32b29bbe2a04563a31b21735a322758d16b219e20a14f64192d67eb90038b3c0
Opcode Fuzzy Hash: 769ca0068ed58c0f47ec79c0bf525645b297996cb2591862ae12e30e295f5c90
Instruction Fuzzy Hash: 4FE09AB6C1020EABDB00DFD4C591BEFBBBCEB18310F5044269285E6140EB7557448BA1

Function 00FDBC20 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,8CB281B6,00000000,?,00000000,010A6063,000000FF,?,00FBAC2C,?,00000000,00000000,?,0000000D,0000000E), ref: 00FDBC59

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 771d65454ec1f2abca41a15c680c5cab18226f26caee0dcd33c42c2cc602df68
Instruction ID: 2e7913eb7d499e1b69fb82598d82b0717d83a3088dae8e7b2f897e7f63499850
Opcode Fuzzy Hash: 771d65454ec1f2abca41a15c680c5cab18226f26caee0dcd33c42c2cc602df68
Instruction Fuzzy Hash: 75115AB1904A49DFD720CF68C944B9AB7F8FB05730F14876AE425977D0E775A9008B80

Function 00EA8750 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00EA875B

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4c717d3af69aa1c0fae2bb92814207a57fd7c7ecf6c98eca75a49024571aad23
Instruction ID: 2c4a0ea544566e7a4ed3f74fe70e15cdc510df1d2dc28dfa329636825ca233c7
Opcode Fuzzy Hash: 4c717d3af69aa1c0fae2bb92814207a57fd7c7ecf6c98eca75a49024571aad23
Instruction Fuzzy Hash: D1C08C302007104BC7705A18B64878232DC5B08704F00845AB449D3200CB74EC008654

Non-executed Functions

Function 00EA2F40 Relevance: 170.0, Strings: 134, Instructions: 2486COMMON

Download Yara Rule

Strings

SelfRegModules, xrefs: 00EA5414
AI_XmlUninstall, xrefs: 00EA609A, 00EA6120
Feature_, xrefs: 00EA3D20, 00EA44D2, 00EA4EA7, 00EA5766, 00EA595C, 00EA59E2, 00EA5A68, 00EA5AEE
InstallFiles, xrefs: 00EA4B5E
800, xrefs: 00EA390D
6000, xrefs: 00EA5000
UnregisterMIMEInfo, xrefs: 00EA45A5
RemoveShortcuts, xrefs: 00EA4737
AI_ExtractPrereq, xrefs: 00EA59A9
AI_XmlElement, xrefs: 00EA5B61, 00EA60C0
InstallValidate, xrefs: 00EA38BE
AI_ScheduledTasks, xrefs: 00EA6043
AI_InstallPostPrerequisite, xrefs: 00EA5AB5
UnregisterFonts, xrefs: 00EA4281
RemoveIniValues, xrefs: 00EA462B, 00EA46B1
Registry, xrefs: 00EA432D, 00EA5013
20000, xrefs: 00EA5636
UnregisterProgIdInfo, xrefs: 00EA451F
AI_UserGroups, xrefs: 00EA5D55, 00EA5F49
PublishComponents, xrefs: 00EA56A9
File, xrefs: 00EA3598, 00EA48EF, 00EA4B7F
Options, xrefs: 00EA5A8F, 00EA5B10
100000, xrefs: 00EA58B9
1800, xrefs: 00EA5B4E, 00EA60AD
3000000, xrefs: 00EA510C
AI_DefaultActionCost, xrefs: 00EA62A0
RemoveIniFile, xrefs: 00EA4651
AI_XmlAttribute, xrefs: 00EA5BDE, 00EA6141
MIME, xrefs: 00EA45CB, 00EA4F90
1500000, xrefs: 00EA552A
Location, xrefs: 00EA5983, 00EA5A09
IniFile, xrefs: 00EA46D7, 00EA5099
ProgId, xrefs: 00EA4545, 00EA4F13
WriteRegistryValues, xrefs: 00EA4FED
RemoveEnvironmentStrings, xrefs: 00EA47BD
12000, xrefs: 00EA4102, 00EA4188, 00EA420E, 00EA4856, 00EA48DC, 00EA4962, 00EA49DF, 00EA4A65, 00EA4D80, 00EA520F, 00EA5295, 00EA531B
AI_ProcessGroups, xrefs: 00EA5F23
AI_ChainProductsPseudo, xrefs: 00EA61A6
InstallODBC, xrefs: 00EA51FC, 00EA5282, 00EA5308
Complus, xrefs: 00EA4009, 00EA54B7
CostInitialize, xrefs: 00EA332D
MsiConfigureServices, xrefs: 00EA559D, 00EA55C3
5000, xrefs: 00EA4D03
AI_GxInstall, xrefs: 00EA5C35
RemoveRegistry, xrefs: 00EA43B3
AI_ProcessTasks, xrefs: 00EA601D
CostFinalize, xrefs: 00EA36DC
ServiceInstall, xrefs: 00EA553D
UnpublishComponents, xrefs: 00EA3DCB
FileCost, xrefs: 00EA3514
CreateFolder, xrefs: 00EA49F2, 00EA4A78
UnregisterComPlus, xrefs: 00EA3FE3
RemoveFile, xrefs: 00EA4975
30000, xrefs: 00EA3CD1, 00EA5086, 00EA5742
200000, xrefs: 00EA583C
ODBCDataSource, xrefs: 00EA4115, 00EA5222
~, xrefs: 00EA5A99
RemoveODBC, xrefs: 00EA40EF, 00EA4175, 00EA41FB
CreateFolders, xrefs: 00EA4A52
Patch, xrefs: 00EA4C0A
BindImage, xrefs: 00EA4CF0, 00EA4D16
PatchSize, xrefs: 00EA4C44
MsiPublishAssemblies, xrefs: 00EA572F
MoveFiles, xrefs: 00EA4AD8
WriteIniValues, xrefs: 00EA5073
Component, xrefs: 00EA33B6, 00EA377A, 00EA395C, 00EA3B3E
RegisterComPlus, xrefs: 00EA548C
AI_XmlInstall, xrefs: 00EA5B3B, 00EA5BB8
RegisterTypeLibraries, xrefs: 00EA538E
10000, xrefs: 00EA56BC, 00EA62B3
ODBCTranslator, xrefs: 00EA419B, 00EA52A8
AI_UserAccounts, xrefs: 00EA5CD8, 00EA5FC6
500, xrefs: 00EA5EB9
RegisterClassInfo, xrefs: 00EA4DF3
RegisterExtensionInfo, xrefs: 00EA4E70
AI_UninstallGroups, xrefs: 00EA5D2F
DuplicateFile, xrefs: 00EA4869, 00EA4C90
RemoveRegistryValues, xrefs: 00EA4307, 00EA438D
FileSize, xrefs: 00EA4BBE
RemoveFolders, xrefs: 00EA49CC
Environment, xrefs: 00EA47E3, 00EA511F
ODBCDriver, xrefs: 00EA4221, 00EA532E
AI_DownloadPrereq, xrefs: 00EA5923
StopServices, xrefs: 00EA3ED7, 00EA3F5D
15000, xrefs: 00EA3EEA, 00EA3F70, 00EA4AEB, 00EA4C7D, 00EA4E83, 00EA55B0, 00EA57BF
InstallInitialize, xrefs: 00EA5829
100, xrefs: 00EA4BF7, 00EA4F00, 00EA5E3C
Shortcut, xrefs: 00EA475D, 00EA4D93
DuplicateFiles, xrefs: 00EA4C6A
120000, xrefs: 00EA474A
RegisterMIMEInfo, xrefs: 00EA4F6A
WriteEnvironmentStrings, xrefs: 00EA50F9
RegisterFonts, xrefs: 00EA517F
AI_GxUninstall, xrefs: 00EA5E29
UnregisterExtensionInfo, xrefs: 00EA4499
8000, xrefs: 00EA407C, 00EA4294, 00EA5192, 00EA5427
MsiUnpublishAssemblies, xrefs: 00EA3C82
AppId, xrefs: 00EA4439, 00EA4E19
PublishComponent, xrefs: 00EA3DF1, 00EA56CF
Extension, xrefs: 00EA44BF, 00EA4E96
CreateShortcuts, xrefs: 00EA4D6D
ServiceControl, xrefs: 00EA3EFD, 00EA3F83, 00EA5649
UnpublishFeatures, xrefs: 00EA3E4C
MsiAssembly, xrefs: 00EA5755
PublishFeatures, xrefs: 00EA57AC
AI_CountRowAction, xrefs: 00EA6223
UnregisterClassInfo, xrefs: 00EA4413
RemoveFiles, xrefs: 00EA48C9, 00EA494F
SelfReg, xrefs: 00EA408F, 00EA543A
AI_Game, xrefs: 00EA5C5B, 00EA5E4F
InstallFinalize, xrefs: 00EA58A6
RegisterProgIdInfo, xrefs: 00EA4EED
SelfUnregModules, xrefs: 00EA4069
2000, xrefs: 00EA3185, 00EA5C48, 00EA5CC5, 00EA5D42, 00EA5DBF, 00EA5F36, 00EA5FB3, 00EA6030
AI_UninstallAccounts, xrefs: 00EA5CB2
RemoveDuplicateFiles, xrefs: 00EA4843
Feature, xrefs: 00EA3E77, 00EA57D2
AI_InstallPrerequisite, xrefs: 00EA5A2F
Component_, xrefs: 00EA3E04, 00EA3F10, 00EA3FA5, 00EA401C, 00EA4128, 00EA41AE, 00EA4248, 00EA4340, 00EA43C6, 00EA4664, 00EA46EA, 00EA4770, 00EA47F6, 00EA487C, 00EA4902, 00EA4A05, 00EA4A8B, 00EA4B11, 00EA4B97, 00EA4CA3, 00EA4DA6, 00EA5026, 00EA50AC, 00EA5132, 00EA5235, 00EA52BB, 00EA5346, 00EA53C7, 00EA54CA, 00EA5550, 00EA55E5, 00EA565C, 00EA56E2
AI_AppSearchEx, xrefs: 00EA5EA6, 00EA5ECC
AI_ProcessAccounts, xrefs: 00EA5FA0
TypeLib, xrefs: 00EA53B4
3000, xrefs: 00EA3AEF, 00EA3DDE, 00EA3E64, 00EA3FF6, 00EA431A, 00EA43A0, 00EA4426, 00EA44AC, 00EA4532, 00EA45B8, 00EA47D0, 00EA4E06, 00EA4F7D, 00EA53A1, 00EA54A4
MoveFile, xrefs: 00EA4AFE
PatchFiles, xrefs: 00EA4BE4
1500, xrefs: 00EA4639, 00EA46C4, 00EA5BCB, 00EA6133
RemoveExistingProducts, xrefs: 00EA2F64
InstallServices, xrefs: 00EA5517
AI_PreRequisite, xrefs: 00EA5949, 00EA59CF, 00EA5A55, 00EA5ADB
AppSearch, xrefs: 00EA314B, 00EA31D4
ProcessComponents, xrefs: 00EA3AA0
StartServices, xrefs: 00EA5623
Font, xrefs: 00EA42A7, 00EA51A5
AI_UninstallTasks, xrefs: 00EA5DAC

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2910470256
Opcode ID: a8dcf17151611bb6f86a521b9db8f3b02087265400c96ecd5c299e5c3ac481ef
Instruction ID: f5310d0f7cc948ed95a1cbf82e46457967a400de50aad7b01bebb5ab1ad5d2c8
Opcode Fuzzy Hash: a8dcf17151611bb6f86a521b9db8f3b02087265400c96ecd5c299e5c3ac481ef
Instruction Fuzzy Hash: 7033F560E84385EAD31CE7B6971975D29A0AB5BB04F90D28CF1D13F3C6CFB82A458752

Function 00EC41B0 Relevance: 48.2, APIs: 16, Strings: 11, Instructions: 961memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EC420A
VariantClear.OLEAUT32(?), ref: 00EC423C
VariantClear.OLEAUT32(?), ref: 00EC435F
VariantClear.OLEAUT32(?), ref: 00EC438E
SysFreeString.OLEAUT32(00000000), ref: 00EC4395
SysAllocString.OLEAUT32(00000000), ref: 00EC43E8
VariantClear.OLEAUT32(?), ref: 00EC4476
VariantClear.OLEAUT32(?), ref: 00EC44A8
VariantClear.OLEAUT32(?), ref: 00EC4609
VariantClear.OLEAUT32(?), ref: 00EC463C
SysFreeString.OLEAUT32(00000000), ref: 00EC4647
SysAllocString.OLEAUT32(00000000), ref: 00EC468A
SysFreeString.OLEAUT32(00000000), ref: 00EC4845

Part of subcall function 00EC5120: VariantClear.OLEAUT32(?), ref: 00EC5129

VariantClear.OLEAUT32(?), ref: 00EC47FB
VariantClear.OLEAUT32(?), ref: 00EC4837
SysAllocString.OLEAUT32(00000000), ref: 00EC4869

Strings

MsiResolveFormatted, xrefs: 00EC4AF7
MsiPublishEvents, xrefs: 00EC4D34
MsiEvaluateCondition, xrefs: 00EC4A5C
MsiSetProperty, xrefs: 00EC48F0
MessageBox, xrefs: 00EC4DFC
GetFontHeight, xrefs: 00EC5054
MsiGetProperty, xrefs: 00EC499D
MsiGetBytesCountText, xrefs: 00EC4EC4
MsiGetBinaryPathIndirect, xrefs: 00EC4C6C
MsiGetFormattedError, xrefs: 00EC4FA1
MsiGetBinaryPath, xrefs: 00EC4BAA

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 1305860026-3153392536
Opcode ID: 9da8dc11e5a0c2b77acff5d07b22ccab247a8b87185dd58d76cfb29542b9cc0a
Instruction ID: 0e76367cf9306698ca5210bb5e3d1fab61732d1d954b7e44628280862dbf07af
Opcode Fuzzy Hash: 9da8dc11e5a0c2b77acff5d07b22ccab247a8b87185dd58d76cfb29542b9cc0a
Instruction Fuzzy Hash: FD924AB0900258DFDB20CFA4CD94BDEBBB4BF49314F104299E459B7281EB75AA85CF94

Function 00FD77C0 Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 514fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(01146078,C0000000,00000003,00000000,00000004,00000080,00000000,8CB281B6,01146054,0114606C,?), ref: 00FD7837
GetLastError.KERNEL32 ref: 00FD7854
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00FD78CF
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00FD79CB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00FD7A3C
WriteFile.KERNEL32(00000000,01145920,00000000,00000000,00000000,?,0000001C), ref: 00FD7A6C
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,010C58A8,00000002), ref: 00FD7B17
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FD7B20
FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00FD7A71

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 00FD7C12
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 00FD7C98
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00FD7CA3
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,010C58A8,00000002,?,?,CPU: ,00000005), ref: 00FD7D17
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FD7D20
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,010C58A8,00000002), ref: 00FD7DA5
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FD7DAE

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

Strings

CPU: , xrefs: 00FD7B68, 00FD7B7E, 00FD7CAC
x86, xrefs: 00FD7AA8
x64, xrefs: 00FD7AB1, 00FD7ABD
server, xrefs: 00FD7AC3, 00FD7ACB
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00FD7AE7
LOGGER->Reusing LOG file at:, xrefs: 00FD7973, 00FD7985, 00FD798F
LOGGER->Creating LOG file at:, xrefs: 00FD7BBA, 00FD7BCC, 00FD7BD6
LOGGER->failed to create LOG at:, xrefs: 00FD788A, 00FD789C, 00FD78A6
workstation, xrefs: 00FD7ABE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 4051163352-1312762833
Opcode ID: d07054f4db8ee6f9d47606546209bc1c7c1139ab6fe8e0f2da8255e54ed15071
Instruction ID: 932751476db5c27b79cd10f362c532cd366edb1914418a2e41954eb4b0882e96
Opcode Fuzzy Hash: d07054f4db8ee6f9d47606546209bc1c7c1139ab6fe8e0f2da8255e54ed15071
Instruction Fuzzy Hash: 8D127F70A012059FDB10DF68CC49BAEBBB5FF45320F188259E855AF2A6EB74ED04DB50

Function 00EC35A0 Relevance: 33.7, APIs: 22, Instructions: 727memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EC35FA
VariantClear.OLEAUT32(?), ref: 00EC362C
VariantClear.OLEAUT32(?), ref: 00EC3726
VariantClear.OLEAUT32(?), ref: 00EC3755
SysFreeString.OLEAUT32(00000000), ref: 00EC375C
SysAllocString.OLEAUT32(00000000), ref: 00EC37A3
VariantClear.OLEAUT32(?), ref: 00EC3827
VariantClear.OLEAUT32(?), ref: 00EC3859
VariantClear.OLEAUT32(?), ref: 00EC3959
VariantClear.OLEAUT32(?), ref: 00EC398C
SysFreeString.OLEAUT32(00000000), ref: 00EC3997
SysAllocString.OLEAUT32(00000000), ref: 00EC39DD
VariantClear.OLEAUT32(?), ref: 00EC3A5A
VariantClear.OLEAUT32(?), ref: 00EC3A8C
VariantClear.OLEAUT32(?), ref: 00EC3BAC
VariantClear.OLEAUT32(?), ref: 00EC3BDB
SysFreeString.OLEAUT32(00000000), ref: 00EC3BE2
SysAllocString.OLEAUT32(00000000), ref: 00EC3C35
VariantClear.OLEAUT32(?), ref: 00EC3CBA
VariantClear.OLEAUT32(?), ref: 00EC3CEC
VariantClear.OLEAUT32(?), ref: 00EC3DDD
VariantClear.OLEAUT32(?), ref: 00EC3E0A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID:
API String ID: 1305860026-0
Opcode ID: 4adfab40150a4e9ff9fb7ceb57d31a5de809389ee6fc90ca2527e593ddfc383c
Instruction ID: 509cf93f80f465fb95a1d0c3d91e3a3f8221c15043f7f0a89a40b07a9e9cf561
Opcode Fuzzy Hash: 4adfab40150a4e9ff9fb7ceb57d31a5de809389ee6fc90ca2527e593ddfc383c
Instruction Fuzzy Hash: 3A429A71900208DFCB10DFA8C944BDEBBF4FF49714F149269E405BB291E779AA45CBA1

Function 00EAF190 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 374memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00EAF5F0: EnterCriticalSection.KERNEL32(01146250,8CB281B6,00000000,?,?,?,?,?,?,P,0105F68D,000000FF), ref: 00EAF62D
Part of subcall function 00EAF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 00EAF6A8
Part of subcall function 00EAF5F0: LoadCursorW.USER32(00000000,00007F00), ref: 00EAF74E

SysFreeString.OLEAUT32(00000000), ref: 00EAF233
SysAllocString.OLEAUT32(00000000), ref: 00EAF264
GetWindowLongW.USER32(?,000000EC), ref: 00EAF33B
GetWindowLongW.USER32(?,000000EC), ref: 00EAF34B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EAF356
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00EAF364
GetWindowLongW.USER32(?,000000EB), ref: 00EAF372
SetWindowTextW.USER32(?,010C337C), ref: 00EAF411
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00EAF448
GlobalLock.KERNEL32(00000000), ref: 00EAF456
GlobalUnlock.KERNEL32(?), ref: 00EAF47A
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00EAF501
SysFreeString.OLEAUT32(00000000), ref: 00EAF516
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00EAF55D
SysFreeString.OLEAUT32(00000000), ref: 00EAF585

Strings

P, xrefs: 00EAF1AF, 00EAF2A2
P, xrefs: 00EAF24A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
String ID: P$P
API String ID: 4180125975-2819496421
Opcode ID: c4b233ecf39bec1b748221bbace26bbd901a141cec0b8541189ae052dcb12a8a
Instruction ID: ed49cdc90e38f0735b1231710c75a2afbcebffed68a14564d4d332da505f1992
Opcode Fuzzy Hash: c4b233ecf39bec1b748221bbace26bbd901a141cec0b8541189ae052dcb12a8a
Instruction Fuzzy Hash: FCD18271900206EFDF11DFE4C848BAFBBB8EF4A714F144168E911AB280D775AE05CBA1

Function 00EB8CD0 Relevance: 21.5, APIs: 14, Instructions: 520windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00EB8D83
ShowWindow.USER32(00000000,?), ref: 00EB8DA2
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00EB8DB0
GetWindowRect.USER32(00000000,?), ref: 00EB8DC7
ShowWindow.USER32(00000000,?), ref: 00EB8DE8
SetWindowLongW.USER32(?,000000EB,?), ref: 00EB8DFF

Part of subcall function 00EB2970: RaiseException.KERNEL32(?,?,00000000,00000000,01035A3C,C000008C,00000001,?,01035A6D,00000000,?,00EA91C7,00000000,8CB281B6,00000001,?), ref: 00EB297C

ShowWindow.USER32(?,?), ref: 00EB8F43
GetWindowLongW.USER32(?,000000EB), ref: 00EB8F79
ShowWindow.USER32(?,?), ref: 00EB8F96
GetWindowRect.USER32(?,?), ref: 00EB8FBB
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00EB90F8
GetWindowRect.USER32(?,?), ref: 00EB91B5
GetWindowRect.USER32(?,?), ref: 00EB9207
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 00EB9243

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$LongRectShow$MessageSend$ExceptionRaise
String ID:
API String ID: 1022490566-0
Opcode ID: fcbce27681c328f5c08affda8dd3bf48cc560cf5684dbd87c3a443c759ec127f
Instruction ID: 85acbde55142fa24bd4b41c3efccda710514a39e4464cb450f9edb5f92a2c2d9
Opcode Fuzzy Hash: fcbce27681c328f5c08affda8dd3bf48cc560cf5684dbd87c3a443c759ec127f
Instruction Fuzzy Hash: 6B12DC31A04205AFDB25CF68D844BABBBF9FF88304F04492DF596A7660DB30E885CB51

Function 00FAC0B0 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00FAC452
FindClose.KERNEL32(00000000), ref: 00FAC480
FindClose.KERNEL32(00000000), ref: 00FAC509

Strings

No acceptable version found. It must be installed from package., xrefs: 00FAC8D6
No acceptable version found., xrefs: 00FAC8F9
No acceptable version found. Operating System not supported., xrefs: 00FAC8EB
Not selected for install., xrefs: 00FAC900
No acceptable version found. It must be downloaded., xrefs: 00FAC8DD
An acceptable version was found., xrefs: 00FAC8CF
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00FAC8F2
No acceptable version found. It must be downloaded manually from a site., xrefs: 00FAC8E4

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 544434140-749633484
Opcode ID: 343415b63d08c1076d38860779cfdc55bdadeafb4ca53ffb8348847ffccba42e
Instruction ID: e26654bc57e2d4f3ece9864909a04c5021437b529d2fa585449f4fbecf72e3a3
Opcode Fuzzy Hash: 343415b63d08c1076d38860779cfdc55bdadeafb4ca53ffb8348847ffccba42e
Instruction Fuzzy Hash: 49F19170900709CFDB10DF68C8487AEFBF1EF4A320F148699D859AB392DB34A945DB91

Function 00EAEBE0 Relevance: 16.8, APIs: 11, Instructions: 293nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00EAECCB
GetWindowLongW.USER32(00000004,000000EC), ref: 00EAECDB
SetWindowLongW.USER32(00000004,000000EC,00000000), ref: 00EAECE6
NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 00EAECF4
GetWindowLongW.USER32(00000004,000000EB), ref: 00EAED02
SetWindowTextW.USER32(00000004,010C337C), ref: 00EAEDA1
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00EAEDD8
GlobalLock.KERNEL32(00000000), ref: 00EAEDE6
GlobalUnlock.KERNEL32(?), ref: 00EAEE0A
SetWindowLongW.USER32(00000004,000000EB,00000000), ref: 00EAEE6F
NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 00EAEEBD

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
String ID:
API String ID: 3555041256-0
Opcode ID: 09e29cfdb9048a26787e63921a425e2e8cc2ce21c52a4b52df56f6f662b44412
Instruction ID: c6eeb51457c63a56444b89a5c4798818c5710cf750aa6d58cb02b5f0f1ce605f
Opcode Fuzzy Hash: 09e29cfdb9048a26787e63921a425e2e8cc2ce21c52a4b52df56f6f662b44412
Instruction Fuzzy Hash: 97A1BF71901206ABDB24DFA4CC48BAFBBB9EF4A714F144518F955BB381DB35A900CBA1

Function 00EFFA40 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00EFFC1B
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00EFFC2B
SendMessageW.USER32(00000000,00000421,?,?), ref: 00EFFC40
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00EFFC51
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00EFFC64
GetWindowRect.USER32(?,?), ref: 00EFFC92

Part of subcall function 00F012B0: CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F0130F
Part of subcall function 00F012B0: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00EFFDEC,00000000,8CB281B6,?,?), ref: 00F01328

Part of subcall function 00EB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EB0DE6

SendMessageW.USER32(00000000,00000412,00000000), ref: 00EFFCF4
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00EFFD04

Strings

,, xrefs: 00EFFBC1

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$Window$CreateLongRect
String ID: ,
API String ID: 1954517558-3772416878
Opcode ID: 224581cde96b3ea282cb12b0ebf4ac1822d11ce416957d7e59ea5993b7f8b8df
Instruction ID: 1d45ac852b48457123f02860296e70344d7e3f187c2dd6dee10edc2667de4801
Opcode Fuzzy Hash: 224581cde96b3ea282cb12b0ebf4ac1822d11ce416957d7e59ea5993b7f8b8df
Instruction Fuzzy Hash: 6AA11871A002099FDB24CFA9CD85BEEBBF9FF48300F50462AE556EB291D774A944CB50

Function 00EC6070 Relevance: 12.8, APIs: 6, Strings: 1, Instructions: 512windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00EC6143

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

__Init_thread_footer.LIBCMT ref: 00EC610F

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

SendMessageW.USER32(?,0000104D,00000000,?), ref: 00EC643F
SendMessageW.USER32(?,0000102B,?,?), ref: 00EC64CF
SendMessageW.USER32(?,00001003,00000001,?), ref: 00EC6555
SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00EC6695

Part of subcall function 00EAC3F0: __floor_pentium4.LIBCMT ref: 00EAC40D

Strings

AiFeatIco, xrefs: 00EC636D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__floor_pentium4
String ID: AiFeatIco
API String ID: 4294328693-859831556
Opcode ID: e3cdfd97c289e64317559464353b632df19f11fd13e284de5ffc5d6c3e56c479
Instruction ID: efa48db1c89910dc466605e3f926dc62eaf3c16e5bbe612f29b5567d88fa584f
Opcode Fuzzy Hash: e3cdfd97c289e64317559464353b632df19f11fd13e284de5ffc5d6c3e56c479
Instruction Fuzzy Hash: 5922CD71900249DFDF14DF68C984BEEBBB5FF48304F144169E859AF296DB71AA40CBA0

Function 01058B95 Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 01058D79

Strings

1#INF, xrefs: 01058CCB
1#SNAN, xrefs: 01058CA1
1#IND, xrefs: 01058C9A
1#QNAN, xrefs: 01058CA8
`&, xrefs: 01058B97

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$`&
API String ID: 4168288129-2082501602
Opcode ID: 7f3f8a5f35b83484e4b71cb955a990f529e22d56570f7f9b822649e359ed93c6
Instruction ID: eef4dd43aaf148c55b784715a425064ed5b4cc030b0301d6a98f479c8031eb2f
Opcode Fuzzy Hash: 7f3f8a5f35b83484e4b71cb955a990f529e22d56570f7f9b822649e359ed93c6
Instruction Fuzzy Hash: 0CD21671E08229CFDBA5CE28CD407EAB7F5EB45305F1445EAD98DA7240E779AE818F40

Function 00FCA620 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 388COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

_wcschr.LIBVCRUNTIME ref: 00FCA6D9
GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00FCA82E
GetDriveTypeW.KERNEL32(?), ref: 00FCA84A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00FCAA37
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00FCAAC1

Strings

]%!, xrefs: 00FCA7C9

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Wow64$DriveInit_thread_footerRedirection$DisableHeapLogicalProcessRevertStringsType_wcschr
String ID: ]%!
API String ID: 2638324580-1069524040
Opcode ID: 29bb00a25bcf534b1288f1be05b7501940f484326aa462010edf75bd880abd6e
Instruction ID: 67e668af514ed45673b1aeac8df18740a9a28d44da2db8927a97d51791a16dad
Opcode Fuzzy Hash: 29bb00a25bcf534b1288f1be05b7501940f484326aa462010edf75bd880abd6e
Instruction Fuzzy Hash: 8BF1E23090015ADFDB24CB68CD85FADB7B4AF44314F0482EDE45AA7291EB74AE84DF91

Function 00F82A50 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 313windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00F82C80
SendMessageW.USER32(?,00000443,00000000), ref: 00F82CEA
MulDiv.KERNEL32(?,00000000), ref: 00F82D21

Strings

NumberValidationTipMsg, xrefs: 00F82B8B
Segoe UI, xrefs: 00F82CF8
NumberValidationTipTitle, xrefs: 00F82AC4

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSendWindow
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 701072176-2319862951
Opcode ID: c477d0ef1d1921e5d7cd1a2ad0fe8785e4cfc1945527284f2e3dde2bde704b01
Instruction ID: ff1e6bbccdcfc45a5a518a9d461c1e311a7eacb86c926b7e2e6940c17a407be0
Opcode Fuzzy Hash: c477d0ef1d1921e5d7cd1a2ad0fe8785e4cfc1945527284f2e3dde2bde704b01
Instruction Fuzzy Hash: 0DC19D71A00709AFEB24CF64CC55BEAB7F1EF89700F008259E596AB2C1DB746A45CF90

Function 01053B80 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

GetACP.KERNEL32(?,?,?,?,?,?,010493AE,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 01053C41
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,010493AE,?,?,?,00000055,?,-00000050,?,?), ref: 01053C6C
_wcschr.LIBVCRUNTIME ref: 01053D00
_wcschr.LIBVCRUNTIME ref: 01053D0E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 01053DCF

Strings

utf8, xrefs: 01053D3E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 8218e66d3761f4394dbb3d8203a2397e3ee21aa3d893686e9ce5305aeb726a55
Instruction ID: 79a225bd77487ee562c07295812792d9f7f0133e430096a97b90fd028404b39b
Opcode Fuzzy Hash: 8218e66d3761f4394dbb3d8203a2397e3ee21aa3d893686e9ce5305aeb726a55
Instruction Fuzzy Hash: 5571D771A00206AAE7A5AB79DC85BEB77E8FF54780F044469EE85DF180E671D9408760

Function 00FDFB20 Relevance: 9.2, APIs: 6, Instructions: 196fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,8CB281B6,?,00000000,00000000), ref: 00FDFBF1
FindNextFileW.KERNEL32(?,00000000), ref: 00FDFC0C

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 375c625c12dbdec09288a4d32ff2cc6b994419dacf478d1ac8a1ed86a12eea4f
Instruction ID: 1ddba074e32770c9367452384761f9e1403a5d83c74a1c1c13b54bb5229c49b7
Opcode Fuzzy Hash: 375c625c12dbdec09288a4d32ff2cc6b994419dacf478d1ac8a1ed86a12eea4f
Instruction Fuzzy Hash: 16717B71D002899FDB10DFA9C848BDEBBB8FF49324F14816AE815AB291DB759A04DB50

Function 0104DD6A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0104DDF7

Strings

`&, xrefs: 0104DD6C

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: _strrchr
String ID: `&
API String ID: 3213747228-2927270505
Opcode ID: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
Instruction ID: 4b289a05367d3b176fde392bcc7f08bf63d9cdd6c6c2b4657aa75f4ca5ea339d
Opcode Fuzzy Hash: 61616e26537ace8c997b701a72d866b1042ed0193a591e10dac063b8da873d44
Instruction Fuzzy Hash: 1DB129B29042469FDB25DFA8C8C07EEBFE5EF65350F1481BAE994AB241D2349941C7A0

Function 00F00BAA Relevance: 9.1, APIs: 6, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00F00B67
ShowWindow.USER32(?,00000005), ref: 00F00B93
GetWindowLongW.USER32(?,000000F0), ref: 00F00BC5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F00BE3
NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?), ref: 00F00BF6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F00C0D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$Show$NtdllProc_
String ID:
API String ID: 3227303085-0
Opcode ID: 9e3ddf98792cf6c4d53b98b567902c24c1709b5a67077d4b0d63168251746a4c
Instruction ID: 28a1b78cce83412194390cb8c2769c0ef227a770576c3cbdbd440004c0913ea4
Opcode Fuzzy Hash: 9e3ddf98792cf6c4d53b98b567902c24c1709b5a67077d4b0d63168251746a4c
Instruction Fuzzy Hash: 7F217C75A04214EFDB259F58D844B6DBBB1FF89720F24022DE426A73E5CB366C10EB40

Function 01035CA1 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,01035BBD,00000000,?,01035D55,00000000,?,?,00EB0B74,?), ref: 01035CA3
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,00EB0B74,?), ref: 01035CCA
HeapAlloc.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035CD1
InitializeSListHead.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035CDE
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00EB0B74,?), ref: 01035CF3
HeapFree.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035CFA

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: f40aacf931892b8923b06dd545bfd2b20022748f2469c95289d505efd78f429d
Instruction ID: b97f9737b3d7afd2f2082d3848acc276fa2745cdbdf653f0f6b99e297b3ef088
Opcode Fuzzy Hash: f40aacf931892b8923b06dd545bfd2b20022748f2469c95289d505efd78f429d
Instruction Fuzzy Hash: 21F0C8356106019BE7B15F2DAC4CB4637ECBB88B52F048029F9C1D3254DB75C4018B60

Function 0105430F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0105462D,00000002,00000000,?,?,?,0105462D,?,00000000), ref: 010543A8
GetLocaleInfoW.KERNEL32(?,20001004,0105462D,00000002,00000000,?,?,?,0105462D,?,00000000), ref: 010543D1
GetACP.KERNEL32(?,?,0105462D,?,00000000), ref: 010543E6

Strings

ACP, xrefs: 0105432D
OCP, xrefs: 01054363

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 85003600c4a00ed5746b57256e2662cb88f87403c38e8e91a6a44a4c13d8380b
Instruction ID: 6e785135551785cbc00370fac7dcb0e6c6908b080610d7e100b5d889a101fed3
Opcode Fuzzy Hash: 85003600c4a00ed5746b57256e2662cb88f87403c38e8e91a6a44a4c13d8380b
Instruction Fuzzy Hash: E521B032601101A7EBF58F58C941ADB77EAAB44A54B46C4A4EECAD7127F732DD80C350

Function 010544E4 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 010545F0
IsValidCodePage.KERNEL32(00000000), ref: 01054639
IsValidLocale.KERNEL32(?,00000001), ref: 01054648
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 01054690
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 010546AF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 3fac24c8fb7c47c3ffd75cc5963c8876b3a0a844f7c1fe809966e6f1317df474
Instruction ID: 2ba4be09e1d52570ef26e9c6efc7be72c26591269a87839e93d098620a97582f
Opcode Fuzzy Hash: 3fac24c8fb7c47c3ffd75cc5963c8876b3a0a844f7c1fe809966e6f1317df474
Instruction Fuzzy Hash: 87518471900206ABEFA0DFA9CC84AFF77F8BF18704F044469EE95DB151E77199448B61

Function 00FA3A50 Relevance: 6.3, APIs: 4, Instructions: 321fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00FA3BA8
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00FA3C45
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00FA3C6B
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00FA3CB5

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess
String ID:
API String ID: 3625725927-0
Opcode ID: 887cd7f236d37fef1771c0c53d4efdd49e432105a4f35f542acfb0772d1f0f06
Instruction ID: 11daab5f18f69f3b3b5ee104f3fa85aab0d7e84f6766c7787bace1de11668334
Opcode Fuzzy Hash: 887cd7f236d37fef1771c0c53d4efdd49e432105a4f35f542acfb0772d1f0f06
Instruction Fuzzy Hash: F1A1A2B1E002099FDB14DF68CC45BAEF7F5FF85324F14862EE815AB281E7759A049B90

Function 00FCB3D0 Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918d22aaa1ddad2d13ca07c60b285378917d3f5e427d5a0a0e62e0d1308bd4fe
Instruction ID: 20c220948bc2f982ebad84a6243e9eba6fd277aca574f116a410769d0636bbfb
Opcode Fuzzy Hash: 918d22aaa1ddad2d13ca07c60b285378917d3f5e427d5a0a0e62e0d1308bd4fe
Instruction Fuzzy Hash: 6D81C275901219DFDB60DF68CD8AB99B7B4EF45320F1482DDE818AB292DB309E44CF91

Function 00F3AB40 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000017,8CB281B6,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00F3AB88
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00F3AB9B
LockResource.KERNEL32(00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00F3ABAA
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,Function_001C791D,000000FF), ref: 00F3ABBA

Part of subcall function 00FA1480: MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,8CB281B6,00000000,00000000), ref: 00FA14D4

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Resource$ByteCharFindLoadLockMultiSizeofWide
String ID:
API String ID: 203124936-0
Opcode ID: 3a17f238363784cbe6f6f93240443517479f76c5ec72445af742b67480957825
Instruction ID: 7badffbe8bba7baae74ce32b6b07ed84a8f57c87bdb8e2a7b8280c77a8d0a414
Opcode Fuzzy Hash: 3a17f238363784cbe6f6f93240443517479f76c5ec72445af742b67480957825
Instruction Fuzzy Hash: AF312571E04705ABDB209F75DC45BABF7B8EF48760F00462AE895A7380EB70E900C7A1

Function 00F00CE3 Relevance: 6.1, APIs: 4, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F00D3E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F00D5C
NtdllDefWindowProc_W.NTDLL(?,00000086,?,00000000), ref: 00F00D6E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F00D80

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$NtdllProc_
String ID:
API String ID: 3674618424-0
Opcode ID: 3b0c2a37c858328d25710e3ed26482b1d1d52b1fe01ae80aa2685f7658ca398f
Instruction ID: e15e3475034f0b82beb34b1955859758930be29eccc675ebfcbe2642a3b05bdc
Opcode Fuzzy Hash: 3b0c2a37c858328d25710e3ed26482b1d1d52b1fe01ae80aa2685f7658ca398f
Instruction Fuzzy Hash: 9731BA30A04254AFEB15CF68D985B59BBB0EF86320F1442AAE821AB3E1CB716D54DB50

Function 00F00C22 Relevance: 6.0, APIs: 4, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F00C3C
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F00C5A
NtdllDefWindowProc_W.NTDLL(?,00000080,?,?), ref: 00F00C70
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F00C87

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$NtdllProc_
String ID:
API String ID: 3674618424-0
Opcode ID: 1098aa24de90ac2a3e4a5a48260c8ec837e7e84291565a554cd8cf0f044aecb2
Instruction ID: 97384b8572a56931218f931618c524123ce20a1c86de1655beba0da6bab54942
Opcode Fuzzy Hash: 1098aa24de90ac2a3e4a5a48260c8ec837e7e84291565a554cd8cf0f044aecb2
Instruction Fuzzy Hash: E7112776A04259EFDB259F98DC44B9DBBB5FB48320F21032AE965A33E0CB7219109B40

Function 0101D550 Relevance: 5.5, Strings: 4, Instructions: 529COMMON

Download Yara Rule

Strings

yxxx, xrefs: 0101D904
yxxx, xrefs: 0101D91D
yxxx, xrefs: 0101DA08
yxxx, xrefs: 0101D944

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: yxxx$yxxx$yxxx$yxxx
API String ID: 0-3504637693
Opcode ID: 86d536b0c90cb5e591e72dd4620eefd486c505a640d76a618b6dcbc3897e8151
Instruction ID: c02f20d315c5dfae72eafd5df8175ccfae624b56e4fad4a5da4afd5988826717
Opcode Fuzzy Hash: 86d536b0c90cb5e591e72dd4620eefd486c505a640d76a618b6dcbc3897e8151
Instruction Fuzzy Hash: 7302D7B1A006099FCB18DF9CC985AAEBBF5FF98300F148669E955EB355D734E900CB90

Function 00FCB7D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00FCB88C
FindClose.KERNEL32(00000000), ref: 00FCB9D7

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Strings

%d.%d.%d.%d, xrefs: 00FCB969

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 5e9a26f1217451f626508162931a7b16fa05abd001a73b2fa5b3b9df89c1450d
Instruction ID: afaa0b7fd8f427bdd1ce8574fdd7a80acb697f1d808e5c907f3412367f9ddf2d
Opcode Fuzzy Hash: 5e9a26f1217451f626508162931a7b16fa05abd001a73b2fa5b3b9df89c1450d
Instruction Fuzzy Hash: 1461BE34905219DFDF20DF28CD4AB9DBBB4EF44314F108299E859AB291DB369E84CF80

Function 00EBE290 Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

AI_NO_BORDER_HOVER, xrefs: 00EBE3DB
AI_CONTROL_VISUAL_STYLE, xrefs: 00EBE2F8
AI_NO_BORDER_NORMAL, xrefs: 00EBE360
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00EBE5B8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 319665923a2d789933546d9c34701464809b72c4bac9c374198ab21ffa89694c
Instruction ID: 150688e22e0fd3da6ed36d2e7638e40c7bf803c2423372099b203455b6633e8f
Opcode Fuzzy Hash: 319665923a2d789933546d9c34701464809b72c4bac9c374198ab21ffa89694c
Instruction Fuzzy Hash: 2FD16F70D00218DFEB14CFA9CC85BEEBBF1AF55305F108169E455AB385D778AA05CBA1

Function 01053F93 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 01053FE7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 01054031
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010540F7

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 335f1390ffca1db503fda3758b9717fb1573acc40bf04c3334ba811328c2d9d6
Instruction ID: 19bb3d839f56a9e779a77a540cf7903f65a58b98d02189190ea6e3e1ef9dfdd3
Opcode Fuzzy Hash: 335f1390ffca1db503fda3758b9717fb1573acc40bf04c3334ba811328c2d9d6
Instruction Fuzzy Hash: AE619C71A102179BEBA99F28CC81BEBB7E8EF14300F1041B9EE85C6285F774D991CB54

Function 00F13FC0 Relevance: 4.7, Strings: 3, Instructions: 907COMMON

Download Yara Rule

Strings

</a>, xrefs: 00F14308
<a>, xrefs: 00F142DD
&, xrefs: 00F14CB2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer
String ID: &$</a>$<a>
API String ID: 1385522511-4150034113
Opcode ID: f2cc6541e2bce6c2bd8b25c8e339d8ffdcad069a5232e25832cdb2db1236e318
Instruction ID: 1a3730269c3541f15fae6d7f99e82b25836397b752e4162c14749a7a72454b2c
Opcode Fuzzy Hash: f2cc6541e2bce6c2bd8b25c8e339d8ffdcad069a5232e25832cdb2db1236e318
Instruction Fuzzy Hash: 7E925470D01299DFDB20DFA8C844BDEBBB4AF54314F1081DAE009B7292DB746A89DF61

Function 00EB8890 Relevance: 4.6, APIs: 3, Instructions: 93COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00EB88DE
GetWindowLongW.USER32(00000004,000000FC), ref: 00EB88F7
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00EB8909

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9feb7df908984ecde1029bae5369c76eac4b428f8907f33c91d1498e3a941351
Instruction ID: 398fd1e682fa96eee78920e439cfaebe3d3e168aa05c94c972eef3635579290a
Opcode Fuzzy Hash: 9feb7df908984ecde1029bae5369c76eac4b428f8907f33c91d1498e3a941351
Instruction Fuzzy Hash: D9419DB0601642EFDB24CF65D908B9AFBB8FF04714F004268E464ABB90DB76E914CB91

Function 00EBC4F0 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000003,000000FC), ref: 00EBC546
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00EBC558
DeleteCriticalSection.KERNEL32(?,8CB281B6,?,?,?,?,010619C4,000000FF), ref: 00EBC583

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: LongWindow$CriticalDeleteSection
String ID:
API String ID: 1978754570-0
Opcode ID: 1e7505a780393c165bd3e5f4b9cbbed4de76bd1982c1ab5eb677cbd840db67cc
Instruction ID: f3be9e1f9f2ea611dd0ac90f493c970eac386616489f1cc7abc3cc9fc94dda9b
Opcode Fuzzy Hash: 1e7505a780393c165bd3e5f4b9cbbed4de76bd1982c1ab5eb677cbd840db67cc
Instruction Fuzzy Hash: E831E174A04246FFCB24DF24DC48B9AFBF8BF05714F144229E864A7691D771EA50CB90

Function 0103AD13 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0103AE0B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0103AE15
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0103AE22

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 34179a23d8270e3c589917fd6414184c2743b8061a9027f6489fd7aefc771fb5
Instruction ID: 77f44a1ff15b4b2dd4c01b1d743d52378e6846e99fe410a3ad76b394507c3964
Opcode Fuzzy Hash: 34179a23d8270e3c589917fd6414184c2743b8061a9027f6489fd7aefc771fb5
Instruction Fuzzy Hash: F531C375901229ABCB61DF68D8887CDBBF8BF58310F5041EAE45CA7290EB749B818F54

Function 00EB1670 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FC), ref: 00EB1689
SetWindowLongW.USER32(?,000000FC,?), ref: 00EB1697
DestroyWindow.USER32(?,?,?,?,?,?,80004003,?,00000001,?,?,00000001,?,?,010C383C), ref: 00EB16C3

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 7af55a5c30391638f39c89b3c6ee1fd4015c56f429254a77f2233944f9b70b26
Instruction ID: fa6bf71df235d76474b63b8bd94bc5eea4a0ebd94b0ed9ab8e3beaa5cb830a43
Opcode Fuzzy Hash: 7af55a5c30391638f39c89b3c6ee1fd4015c56f429254a77f2233944f9b70b26
Instruction Fuzzy Hash: 67F03034004B119BD7705F28ED08B837BE4BF04731B084B6CE4BA929E8C730E880DB00

Function 00EC7630 Relevance: 3.3, APIs: 2, Instructions: 252windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 00EC774D
SendMessageW.USER32(?,0000102B,0000009B,?), ref: 00EC7932

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f07a2dc27dbb7513641660395c1c7578ec279e0ab9e8aeebd96602b159b9b16d
Instruction ID: 5dab79db6a6779e2dcca58318a86906801ce8afe88a8a6c48931262da4968373
Opcode Fuzzy Hash: f07a2dc27dbb7513641660395c1c7578ec279e0ab9e8aeebd96602b159b9b16d
Instruction Fuzzy Hash: 39A1D571A04606AFCB1CCF24C695FE9FBE5FB54304F14826EE499EB281D735A902CB90

Function 00FBE3A0 Relevance: 3.1, APIs: 2, Instructions: 140fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,8CB281B6,00000000,?,00000000), ref: 00FBE48E
FindClose.KERNEL32(00000000,?,00000000), ref: 00FBE4D9

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: befd193820dcdd8b57d6294e71b602fe46596dd3c18b75b5574875e287473c4a
Instruction ID: cfa3df4389c29489157c6e8e39718c687ac8fec98c8e3409691d90e512be71d3
Opcode Fuzzy Hash: befd193820dcdd8b57d6294e71b602fe46596dd3c18b75b5574875e287473c4a
Instruction Fuzzy Hash: 4351487190060ACFDB24DFA9C888BEEB7F4FF48318F144559E815AB282D774AA05CF91

Function 00FA2230 Relevance: 3.1, APIs: 2, Instructions: 105windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,8CB281B6,00000008,00000000), ref: 00FA227B
GetLastError.KERNEL32 ref: 00FA2285

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 14382c457510e267f31cd799beaec5fc483aef0cb8f763b0e980abe2233a4015
Instruction ID: 0659a0de06ee6c985c9b462691a59603090b95b7543941aaa7f515b7ea9a6d9d
Opcode Fuzzy Hash: 14382c457510e267f31cd799beaec5fc483aef0cb8f763b0e980abe2233a4015
Instruction Fuzzy Hash: D83181B1B002099BEB10CF99DC45BAEBBF8EB45724F10452EF518E7381D7B599009B91

Function 00F00010 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00F0007F
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00F0008D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 401546e9c0e04574fd9643469c2dffa9553c85d3cf1489747ed78673adaf4884
Instruction ID: 98c6ac2eb05ff0f28140ccfc4f846a74ac8b3805129c5ff1c897757c1943160e
Opcode Fuzzy Hash: 401546e9c0e04574fd9643469c2dffa9553c85d3cf1489747ed78673adaf4884
Instruction Fuzzy Hash: 77316B71901645EFCB20DF69C944B9AFBF4FB05720F148269E424AB7D0DB35A950DB90

Function 00FCE610 Relevance: 3.1, APIs: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,8CB281B6,?,00000000,00000000,00000000,010A351D,000000FF), ref: 00FCE678
FindClose.KERNEL32(00000000,?,8CB281B6,?,00000000,00000000,00000000,010A351D,000000FF), ref: 00FCE6C2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0253a227b34b44292f5f7cbeb2c0ebbf9038fa169fe3e1e2e05843578bf33688
Instruction ID: 17a6837cd817dd525cc40506e4136542cd98f146205468103a2301a86d7ff362
Opcode Fuzzy Hash: 0253a227b34b44292f5f7cbeb2c0ebbf9038fa169fe3e1e2e05843578bf33688
Instruction Fuzzy Hash: 2821A1719006499FD720DF68CD49BEEF7B8FF84324F14426AE825972D0D7345A048B94

Function 00ED52F0 Relevance: 1.9, Strings: 1, Instructions: 617COMMON

Download Yara Rule

Strings

2, xrefs: 00ED5576

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: b842bbab6fdf95d5d15e9cdc154877a2ac94508e6e101b481c414797b27cc15e
Instruction ID: 800be24c12840797988b6aadffd63900eb3a8e9b7226dd63cc77e13a92864554
Opcode Fuzzy Hash: b842bbab6fdf95d5d15e9cdc154877a2ac94508e6e101b481c414797b27cc15e
Instruction Fuzzy Hash: AB32DFB2A047518BCB04DF26D98056BB7E6EF94308F00493EF4CBD7291EA34E949C792

Function 0103E64C Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

`&, xrefs: 0103E64E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: `&
API String ID: 0-2927270505
Opcode ID: 3418172707bc904c2989e3ea988943aa80d3e01c382d5c5ae1dfd35426e18d04
Instruction ID: ec5fdd69b661ba7b30bbc6daf3fdee7c213a6514b2c600fa469386afc69ea9ca
Opcode Fuzzy Hash: 3418172707bc904c2989e3ea988943aa80d3e01c382d5c5ae1dfd35426e18d04
Instruction Fuzzy Hash: 92E1CF74A006068FDBA5CF68C4806AEB7F9FFC9310B244B9AD5D69B391D730E842CB51

Function 010541E6 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0105423A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 486ae42cdfbf6ce088688ac1a4014fdfdacebd9507b1b87eb90e88bc03f67f63
Instruction ID: 2e660ad665ed4d8755190be05c067827ffe5b9881f14932960221618fc859d2d
Opcode Fuzzy Hash: 486ae42cdfbf6ce088688ac1a4014fdfdacebd9507b1b87eb90e88bc03f67f63
Instruction Fuzzy Hash: 0121C272A10216ABEB689F29DC81AFB77ECEF54340F5040BAED45D6240FB75E981CB50

Function 01053E6D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

EnumSystemLocalesW.KERNEL32(01053F93,00000001,00000000,?,-00000050,?,010545C4,00000000,?,?,?,00000055,?), ref: 01053EDF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b021bd0b4d0a80eeb7ad782efc00aced7837acad43b6a297a08be67f4b8ec0c3
Instruction ID: 912496784a2f75ea9f536ecdb4981251a6ae5c619682aad2ece2a050c6ceae07
Opcode Fuzzy Hash: b021bd0b4d0a80eeb7ad782efc00aced7837acad43b6a297a08be67f4b8ec0c3
Instruction Fuzzy Hash: 4A1102366047019FDB589F39C8956BBBBE2FF807A8B18442DE9C78BA40E371A402C740

Function 01054415 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,010541AF,00000000,00000000,?), ref: 01054441

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 519c1698c3e0cb486e901196b39552dc7c484d4b112f8e8e78456da5389b54b5
Instruction ID: e87d5218b902902a23eac8dadcd6831cbc331ea23f2a2d85b916b937a3dec5da
Opcode Fuzzy Hash: 519c1698c3e0cb486e901196b39552dc7c484d4b112f8e8e78456da5389b54b5
Instruction Fuzzy Hash: E1F0F9325501127BEB64566888456FB7FA8EB40754F054468DED5E3140FF34F983CBA0

Function 01053D7B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 01053DCF

Strings

utf8, xrefs: 01053D3E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 9f61e255b4588fd24dd22aef444d3b5235350c87ea507c7a65c8322988d810e5
Instruction ID: 6ac0dddcf2b140395fba4183884bef94ee93053fbc1f8d1084c85e87b1a2c635
Opcode Fuzzy Hash: 9f61e255b4588fd24dd22aef444d3b5235350c87ea507c7a65c8322988d810e5
Instruction Fuzzy Hash: 0FF0C832A11106ABD724AB78DC45AFB73ECEB55750F004079EE46DB280EA74AD058750

Function 01053F08 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

EnumSystemLocalesW.KERNEL32(010541E6,00000001,?,?,-00000050,?,01054588,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 01053F52

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f0da0f767eca40c23f0196be08e7af7e3ed07f05e8d6182cc5a079a3c9c56db5
Instruction ID: 65ff63c75d3f2c46d8aa119e047d487b469efa4ec05632f1a2f8cf5d3029ff72
Opcode Fuzzy Hash: f0da0f767eca40c23f0196be08e7af7e3ed07f05e8d6182cc5a079a3c9c56db5
Instruction Fuzzy Hash: CBF0C2362043056FDB655F399C81ABB7BE5FF807A8B05846DFDC58B680D6B29842C710

Function 0104FC09 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0104A89A: EnterCriticalSection.KERNEL32(-01145108,?,0104CE16,00EA9F56,01139668,0000000C,0104D0E1,?), ref: 0104A8A9

EnumSystemLocalesW.KERNEL32(0104FBFC,00000001,011397A8,0000000C,0105002B,00000000), ref: 0104FC41

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 0926ffe1e0644369ebb721d93094ac97caa5b35e7555196b086bfaa22b413e54
Instruction ID: f557c96b8e1635e4a531cad241e41958d5076ae61b496c3b15f503bfda901242
Opcode Fuzzy Hash: 0926ffe1e0644369ebb721d93094ac97caa5b35e7555196b086bfaa22b413e54
Instruction Fuzzy Hash: B8F04FB6A40206DFE714EFA9E481B9D77F0FB44721F10412AE414DB290CB7649418F50

Function 01053E22 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0104D836: GetLastError.KERNEL32(?,00000008,0104F453), ref: 0104D83A
Part of subcall function 0104D836: SetLastError.KERNEL32(00000000,00000000,00000002,000000FF), ref: 0104D8DC

EnumSystemLocalesW.KERNEL32(01053D7B,00000001,?,?,?,010545E6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 01053E59

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6c07ad21f5400edf1014d163bf868f2a6c1da270be5e4e1c843e9f6ee9a4d1c8
Instruction ID: 5ca5026df2276bdec5a2008be4c78b47b02c6ccadebe8f68b821bb9caf5d1f6c
Opcode Fuzzy Hash: 6c07ad21f5400edf1014d163bf868f2a6c1da270be5e4e1c843e9f6ee9a4d1c8
Instruction Fuzzy Hash: 86F0553630020557CB15AF3AE8856ABBFD4FFC1B90B0A409DEE498F291C2329843C750

Function 00EC15F0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00EBFD16,?,?,?,?,?,?,?,?,00EBFB78,?,?), ref: 00EC1640

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 6d360c71df07743c2a3c46a822f0f660858bdbbaa1e659d5cc9a037acb6106a9
Instruction ID: 2e1d92730511fd95f6588ded8cc25e00beeec2ccfc9b5fc50f8042ad57815c44
Opcode Fuzzy Hash: 6d360c71df07743c2a3c46a822f0f660858bdbbaa1e659d5cc9a037acb6106a9
Instruction Fuzzy Hash: EEF05874004181DFE3048F54C998F69BBAAFB4734AF5C45FAE098E5562C23ACE5ADF10

Function 01050186 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,01049F14,?,20001004,00000000,00000002,?,?,01049516), ref: 010501BA

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6a0342a974a4cc5f1b90f67f601c002c6382453b6b00063f1ad8f727c55ba60b
Instruction ID: 2146aa4fe9121e56eb6ee63c1f38c802238396d65ec11298b8631536cb9c83ee
Opcode Fuzzy Hash: 6a0342a974a4cc5f1b90f67f601c002c6382453b6b00063f1ad8f727c55ba60b
Instruction Fuzzy Hash: 82E04F31541519BBDF122F64DC04AEF7E2AFF44750F008021FD8565129CB3689219BD5

Function 00EF6EE0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

1, xrefs: 00EF72E7

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: b7571b7c86493dcfd1582de626982ee6703fa41e5f6f789b5686cd2211eb464c
Instruction ID: 64886d975da2aed23835904e26ef6e27ca905cbbd509fc012288258a4c82e603
Opcode Fuzzy Hash: b7571b7c86493dcfd1582de626982ee6703fa41e5f6f789b5686cd2211eb464c
Instruction Fuzzy Hash: BAD114B090578AEFE709CF64C55878AFBF4BB15308F14824DD4A85B281D3BAA618CFD1

Function 00F7B7A0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c319aa88b0e4a43522cdebcc7ffad44ba32f9036d240999169387d1a76786374
Instruction ID: cd7f97f3a66997415abddcafe3e40b96cdffe6725edb8bacf40f833b63f0880a
Opcode Fuzzy Hash: c319aa88b0e4a43522cdebcc7ffad44ba32f9036d240999169387d1a76786374
Instruction Fuzzy Hash: AA02D772E002159FDB18DF68C880BAEB7B5EB99710F14823EE815E7385E731AD45CB91

Function 0103E2BE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0c5334fcb45ab754bbbed2a31bf3ab4776e1f5f5f161e0e52aaab4d8686747
Instruction ID: e5f0f722af43bf9ccfb47d7e49dc4168f5d469a8c3fcf0001b1be204a231c37f
Opcode Fuzzy Hash: eb0c5334fcb45ab754bbbed2a31bf3ab4776e1f5f5f161e0e52aaab4d8686747
Instruction Fuzzy Hash: 3CC1ED70A00646CFDB65CF6CC4846AEBBE9AF89314F14879DD5C29B392DB30E846CB51

Function 00EAF7C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e79bc001cbd1d6693dafa61148007cb35f0fa73347203068802aa7263056c68
Instruction ID: 338939e8c86a47c408033d3d8292b02412dd32fc158512f0af1fab6efc719353
Opcode Fuzzy Hash: 3e79bc001cbd1d6693dafa61148007cb35f0fa73347203068802aa7263056c68
Instruction Fuzzy Hash: EF71F8B0805B48DFE761CF68C95478ABFF0BB05314F108A5EC4A99B391D3B96648DF91

Function 00F47F20 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0806eb36ef62146b32610216a9ef631503dba67868bf667fc66559d1130c93
Instruction ID: 4fa689c1edaa5e1808a991cf282e5f3b66532e6b9531e79d5127021e5676e695
Opcode Fuzzy Hash: fd0806eb36ef62146b32610216a9ef631503dba67868bf667fc66559d1130c93
Instruction Fuzzy Hash: B041D3B0905749EED704CF69C50878AFBF0BB09318F20869DD4989B781D7BAA619CFD1

Function 00EB8720 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52c18d8d16f434c8046293ef275ebafaae33b0f576691fb84b1d2d311d8404f
Instruction ID: 0451b411d7ba592ef60cb6692e0d9dd4c93ee8e55d78e75c879c8ea69df6ee7f
Opcode Fuzzy Hash: b52c18d8d16f434c8046293ef275ebafaae33b0f576691fb84b1d2d311d8404f
Instruction Fuzzy Hash: 9831DCB0405B84CEE321CF29C55834BBBF0AB05728F108A5DD4E24BB91C3BAA648CB91

Function 00EB2250 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df49fefc2155d207cbb846c0519a58b6ea2b740fd01d674645f59e89f9c65e91
Instruction ID: 6d71b821509b2a324b9999361e909a0627f5e7a4a2c91ab47d34aa750631251b
Opcode Fuzzy Hash: df49fefc2155d207cbb846c0519a58b6ea2b740fd01d674645f59e89f9c65e91
Instruction Fuzzy Hash: 5F2147B0804788CFD720CF58C544B8ABBF4FB09724F1186AED4959B791E3B9AA44CF90

Function 00EB1C90 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2091662e10d38450566ea238e96d182a6845b37389b24eaff56f7a4c1b98cc
Instruction ID: cdef9d404603ba90dd796d3820e27affcc9a88ebd833e7af7164662a37dd2d6e
Opcode Fuzzy Hash: eb2091662e10d38450566ea238e96d182a6845b37389b24eaff56f7a4c1b98cc
Instruction Fuzzy Hash: B8216DB0804788DFD710CF58C54478ABBF4FB09714F1186AED455AB791E3B9AA44CF90

Function 0168C160 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1532941791.000000000168B000.00000004.00000020.00020000.00000000.sdmp, Offset: 0168B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_168b000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ef38ce7a25e885b24f6b95f8098430fb4c03170a57ef0d38eabf7f50296c63
Instruction ID: d934e43b6fcb704cd91fe8d27fdb267631828754d4fa302bfdb975084b0a9175
Opcode Fuzzy Hash: f6ef38ce7a25e885b24f6b95f8098430fb4c03170a57ef0d38eabf7f50296c63
Instruction Fuzzy Hash: BD01451144F3C24FD7139B74A8B22957FB09E0315571E49CBC9C1CB5A3C60D184EDB62

Function 00ECD320 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b194ba8dbb9777303d6b23d8b66ec48e30233b5cd924dce3861fcc5c0fd2fb
Instruction ID: 3e1c76c410056279a21b1983cb6fb108df3f82a7fe5acd07208d3edec9b21f42
Opcode Fuzzy Hash: 30b194ba8dbb9777303d6b23d8b66ec48e30233b5cd924dce3861fcc5c0fd2fb
Instruction Fuzzy Hash: FE110CB5905248DFCB54CF58C544749BBF4FB08728F2082AEE8289F781D3769A06CF80

Function 0105783E Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
Instruction ID: 95bf27385c4149a2b3b0ebbb12ba246371c4df48584dd9089aeddf4c591ed794
Opcode Fuzzy Hash: 53d55dbc7befab1462941653f93551db49e582fd117fd3c7d9640c03956ee69d
Instruction Fuzzy Hash: 39E08C72911228EBCB14DB9DC944D9AF7ECEB45A00B5100AAFA01D3200C270DE00D7D0

Function 0104C66D Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
Instruction ID: 20277ae461bfd94d160fcb78fc52dbe92fb10dad498acaaf7cafc9875d5d1b90
Opcode Fuzzy Hash: 144c5401b694974f51f95ed054cfd58255e5e3608f4b0faf65206ff88c737fe7
Instruction Fuzzy Hash: C3C080B404350057DF55552883B03B53394A3A5681F9014DCC58207641C51D6845D750

Function 00FE2F90 Relevance: 51.2, APIs: 26, Strings: 3, Instructions: 487timefilememoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00FE2FA9
LocalFree.KERNEL32(?,00000000,00000000,0000005C,Everyone,10000000,00000000,?,00000000), ref: 00FE2FB9
GetLastError.KERNEL32(?,00000000), ref: 00FE2FF7
LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 00FE3036
GetLastError.KERNEL32(?,00000000), ref: 00FE3050
LocalFree.KERNEL32(?,?,00000000), ref: 00FE3061
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,8CB281B6,7556F530,?,?), ref: 00FE3100
GetLastError.KERNEL32 ref: 00FE311E
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00FE314B
GetLastError.KERNEL32 ref: 00FE3155
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE31DA
GetLastError.KERNEL32 ref: 00FE31E4
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE321C
SystemTimeToFileTime.KERNEL32(00000000,010C341C), ref: 00FE323D
CompareFileTime.KERNEL32(010C341C,?), ref: 00FE324F
PathFileExistsW.SHLWAPI(?,00000005), ref: 00FE32EC
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,00000001,S-1-1-0,10000000,00000001), ref: 00FE3387
GetLastError.KERNEL32 ref: 00FE3397
CloseHandle.KERNEL32(00000000), ref: 00FE339F

Strings

S-1-5-18, xrefs: 00FE3352
S-1-1-0, xrefs: 00FE3341
.part, xrefs: 00FE3291

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FileTime$ErrorLast$Local$FreeSystem$Create$AllocCloseCompareExistsHandlePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1123205858-2727065896
Opcode ID: 5b49efcf678953aba9ae8efac46d26d92059534f25960cdf096cccd29ffca043
Instruction ID: 3fdbe44b349901c0c07ed8896559e8b503e69848cebc61e7da59a22b454412c8
Opcode Fuzzy Hash: 5b49efcf678953aba9ae8efac46d26d92059534f25960cdf096cccd29ffca043
Instruction Fuzzy Hash: 2C12AC70A007849FDB20CF6AC88CBAABBF4BF44714F04452EE182976A0DB75EA44DF50

Function 00FD4B10 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 335COMMON

Download Yara Rule

Strings

Unable to get a temp file for script output, temp path: , xrefs: 00FD4C1F
Unable to retrieve exit code from process., xrefs: 00FD4E92
Unable to create process: , xrefs: 00FD4D15
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00FD4C6F
Unable to retrieve PowerShell output from file: , xrefs: 00FD4E6F
txt, xrefs: 00FD4BE3
Unable to find file , xrefs: 00FD4B43
ps1, xrefs: 00FD4BB6, 00FD4BC8, 00FD4BD2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: 9b86a2fbe4132314798bcbde57b2489238db3cfdf4f54cba1f3e7106fef7a226
Instruction ID: 0ba76c5668043553012b1050813430cd3d57ddd62a9269e2777fbdbea9a92ba7
Opcode Fuzzy Hash: 9b86a2fbe4132314798bcbde57b2489238db3cfdf4f54cba1f3e7106fef7a226
Instruction Fuzzy Hash: 78C1B031D00649AFDB10DFA8CD45BAEBBF5BF09324F14825AF454BB291DB74AA00DB90

Function 00F8A2B0 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 238libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

GetModuleHandleW.KERNEL32(kernel32,8CB281B6,?,?,00000000), ref: 00F8A3B3
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00F8A3FB
__Init_thread_footer.LIBCMT ref: 00F8A40E
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00F8A456
__Init_thread_footer.LIBCMT ref: 00F8A469
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F8A4B1
__Init_thread_footer.LIBCMT ref: 00F8A4C4

Part of subcall function 00F61FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F61FF1
Part of subcall function 00F61FB0: _wcschr.LIBVCRUNTIME ref: 00F620AF

Strings

@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00F8A347
SetDefaultDllDirectories, xrefs: 00F8A4AB
SetSearchPathMode, xrefs: 00F8A3F5
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00F8A340, 00F8A34F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00F8A322
SetDllDirectory, xrefs: 00F8A450
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00F8A327, 00F8A32F
kernel32.dll, xrefs: 00F8A60D
kernel32, xrefs: 00F8A3AE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$AddressProc$DirectoryHandleHeapModuleProcessSystem_wcschr
String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
API String ID: 1258094593-3455668873
Opcode ID: 4c29d75883181404b31ae2788d40d9548955a8be47a2f3de7196c093c9a413b9
Instruction ID: 06bb8ea7587c8e7384363b10f251ea9602234b595ec3afd56fbc41f018827a01
Opcode Fuzzy Hash: 4c29d75883181404b31ae2788d40d9548955a8be47a2f3de7196c093c9a413b9
Instruction Fuzzy Hash: 56A169B0900318DFDB28DF54D849B9EBBB4FB4671CF5082AEE498AB241D7705A48CF91

Function 00FA9E90 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000001F6), ref: 00FA9EDE
GetDlgItem.USER32(?,000001F8), ref: 00FA9EEB
GetDlgItem.USER32(?,000001F7), ref: 00FA9F38
SetWindowTextW.USER32(00000000,00000000), ref: 00FA9F47
ShowWindow.USER32(?,00000005), ref: 00FA9F67

Part of subcall function 00FA93B0: GetWindowLongW.USER32(?,000000F0), ref: 00FA93EF
Part of subcall function 00FA93B0: GetWindowLongW.USER32(?,000000F0), ref: 00FA9400
Part of subcall function 00FA93B0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA9412
Part of subcall function 00FA93B0: GetWindowLongW.USER32(?,000000EC), ref: 00FA9425
Part of subcall function 00FA93B0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA9434
Part of subcall function 00FA93B0: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00FA9448
Part of subcall function 00FA93B0: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA9457

GetDlgItem.USER32(?,000001F7), ref: 00FA9F86
SetWindowTextW.USER32(00000000,00000000), ref: 00FA9F95
ShowWindow.USER32(?,00000000), ref: 00FA9FB5
ShowWindow.USER32(?,00000000), ref: 00FA9FBC
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00FAA005
GetDlgItem.USER32(00000000,00000000), ref: 00FAA039
IsWindow.USER32(00000000), ref: 00FAA043
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000616), ref: 00FAA090

Strings

Details >>, xrefs: 00FA9F6D
Details <<, xrefs: 00FA9F1F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$ItemLong$Show$MessageSendText
String ID: Details <<$Details >>
API String ID: 1573988680-3763984547
Opcode ID: cbbb8e16281ea8686305cd16cc28f0bcc9f54a311a5fdc8432efef34c9221926
Instruction ID: b5c4f4548e8faf939dc3c54a721ee7e463175c5a639315433b9f844a383b8efa
Opcode Fuzzy Hash: cbbb8e16281ea8686305cd16cc28f0bcc9f54a311a5fdc8432efef34c9221926
Instruction Fuzzy Hash: 1C71CCB1A00208AFDB24DFA8DC46BAEFBF4EF49710F24822DF511A7290D771A845DB50

Function 00FADB40 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 167COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(?,8CB281B6,?,?,?,0109C4C5,000000FF,?,00FE04CF,?,?,?,00000000), ref: 00FADCD8
GetActiveWindow.USER32 ref: 00FADC3A

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

Strings

"%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00FAECDF
TRANSFORMS=:%s.mst MSINEWINSTANCE=1 , xrefs: 00FAE910
REINSTALL=ALL REINSTALLMODE=vomus , xrefs: 00FAED93
TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 , xrefs: 00FAE8FF
"%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00FAE7B2
%s , xrefs: 00FAEA4C, 00FAED81
AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 , xrefs: 00FAEB95
majorupgrade-content.mst, xrefs: 00FAE756, 00FAEC4F
.msi, xrefs: 00FAE747, 00FAEC40
TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1, xrefs: 00FAE8B7
MSINEWINSTANCE=1 , xrefs: 00FAE8E6
.mst, xrefs: 00FAE797, 00FAE7FE, 00FAECBE
"%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 , xrefs: 00FAE818

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$ActiveDebugHeapOutputProcessStringWindow
String ID: "%s" TRANSFORMS="%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_MAJORUPGRADE=1 AI_NEWINST=1 $ "%s" TRANSFORMS="%s;%s;%s" AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ %s $ AI_INST_PRODCODES=%s AI_INTANCE_LOCATION="%s" AI_INST_MAJORUPGRADE=1 $ MSINEWINSTANCE=1 $ REINSTALL=ALL REINSTALLMODE=vomus $ TRANSFORMS="%s" AI_INST_MAJORUPGRADE=1$ TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1 $ TRANSFORMS=:%s.mst MSINEWINSTANCE=1 $.msi$.mst$majorupgrade-content.mst
API String ID: 758407959-743168453
Opcode ID: 4af81ee35158085ec84dd7b5f44565a0b8ff83749f43537ccaf5856055e3492e
Instruction ID: 94f8ac454e19765b3fd08516cfc49586e937f10f55bd3748656d02651dc9ef5f
Opcode Fuzzy Hash: 4af81ee35158085ec84dd7b5f44565a0b8ff83749f43537ccaf5856055e3492e
Instruction Fuzzy Hash: CB51C375E002059FDB14DB6CC8457AEBBF4EF46320F1482ADE816AB791DB359D00CBA1

Function 00EB16D0 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 359stringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00EB1770
GetParent.USER32(?), ref: 00EB17B1
lstrcmpW.KERNEL32(?,#32770), ref: 00EB17D1
GetWindowLongW.USER32(?,000000F0), ref: 00EB1871

Strings

#32770, xrefs: 00EB17C8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$LongParentlstrcmp
String ID: #32770
API String ID: 4031819654-463685578
Opcode ID: 203c70698c69c94f5603a519592b176564e588000c53913e83b067c5c905c7ed
Instruction ID: ed0d5a1296af600d30e2c02a237e40de8463c69ab6f81a9cd48031ca111c4942
Opcode Fuzzy Hash: 203c70698c69c94f5603a519592b176564e588000c53913e83b067c5c905c7ed
Instruction Fuzzy Hash: 35E1A174A00219EFDB14CFA4C854BEEBBB5FF49724F5491A9E411BB290D734AD44CB60

Function 00FE2A10 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 390libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,8CB281B6,00000000,00000000), ref: 00FE2AA1
GetLastError.KERNEL32 ref: 00FE2ACF

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00FE2AE5
FreeLibrary.KERNEL32(00000000), ref: 00FE2AFE
GetLastError.KERNEL32 ref: 00FE2B0B
GetLastError.KERNEL32 ref: 00FE2CF9
GetLastError.KERNEL32 ref: 00FE2D5E

Strings

Advapi32.dll, xrefs: 00FE2A9C
ConvertStringSidToSidW, xrefs: 00FE2ADF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: 1cfa34e972757b61858afc8b2e3f41270e077677423738402567cac46215ddcd
Instruction ID: d6dcfb41560cd1d948692efa7a3363c026181faa13006293df652a9e331954d3
Opcode Fuzzy Hash: 1cfa34e972757b61858afc8b2e3f41270e077677423738402567cac46215ddcd
Instruction Fuzzy Hash: E8F19CB1C0125AEBDB50CF95C9847EEBBB8FF14324F208119E915B7280E735AA45DFA1

Function 00EDD6E0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 246libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,8CB281B6,?,?,00000000,?,?,?,?,?,?,8CB281B6,01068E95,000000FF), ref: 00EDD74D
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00EDD753
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,8CB281B6,01068E95,000000FF,?,00EF45FA,010CB84C,8CB281B6,8CB281B6), ref: 00EDD783
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00EDD789

Strings

RoGetActivationFactory, xrefs: 00EDD743
.dll, xrefs: 00EDD8A6
CoIncrementMTAUsage, xrefs: 00EDD779
DllGetActivationFactory, xrefs: 00EDD902
combase.dll, xrefs: 00EDD748, 00EDD77E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: 4ff9103a449baba043d05a115301a5c17ffa9912091f9e9c81e3e94599b260f5
Instruction ID: d8eb8462d2d8a0820115e84f989a720d842ba2771c2a65680b5781b02895d924
Opcode Fuzzy Hash: 4ff9103a449baba043d05a115301a5c17ffa9912091f9e9c81e3e94599b260f5
Instruction Fuzzy Hash: 95A19A71904209EFDB15EFA8CC94BEEBBB4EF58314F14502AE411B7290DBB19A46CB51

Function 00EFA430 Relevance: 21.2, APIs: 14, Instructions: 243COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EFA49E
SetWindowLongW.USER32(?,000000F0,00C80000), ref: 00EFA4CC
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00EFA4E1
GetWindowLongW.USER32(?,000000EC), ref: 00EFA518
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EFA545
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00EFA559
GetWindowLongW.USER32(?,000000F0), ref: 00EFA57B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EFA592
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00EFA5A6
GetWindowRect.USER32(?,?), ref: 00EFA5F6
GetWindowLongW.USER32(?,000000EC), ref: 00EFA61C
GetWindowRect.USER32(?,?), ref: 00EFA66A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000604,?,?), ref: 00EFA6A0
SetWindowTextW.USER32(?,?), ref: 00EFA6E1

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$Rect$Text
String ID:
API String ID: 445026432-0
Opcode ID: 5bbe46dc7c22a21d211fb12050241c365a7337710ebb9bd6e3d3c1ecd07c97ab
Instruction ID: 067242a02d39323e4c0e2d1fc5b16f9d9c7e530860eccde101930c5de7236c2d
Opcode Fuzzy Hash: 5bbe46dc7c22a21d211fb12050241c365a7337710ebb9bd6e3d3c1ecd07c97ab
Instruction Fuzzy Hash: 32919F75A00609AFDB14CFA8DC45BEEBBB5FF48310F244229F526E7294DB31A950CB50

Function 00ED3400 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 222libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,8CB281B6,?,?,?,?,?,?,?,8CB281B6,010664A5,000000FF,?,00ED371A,010C74D0), ref: 00ED3467
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00ED346D
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,8CB281B6,010664A5,000000FF,?,00ED371A,010C74D0,8CB281B6,8CB281B6), ref: 00ED349E
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00ED34A4

Strings

RoGetActivationFactory, xrefs: 00ED345D
.dll, xrefs: 00ED35A9
CoIncrementMTAUsage, xrefs: 00ED3494
DllGetActivationFactory, xrefs: 00ED35E9
combase.dll, xrefs: 00ED3462, 00ED3499

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: e81cf18d1f81059a23ad4780f8a4942992413259af5b0272ac3bb8d066543cc6
Instruction ID: 6be9b51c225318eb737e885c3348ff2e3f5a05bdf0d859b8758ee7aee8946bfe
Opcode Fuzzy Hash: e81cf18d1f81059a23ad4780f8a4942992413259af5b0272ac3bb8d066543cc6
Instruction Fuzzy Hash: 91819F70900209EFDB15EFB8D884BEEBBB4EF48714F14512AE421B7390DB709A45CB62

Function 00FD74C0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(01146054,8CB281B6,?,00000010), ref: 00FD74FC

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

EnterCriticalSection.KERNEL32(00000010,8CB281B6,?,00000010), ref: 00FD7509
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00FD753B
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00FD7544
WriteFile.KERNEL32(00000000,00FC3C07,6054B9EC,010A500D,00000000,010C334C,00000001,?,?,000000FF,00000000), ref: 00FD75C6
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00FD75CF
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FD7605
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FD760E
WriteFile.KERNEL32(00000000,?,?,?,00000000,010C58A8,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FD766F
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FD7678
LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FD76A8

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Strings

Bw, xrefs: 00FD76A8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
String ID: Bw
API String ID: 201293332-2555579916
Opcode ID: 10d2143f81f8c5e75c704c505cbeec30c743b6e4783f24f4e694fbeff329cac2
Instruction ID: 28dbacd65d6e2f9288d2fec5af4f51489bbe8e2d8261a4ef2df361ae603b7647
Opcode Fuzzy Hash: 10d2143f81f8c5e75c704c505cbeec30c743b6e4783f24f4e694fbeff329cac2
Instruction Fuzzy Hash: 3961B031905644AFDB10DF68CD49BAEBBB9FF05310F14815AF841AB3A1E735A914DFA0

Function 00FCEC20 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 413registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,8CB281B6,?,?), ref: 00FCEC83
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00FCEE19
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00FCEE75
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00FCEEC5
RegCloseKey.ADVAPI32(?), ref: 00FCEF05

Strings

Software\JavaSoft\Java Development Kit\, xrefs: 00FCEC75, 00FCEC7D
JavaHome, xrefs: 00FCEE6F, 00FCEEBA
Software\JavaSoft\Java Runtime Environment\, xrefs: 00FCEC66

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: OpenQueryValue$Close
String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
API String ID: 2529929805-1079072530
Opcode ID: 8c2cdc41abe0c542a77b9d021328afff7ee80deb160e9696fb389a7ca8fef1f7
Instruction ID: b949c86ed53dc0bbce09109707c9ceedc37ab4fd8cf1dc5cc0aea36ae7803dd3
Opcode Fuzzy Hash: 8c2cdc41abe0c542a77b9d021328afff7ee80deb160e9696fb389a7ca8fef1f7
Instruction Fuzzy Hash: 07029E70D0126A9BDB24DF28CD89BDEB7B4AF44314F1442EDE409A7281DB75AE88DF50

Function 00FD81B0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 302libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,8CB281B6,?,?,01146054), ref: 00FD81F8
LoadLibraryW.KERNEL32(Shell32.dll,?,01146054), ref: 00FD8207
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00FD821B
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00FD829A
SHGetMalloc.SHELL32(?), ref: 00FD82D7
PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,?,00000000), ref: 00FD832A
CreateDirectoryW.KERNEL32(?,?,Everyone,10000000,00000000,?,00000000), ref: 00FD83B5

Strings

ADVINST_LOGS, xrefs: 00FD831D
Everyone, xrefs: 00FD8371
SHGetSpecialFolderPathW, xrefs: 00FD8215
Shell32.dll, xrefs: 00FD8202

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Path$AddressCreateDirectoryExistsFileFolderFromLibraryListLoadLocationMallocProcSpecial
String ID: ADVINST_LOGS$Everyone$SHGetSpecialFolderPathW$Shell32.dll
API String ID: 1254244429-1733115844
Opcode ID: 721b31141aa638cd6d8dabfc94be8df8dfe9636a86a0a498e8e2cfc4523bfe0e
Instruction ID: b170d6a728151afea2f88dbbafb34b01146e3bbdfd82cd1fd8125203f15d697f
Opcode Fuzzy Hash: 721b31141aa638cd6d8dabfc94be8df8dfe9636a86a0a498e8e2cfc4523bfe0e
Instruction Fuzzy Hash: CAB1BC71D00609DFDB10DFA9C845BAEFBF5AF55320F28821AE415BB390EB759A01DB60

Function 00ECC7D0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 229windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,8CB281B6), ref: 00ECC85C

Part of subcall function 00EB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EB0DE6

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00ECC95F
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00ECC973
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00ECC988
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00ECC99D
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00ECC9B4
GetWindowRect.USER32(?,?), ref: 00ECC9E6
SendMessageW.USER32(00000000,00000412,00000000), ref: 00ECCA48
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00ECCA58

Strings

tooltips_class32, xrefs: 00ECC855
,, xrefs: 00ECC90E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$Window$CreateLongRect
String ID: ,$tooltips_class32
API String ID: 1954517558-3856767331
Opcode ID: 8620c774fb4327b7f11dc14622aba7ce2bf6786c18de67a4a16f08036c71c7c3
Instruction ID: 6ff167cae8389a079caaf7df4a33e2045f74793e3a22599669c5bb16e2fcaa10
Opcode Fuzzy Hash: 8620c774fb4327b7f11dc14622aba7ce2bf6786c18de67a4a16f08036c71c7c3
Instruction Fuzzy Hash: 4D914E71A00308AFDB24CFA4DD95FEEBBF8FB08700F14452AE516EA694D775A944CB50

Function 00FA8440 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 223threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0114611C,8CB281B6,?,?,00000000,?,?,?,?,?,00000000,0109B407,000000FF), ref: 00FA84B3
EnterCriticalSection.KERNEL32(?,8CB281B6,?,?,00000000,?,?,?,?,?,00000000,0109B407,000000FF), ref: 00FA84C5
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,0109B407,000000FF), ref: 00FA84D2
GetCurrentThread.KERNEL32 ref: 00FA84DD
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,00000000,?,010C337C,00000000,?,?,?,?,?,00000000,0109B407,000000FF), ref: 00FA86BE
LeaveCriticalSection.KERNEL32(?,010C337C,00000000,?,?,?,?,?,00000000,0109B407,000000FF), ref: 00FA879A

Strings

<--------------------MORE--FRAMES-------------------->, xrefs: 00FA8662
[0x%.8Ix] , xrefs: 00FA86C5
*** Stack Trace (x86) ***, xrefs: 00FA85B7
MODULE_BASE_ADDRESS, xrefs: 00FA870B
Bw, xrefs: 00FA879A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$ Bw$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
API String ID: 3051236879-1089596180
Opcode ID: b5640fa4a384b74a575d48473feda59249331201917a8dd6dad64f4e887528fe
Instruction ID: 26153ca3001471e0732fe0e69b815831967954c6b0fbdcbc28fd894c321d4711
Opcode Fuzzy Hash: b5640fa4a384b74a575d48473feda59249331201917a8dd6dad64f4e887528fe
Instruction Fuzzy Hash: AAA179B1900388DFDB25DFA4CC45BEE7BB8BF4A708F004069E959AB281DBB55B05CB50

Function 00FA9D00 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA2350: LoadLibraryW.KERNEL32(ComCtl32.dll,8CB281B6,00000000,?,00000000), ref: 00FA238E
Part of subcall function 00FA2350: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FA23B1
Part of subcall function 00FA2350: FreeLibrary.KERNEL32(00000000), ref: 00FA242F

GetDlgItem.USER32(?,000001F4), ref: 00FA9D41
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00FA9D52
MulDiv.KERNEL32(00000009,00000000), ref: 00FA9D6A
GetDlgItem.USER32(?,000001F6), ref: 00FA9DA4
IsWindow.USER32(00000000), ref: 00FA9DAD
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00FA9DC4
GetDlgItem.USER32(?,000001F8), ref: 00FA9DCE
GetWindowRect.USER32(?,?), ref: 00FA9DDF
GetWindowRect.USER32(?,?), ref: 00FA9DF2
GetWindowRect.USER32(00000000,?), ref: 00FA9E02

Strings

Courier New, xrefs: 00FA9D70

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
String ID: Courier New
API String ID: 1717253393-2572734833
Opcode ID: b15fd428014ed74e701adaa42af978dee58cbae6ae69b727a7b8d636b279a8f3
Instruction ID: f7e4f1fa154e6b78672e8496cebdfae950ce689a3017c2a63d298d302e7a7559
Opcode Fuzzy Hash: b15fd428014ed74e701adaa42af978dee58cbae6ae69b727a7b8d636b279a8f3
Instruction Fuzzy Hash: B341A571BC43097BEB249F259C42FAE77A9EF49B04F010529FB157A5C1DAF4A8808B54

Function 00EAF5F0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(01146250,8CB281B6,00000000,?,?,?,?,?,?,P,0105F68D,000000FF), ref: 00EAF62D
LoadCursorW.USER32(00000000,00007F00), ref: 00EAF6A8
LoadCursorW.USER32(00000000,00007F00), ref: 00EAF74E
LeaveCriticalSection.KERNEL32(01146250), ref: 00EAF7A3

Strings

P, xrefs: 00EAF600
0, xrefs: 00EAF733
WM_ATLGETCONTROL, xrefs: 00EAF644
AtlAxWinLic140, xrefs: 00EAF70F, 00EAF765
WM_ATLGETHOST, xrefs: 00EAF639
Bw, xrefs: 00EAF7A3
AtlAxWin140, xrefs: 00EAF65F, 00EAF6C3

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: Bw$0$AtlAxWin140$AtlAxWinLic140$P$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-2973112047
Opcode ID: c695a973b0f42bdcebca8592c667d6005984b87cb95ac8d7381f7dfedb69d370
Instruction ID: 1bc1739829d29b605a3a47b07d191f3882e24ac14566377915eebb6650b633d5
Opcode Fuzzy Hash: c695a973b0f42bdcebca8592c667d6005984b87cb95ac8d7381f7dfedb69d370
Instruction Fuzzy Hash: 005138B4C10219AFCB65CF94D944BDEBFF8BF09B14F14422AE414BB280D77559448FA0

Function 00FA5310 Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 492COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FA54AE
__Init_thread_footer.LIBCMT ref: 00FA5607
GetStdHandle.KERNEL32(000000F5,?,8CB281B6,?,?), ref: 00FA568F
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00FA5696
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00FA56AA
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00FA56B1

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,00000000,00000000,010C58A8,00000002,?,?), ref: 00FA5740
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00FA5747
IsWindow.USER32(00000000), ref: 00FA5960

Strings

Error, xrefs: 00FA58FF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
String ID: Error
API String ID: 2811146417-2619118453
Opcode ID: 1bd88368996076336916cd669302a7621785ba1cc6eb78462ec93d259f3c7521
Instruction ID: ef07646e7119ae924105230780d1c8a4250426e764246a8aa74edba70c8b1249
Opcode Fuzzy Hash: 1bd88368996076336916cd669302a7621785ba1cc6eb78462ec93d259f3c7521
Instruction Fuzzy Hash: 23224BB4D00708DFDB24CFA4C844BDEBBB4BF5A724F244299D455AB280DB75AA88CF51

Function 00F059B0 Relevance: 16.7, APIs: 11, Instructions: 170COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F059F7
GetParent.USER32 ref: 00F05A0D
GetWindowRect.USER32(?,?), ref: 00F05A18
GetParent.USER32(?), ref: 00F05A20
GetWindow.USER32(?,00000004), ref: 00F05A52
GetWindowRect.USER32(?,?), ref: 00F05A60
GetWindowLongW.USER32(00000000,000000F0), ref: 00F05A6D
MonitorFromWindow.USER32(?,00000002), ref: 00F05A85
GetMonitorInfoW.USER32(00000000,?), ref: 00F05A9F
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000004), ref: 00F05B4D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$LongMonitorParentRect$FromInfo
String ID:
API String ID: 1820395375-0
Opcode ID: cd9a571a10c3b580dc996596d3ec9e6d001266abb4c83a8e32f916c4e50a0577
Instruction ID: a87cf6cb3a74cdcaddd10a8e43eebcb7c5c8f12c92cf92d5c8aced1e43a7ebcd
Opcode Fuzzy Hash: cd9a571a10c3b580dc996596d3ec9e6d001266abb4c83a8e32f916c4e50a0577
Instruction Fuzzy Hash: 25516076E005199FDF24CBA8CD45B9EBBB9FB48720F254229E815A7284DB30AD44DF90

Function 00FA93B0 Relevance: 16.6, APIs: 11, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FA93EF
GetWindowLongW.USER32(?,000000F0), ref: 00FA9400
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA9412
GetWindowLongW.USER32(?,000000EC), ref: 00FA9425
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA9434
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00FA9448
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA9457
GetWindowRect.USER32(?,?), ref: 00FA9496
GetDlgItem.USER32(?,?), ref: 00FA94D2
IsWindow.USER32(00000000), ref: 00FA94DD
GetWindowRect.USER32(?,?), ref: 00FA94F8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$MessageRectSend$Item
String ID:
API String ID: 661679956-0
Opcode ID: 8a749bcf1fff6b374c7ccfa92f01fa5a6249d74fede76869e44f2772015ed763
Instruction ID: 3a6c5d9a1c14d3c2f1dc68ee0e1b9ae4763f5f7dfa999aec38e271a627f5a3ff
Opcode Fuzzy Hash: 8a749bcf1fff6b374c7ccfa92f01fa5a6249d74fede76869e44f2772015ed763
Instruction Fuzzy Hash: 1641C1759087019FD720DF68DC80F2BB7E4BF99710F148A2DF9AA92591D770E8848B61

Function 00FCF880 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 296libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F61FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F61FF1
Part of subcall function 00F61FB0: _wcschr.LIBVCRUNTIME ref: 00F620AF

GetLastError.KERNEL32(8CB281B6,?,?,?,000000FF,?,00FB4196,?,?), ref: 00FCF8ED
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00FCFA7A
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00FCFADE
FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,00FB4196,?,?), ref: 00FCFBD2

Strings

x86, xrefs: 00FCF938
GetPackagePath, xrefs: 00FCFA74, 00FCFAD8
Kernel32.dll, xrefs: 00FCF8C1
x64, xrefs: 00FCF966
neutral, xrefs: 00FCF982

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem_wcschr
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
API String ID: 3734293021-4043905686
Opcode ID: f9d8d626cce35b2ec0935ffab29d404320157f595af428510371a833cb5e7050
Instruction ID: bdec49c869efcccfc594a651b2d9ab9e3809eab787439fcde1b89ae8818790e3
Opcode Fuzzy Hash: f9d8d626cce35b2ec0935ffab29d404320157f595af428510371a833cb5e7050
Instruction Fuzzy Hash: 0BC17B70A0020ADFDB14CFA8C995BADFBB5FF49324F14826DE415AB291DB74AD04CB90

Function 00FF2A80 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 282COMMON

Download Yara Rule

Strings

PropertyValue, xrefs: 00FF2CC9
TimeRemaining, xrefs: 00FF2C4F
Progress, xrefs: 00FF2ABD
Text, xrefs: 00FF2AFA
Visible, xrefs: 00FF2B6D
Enabled, xrefs: 00FF2BE0

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
API String ID: 0-2691827946
Opcode ID: c9f74be4e9414e0b2ee5294d800ea2fc2703daf83bc649a10d98a39b0ccbcaa6
Instruction ID: e6c971442f994d54240886931eb8b74b870ad0240b622c3557b0883ae5a53d3f
Opcode Fuzzy Hash: c9f74be4e9414e0b2ee5294d800ea2fc2703daf83bc649a10d98a39b0ccbcaa6
Instruction Fuzzy Hash: DCB18BB1A00349DFDB14CF48D844BAEBBE1FF95320F14826EE9659B390D7769A00DB91

Function 00FCD7C0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 121COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00FCD7F6

Strings

HKLM, xrefs: 00FCD825
HKCC, xrefs: 00FCD8A5
HKEY_CLASSES_ROOT, xrefs: 00FCD891
HKEY_LOCAL_MACHINE, xrefs: 00FCD83D
HKEY_CURRENT_CONFIG, xrefs: 00FCD8B9
HKEY_CURRENT_USER, xrefs: 00FCD869
HKCU, xrefs: 00FCD855
HKCR, xrefs: 00FCD87D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: _wcschr
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
API String ID: 2691759472-1956487666
Opcode ID: 42fa628aacf4ff079a66c6777f31742ea1791bfce20eb8d4070ae8c458caad80
Instruction ID: c39fb6fbadac4db763eb65bab3cc0a8af302c23c2c90cdc7947f242918683fa2
Opcode Fuzzy Hash: 42fa628aacf4ff079a66c6777f31742ea1791bfce20eb8d4070ae8c458caad80
Instruction Fuzzy Hash: D541F5B6E40707ABDB105B65CD02FAEB7A8EB10321F14457EEC50E66D0EB71DC00EAA1

Function 00ED2860 Relevance: 15.4, APIs: 10, Instructions: 404memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

CreateThread.KERNEL32(00000000,00000000,00ED29B0,010C7458,00000000,?), ref: 00ED292A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00ED2943
CloseHandle.KERNEL32(00000000), ref: 00ED2959
CoInitializeEx.COMBASE(00000000,00000000), ref: 00ED2A09
GetProcessHeap.KERNEL32(?,00000000), ref: 00ED2B0B
HeapFree.KERNEL32(00000000,?,00000000), ref: 00ED2B11
GetProcessHeap.KERNEL32(?,00000000), ref: 00ED2B90
HeapFree.KERNEL32(00000000,?,00000000), ref: 00ED2B96
CoUninitialize.COMBASE ref: 00ED2CEA
Concurrency::cancel_current_task.LIBCPMT ref: 00ED2D6B

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$Process$FreeInit_thread_footer$CloseConcurrency::cancel_current_taskCreateHandleInitializeObjectSingleThreadUninitializeWait
String ID:
API String ID: 1779960141-0
Opcode ID: af086ebbd6626983aa8d8b7915f2f9376e214cfde0ac5b7eb62ec3c06882ac01
Instruction ID: 47cebd21099ea6d6e5f6e7f547d1b21525e26590c99a54331ca95f80d7432aaf
Opcode Fuzzy Hash: af086ebbd6626983aa8d8b7915f2f9376e214cfde0ac5b7eb62ec3c06882ac01
Instruction Fuzzy Hash: BCF16970900209DFDB14DFA8C944BEEBBB8FF54304F20815EE955BB291DB74AA45CBA1

Function 00EC3190 Relevance: 15.3, APIs: 10, Instructions: 339memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EC31EA
VariantClear.OLEAUT32(?), ref: 00EC321C
VariantClear.OLEAUT32(?), ref: 00EC3316
VariantClear.OLEAUT32(?), ref: 00EC3345
SysFreeString.OLEAUT32(00000000), ref: 00EC334C
SysAllocString.OLEAUT32(00000000), ref: 00EC3393
VariantClear.OLEAUT32(?), ref: 00EC341A
VariantClear.OLEAUT32(?), ref: 00EC344C
VariantClear.OLEAUT32(?), ref: 00EC3527
VariantClear.OLEAUT32(?), ref: 00EC3556

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID:
API String ID: 1305860026-0
Opcode ID: 75a68f5c94ed75804c407507560164f10d8506d89e5dcb82f58d85d6518a565a
Instruction ID: 5fb08489998d5a7e16ef0fc56e17da6d9b70606c7f4b3984f2e544ede4ebc009
Opcode Fuzzy Hash: 75a68f5c94ed75804c407507560164f10d8506d89e5dcb82f58d85d6518a565a
Instruction Fuzzy Hash: 4AC17831A002489FCB14DFA8C944BDEBBF4FF49714F149269E414F7291E739AA46CBA4

Function 00FD2BC0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 343synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

ResetEvent.KERNEL32(?,?,?), ref: 00FD2C4A
SetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00FD2C83
ResetEvent.KERNEL32(?,?,?,?,?,00000001,08000000,?,?,?), ref: 00FD2E19
SetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000,?,?,?), ref: 00FD2E4B
ResetEvent.KERNEL32(?,?,?,?,?,?,00000001,08000000), ref: 00FD2F26
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00FD2F43
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000001,08000000), ref: 00FD2F4A

Strings

FTP Server, xrefs: 00FD2CF6, 00FD2D08, 00FD2D12

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Event$Reset$Init_thread_footerObjectSingleWait$HeapProcess
String ID: FTP Server
API String ID: 3860647947-688436434
Opcode ID: f84d702cc91edd1ce85f4640344757bc4ad28d63396a04349df8429373b321aa
Instruction ID: 0edcd1d2ce3d604a28f52e55f5ff782d8630802967b2cf0dd94b14d84375fbf8
Opcode Fuzzy Hash: f84d702cc91edd1ce85f4640344757bc4ad28d63396a04349df8429373b321aa
Instruction Fuzzy Hash: 75D1A231A00245DFDB50DF68C888B9EBBB6FF59324F18825AE814AB392D734DD44DB90

Function 00FD4900 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 178fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,00FB4998), ref: 00FD49F3
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 00FD4A37
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00FD4A54
CloseHandle.KERNEL32(00000000), ref: 00FD4A6E
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00FD4AAD

Strings

Unable to get temp file , xrefs: 00FD49D4
ps1, xrefs: 00FD4969, 00FD497B, 00FD4985, 00FD4996
Unable to save script file , xrefs: 00FD4A7D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 2821137686-4253966538
Opcode ID: 5a5d3a79a950d347cde22cd3f649e6ef2b2cfb5238544c67a65db13291641511
Instruction ID: 570472609a51d60921365bb84634b99be91960d23448116ad6096a09f84a0ed0
Opcode Fuzzy Hash: 5a5d3a79a950d347cde22cd3f649e6ef2b2cfb5238544c67a65db13291641511
Instruction Fuzzy Hash: B251D371A00609AFDB10DFA8CC45BAEBBB9AF05714F188259E550BB382D774AD04DBA4

Function 00FC3C80 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00FC3CBE
GetUserDefaultLangID.KERNEL32 ref: 00FC3CCB
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00FC3CDD
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00FC3CF1
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00FC3D06

Strings

kernel32.dll, xrefs: 00FC3CD4
GetSystemDefaultUILanguage, xrefs: 00FC3CEB
GetUserDefaultUILanguage, xrefs: 00FC3D00

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: 3deb8bcf7c84ecbeaf10747dad3d089e3936a8706452c3829f8a67611bb59ade
Instruction ID: 2f7f6adfaf691149ac1118d8784688554615fd5d2c28b49bd402cd162a85aea7
Opcode Fuzzy Hash: 3deb8bcf7c84ecbeaf10747dad3d089e3936a8706452c3829f8a67611bb59ade
Instruction Fuzzy Hash: 8941E030A043069BC754EF24D551BBAB7E1BFE8391F91591EF8C6C7280EB358A44DB52

Function 01039810 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01039847
___except_validate_context_record.LIBVCRUNTIME ref: 0103984F
_ValidateLocalCookies.LIBCMT ref: 010398D8
__IsNonwritableInCurrentImage.LIBCMT ref: 01039903
_ValidateLocalCookies.LIBCMT ref: 01039958
___vcrt_initialize_locks.LIBVCRUNTIME ref: 0103996E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 01039983

Strings

csm, xrefs: 010398ED

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: 253d0b2791485c3abe19b4a9ccdda86f948ca6b886be8514d6cd5a978790f702
Instruction ID: 6504b8b422aee31ab62a00c7b33b2e1a887725045d5df6c5b35dd68c1898636c
Opcode Fuzzy Hash: 253d0b2791485c3abe19b4a9ccdda86f948ca6b886be8514d6cd5a978790f702
Instruction Fuzzy Hash: 8641A234E0020AEBDF14DF6CC880ADEBBE9AFD5318F148096E9959B392D771D905CB91

Function 00FA9A60 Relevance: 13.7, APIs: 9, Instructions: 202COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00FA9A94
EndDialog.USER32(?,00000000), ref: 00FA9B52

Part of subcall function 00FA9550: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00FA9582
Part of subcall function 00FA9550: GetWindowLongW.USER32(?,000000F0), ref: 00FA9588
Part of subcall function 00FA9550: GetDlgItem.USER32(?,?), ref: 00FA95FA
Part of subcall function 00FA9550: GetWindowRect.USER32(00000000,?), ref: 00FA9612

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Long$DialogItemMessageRectSend
String ID:
API String ID: 188208873-0
Opcode ID: 1911bd08878549b1cfb6e3984731f1a43b8ce94663b8aa2c29071fd7827ed0fe
Instruction ID: 1c6b5e772f92b5655a80439219e07828a3d5ad4bfbee8802935534e1b778388c
Opcode Fuzzy Hash: 1911bd08878549b1cfb6e3984731f1a43b8ce94663b8aa2c29071fd7827ed0fe
Instruction Fuzzy Hash: 8C71A375A086069BDB24CF68C848BAEBBF4FB49730F140639E426E7AD0D7B4D940DB50

Function 00F89FD0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 232fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?), ref: 00F8A069
CloseHandle.KERNEL32(00000000), ref: 00F8A090

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

Part of subcall function 00F8BC00: FindResourceW.KERNEL32(00000000,00000001,00000006,?,00000000,?,?,80070057,8CB281B6,?,?,00000000,0105D670,000000FF,?,00FD338D), ref: 00F8BC3D
Part of subcall function 00F8BC00: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 00F8BC6E

WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?), ref: 00F8A105
CloseHandle.KERNEL32(00000000), ref: 00F8A157

Part of subcall function 00F8BA20: WideCharToMultiByte.KERNEL32(00000003,00000000,00FB3DCA,000000FF,00000000,00000000,00000000,00000000,?,?,?,00FB3DCA,?,?), ref: 00F8BA3C
Part of subcall function 00F8BA20: WideCharToMultiByte.KERNEL32(00000003,00000000,00FB3DCA,000000FF,?,-00000001,00000000,00000000,?,?,?,00FB3DCA,?,?), ref: 00F8BA73

Strings

EXE, xrefs: 00F8A023
.bat, xrefs: 00F8A01E
open, xrefs: 00F8A183

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ByteCharMultiWide$CloseFileHandleInit_thread_footer$CreateFindHeapProcessResourceWrite
String ID: .bat$EXE$open
API String ID: 4275363648-2898749727
Opcode ID: c6f2ba5d15876e07503302c4e820438d146d322516aaadc4974370ccb77abcce
Instruction ID: dd4eeae28bb46b4f40bb9387b98d377d9eec462e485f5f18a4f7cc53134a0559
Opcode Fuzzy Hash: c6f2ba5d15876e07503302c4e820438d146d322516aaadc4974370ccb77abcce
Instruction Fuzzy Hash: E3A16970901648EFEB11DFA8CD48B8DFBB4FF49324F24829AE414AB291DB74A944DF51

Function 00ECB720 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 218windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 00ECB771
SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00ECB7D5
lstrcpynW.KERNEL32(?,?,00000020), ref: 00ECB847
MulDiv.KERNEL32(?,00000048,00000000), ref: 00ECB884
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00ECB8B6

Strings

?, xrefs: 00ECB88A
t, xrefs: 00ECB892

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$lstrcpyn
String ID: ?$t
API String ID: 3928028829-1995845436
Opcode ID: 4926c123d5b64e39b45ad05009180888378e30e140ed42d1e2a69a1e0fe2a6f2
Instruction ID: 373389f1d4be61674d099df9bb15f593924f57bc51122685c743adc1570718f1
Opcode Fuzzy Hash: 4926c123d5b64e39b45ad05009180888378e30e140ed42d1e2a69a1e0fe2a6f2
Instruction Fuzzy Hash: A791AF71604340AFE321DF64C845F9BBBE8BF89700F004A2AF6A9D71A0D775E544CB52

Function 00EB6C00 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00EB6CEF

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00EB6D43
CloseHandle.KERNEL32(00000000), ref: 00EB6D92

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00EB6DF6
CloseHandle.KERNEL32(00000000,?), ref: 00EB6E1C

Strings

html, xrefs: 00EB6CFC
aix, xrefs: 00EB6D01

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html
API String ID: 2030708724-2369804267
Opcode ID: 96794d1e746a01601a7c11e69e95a6e328c1016866f16917138b885b1184f1d7
Instruction ID: b7aec37931ab7ec9bfc51dd3412201b27fa1f3f534ff7c1ce1f4b9f566a45fbd
Opcode Fuzzy Hash: 96794d1e746a01601a7c11e69e95a6e328c1016866f16917138b885b1184f1d7
Instruction Fuzzy Hash: BF519EB0A00248EFDB24DF94D849BDEBBF4FB46708F10416DE451AB284D7B96A48CB61

Function 00F82470 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74libraryloaderwindowCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F82500

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00F8253D
__Init_thread_footer.LIBCMT ref: 00F82554
SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00F8257F

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

Part of subcall function 00F61FB0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F61FF1
Part of subcall function 00F61FB0: _wcschr.LIBVCRUNTIME ref: 00F620AF

Strings

UxTheme.dll, xrefs: 00F824D1
SetWindowTheme, xrefs: 00F82532
explorer, xrefs: 00F82567

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake_wcschr
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 3852524043-3123591815
Opcode ID: ba0ba2c3a3ece8aaeae41a71ca27790a23006fca82202cfbe8d04b849e8d50b5
Instruction ID: 075d15a4600a85126fe12d3eaad23fa1e5a517f65e25539e9a17210da14ed3c0
Opcode Fuzzy Hash: ba0ba2c3a3ece8aaeae41a71ca27790a23006fca82202cfbe8d04b849e8d50b5
Instruction Fuzzy Hash: E421E4B4E40300EBC734DF14ED05B89B7A4EB16BA4F100229E8289F288D775AE41DB90

Function 00EB97E0 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EB980A
GetWindow.USER32(?,00000005), ref: 00EB9817
GetWindow.USER32(00000000,00000002), ref: 00EB9952

Part of subcall function 00EB9660: GetWindowRect.USER32(?,?), ref: 00EB968C
Part of subcall function 00EB9660: GetWindowRect.USER32(?,?), ref: 00EB969C

GetWindowRect.USER32(?,?), ref: 00EB98AB
GetWindowRect.USER32(00000000,?), ref: 00EB98BB
GetWindowRect.USER32(00000000,?), ref: 00EB98D5

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: faaeab1f4cf7e6d358b88c1eb07fd557087e1d71d3405f95bf942e8f31fff14c
Instruction ID: 9e785a553e312db092f31d4d7062b17e250b6097870df60b4410d61a8740582d
Opcode Fuzzy Hash: faaeab1f4cf7e6d358b88c1eb07fd557087e1d71d3405f95bf942e8f31fff14c
Instruction Fuzzy Hash: 5B41AF305087419BC721DF25C980AABF7E9BFD6704F545A1DF285A3622EB30E988CB52

Function 01035BAB Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,01035D55,00000000,?,?,00EB0B74,?), ref: 01035BCF
HeapAlloc.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035BD6

Part of subcall function 01035CA1: IsProcessorFeaturePresent.KERNEL32(0000000C,01035BBD,00000000,?,01035D55,00000000,?,?,00EB0B74,?), ref: 01035CA3

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,01035D55,00000000,?,?,00EB0B74,?), ref: 01035BE6
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00EB0B74,?), ref: 01035C0D
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,00EB0B74,?), ref: 01035C21
InterlockedPopEntrySList.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035C34
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00EB0B74,?), ref: 01035C47

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 0a4a10c70f1e4e196d03c67e02fd6fb9bfbb530efca29550996ed52d67b3000f
Instruction ID: add83422696bef56ec4beb0cc3bd2747d034c981baea45a739544338653c53fe
Opcode Fuzzy Hash: 0a4a10c70f1e4e196d03c67e02fd6fb9bfbb530efca29550996ed52d67b3000f
Instruction Fuzzy Hash: 87112E31610619AFE7311B68AC88FAF769CFB84799F094522FAC1D6264DA25CC004774

Function 00FD0260 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 454synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD2140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00FD029A,?,8CB281B6,?,?,?,000000FF,?), ref: 00FD2154
Part of subcall function 00FD2140: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00FD029A,?,8CB281B6,?,?,?,000000FF,?,00FCFC64), ref: 00FD2171
Part of subcall function 00FD2140: GetLastError.KERNEL32(?,8CB281B6,?,?,?,000000FF,?,00FCFC64,?,?,00000000,00000000,8CB281B6,?,?), ref: 00FD21D0

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

ResetEvent.KERNEL32(?,00000000,010A38DD), ref: 00FD036A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FD0389
WaitForSingleObject.KERNEL32(8CB281B6,000000FF), ref: 00FD0390

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

Strings

attachment, xrefs: 00FD059D
filename, xrefs: 00FD06E1
GET, xrefs: 00FD02EA

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Event$CreateInit_thread_footerObjectSingleWait$ErrorFindHeapLastProcessResetResource
String ID: GET$attachment$filename
API String ID: 818129584-3911147371
Opcode ID: 974d87242c6d81ba0b3e0d339fcc34d0d183efcebf4a6aa7ddcad43450d55957
Instruction ID: 5f0093d53c998f6c8c27970447933e5fe9ce3aaa55a89e4ceb1d77c111fbb965
Opcode Fuzzy Hash: 974d87242c6d81ba0b3e0d339fcc34d0d183efcebf4a6aa7ddcad43450d55957
Instruction Fuzzy Hash: FB02AD70901249DFDB10DFA8C944BEEBBF5BF15324F18816AE815AB391DB74AA04DF90

Function 00FE6EA0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 371COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

_wcschr.LIBVCRUNTIME ref: 00FE6F6B
_wcschr.LIBVCRUNTIME ref: 00FE701D
_wcschr.LIBVCRUNTIME ref: 00FE703C

Part of subcall function 00EA9390: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,00EB69F0,-00000010,?,00EBAA9D,*.*), ref: 00EA93B7

_wcschr.LIBVCRUNTIME ref: 00FE70E2
GetTickCount.KERNEL32 ref: 00FE728A

Strings

0123456789AaBbCcDdEeFf, xrefs: 00FE6F01, 00FE6F13, 00FE6F1D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: _wcschr$Init_thread_footer$CountFindHeapProcessResourceTick
String ID: 0123456789AaBbCcDdEeFf
API String ID: 2181188311-3822820098
Opcode ID: f8c7162ff73479ec9b633fdf72ace250274a50ab13a31d3c08c3f6a5c0e4e0fb
Instruction ID: 0bee021213e97a193bb477c3216c538fac5c961fd83ae4917a23240d97d1722c
Opcode Fuzzy Hash: f8c7162ff73479ec9b633fdf72ace250274a50ab13a31d3c08c3f6a5c0e4e0fb
Instruction Fuzzy Hash: 33D13F31A007458FDB20EF6AC888BAEB7F5FF48320F14865DE5659B291DB34E845DB90

Function 00FA09E0 Relevance: 10.8, APIs: 7, Instructions: 300fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,8CB281B6,?,00000000), ref: 00FA0A69
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000), ref: 00FA0AEC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FA0B39
GetFileSize.KERNEL32(00000000,00000000), ref: 00FA0B42
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FA0BA5
CloseHandle.KERNEL32(00000000), ref: 00FA0CF7
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00FA0D7F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointerSize
String ID:
API String ID: 4181610692-0
Opcode ID: 417632957eeb5af468c9dcd0e7232b9005ffbab564380a872e0d22ab51f5ae3e
Instruction ID: 85466665510e3302d64bba25230eb542aa8610521fe2b5ba51198f50fe120299
Opcode Fuzzy Hash: 417632957eeb5af468c9dcd0e7232b9005ffbab564380a872e0d22ab51f5ae3e
Instruction Fuzzy Hash: FBC180B1D00308DFDB24CFA4D984BEEBBB5BF46314F208259E455BB281DB74AA45DB90

Function 00EAEFA0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EAF06A
SysFreeString.OLEAUT32(00000000), ref: 00EAF0B6
SysFreeString.OLEAUT32(00000000), ref: 00EAF0D8
SysFreeString.OLEAUT32(00000000), ref: 00EAF233

Strings

P, xrefs: 00EAF1AF, 00EAF2A2
P, xrefs: 00EAF24A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: String$Free$Alloc
String ID: P$P
API String ID: 986138563-2819496421
Opcode ID: 7884bb5cbb49fef1214830a971cb653f16ffbd9382f33b79a205037993485a64
Instruction ID: b2511736ed7ce4e3ca76b4a42c26a12b2e4c9d530c56bb7eab1f199d6c83dc24
Opcode Fuzzy Hash: 7884bb5cbb49fef1214830a971cb653f16ffbd9382f33b79a205037993485a64
Instruction Fuzzy Hash: 47A18F75A0020AEFDB14DFA8CC84BAFB7B8FF49714F104129E515EB281D774AA05CB61

Function 00EB4E50 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(01146008,8CB281B6,?,?,?,?,?,?,?,?,?,?,?,?,00000000,010604E5), ref: 00EB4EBA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,010604E5), ref: 00EB4F3A
EnterCriticalSection.KERNEL32(01146024,?,?,?,?,?,?,?,?,?,?,?,00000000,010604E5,000000FF), ref: 00EB50F3
LeaveCriticalSection.KERNEL32(01146024,?,?,?,?,?,?,?,?,?,?,00000000,010604E5,000000FF), ref: 00EB5114

Strings

Bw, xrefs: 00EB510D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID: Bw
API String ID: 1807155316-2555579916
Opcode ID: 9240914d767b03cb5c230acf610720349afb6850dffc828ad19d4359fd8349cb
Instruction ID: 63c8884d9f99e1b12bfdea33f01c395b32645d2a23f5fc31ccf7f1fbf336020f
Opcode Fuzzy Hash: 9240914d767b03cb5c230acf610720349afb6850dffc828ad19d4359fd8349cb
Instruction Fuzzy Hash: 4CB19E75A01649DFDB25CFA8C888BEFBBB4BF09318F144168E415BB285C775AD44CBA0

Function 00EB0E10 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 194comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(010C37FC,00000000,00000001,010C3E84,?), ref: 00EB0EE0

Strings

:, xrefs: 00EB0ECA
{, xrefs: 00EB0F40

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateInstance
String ID: :${
API String ID: 542301482-3766677574
Opcode ID: a963bc8f2c88401997ce2ef049dd36ace751f010127c10593d1d805e995421ac
Instruction ID: 05856faff92c51c17cd0614667539b836b21d96258a75de09a669d9afb02edb4
Opcode Fuzzy Hash: a963bc8f2c88401997ce2ef049dd36ace751f010127c10593d1d805e995421ac
Instruction Fuzzy Hash: C6619E74B002559BDF289F988894BFFB7B4AB09B18F14546DE851FB280D775EC80CB61

Function 00ED4CC3 Relevance: 10.7, APIs: 7, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00ED4D55
SysFreeString.OLEAUT32(00000000), ref: 00ED4DCA
GetProcessHeap.KERNEL32(?,?), ref: 00ED4E30
HeapFree.KERNEL32(00000000,?,?), ref: 00ED4E36
GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00ED4E66
HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00ED4E6C
SysFreeString.OLEAUT32(00000000), ref: 00ED4E84

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
Instruction ID: 27f0ce3d444997136f6f0afdd463086cf97d1addcbad14b75e25d26dfe43d94a
Opcode Fuzzy Hash: c14391def34d30c0b168fa8ca342d20c76c682d681f1f84f8917b2a93bac1295
Instruction Fuzzy Hash: C8615BB0D0025A9BDF11DFA8C8847AEBBB4FF25314F14415AD861BB3C1D7789A06CBA1

Function 00EB2500 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(01146250,8CB281B6,00000000,0114626C), ref: 00EB2573
LeaveCriticalSection.KERNEL32(01146250), ref: 00EB25D7
LoadCursorW.USER32(00EA0000,?), ref: 00EB2630
LeaveCriticalSection.KERNEL32(01146250), ref: 00EB26C8

Strings

ATL:%p, xrefs: 00EB2650
Bw, xrefs: 00EB25D7, 00EB26C8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$Leave$CursorEnterLoad
String ID: Bw$ATL:%p
API String ID: 2080323225-355214207
Opcode ID: 59112e167bff653a689afe48181bf1ac3ea7771091d795c1b2a5270479c7d4aa
Instruction ID: a59c20c1a06d6eecd58f082ba94f3971aaece1c53fa50fe2a8b283f1442d5011
Opcode Fuzzy Hash: 59112e167bff653a689afe48181bf1ac3ea7771091d795c1b2a5270479c7d4aa
Instruction Fuzzy Hash: C5519B70904B449BD724CF69C945BABF7F4FF18714F00961DE9A6A7A40E730A984CB90

Function 00FCE2C0 Relevance: 10.6, APIs: 7, Instructions: 108processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,8CB281B6,?,?), ref: 00FCE307
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,8CB281B6,010A344D), ref: 00FCE37F
GetLastError.KERNEL32 ref: 00FCE390
WaitForSingleObject.KERNEL32(010A344D,000000FF), ref: 00FCE3AC
GetExitCodeProcess.KERNEL32(010A344D,00000000), ref: 00FCE3BD
CloseHandle.KERNEL32(010A344D), ref: 00FCE3C7
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00FCE3E2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 1f04db3b03c6e5660cf8cd88d8487e6f13889fca4ce1511db074264834273f4e
Instruction ID: 717da0e773f3ba70450ad30e23e62ebfdbc1cb43544a1046754a61557ec4ea6a
Opcode Fuzzy Hash: 1f04db3b03c6e5660cf8cd88d8487e6f13889fca4ce1511db074264834273f4e
Instruction Fuzzy Hash: A8418E31E04389ABDB20CFA5CD45BEEBBF8AF49310F14965AF864A7184D7759A40CF60

Function 00FE0E90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000010,?,00000000,00FC6881,00000000,8CB281B6,?,00000010,00000000), ref: 00FE0EAB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00FE0EC1
FreeLibrary.KERNEL32(00000000), ref: 00FE0EFA
FreeLibrary.KERNEL32(00000000,?,00000010,?,00000000,00FC6881,00000000,8CB281B6,?,00000010,00000000), ref: 00FE0F16

Strings

Shlwapi.dll, xrefs: 00FE0EAA
DllGetVersion, xrefs: 00FE0EBB

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: bb8c44dddb6eb7451deb808ab986d51b7eadb3686a1a6e0c3855f53fbabeb63e
Instruction ID: 82bbab55cf542ac5258ba33e4d70e3653b9027ed93f2e895054ef3ec04f17718
Opcode Fuzzy Hash: bb8c44dddb6eb7451deb808ab986d51b7eadb3686a1a6e0c3855f53fbabeb63e
Instruction Fuzzy Hash: 7821D7766143019BC314AF29E88166BF7E8FFE9711F80066EF589C3201EB35D84487A2

Function 00ECDE90 Relevance: 9.2, APIs: 6, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00ECDEF7
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00ECDF1F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ECDF37
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00ECDF68
GetParent.USER32(?), ref: 00ECE044
SendMessageW.USER32(00000000,00000136,?,?), ref: 00ECE055

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$Parent
String ID:
API String ID: 1020955656-0
Opcode ID: 4a723a4f4a24f51db54d7dead9c29be327a5ab004218ae4d3abe7a92bc580986
Instruction ID: ae51dada04c36aed1fc40c69e5a13c9f6a3abdcf5085b7da28840f9ca877e1ba
Opcode Fuzzy Hash: 4a723a4f4a24f51db54d7dead9c29be327a5ab004218ae4d3abe7a92bc580986
Instruction Fuzzy Hash: 8B615A76A00618AFDB259FE4DC09FEEBBB9FF48B10F100129F619AB694C7716941CB50

Function 00F82240 Relevance: 9.2, APIs: 6, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00F822AB
GetParent.USER32(00000000), ref: 00F822FE
GetWindowRect.USER32(00000000), ref: 00F82301
GetParent.USER32(00000000), ref: 00F82310

Part of subcall function 00F3FCF0: GetWindowRect.USER32(?,?), ref: 00F3FD8B
Part of subcall function 00F3FCF0: GetWindowRect.USER32(?,?), ref: 00F3FDA3

SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00F82400
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00F82413

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageRectSendWindow$Parent
String ID:
API String ID: 425339167-0
Opcode ID: f9a0e2419918cf75c097f8a6d26800a8b6d90e2c86c0bdc622cc44cd54113061
Instruction ID: e2764a79b8d0f1cbcaeec4128fbbd8d52e322e2062e3d05c979c7dd4685a51d4
Opcode Fuzzy Hash: f9a0e2419918cf75c097f8a6d26800a8b6d90e2c86c0bdc622cc44cd54113061
Instruction Fuzzy Hash: 95515975D00708ABDB24DFA8C945BDEBBF8EF59710F144329E815B7691EB706A80CB50

Function 00FA9550 Relevance: 9.2, APIs: 6, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00FA9582
GetWindowLongW.USER32(?,000000F0), ref: 00FA9588
GetDlgItem.USER32(?,?), ref: 00FA95FA
GetWindowRect.USER32(00000000,?), ref: 00FA9612
SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 00FA969F
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00FA96D3

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$MessageSend$ItemLongRect
String ID:
API String ID: 3432912040-0
Opcode ID: 298b4283fe545bda48273a58b168394c6cc64fd7cd9a2421963e7cb3dc797bfb
Instruction ID: f2afd7bdf1e511ab52906e098ea3f5b905fb0b99be6f1fdf0e306d6af8ae2a98
Opcode Fuzzy Hash: 298b4283fe545bda48273a58b168394c6cc64fd7cd9a2421963e7cb3dc797bfb
Instruction Fuzzy Hash: B151CE70608300DFD728CF28C985B2ABBE1FF85B18F184A2CF5999B695D7B1E844DB51

Function 00F96080 Relevance: 9.1, APIs: 6, Instructions: 149COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F960CA
std::_Lockit::_Lockit.LIBCPMT ref: 00F960EC
std::_Lockit::~_Lockit.LIBCPMT ref: 00F96114
__Getctype.LIBCPMT ref: 00F961E5
std::_Facet_Register.LIBCPMT ref: 00F96247
std::_Lockit::~_Lockit.LIBCPMT ref: 00F96271

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: a349df1620c239ada0ed7237e114bcd5f2c9d011ae597cb0b98a9252cbc23d76
Instruction ID: 68577fc3ab9b8e3535393f2df94c311d84ed7db42cdebdd3f4a135a5a2f5d64f
Opcode Fuzzy Hash: a349df1620c239ada0ed7237e114bcd5f2c9d011ae597cb0b98a9252cbc23d76
Instruction Fuzzy Hash: 2C51DEB0D00609CFEB24CF68C940BAAB7F4FF14714F14816DD895AB382E735AA84DB91

Function 00ECF780 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ECF7CD

Strings

`Dialog_`=', xrefs: 00ECF900
AiTabPage, xrefs: 00ECF9E3, 00ECFAEA
' AND `Control_`=', xrefs: 00ECF947
ControlEvent, xrefs: 00ECFA59

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$`Dialog_`='
API String ID: 3850602802-1655181372
Opcode ID: 9973e3b6cbcd3dee708bebb28dba950e071c9efb01a841d71a04e9e179510103
Instruction ID: 31cab10df3ed576914cca17c98d3815f2f99e7a330a471f512ad2c5fb66f91e9
Opcode Fuzzy Hash: 9973e3b6cbcd3dee708bebb28dba950e071c9efb01a841d71a04e9e179510103
Instruction Fuzzy Hash: AAF15671900248DFDF14DF68C999BEE7BF1BF08304F1441A9ED15AB292DB75AA05CBA0

Function 01037D52 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01037D49,01037D15,?,?,00ED21FD,00FA0140,?,00000008), ref: 01037D60
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01037D6E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01037D87
SetLastError.KERNEL32(00000000,01037D49,01037D15,?,?,00ED21FD,00FA0140,?,00000008), ref: 01037DD9

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 56966f279f9fbc6484d524195c0bd3871f70e77d033975864c4132a16bfe614b
Instruction ID: 4488608fbd611b60304d2e178007a8ad096a6a825fbd0c02cbc8156afca8c16f
Opcode Fuzzy Hash: 56966f279f9fbc6484d524195c0bd3871f70e77d033975864c4132a16bfe614b
Instruction Fuzzy Hash: 8501287330A312AEE77935787C887BB3BACEBD1270720063AF6A0A20E4EF110C405B40

Function 00FB3CC0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(8CB281B6,00000000,00000000), ref: 00FB3D1F
GetShortPathNameW.KERNEL32(?,?,?), ref: 00FB3D8D

Strings

x86, xrefs: 00FB3F4A
x64, xrefs: 00FB3FAA
neutral, xrefs: 00FB3EE6

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: NamePathShort
String ID: neutral$x64$x86
API String ID: 1295925010-1541741584
Opcode ID: 09aa073e5e0005966cd90d29d7e1e263d1718f6ba0b82de10374815123f5d2bd
Instruction ID: 3397a26eb41e13bdefbaf1e42d6fac623d3cf9023c57fdcbb62c3d4cd97b3fb1
Opcode Fuzzy Hash: 09aa073e5e0005966cd90d29d7e1e263d1718f6ba0b82de10374815123f5d2bd
Instruction Fuzzy Hash: 39B19071A00208EFDB04DFA5C859BDEBFB4EF49324F148159E415AB291DB75AA44CFA0

Function 00FA9710 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 260COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 00FA99E8

Strings

Close, xrefs: 00FA9904
Details >>, xrefs: 00FA996E
Send Error Report, xrefs: 00FA994A
Copy, xrefs: 00FA99CF

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: HandleModule
String ID: Close$Copy$Details >>$Send Error Report
API String ID: 4139908857-113472931
Opcode ID: 765fbbaed84b14db1998733adcf38d685685b8998f2ee0fafe7ed3a0a451dc70
Instruction ID: 096b5c5bb22d0a3610a9b5840303513ed9e3ce3624bafa77aea1b7e69afc2c1e
Opcode Fuzzy Hash: 765fbbaed84b14db1998733adcf38d685685b8998f2ee0fafe7ed3a0a451dc70
Instruction Fuzzy Hash: 5B91A2B0A40305ABDB24CF60DC56FAAB7B5FF49B14F404229F551BB2D0EBB5A904DB50

Function 00EA8890 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00EA8975
__Init_thread_footer.LIBCMT ref: 00EA89EF

Strings

</a>, xrefs: 00EA8AF9
<a>, xrefs: 00EA8BA1
<a href=", xrefs: 00EA8937

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>
API String ID: 1385522511-4210067781
Opcode ID: 6b5ae4ec0d7239af04f34e5a45afbec487c09fdbc4230fad2438948fa9d3caf4
Instruction ID: ca60a41244ce708274c517a50775adacd7d26f2e58db98ed43149df8e9b4344e
Opcode Fuzzy Hash: 6b5ae4ec0d7239af04f34e5a45afbec487c09fdbc4230fad2438948fa9d3caf4
Instruction Fuzzy Hash: 77A1B4B4A00204DFCB18DF64D955BADB7B1FF8AB18F10522DE425AF281DB71B985CB50

Function 00FA2450 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?,?,8CB281B6,00000000,?), ref: 00FA266C
SHGetMalloc.SHELL32(?), ref: 00FA2695

Strings

C:\, xrefs: 00FA2621
%s, %.2u %s %.4u %.2u:%.2u:%.2u GMT, xrefs: 00FA2566
C:\FAKE_DIR\, xrefs: 00FA263A, 00FA2657

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$FolderHeapLocationMallocProcessSpecial
String ID: %s, %.2u %s %.4u %.2u:%.2u:%.2u GMT$C:\$C:\FAKE_DIR\
API String ID: 3216538967-785558474
Opcode ID: ae9ddf9a708877001d5eed18b649ca2b9ca6d07a4d17ac791d40f845ec59bf6b
Instruction ID: 39c98f309f27a63b7ac144460aa053f44e1882781e06e8208023ff9ca91ec923
Opcode Fuzzy Hash: ae9ddf9a708877001d5eed18b649ca2b9ca6d07a4d17ac791d40f845ec59bf6b
Instruction Fuzzy Hash: 8A716EB1A00349EFDB24EF99C845BEEBBF8FB48B08F004519F955AB281D7749944CB94

Function 00ECDC60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00ECDD5D
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00ECDD72
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00ECDD7A

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Part of subcall function 00ECF780: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ECF7CD

Strings

SysTabControl32, xrefs: 00ECDD55
TabHost, xrefs: 00ECDCE9, 00ECDCFB, 00ECDD05

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: SysTabControl32$TabHost
API String ID: 2359350451-2872506973
Opcode ID: 5841c494ebe112da69d21f70e80be7df9c4028e98daa21e02a08f1496d2c1072
Instruction ID: 1dadbe7dd3cd07d5c5b4bb0b0e3edaf56bbe2c13802a379430153dc7f023a0c0
Opcode Fuzzy Hash: 5841c494ebe112da69d21f70e80be7df9c4028e98daa21e02a08f1496d2c1072
Instruction Fuzzy Hash: 4A518D35A006059FDB14DF68C884BAEBBF8FF89710F14466DE915AB391DB71A900CBA0

Function 00EB6E60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 159registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,8CB281B6), ref: 00EB6EF3
GetLastError.KERNEL32 ref: 00EB6F1C
RegCloseKey.ADVAPI32(?,00000000,00000000,?,010C337C,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00EB7065

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00EB6EE8
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00EB6F5C

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CloseCreateErrorEventLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1713683948-2079760225
Opcode ID: 169c8c5c17193021db93bbbab3127d61d41c14d1505e9db6eb3f3d0c2cf4be74
Instruction ID: 2df22519e106abd3191ceeda96448f08990957433e4cc67c412d0fc9c986431c
Opcode Fuzzy Hash: 169c8c5c17193021db93bbbab3127d61d41c14d1505e9db6eb3f3d0c2cf4be74
Instruction Fuzzy Hash: 06618F70D05249DEDB10DF68C9457DEFBF4BF15304F10815DE499AB282DBB46A48CB91

Function 00FC6820 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

AppDataFolder, xrefs: 00FC69C8, 00FC6A05
ProgramFilesFolder, xrefs: 00FC68E7
APPDATA, xrefs: 00FC6A57, 00FC6A5F
PROGRAMFILES, xrefs: 00FC6A3D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFilesFolder
API String ID: 0-3551742416
Opcode ID: 52cd09d9e837937f8840c40ebe4aab980d68ee650b8beba95dfb9aeb7a3a5a35
Instruction ID: b2f630d23561ad4f5e4258886f7eeb0c3c2b654c50d034ddc60b6f1aa09056d6
Opcode Fuzzy Hash: 52cd09d9e837937f8840c40ebe4aab980d68ee650b8beba95dfb9aeb7a3a5a35
Instruction Fuzzy Hash: 8E21D132A04206ABCB249F68D941FFAF3A8FB55720F50466EE916D7280EB35DD44C740

Function 0103A78C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,?,0103A84D,?,?,00000000,?,?,0103A8FF,00000002,FlsGetValue,010BA0D0,010BA0D8), ref: 0103A81C

Strings

api-ms-, xrefs: 0103A7DC

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: b027a7ac020534ecfe5f4a0a4d1529a53d9e34bb99368b1e71f059d46aa4a999
Instruction ID: 5f7b5f863d38d91d2e1a0a20fc2788aa9a6a751aa5e72f7ccaf2eeed0e1b8092
Opcode Fuzzy Hash: b027a7ac020534ecfe5f4a0a4d1529a53d9e34bb99368b1e71f059d46aa4a999
Instruction Fuzzy Hash: C1118C31B40225EBDBB39B689C80B9E37ECAF41760F1541A1F9D1EB284E664E90186D1

Function 0104C68F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8CB281B6,?,?,00000000,010B6426,000000FF,?,0104C662,?,?,0104C636,?), ref: 0104C6C4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0104C6D6
FreeLibrary.KERNEL32(00000000,?,00000000,010B6426,000000FF,?,0104C662,?,?,0104C636,?), ref: 0104C6F8

Strings

CorExitProcess, xrefs: 0104C6CE
mscoree.dll, xrefs: 0104C6BD

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b40d8c53931d42c7fa7a3086544c73717fc458906df13fae2eecd10993e116e9
Instruction ID: 4d649ec6b0375c03862ff9a740bc57c703ed0de5dec6787200bcc5040c874a20
Opcode Fuzzy Hash: b40d8c53931d42c7fa7a3086544c73717fc458906df13fae2eecd10993e116e9
Instruction Fuzzy Hash: AD01A271914619EFEB258F54DD85BEEBBB8FB04B11F00853AF851A2294DB799900CB50

Function 00FA79C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00FA7A1E
GetProcAddress.KERNEL32(00000000), ref: 00FA7A25
__Init_thread_footer.LIBCMT ref: 00FA7A3C

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

Strings

SymFromAddr, xrefs: 00FA7A14
Dbghelp.dll, xrefs: 00FA7A19

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 3268644551-642441706
Opcode ID: 0d4d42698709991cb8e8140c24fc00c43cec6d7cce9a433b9ba0e6e7e3a3aa6a
Instruction ID: 073ba2fbd0a7e37dc382718ff3e09fe119e522100f70f292b8484def0fc7996b
Opcode Fuzzy Hash: 0d4d42698709991cb8e8140c24fc00c43cec6d7cce9a433b9ba0e6e7e3a3aa6a
Instruction Fuzzy Hash: EC01B1B9A49700EFC724CF59E945F98B7A8E70AF38F104279E82687380E779A500CB10

Function 010366EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,01036687,00000064), ref: 0103670D
LeaveCriticalSection.KERNEL32(01144CD8,?,?,01036687,00000064,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 01036717
WaitForSingleObjectEx.KERNEL32(?,00000000,?,01036687,00000064,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 01036728
EnterCriticalSection.KERNEL32(01144CD8,?,01036687,00000064,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103672F

Strings

Bw, xrefs: 01036717

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: Bw
API String ID: 3269011525-2555579916
Opcode ID: bdd063860ec4316444749220b588eee49e6d507ba08cc3c22b452bfe7d94ba76
Instruction ID: d4244959a591662b8f2c20a7f0e3c0116c2b05c173a1f604f783760c9ecebc5c
Opcode Fuzzy Hash: bdd063860ec4316444749220b588eee49e6d507ba08cc3c22b452bfe7d94ba76
Instruction Fuzzy Hash: EEE0D835541524B7CB261F95FD49BDD3F6CFB04F51B094012FA8566524CB7609118FE8

Function 00EC03C0 Relevance: 7.7, APIs: 5, Instructions: 234windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC25D0: __Init_thread_footer.LIBCMT ref: 00EC263F

SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00EC0502
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00EC05B7
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00EC0656
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00EC0701

Part of subcall function 00EB2970: RaiseException.KERNEL32(?,?,00000000,00000000,01035A3C,C000008C,00000001,?,01035A6D,00000000,?,00EA91C7,00000000,8CB281B6,00000001,?), ref: 00EB297C

SendMessageW.USER32(?,0000104C,00000000,?), ref: 00EC0787

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$ExceptionInit_thread_footerRaise
String ID:
API String ID: 3442259968-0
Opcode ID: 47040c49c977ed1ea9ddb0a9ed33573b02151a2207368c28fbf881edea0463d4
Instruction ID: a7ae69d3f5c33522b627c7ec5ceeec04527864d863b39714ea023054a3e7f37c
Opcode Fuzzy Hash: 47040c49c977ed1ea9ddb0a9ed33573b02151a2207368c28fbf881edea0463d4
Instruction Fuzzy Hash: 06B12CB1D01359DBEB24DF54CD54BDABBF1BF48308F10529AE9186B280D7B66A84CF90

Function 00F06CB0 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F06ED0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F06ED6
GetProcessHeap.KERNEL32(-000000FF,00000000), ref: 00F06F01
HeapFree.KERNEL32(00000000,-000000FF,00000000), ref: 00F06F07

Strings

_TEMP, xrefs: 00F06DF7, 00F06E2A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: _TEMP
API String ID: 3859560861-1625495653
Opcode ID: 08512c7899bb6ff2064bd66718c5ff919ee5a6d8bf7680a313d531df81b72aa2
Instruction ID: 0f3f963149e8ba1dd6ea001b33974fbefb8f56f8926817357d2e912e37c61f30
Opcode Fuzzy Hash: 08512c7899bb6ff2064bd66718c5ff919ee5a6d8bf7680a313d531df81b72aa2
Instruction Fuzzy Hash: 8891BCB1E012499FDB10DFA8C984BEEBBF8EF44324F244269D405B72D1CB749A05DBA1

Function 00EAFCE0 Relevance: 7.6, APIs: 5, Instructions: 120windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00EAFD30
GetDlgItem.USER32(?,?), ref: 00EAFD55
SendMessageW.USER32(?,?,?,?), ref: 00EAFE1F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 1ae12dc63f03450e4ae932831efd16820ababbbe7807a81f9ebb305bf462ffe1
Instruction ID: c1cb9293613a3d6a921ba57c81ae2c1c36f3007e5d364034895f0f2a2257a6c2
Opcode Fuzzy Hash: 1ae12dc63f03450e4ae932831efd16820ababbbe7807a81f9ebb305bf462ffe1
Instruction Fuzzy Hash: EC41D6363001019FC7298FA8E888F66BBA5FB4E321F04947AE589DA561D731FC51DB60

Function 00F9BCD0 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F9BD04
std::_Lockit::_Lockit.LIBCPMT ref: 00F9BD24
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9BD4C
std::_Facet_Register.LIBCPMT ref: 00F9BE2B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F9BE55

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 93bf5a4964e32836229bf1a3485613389b9cf6ff904b6f4b0cefa68ea148f7f7
Instruction ID: 967452fbbdf214c93367eec6b0447ec192e1722302b57ed41c9d530139cb103c
Opcode Fuzzy Hash: 93bf5a4964e32836229bf1a3485613389b9cf6ff904b6f4b0cefa68ea148f7f7
Instruction Fuzzy Hash: 2C51DF70900209DFEF24CF54D5407AEBBB4FF50718F20815DD891AB380D775AA05DB80

Function 00EF7A70 Relevance: 7.6, APIs: 5, Instructions: 100threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EF7A99
CoInitializeEx.COMBASE(00000000,00000002), ref: 00EF7AA9
SendMessageW.USER32(?,000005FA,?,00000000), ref: 00EF7BC1

Part of subcall function 00F06040: EnterCriticalSection.KERNEL32(8CB281B6,8CB281B6), ref: 00F06080
Part of subcall function 00F06040: GetCurrentThreadId.KERNEL32 ref: 00F06093
Part of subcall function 00F06040: LeaveCriticalSection.KERNEL32(?), ref: 00F06111

Part of subcall function 00F00100: SetLastError.KERNEL32(0000000E,?,00EF880B,?,?,?,?), ref: 00F00118

GetLastError.KERNEL32(?,?,010CC530,00000000), ref: 00EF7B33
ShowWindow.USER32(?,0000000A,?,?,010CC530,00000000), ref: 00EF7B45

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalCurrentErrorLastSectionThread$EnterInitializeLeaveMessageSendShowWindow
String ID:
API String ID: 2782539745-0
Opcode ID: b07aa4cbba19948ccc40d911ea5d706fc6c1949ff1452de1250bc5efd6d79fd6
Instruction ID: caad84786f0b56d7adfe25227493b6280398ec82c584e8fe8dc0d9b4d4aa4f7e
Opcode Fuzzy Hash: b07aa4cbba19948ccc40d911ea5d706fc6c1949ff1452de1250bc5efd6d79fd6
Instruction Fuzzy Hash: 1931EE71D00308EBDB24EFA0CC4ABEEBBB5EF10704F104269E551AB2C0DBB95A45DB91

Function 00EADB60 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EADBC2
VariantClear.OLEAUT32(?), ref: 00EADC1B
VariantClear.OLEAUT32(?), ref: 00EADC25
VariantClear.OLEAUT32(?), ref: 00EADC2F
VariantClear.OLEAUT32(?), ref: 00EADC3C

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 71f1a88a10604be7e99cb79e1431a9ae7087c449dcef385d52e9135c7152a32e
Instruction ID: 9f9b22e90509d3114b4d4356c4ff9cd1206c909401f3f1891440273f716a8bfd
Opcode Fuzzy Hash: 71f1a88a10604be7e99cb79e1431a9ae7087c449dcef385d52e9135c7152a32e
Instruction Fuzzy Hash: 9F312A71D05248EFDB05CFA8C944BDEBBF8EF49704F10C59AE460A7290D7B5AA44CBA1

Function 00ED46E0 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED472A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00ED4730
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00ED4753
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,01066756,000000FF), ref: 00ED477B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,01066756,000000FF), ref: 00ED4781

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: aed0deee7c3dd85b78abcc48d8664e3f5f11b8dd3672de419893d40980ae8278
Instruction ID: 4aadf74dc5dcdd9d5a2b32e8771b3848f936f5d95aef52a68adbf8b03b058844
Opcode Fuzzy Hash: aed0deee7c3dd85b78abcc48d8664e3f5f11b8dd3672de419893d40980ae8278
Instruction Fuzzy Hash: C41146B1A44319ABEB10EF94CC45BEFB7BCEB04B04F104519F510BB6C1D7B5A5048791

Function 00EC0DC0 Relevance: 7.6, APIs: 5, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EC0DCB
SendMessageW.USER32(?,?,?,0000102B), ref: 00EC0E28
SendMessageW.USER32(?,?,?,0000102B), ref: 00EC0E77
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00EC0E88
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00EC0E95

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 95978a4c15cfcb17ee01d93f9b89e95d299180d165ab0b754a7af9e71baabc81
Instruction ID: d34e221235d49efe85f88cb3e3f174abac54fdf37e1c6de8fa178eb62f35ae34
Opcode Fuzzy Hash: 95978a4c15cfcb17ee01d93f9b89e95d299180d165ab0b754a7af9e71baabc81
Instruction Fuzzy Hash: 9B213E31958746AAD220DF11CD44B1ABBE1BFED758F202B1EF1D421194E7F191848E86

Function 00FD3F70 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00FD3FC9
_wcschr.LIBVCRUNTIME ref: 00FD40A9

Strings

realm, xrefs: 00FD438D, 00FD439F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: _wcschr
String ID: realm
API String ID: 2691759472-4204190682
Opcode ID: df3904975c6f8ce8c591935ca5f02cf11f70f90b46bc88a6be95b2d6627ea689
Instruction ID: a92e25eb539b746bb1d04b247a8b2b4a63ae714001b6d681caf862e4907cc1c7
Opcode Fuzzy Hash: df3904975c6f8ce8c591935ca5f02cf11f70f90b46bc88a6be95b2d6627ea689
Instruction Fuzzy Hash: A8F19131A00649DFDB01DFA8C848B9EBBF6EF55320F18825AE8159B391DB74ED44DB90

Function 00EC5E20 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Part of subcall function 00F82040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00EC0168,00000000,80004005), ref: 00F820AB
Part of subcall function 00F82040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F820DB

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00EC5FDC
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00EC5FF3
SendMessageW.USER32(?,00001061,00000000,?), ref: 00EC604F

Strings

QuickSelectionList, xrefs: 00EC5F15, 00EC5F27, 00EC5F31

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID: QuickSelectionList
API String ID: 3168177373-3633591268
Opcode ID: 70a4ea6d0d1fc9088f403190a214669b7fb148128e21cd1efd3da9d927ef3a91
Instruction ID: c0197f880c18582cf76b52ee8b09facbbbc39d39d9c0985c8a023f87a480bd9d
Opcode Fuzzy Hash: 70a4ea6d0d1fc9088f403190a214669b7fb148128e21cd1efd3da9d927ef3a91
Instruction Fuzzy Hash: 24819971A006059FCB14DF68C894BEEB7F4FF89324F10861DE955AB290DB71A944CB90

Function 00EF99D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0F40: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00FA0F84
Part of subcall function 00FA0F40: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA0F8F

GetCurrentThreadId.KERNEL32 ref: 00EF9B3C
SendMessageW.USER32(?,00000127,00030003,00000000), ref: 00EF9BC5

Strings

AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00EF9AE0
AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 00EF9A69

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$CurrentThread
String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
API String ID: 2377075789-1831360935
Opcode ID: f89fce5f1aad1a90a406e5e2b3bfe616d3b8323427ee0d501f3b7e300722a4b2
Instruction ID: 283a7daf03cd92ee0d73322aad58a1e6f6b90f4cd8e6f525c0eeeb8a644b2ea0
Opcode Fuzzy Hash: f89fce5f1aad1a90a406e5e2b3bfe616d3b8323427ee0d501f3b7e300722a4b2
Instruction Fuzzy Hash: FB81C231A00208DFCF15EF64C985BADBBB5AF49700F1441ADE946AF296DB74AE04CF91

Function 00EFC4B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EFC4EE
SetWindowPos.USER32(?,00000000,?,?,?,00000008,00000604), ref: 00EFC6C1

Strings

AiDlgWeight, xrefs: 00EFC50C
AiDlgHeight, xrefs: 00EFC5E1

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Rect
String ID: AiDlgHeight$AiDlgWeight
API String ID: 3200805268-871102398
Opcode ID: 40813b5292d8e7cd21a663674a54570083633b603ea42ac8a80f700d7ee3ecaa
Instruction ID: 1dcd38d7b447e06c43a83f86dfb738d098bf107c82a55fd7bcc49301e326d1c1
Opcode Fuzzy Hash: 40813b5292d8e7cd21a663674a54570083633b603ea42ac8a80f700d7ee3ecaa
Instruction Fuzzy Hash: 98615B71D0020DAFCB14CFA8C989BDEBBB5EF48714F249169E911BB281D734AA04CF90

Function 00FDF940 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,8CB281B6,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FDF974

Part of subcall function 00FA5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0109A8AD,000000FF), ref: 00FA5188
Part of subcall function 00FA5170: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,0109A8AD,000000FF), ref: 00FA51BB

Part of subcall function 00EB2970: RaiseException.KERNEL32(?,?,00000000,00000000,01035A3C,C000008C,00000001,?,01035A6D,00000000,?,00EA91C7,00000000,8CB281B6,00000001,?), ref: 00EB297C

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Strings

.jar, xrefs: 00FDFDFC
.pack, xrefs: 00FDFCB1
*.*, xrefs: 00FDF9EA, 00FDF9FC, 00FDFA04

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateExceptionHeapObjectRaiseSingleWait
String ID: *.*$.jar$.pack
API String ID: 2917691982-3892993289
Opcode ID: 31d041ce1127447c90d6757429eb596adc06dcc5fc5bc9ba145ac8df393d2371
Instruction ID: 9dbb9adeb835e1a6613f26c0e3e78b5033776e504dd033a815dbdbd4da59663c
Opcode Fuzzy Hash: 31d041ce1127447c90d6757429eb596adc06dcc5fc5bc9ba145ac8df393d2371
Instruction Fuzzy Hash: 5C515F70A0060A9FDB10DFA9C854BAEB7B5FF45324F14826AE426EB391D738D904DB90

Function 00F05E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0166EEE8,8CB281B6,0166EEE8), ref: 00F05E41
GetCurrentThreadId.KERNEL32 ref: 00F05E51
LeaveCriticalSection.KERNEL32(?), ref: 00F05E77

Strings

Bw, xrefs: 00F05E77

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: Bw
API String ID: 2351996187-2555579916
Opcode ID: 31605331ecaf01bd73538bd251935754c5f7844abf6ef056b0391503f137836e
Instruction ID: abac5c96853542e77fb97ec8cf01784629be53234fff57b7494c397b5c90d263
Opcode Fuzzy Hash: 31605331ecaf01bd73538bd251935754c5f7844abf6ef056b0391503f137836e
Instruction Fuzzy Hash: 5941D075A00916AFDB20CF58C880BABF7A8FB44720F108729E965D7280D7B5EE54DBD0

Function 00EB2990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EB29C6
EnterCriticalSection.KERNEL32(01146250), ref: 00EB29E6
LeaveCriticalSection.KERNEL32(01146250), ref: 00EB2A0A

Strings

Bw, xrefs: 00EB2A0A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: Bw
API String ID: 2351996187-2555579916
Opcode ID: b75b747ed42777267880303101a4f53ea1bd30728df4b5583433db8415016611
Instruction ID: 9de6303f472c9a19239618820515d88271208af8f8ca180b6ca666c745197d49
Opcode Fuzzy Hash: b75b747ed42777267880303101a4f53ea1bd30728df4b5583433db8415016611
Instruction Fuzzy Hash: CF21BF71904744EFDB34CF58D941B9BBBE8FB05B14F00862EE865A7780D779A904CB90

Function 00F06040 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(8CB281B6,8CB281B6), ref: 00F06080
GetCurrentThreadId.KERNEL32 ref: 00F06093
LeaveCriticalSection.KERNEL32(?), ref: 00F06111

Strings

Bw, xrefs: 00F06111

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: Bw
API String ID: 2351996187-2555579916
Opcode ID: 2f17fac335bf54d706fa508229b3263a1dce56ef9dd084c1f1ddaba3e4f6d97b
Instruction ID: 4357b132acc13a548c41b9f787a504dbbdcd15b22de763bddeaef1082ca268e1
Opcode Fuzzy Hash: 2f17fac335bf54d706fa508229b3263a1dce56ef9dd084c1f1ddaba3e4f6d97b
Instruction Fuzzy Hash: B331CD71D00245DFEB21CF58C84579EBBF4EF08324F148169E895E3391E3769A10DB90

Function 00ED4B50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00ED4B92
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00ED4B98

Strings

RoOriginateLanguageException, xrefs: 00ED4B88
combase.dll, xrefs: 00ED4B8D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: c5a9d93000828d2626fce1d129a7401b55daf80eb6ddaababf99024262d5d104
Instruction ID: 8ec8ae88e85201adfe9c9beb097febe102dc850ea6d6c71dbf8154f80cfd08b8
Opcode Fuzzy Hash: c5a9d93000828d2626fce1d129a7401b55daf80eb6ddaababf99024262d5d104
Instruction Fuzzy Hash: 3C31B1B0900249EFDB14EFA8C945BEEB7F4EB14314F10862AE825A73C0E7759B45CB91

Function 00FD2140 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00FD029A,?,8CB281B6,?,?,?,000000FF,?), ref: 00FD2154
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00FD029A,?,8CB281B6,?,?,?,000000FF,?,00FCFC64), ref: 00FD2171
GetLastError.KERNEL32(?,8CB281B6,?,?,?,000000FF,?,00FCFC64,?,?,00000000,00000000,8CB281B6,?,?), ref: 00FD21D0

Strings

AdvancedInstaller, xrefs: 00FD21B7

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: 442960be3b982b1f405ab189b3807430b752ffd1da8bc5726a915e7058179fa8
Instruction ID: f37193a05e497bd48d5e4ed163e171c537ef0a9bd4ff3c9df1a9e4c161e9ff7d
Opcode Fuzzy Hash: 442960be3b982b1f405ab189b3807430b752ffd1da8bc5726a915e7058179fa8
Instruction Fuzzy Hash: A9118B31740602BBE724DB22DC89F56BBA6BB58B10F14842AF6059B680CB71F851DBA4

Function 00EF95E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00EF962E
DestroyWindow.USER32(?), ref: 00EF966A

Strings

Eg, xrefs: 00EF9602, 00EF9682
Eg, xrefs: 00EF9670

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Destroy
String ID: Eg$Eg
API String ID: 3707531092-2327054945
Opcode ID: 1dcedce1d07551c8e9f7f5230d0b6045fe2610aebca969f3c4ed21f86c8da955
Instruction ID: adc14744860ca8fce7e37dceb62fff6c4e7ef18145107e572e945038dd839e92
Opcode Fuzzy Hash: 1dcedce1d07551c8e9f7f5230d0b6045fe2610aebca969f3c4ed21f86c8da955
Instruction Fuzzy Hash: 4621F070904688EFDB15CF68C904B9DFBF4FF05B14F10426AE466AB681CB75AA44CB91

Function 00F81F50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F82470: __Init_thread_footer.LIBCMT ref: 00F82500
Part of subcall function 00F82470: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00F8253D
Part of subcall function 00F82470: __Init_thread_footer.LIBCMT ref: 00F82554
Part of subcall function 00F82470: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00F8257F

CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F81FA2
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00F81FC0
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00F81FC8

Part of subcall function 00EB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EB0DE6

Strings

SysListView32, xrefs: 00F81F99

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
String ID: SysListView32
API String ID: 605634508-78025650
Opcode ID: c3c8f0afa71a53f6b9e62a9a4afa21c894173f8647faed4d03aab9278bb439c6
Instruction ID: 4c32cfbb8efc2f72af95f10cf37cfb44588505ab786bf3abc4a1a9a7887305c1
Opcode Fuzzy Hash: c3c8f0afa71a53f6b9e62a9a4afa21c894173f8647faed4d03aab9278bb439c6
Instruction Fuzzy Hash: 99117935301310AFD628AA158C05F9BFBE9FBC9B50F054619FA44AB2A5C6B1BC40CBA1

Function 00EB2700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(01146250), ref: 00EB273C
GetCurrentThreadId.KERNEL32 ref: 00EB2750
LeaveCriticalSection.KERNEL32(01146250), ref: 00EB278E

Strings

Bw, xrefs: 00EB278E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: Bw
API String ID: 2351996187-2555579916
Opcode ID: f5a4c605b6bc783666dbc0af78a0369eef6bf21463d95b76bfc3174f28702d2e
Instruction ID: 6fc2295bf1d265c15515bf9be93c282095331e7dcd16df8b1186080a93df6a14
Opcode Fuzzy Hash: f5a4c605b6bc783666dbc0af78a0369eef6bf21463d95b76bfc3174f28702d2e
Instruction Fuzzy Hash: E5113435A04355DBCB34CF59C900B9BBBE8EF56B24F10822FE826A7350DB755800CB90

Function 00F829C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(46030080,RichEdit20W,?,00000000,46030080,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00F82A0B
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00F82A23
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00F82A2B

Part of subcall function 00EB0DB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EB0DE6

Strings

RichEdit20W, xrefs: 00F82A02

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSendWindow$CreateLong
String ID: RichEdit20W
API String ID: 4015368215-4173859555
Opcode ID: d50550e1c1b55d24b2c09a62095810849aac26531504565a68e90bda035334a1
Instruction ID: 06ba26675eb8339c48b9a420cae922bc048367eb4840893f25c0710d7767eb32
Opcode Fuzzy Hash: d50550e1c1b55d24b2c09a62095810849aac26531504565a68e90bda035334a1
Instruction Fuzzy Hash: 38015B35301310AFD6289A15CC05F5BFBE9FBC9B50F158219FA48A7294C6B1AC40CAA1

Function 00F04830 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F04881
GetParent.USER32(?), ref: 00F0488A
SendMessageW.USER32(?,00000411,00000000,?), ref: 00F0489F

Strings

,, xrefs: 00F04879

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Parent$MessageSend
String ID: ,
API String ID: 2251359880-3772416878
Opcode ID: 77351b0d98f0ac531bab8fd798defb512bfa794ff390c6cea5af6e013ab5a4c1
Instruction ID: 80acb6173efc68058afd10684d2ef930a5f795ebb4af61110a644936c0830f85
Opcode Fuzzy Hash: 77351b0d98f0ac531bab8fd798defb512bfa794ff390c6cea5af6e013ab5a4c1
Instruction Fuzzy Hash: 561180B1915341AFD724DF14D844B1AFBE4FB89310F00892AF66492690C7B1E854DF96

Function 00EBFFD0 Relevance: 6.3, APIs: 4, Instructions: 292windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00EC0118
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00EC012D

Part of subcall function 00EA9B10: RtlAllocateHeap.NTDLL(?,00000000,?,8CB281B6,00000000,0105D840,000000FF,?,?,01139A1C,?,00FDBB18,80004005,8CB281B6), ref: 00EA9B5A

Part of subcall function 00F82040: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00EC0168,00000000,80004005), ref: 00F820AB
Part of subcall function 00F82040: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F820DB

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00EC025E
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00EC035A

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID:
API String ID: 3168177373-0
Opcode ID: 6e0fd9e35b3fc048c3078d32ccd82e50a42be8e135733e97eba9959ea366773a
Instruction ID: ffd29a3b39c8521663b9a43e67436bd6ecd6eac2f9b9ea47e3a622fd9b95a5aa
Opcode Fuzzy Hash: 6e0fd9e35b3fc048c3078d32ccd82e50a42be8e135733e97eba9959ea366773a
Instruction Fuzzy Hash: DFB17C71A00209DFDB18DFA8C985FEEFBB4FF48314F144219E425AB291DB75A945CBA0

Function 00EC8180 Relevance: 6.3, APIs: 4, Instructions: 266windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 00EC8258
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00EC8287
SendMessageW.USER32(00000000,0000110A,00000004,0A74C085), ref: 00EC8443
SendMessageW.USER32(0000110A,0000110A,00000001,00000000), ref: 00EC8466

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7f2787de6cf005f8281f4b8aeef04f667246cfe344e683c8bfa37f231770b22e
Instruction ID: eef38f324545982304d3ba2afe84c67f4858e01162169b6393978785516701b9
Opcode Fuzzy Hash: 7f2787de6cf005f8281f4b8aeef04f667246cfe344e683c8bfa37f231770b22e
Instruction Fuzzy Hash: E9A14C719002049FCB19DF68CB84FAEB7F5BB49714F156569E811BB291DB31EC42CBA0

Function 00EC3E70 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EC3ECD
VariantClear.OLEAUT32(?), ref: 00EC3EFF
VariantClear.OLEAUT32(?), ref: 00EC4117
VariantClear.OLEAUT32(?), ref: 00EC4146

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e28d1778409eaf1bcb060d5a3c18dd156a8dcfe37ce467f2343bb95a9cf68998
Instruction ID: e801f6694ff7abe547fb1506770fe63f39089f8dc90769a0428845295e0faa6e
Opcode Fuzzy Hash: e28d1778409eaf1bcb060d5a3c18dd156a8dcfe37ce467f2343bb95a9cf68998
Instruction Fuzzy Hash: 0BA17774901259DFCB10CFA8C994BDEBBB4FF48304F259269E404BB391E735AA46CB91

Function 00EC2F00 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EC2F5A
VariantClear.OLEAUT32(?), ref: 00EC2F8C
VariantClear.OLEAUT32(?), ref: 00EC30F5
VariantClear.OLEAUT32(?), ref: 00EC3124

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ecd0aadaad5a40551441c98051e0ed8665f323a550306b5b84d1039f54708493
Instruction ID: ed6c65f07be493d2381b49c191047b6b10d6deff3f6bdfa45cfc63829cbf9eaf
Opcode Fuzzy Hash: ecd0aadaad5a40551441c98051e0ed8665f323a550306b5b84d1039f54708493
Instruction Fuzzy Hash: 2E81B230A00348DFDB14DFA8C944B9EFBB4EF45704F24815DD414AB392D775AA45CB91

Function 00EB4650 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00EB46F0
SysFreeString.OLEAUT32(00000000), ref: 00EB4731

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: a51bc20b5c100fb5b8241ade6cc23f41bd8a27b1f9e8e59e08b0eff336fbd175
Instruction ID: 7427daee676dfae1a32a323633b431126103603ea56b558cff39073379fd0a99
Opcode Fuzzy Hash: a51bc20b5c100fb5b8241ade6cc23f41bd8a27b1f9e8e59e08b0eff336fbd175
Instruction Fuzzy Hash: 8961C376A04219EFDB24CF58D844B9ABBB8FB49720F10416AFC14AB391D776DD10CBA0

Function 00F3FCF0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F3FD8B
GetWindowRect.USER32(?,?), ref: 00F3FDA3
GetWindowRect.USER32(?,?), ref: 00F3FE10
GetWindowLongW.USER32(?,000000EC), ref: 00F3FE34

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Rect$Long
String ID:
API String ID: 3486571012-0
Opcode ID: 6be7324bc2fd848eac4748c6e54c9d834ac8825337670de6af4afbaee2a75cd0
Instruction ID: 414c50a7fa14fc94679c67e6f0d1e07da18ab216a82127af086c58c23c3f1dd4
Opcode Fuzzy Hash: 6be7324bc2fd848eac4748c6e54c9d834ac8825337670de6af4afbaee2a75cd0
Instruction Fuzzy Hash: A941BF36A083059FC714CF15D884A6BB7E8FF99B14F05462EF95597204DB30E988CB92

Function 00EBCCF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(8CB281B6,8CB281B6,?), ref: 00EBCD2F
EnterCriticalSection.KERNEL32(?,8CB281B6,?), ref: 00EBCD3C
LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00EBCE13

Strings

Bw, xrefs: 00EBCE13

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Bw
API String ID: 3991485460-2555579916
Opcode ID: 2424dea80f60b5af66e1d78285bd2c050700a3d360219b967ee6899cea7beb1c
Instruction ID: 50411572fd648ddaddd14889d746a9b931a637375b737b3e5160b74afb487d9c
Opcode Fuzzy Hash: 2424dea80f60b5af66e1d78285bd2c050700a3d360219b967ee6899cea7beb1c
Instruction Fuzzy Hash: E641D6792047058FCB21CF38C881BEBBBB5EF55314F20452AE596E7341CB31A906CB90

Function 00FBC6B0 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,?,00000000,00000000), ref: 00FBC70F
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00FBC71C
WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00FBC739
WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00FBC75B

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4485390d7b39499b7db1780968cd24e4e97fef58944b9f669bd118f934ad640c
Instruction ID: 5b2a6b14bddaf1f5e90616e1479de806fb52c4ef11e2a40ce9b7bbe06ec78b9d
Opcode Fuzzy Hash: 4485390d7b39499b7db1780968cd24e4e97fef58944b9f669bd118f934ad640c
Instruction Fuzzy Hash: CA2167B27403067BE7205F15EC82FAB775DEF90B04F204129FA05971C0EBA17D058EA4

Function 00EF642D Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000010,?,00000060), ref: 00EF6467
GetWindowRect.USER32(?,?), ref: 00EF64B6
GetWindowLongW.USER32(?,000000EC), ref: 00EF64DF
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,00000060), ref: 00EF6571

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$LongRect
String ID:
API String ID: 463821813-0
Opcode ID: c69d7e25c4406713b80ce3bf7b4c7462cb513fb70dd44e0d55a3967f814a1e11
Instruction ID: 7fea7019c2cd190565a398ec0b4ff97f6094c6e540538b58c6db9ac7f0f809a0
Opcode Fuzzy Hash: c69d7e25c4406713b80ce3bf7b4c7462cb513fb70dd44e0d55a3967f814a1e11
Instruction Fuzzy Hash: E9419F75108745AFC315CF28D845A6AFBB4FF89700F044A2EFA9193264D732E894CF91

Function 00FA5170 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,0109A8AD,000000FF), ref: 00FA5188
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,0109A8AD,000000FF), ref: 00FA51BB
GetStdHandle.KERNEL32(000000F5,?,8CB281B6,00000000,0105D840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00FA5226
SetConsoleTextAttribute.KERNEL32(00000000,?,8CB281B6,00000000,0105D840,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 00FA522D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ByteCharMultiWide$AttributeConsoleHandleText
String ID:
API String ID: 3849414675-0
Opcode ID: 8e90ed241e99e8b415d2d91b62508e23f906f042646d54bc1b61ef2f6f4ee536
Instruction ID: 517b445d88d4e7475925b3ceb3c6369018ade41edf42c09d6eb13dfd94cdde0a
Opcode Fuzzy Hash: 8e90ed241e99e8b415d2d91b62508e23f906f042646d54bc1b61ef2f6f4ee536
Instruction Fuzzy Hash: CE21F976705611AFD7109F58DC89F6AF7ACEB85720F20472AF625DB2D0CB356C018BA0

Function 00EF98E0 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EF996F
GetParent.USER32(00000000), ref: 00EF9977
GetParent.USER32(00000000), ref: 00EF997C
SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 00EF998D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Parent$MessageSend
String ID:
API String ID: 2251359880-0
Opcode ID: e9d4070659664a394c725fdbe078150b7d3ae40f7bd67d50af5b027769079f21
Instruction ID: f8e82bd48a334596840ad91b9c03babc1ef21dad47cdb42761dd295a10079d39
Opcode Fuzzy Hash: e9d4070659664a394c725fdbe078150b7d3ae40f7bd67d50af5b027769079f21
Instruction Fuzzy Hash: BB2104322001096BDB288A28EC84FBEF3ACEFD1758F055539F601E2155EB31DD91C7A4

Function 00EB89D0 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EB8A19
GetParent.USER32(?), ref: 00EB8A4D

Part of subcall function 01035D0D: GetProcessHeap.KERNEL32(00000008,00000008,?,00EB0DC7,?,?,00EB0B74,?), ref: 01035D12
Part of subcall function 01035D0D: HeapAlloc.KERNEL32(00000000,?,?,00EB0B74,?), ref: 01035D19

SetWindowLongW.USER32(?,000000EB), ref: 00EB8A80
ShowWindow.USER32(?,00000000), ref: 00EB8A96

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$HeapLong$AllocParentProcessShow
String ID:
API String ID: 78937335-0
Opcode ID: 236e7f85c86d9f88ca409ff5edeeca1e19042eda6f5d28c5947b62c705d66559
Instruction ID: 766fb2f830382a638e5465ce1970260bcc7cd0af144f6e7bd48c4388c7f175c7
Opcode Fuzzy Hash: 236e7f85c86d9f88ca409ff5edeeca1e19042eda6f5d28c5947b62c705d66559
Instruction Fuzzy Hash: E62191746047019FC724EF29D948A6BBBE8FF99714B054A2EF4A6D3A50DB30E844CB61

Function 00EBCB20 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,8CB281B6), ref: 00EBCB8A
EnterCriticalSection.KERNEL32(?,8CB281B6), ref: 00EBCB97
LeaveCriticalSection.KERNEL32(?), ref: 00EBCBE8

Strings

Bw, xrefs: 00EBCBE8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Bw
API String ID: 3991485460-2555579916
Opcode ID: d70a4caddce3e0a7414558d2ace918e410dab6c30d5feadb630129dfdd22a5d9
Instruction ID: a639b8916537c9109553c244677eccd5c0b5c9d2e62bda527893353590817ed6
Opcode Fuzzy Hash: d70a4caddce3e0a7414558d2ace918e410dab6c30d5feadb630129dfdd22a5d9
Instruction Fuzzy Hash: A521F9369042459FDF11CF64C881BDABBB4FF16314F1045A9EC997B346C7325909CB60

Function 00EBCC10 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,8CB281B6), ref: 00EBCC7A
EnterCriticalSection.KERNEL32(?,8CB281B6), ref: 00EBCC87
LeaveCriticalSection.KERNEL32(?), ref: 00EBCCCE

Strings

Bw, xrefs: 00EBCCCE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Bw
API String ID: 3991485460-2555579916
Opcode ID: 665248b4f56c3d8cf9e33fa81e101da6e1442cec6a39f512d458060c5e88cfb5
Instruction ID: 47f3bcb1d2198ef4f845d04a92d4f9edcdd5d49dcf38086ee2153ccf1461daf7
Opcode Fuzzy Hash: 665248b4f56c3d8cf9e33fa81e101da6e1442cec6a39f512d458060c5e88cfb5
Instruction Fuzzy Hash: 4921C4759042459FDF11CF24C880BEABBB8FF15324F2045A9EC59AB346D7329905CFA0

Function 00EBCA60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,8CB281B6,?), ref: 00EBCABD
EnterCriticalSection.KERNEL32(?,8CB281B6,?), ref: 00EBCACA
LeaveCriticalSection.KERNEL32(?), ref: 00EBCAF2

Strings

Bw, xrefs: 00EBCAF2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Bw
API String ID: 3991485460-2555579916
Opcode ID: c4d8ee0166c232722767e1d0c1d15a1eabb1c6a12c868093694528b720b4d31b
Instruction ID: 81fc65411316d2b418057384019d90f37cd03d4da9e83ab1015084a7b3ead35c
Opcode Fuzzy Hash: c4d8ee0166c232722767e1d0c1d15a1eabb1c6a12c868093694528b720b4d31b
Instruction Fuzzy Hash: 9521EC769042459FCF11CF54C8807DABF78EB55324F2046AAD896A7345C7365A09CBA0

Function 00FE0320 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 244fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

DeleteFileW.KERNEL32(?), ref: 00FE03FA
DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00FE052F

Part of subcall function 00FCF280: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,8CB281B6,00000001,7568EB20,00000000), ref: 00FCF2CF
Part of subcall function 00FCF280: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,8CB281B6,00000001,7568EB20,00000000), ref: 00FCF305

Part of subcall function 00FCC7E0: LoadStringW.USER32(000000A1,?,00000514,8CB281B6), ref: 00FCC836

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00FE03AE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: File$DeleteInit_thread_footer$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 3544038457-3685554107
Opcode ID: ba071c3f3e83eced76da3519fcac8922a0714aa1827fa2923982e1eff965d2ec
Instruction ID: da494545f4457ffcf621a9aa7da5d54c8860dbbb41ddde9136fd4d00134da12e
Opcode Fuzzy Hash: ba071c3f3e83eced76da3519fcac8922a0714aa1827fa2923982e1eff965d2ec
Instruction Fuzzy Hash: B391B071A00645DFDB00DF69CC44B9EBBF5EF45324F1882A9E815EB2A2DB75E904CB90

Function 00EAD8D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00EAD946
SendMessageW.USER32(?,00000000,00000000), ref: 00EADA42

Part of subcall function 00EAF190: SysFreeString.OLEAUT32(00000000), ref: 00EAF233

Strings

AtlAxWin140, xrefs: 00EAD93E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: c3fcf8fd72c83c3e7a28f3d70650bb1ebc8048161b64ee10128653af650fec5a
Instruction ID: 3444f6b40d415eebd7415162d13e61e601d78efdc8c5fe5939147b3de39cc62b
Opcode Fuzzy Hash: c3fcf8fd72c83c3e7a28f3d70650bb1ebc8048161b64ee10128653af650fec5a
Instruction Fuzzy Hash: 8B911474604204EFDB14CF64C888B5ABBB9FF49714F148599F85AAF294C771E901CF90

Function 00F0E970 Relevance: 5.4, APIs: 4, Instructions: 419memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00F0EB86
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00F0EB8C

Part of subcall function 00F10530: GetProcessHeap.KERNEL32(?,?,8CB281B6,00000000,?,00000000), ref: 00F105EA
Part of subcall function 00F10530: HeapFree.KERNEL32(00000000,?,?,8CB281B6,00000000,?,00000000), ref: 00F105F0

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F0ED97
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F0ED9D

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ecd8b28aa8354ac1beee89dc862fd7ce7337272cc0d5561c12f8fbeea64d8755
Instruction ID: 2fcb117d7c4f818b78c9142a67bf80eee36f92262621b2e85b47fa05a5e5f0b3
Opcode Fuzzy Hash: ecd8b28aa8354ac1beee89dc862fd7ce7337272cc0d5561c12f8fbeea64d8755
Instruction Fuzzy Hash: 0CF19970E00249DFDB04EFA8C949BEEBBB4FF45314F204599E412AB2D1DB75AA04DB91

Function 00FD7150 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9E50: GetProcessHeap.KERNEL32 ref: 00EA9EA5
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9ED7
Part of subcall function 00EA9E50: __Init_thread_footer.LIBCMT ref: 00EA9F62

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010A13BF,000000FF), ref: 00FD72D3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010A13BF,000000FF), ref: 00FD7361

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00FD723F

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 3699736680-396061572
Opcode ID: 666736495a8b90424cd17223b02eb01a2d4fdaa8311b989bcf20625b8750918d
Instruction ID: 5811072a8ca06e936452f6de1c63e625aaea7204bc0133c8d6ea5840665120a8
Opcode Fuzzy Hash: 666736495a8b90424cd17223b02eb01a2d4fdaa8311b989bcf20625b8750918d
Instruction Fuzzy Hash: DB61ED70905784CFD714DF68C94475EFBF0EB46728F1482AEE455AB382DB75AA04CB90

Function 00EED130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 01036662: EnterCriticalSection.KERNEL32(01144CD8,?,?,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 0103666D
Part of subcall function 01036662: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9EF6,01145904,8CB281B6,?,?,0105DE0D,000000FF,?,00FDBABC,8CB281B6), ref: 010366AA

__Init_thread_footer.LIBCMT ref: 00EED28D

Part of subcall function 01036618: EnterCriticalSection.KERNEL32(01144CD8,?,?,00EA9F67,01145904,010B6640), ref: 01036622
Part of subcall function 01036618: LeaveCriticalSection.KERNEL32(01144CD8,?,00EA9F67,01145904,010B6640), ref: 01036655
Part of subcall function 01036618: RtlWakeAllConditionVariable.NTDLL ref: 010366CC

Strings

Windows.UI.Xaml.Controls.ListViewItem, xrefs: 00EED256
ItemData, xrefs: 00EED2F2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ItemData$Windows.UI.Xaml.Controls.ListViewItem
API String ID: 2296764815-2445763458
Opcode ID: 6b03885ffc56447c8b47a915abd33724b55c3a2e96a7b38bc5bf5ee5593e8453
Instruction ID: e92a3c04f1aacd17a3515354f8ff97ad6dc2ba3b4f950854279459b4d1a0c478
Opcode Fuzzy Hash: 6b03885ffc56447c8b47a915abd33724b55c3a2e96a7b38bc5bf5ee5593e8453
Instruction Fuzzy Hash: 6B7191B090528DEFDB15CFA8C9047DEBBF0FF15708F148259E45567281D7B99A08CBA2

Function 00F93C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,8CB281B6,00000000,00000000), ref: 00F93D11

Strings

\\?\UNC\, xrefs: 00F93D3C, 00F93D9E
\\?\, xrefs: 00F93E0B, 00F93E37

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 4d9fa3c0a2327846a878e34495b13cd067acd315834ae0aec65f3df8820a1e32
Instruction ID: 469f3323932b783aeaa47665ee1cbec706dd9358e203808409f2f2d36d5a877c
Opcode Fuzzy Hash: 4d9fa3c0a2327846a878e34495b13cd067acd315834ae0aec65f3df8820a1e32
Instruction Fuzzy Hash: B651CF70E00604DBEF14DF58D885BAEB7F5FF89704F20821DE8516B281DB756A48DBA0

Function 00FD8550 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,8CB281B6,?,?,01146054), ref: 00FD858F
CreateDirectoryW.KERNEL32(?,00000000,?,01146054), ref: 00FD85F0

Strings

ADVINST_LOGS, xrefs: 00FD85C8

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: d43891417803aa42e5dcb2cce3e6b274e9831e14607c133c41d4d7b821b3e021
Instruction ID: 2f08b249a2741f4df0aef738b2612d80d53a17836839f5598ab9dfb6597028cb
Opcode Fuzzy Hash: d43891417803aa42e5dcb2cce3e6b274e9831e14607c133c41d4d7b821b3e021
Instruction Fuzzy Hash: B951C475900215CACB709F28C844BBAB3B5FF14764F1846AFD85997390EF758D82DB90

Function 00EB7110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,?,00000002,010C337C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,8CB281B6), ref: 00EB7280

Part of subcall function 00F8DDA0: GetModuleHandleW.KERNEL32(Advapi32.dll,8CB281B6,?,?,?,00000000,?,Function_001BDD00,000000FF), ref: 00F8DDE3

CloseHandle.KERNEL32(?,8CB281B6), ref: 00EB72B9

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00EB7178

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CloseHandle$Module
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
API String ID: 1412095732-2431777889
Opcode ID: db52972de88f6a7f790560aba252916c9e0d4c3059f5e94d4f3155d01d9d4a06
Instruction ID: 7a00eabb8bfdc3a06ff008f3efce81c160398256a4d75c405e2e213a73c9ff93
Opcode Fuzzy Hash: db52972de88f6a7f790560aba252916c9e0d4c3059f5e94d4f3155d01d9d4a06
Instruction Fuzzy Hash: 09514870D14248DADB20DFA4C959BDEBBB4BF18704F10819DE495BB281DBB46A48CFA1

Function 00EF86F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000005,?,?,?), ref: 00EF881F

Strings

|f, xrefs: 00EF8726
|f, xrefs: 00EF8715, 00EF882E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ShowWindow
String ID: |f$|f
API String ID: 1268545403-584886612
Opcode ID: cc7e0a60e1557806fb73965ff73c2ac809e0fe70ccabe57a3d26c338197f7036
Instruction ID: 2f080705c92e62f7b195d35bf5980545e3c9a6b893f27f8de7d6015274083625
Opcode Fuzzy Hash: cc7e0a60e1557806fb73965ff73c2ac809e0fe70ccabe57a3d26c338197f7036
Instruction Fuzzy Hash: 25417B31901249EFDB25DFA4C954BDEBBF4EF08714F24416DE815AB282DB75AA04CF90

Function 0105277F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0105284F
__freea.LIBCMT ref: 0105285E

Part of subcall function 0104DC17: RtlAllocateHeap.NTDLL(00000000,00000000,0104D0E1,?,0104EE85,?,00000000,?,0103F625,00000000,0104D0E1,?,?,?,?,0104CEDB), ref: 0104DC49

Strings

`&, xrefs: 01052781

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: AllocateHeapStringType__freea
String ID: `&
API String ID: 4073780324-2927270505
Opcode ID: b9484dcf86ac342db3adac7d3991dc17e9741a5307e6d138f28eb3343b997926
Instruction ID: 31ab836a136ac7092415cba72d0a181c188ad9abe825908f7c4e61c9cbce66b6
Opcode Fuzzy Hash: b9484dcf86ac342db3adac7d3991dc17e9741a5307e6d138f28eb3343b997926
Instruction Fuzzy Hash: D731B072A0221AEBDF659FA9CC44EEF7BA9EF45710F084168FD44A7250E734C951C7A0

Function 00FA73D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,8CB281B6,010D9754), ref: 00FA7428
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00FA7524

Part of subcall function 00F99AC0: std::locale::_Init.LIBCPMT ref: 00F99B9D

Part of subcall function 00F972B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F97385

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 00FA7446

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: 469a0f2993f266d377c5ef225c28bb2ae67e0f5e3ea493229db0cbfd6b27a3e1
Instruction ID: 6a545a3f347c174a5343b4cfe6760c5a05b2271e4ee74adc9c115d28baf6ad6e
Opcode Fuzzy Hash: 469a0f2993f266d377c5ef225c28bb2ae67e0f5e3ea493229db0cbfd6b27a3e1
Instruction Fuzzy Hash: 7941AD70A04309DBDB20DF68CD09BAEBBF8FF05310F108559E455EB290D7B8AA08CB91

Function 00FF2050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,00000001,_pbl_evt,00000008,?,?,010DA350,00000001,8CB281B6,00000000), ref: 00FF20FE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00FF211B

Strings

_pbl_evt, xrefs: 00FF20D2

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: 88c042d315a5c9b76eb193829999145d84b809fb2135b503c3d5a2d4e0b42f4d
Instruction ID: 8c65c2b1d96cc5e4d601889a7450cfec256be4e59a2aa4ab820c4a86c0c3d780
Opcode Fuzzy Hash: 88c042d315a5c9b76eb193829999145d84b809fb2135b503c3d5a2d4e0b42f4d
Instruction Fuzzy Hash: B9314D71D00208EFDB10DFA8C955BEEB7F8EF19714F508119E951BB280DBB56A09CBA0

Function 00F96870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F9689B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F968FE

Strings

bad locale name, xrefs: 00F96921

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 53b6fee7601115db2175192c328c46e81283f3c0fe050f84a99756a92972e05f
Instruction ID: 1ab574752a77510afc0b55ae017abe17d157959078d792d2e6841f1c111d32e8
Opcode Fuzzy Hash: 53b6fee7601115db2175192c328c46e81283f3c0fe050f84a99756a92972e05f
Instruction Fuzzy Hash: B421E070A05784DFEB20CF69C40474ABFE4AF15714F14869ED485CBB81D7B6EA04DBA1

Function 00F0DE10 Relevance: 5.3, APIs: 4, Instructions: 316memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?), ref: 00F0E08B
HeapFree.KERNEL32(00000000,?,?), ref: 00F0E091
GetProcessHeap.KERNEL32(?,?), ref: 00F0E160
HeapFree.KERNEL32(00000000,?,?), ref: 00F0E166

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 676c1937fd14ee4ad2584ef087e25dfa516ad0ea221bbbe306743acf636f2034
Instruction ID: 5a18a3dfa4852d679cb6bf51ab8fd61b4dfc81e56004d79a12ec20f3fd401012
Opcode Fuzzy Hash: 676c1937fd14ee4ad2584ef087e25dfa516ad0ea221bbbe306743acf636f2034
Instruction Fuzzy Hash: 26D18C30E00208CFDB14DFA8C894BEEBBB5FF54314F244569D415AB292DB74AE45EB91

Function 00EC1200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetParent.USER32(00000005), ref: 00EC1274

Strings

d, xrefs: 00EC1240
C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00EC1249

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Parent
String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
API String ID: 975332729-3357045315
Opcode ID: 7559e1d8f84e4d167f67e578eba175309e54207fc1ab8340d63dbc806045ce89
Instruction ID: 4809fea6231ebfc694a32610020126f3dc72e45ebf7c5c55722fb01810731bb7
Opcode Fuzzy Hash: 7559e1d8f84e4d167f67e578eba175309e54207fc1ab8340d63dbc806045ce89
Instruction Fuzzy Hash: 74211374D05298EFDF04DFE4D958B8EBBB0BF15308F148098E045AB295CBB96A08DF81

Function 00EAD329 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00EAD39A

Strings

d, xrefs: 00EAD369
C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00EAD375

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-4096264744
Opcode ID: f2645fa9976abddcbfd59627bf6bad5eb2bc78c8cf670a3e730e4dbdc8c6a8c5
Instruction ID: 5d0421796978d886ab45f38b451a96ce88b785a589635629ab80981ef20ff7bd
Opcode Fuzzy Hash: f2645fa9976abddcbfd59627bf6bad5eb2bc78c8cf670a3e730e4dbdc8c6a8c5
Instruction Fuzzy Hash: BE213674D05298DFDF04DFE4D95878EBBB0BF19308F108098E041AB285DBB85A08CF81

Function 00EACF5D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00EACFCB

Strings

d, xrefs: 00EACF9D
C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00EACFA6

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-4096264744
Opcode ID: 1637e8612955d6ce196d5f27f04093de64d14f50932b244e3bea273df9fe4137
Instruction ID: 5065f67813a9ec3ede513838672034c7e86f5b779f39b83c852cab8d7c4e0b4e
Opcode Fuzzy Hash: 1637e8612955d6ce196d5f27f04093de64d14f50932b244e3bea273df9fe4137
Instruction Fuzzy Hash: F6213074D05298EFDF04DFE0D99879EBBB1BF19308F108098E041AB285DBB85A08DF91

Function 00EC12CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000D), ref: 00EC133B

Strings

d, xrefs: 00EC1305
C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00EC130E

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Parent
String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$d
API String ID: 975332729-3357045315
Opcode ID: 4c85e2496a3a28ff6f7889f7accb8a8142553c9652082721fbe47f75f97edd54
Instruction ID: 3c1d32000cb0a7257b561a90d93a3e2af15f4311a0b511d27965a699a49ae9dc
Opcode Fuzzy Hash: 4c85e2496a3a28ff6f7889f7accb8a8142553c9652082721fbe47f75f97edd54
Instruction Fuzzy Hash: 7B210F74D00288EEDB04DFE4D958B9DBBB1BF15308F148098E041AB296DBB95A08DB41

Function 00EAD3F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00EAD460

Strings

d, xrefs: 00EAD42D
C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00EAD439

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-4096264744
Opcode ID: abfeffd4efbac12df4946c36c5ae06ab2c5bd29629deed577f3831656ece83a0
Instruction ID: 1b3771c28c119cd5e8860bf575fc58c33c16256f960deb206c1807e28ca9600d
Opcode Fuzzy Hash: abfeffd4efbac12df4946c36c5ae06ab2c5bd29629deed577f3831656ece83a0
Instruction Fuzzy Hash: 44211474D05288EEDF05DFE4D9587CEBBB1BF59308F108158E0416B285DBB95A08DF41

Function 00EAD021 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00EAD08C

Strings

d, xrefs: 00EAD05C
C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00EAD065

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-4096264744
Opcode ID: 70f93be25721898ab7c69d8cd3e2cf56621e1e335154622a5e3cbb34faea7195
Instruction ID: 349608046276166bf425e8c1acdf84eee95520addbd042a2c776eb5c38c881b2
Opcode Fuzzy Hash: 70f93be25721898ab7c69d8cd3e2cf56621e1e335154622a5e3cbb34faea7195
Instruction Fuzzy Hash: 3D210074D15288EEDF09DFE0D9987DDBBB1BF15308F108098E0456B285DBB95A08DF51

Function 00F012B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F0130F
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00EFFDEC,00000000,8CB281B6,?,?), ref: 00F01328

Strings

tooltips_class32, xrefs: 00F01306

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Window$Create
String ID: tooltips_class32
API String ID: 870168347-1918224756
Opcode ID: df8c2e22029d32e6fc99f7f79eb22deaf0db467d7e7a6d321e665ee6a5c997a2
Instruction ID: 0fcb734d2748c02680f251dee39f73e86c41a123a0d5dc93981ae58d7d82fb7c
Opcode Fuzzy Hash: df8c2e22029d32e6fc99f7f79eb22deaf0db467d7e7a6d321e665ee6a5c997a2
Instruction Fuzzy Hash: 3F01F0313802127BF7288664DC0AFA232D8D740F50F38833CBB54FE0C0D6A2EA10D608

Function 00EC1391 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetParent.USER32(00000013), ref: 00EC13C4

Strings

Unknown exception, xrefs: 00EC1399
C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00EC13A9

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Parent
String ID: C:\JobRelease\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-2259502730
Opcode ID: 255d2cd8a33effb66e242bb4a17df3c12ea658b6c0496548194dc95018d7c1a3
Instruction ID: c17a6d7d633e2c812eaee09cf25164855eacb094d3a315969ed4dd2ff72fc108
Opcode Fuzzy Hash: 255d2cd8a33effb66e242bb4a17df3c12ea658b6c0496548194dc95018d7c1a3
Instruction Fuzzy Hash: 42016134D05248EFCF04DBE4C915ADDBBB1AF59304F54809CE0416F296DBB55A08DB91

Function 00EAD4B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00EAD4E8

Strings

C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00EAD4D3
Unknown exception, xrefs: 00EAD4C0

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-452454139
Opcode ID: 583900040f647bc5a509ccb6282654b450d3c755a49e46b7500ababc91f0959f
Instruction ID: f8c896cada3ced0a22995f7da38c9d18fbd40fd77c48d79e75d05ddddebd7c52
Opcode Fuzzy Hash: 583900040f647bc5a509ccb6282654b450d3c755a49e46b7500ababc91f0959f
Instruction Fuzzy Hash: D3018C34D05288DBCF05EBE4C9156DEBBB1BF5A304F54819CE0426F386DBB45A08DB92

Function 00EAD0E2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00EAD10F

Strings

C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00EAD0FA
Unknown exception, xrefs: 00EAD0EA

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\JobRelease\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-452454139
Opcode ID: 465f4508acd8631e72317b22cd85d5a17e0c75fd9764fdb89b556a7e79864077
Instruction ID: 083b41c2d79b80ee7e3ce1a09e67c071ecda03ef7bbe89787141d18be75d0ce0
Opcode Fuzzy Hash: 465f4508acd8631e72317b22cd85d5a17e0c75fd9764fdb89b556a7e79864077
Instruction Fuzzy Hash: CF018C34D05288DBCF05EBE4C9156DEBBB1BF5A304F54809CE0426F286DBB45A08EB92

Function 01052DAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,?,00000104), ref: 01052DD7
GetACP.KERNEL32(00000000,?,?,?,00000104), ref: 01052DEE

Strings

`&, xrefs: 01052DAE

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID:
String ID: `&
API String ID: 0-2927270505
Opcode ID: 65cb3473efc2fdd3a66b80d43434dc8626a470bb72670817b59be3b1dd85f1c9
Instruction ID: 2a4d89a72c6658963b12cde8d9f7188387c24c319496f7fd3be8fc098f25381b
Opcode Fuzzy Hash: 65cb3473efc2fdd3a66b80d43434dc8626a470bb72670817b59be3b1dd85f1c9
Instruction Fuzzy Hash: 61F04F30400505CFEBA4EB6CD4487AA77F5BB40329F940358E976861D5C7B55985CB81

Function 0103598C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EB3650: InitializeCriticalSectionAndSpinCount.KERNEL32(01144C5C,00000000,8CB281B6,00EA0000,Function_001BD840,000000FF,?,010359BB,?,?,?,00EA6438), ref: 00EB3675
Part of subcall function 00EB3650: GetLastError.KERNEL32(?,010359BB,?,?,?,00EA6438), ref: 00EB367F

IsDebuggerPresent.KERNEL32(?,?,?,00EA6438), ref: 010359BF
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EA6438), ref: 010359CE

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 010359C9

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 125afe7efc509614f56180eabe735d4b2831a4e3d2c80f74fc4b2be0d341746c
Instruction ID: acd7afb4b62a459df28a45b5527e770d7f9db64c71ae696b76d2814e83f012b6
Opcode Fuzzy Hash: 125afe7efc509614f56180eabe735d4b2831a4e3d2c80f74fc4b2be0d341746c
Instruction Fuzzy Hash: E8E06DB02017018BD370AF35E484382BAE8AB4A718F118D2FD5D6D6614E7B5E444CB91

Function 00EE1B70 Relevance: 5.3, APIs: 4, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00EE1E5F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00EE1E65
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?), ref: 00EE1F0F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00EE1F15

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a1f3d4d613d82e7a88a1f8cdab952c5ffd26d36e57c45064b13a620733ca73b3
Instruction ID: b29d07c701b53accbb746fb6165a8a53583ab989101588d213ee4daf152d8033
Opcode Fuzzy Hash: a1f3d4d613d82e7a88a1f8cdab952c5ffd26d36e57c45064b13a620733ca73b3
Instruction Fuzzy Hash: 20B19B70E00298CEDB24DB29CC45BDEBBB9FF51314F1042DAE419A7292DB745A84CF91

Function 00EE07E0 Relevance: 5.2, APIs: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00EE0A0F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EE0A15
GetProcessHeap.KERNEL32(?,?,?,?,?,?), ref: 00EE0ABF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EE0AC5

Memory Dump Source

Source File: 00000000.00000002.1533794043.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.1533777897.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1533991431.000000000113E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534015817.0000000001143000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534032262.0000000001144000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534048894.0000000001166000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_w4Xl662CE7.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 75c433bec9ebd11ea6cec7c2ccbdbd1d31c78efb202a5931a8d6087034962bf3
Instruction ID: 2ab4b453f118ffbe98db57a0e82c00fb9c298a5de6f8ad2d511918c2a6a74e8c
Opcode Fuzzy Hash: 75c433bec9ebd11ea6cec7c2ccbdbd1d31c78efb202a5931a8d6087034962bf3
Instruction Fuzzy Hash: 7D916B709013ACCEEB24DB25CC44BDAB7B9AF51304F1442E9D45DA7282DBB45A88CF52

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report w4Xl662CE7.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSI93F.tmp

C:\Users\user\AppData\Local\Temp\MSIAD7.tmp

C:\Users\user\AppData\Local\Temp\MSIb1285.LOG

C:\Users\user\AppData\Local\Temp\shi8B2.tmp

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\holder0.aiph

C:\Windows\Installer\6b0e6e.msi

C:\Windows\Installer\MSI115C.tmp

C:\Windows\Installer\MSI11CB.tmp

C:\Windows\Installer\MSI122A.tmp

C:\Windows\Installer\MSI1259.tmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
w4Xl662CE7.exe

Function 00FDB350 Relevance: 21.6, APIs: 10, Strings: 2, Instructions: 551
COMMON

Function 00FCEAB0 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Function 00FC4050 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160
windowCOMMON

Function 00FDA240 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159
COMMON

Function 00FA2BA0 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Function 00FA2F80 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Function 00FC4960 Relevance: 37.0, APIs: 2, Strings: 19, Instructions: 220
COMMON

Function 00FB64D0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 495
COMMON

Function 00FDF7B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43
libraryCOMMON

Function 00F8DDA0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 96
registrylibraryloaderCOMMON

Function 01035A9F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Function 00FE0BE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135
fileCOMMON

Function 00FC2810 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 224
fileCOMMON

Function 00FDF2F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON