Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1558587
MD5:	716a34c1339da740605493398067b147
SHA1:	bd1637bb6c98fa7134e322c283b72269340a79c5
SHA256:	7de8aa46aeb2240ba3a17691fbbd06c1ea72600b36fceb8bdd9c950dd867a69b
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Setup.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 716A34C1339DA740605493398067B147)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: Setup.exe

Joe Sandbox ML: detected

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: Setup.exe, 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmp, inetc.dll.0.dr

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: Joe Sandbox View

IP Address: 207.246.91.177 207.246.91.177

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_6D25332C lstrcmpiW,lstrcmpiW,InternetOpenW,GlobalAlloc,lstrcmpiW,GetLastError,lstrlenW,lstrlenW,GlobalAlloc,GlobalAlloc,InternetCrackUrlW,InternetConnectW,lstrcpyW,lstrcpyW,InternetSetOptionW,lstrlenW,InternetSetOptionW,lstrlenW,InternetSetOptionW,InternetSetOptionW,lstrlenW,InternetSetOptionW,lstrlenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpAddRequestHeadersW,lstrcmpiW,HttpAddRequestHeadersW,lstrlenW,lstrlenW,GlobalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,HttpAddRequestHeadersW,GlobalFree,GetLastError,lstrcmpiW,lstrlenW,HttpSendRequestW,GetLastError,lstrlenW,HttpSendRequestW,GetLastError,GlobalFree,GlobalFree,HttpSendRequestW,GetLastError,InternetQueryDataAvailable,GlobalAlloc,InternetReadFile,GetLastError,GlobalFree,GetLastError,HttpQueryInfoW,GetLastError,GlobalAlloc,HttpQueryInfoW,GlobalFree,InternetCloseHandle,GetLastError,InternetCloseHandle,GetLastError,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,InternetCloseHandle,GetLastError,

0_2_6D25332C

Source: global traffic

DNS traffic detected: DNS query: pcapp.store

Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=&evt_src=fa_mini_insta
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/3
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/32
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/:
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/inst_cpg.php?guid=9AC52742-8547-84D6-5349-ECEC87A66D67&_fcid=1731963210091936&ve
Source: Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/installing.php?guid=&winver=
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/m
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/ows
Source: Setup.exe	String found in binary or memory: https://pcapp.store/pixel.gif?guid=
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/pixel.gif?guid=9AC52742-8547-84D6-5349-ECEC87A66D67&version=fa.1092c&evt_src=fa_
Source: Setup.exe, 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pcapp.store/pixel.gif?guid=ility
Source: Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/privacy.html?guid=welhttps://pcapp.store/pixel.gif?guid=&version=&evt_src=fa_min
Source: Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/tos.html?guid=
Source: Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/u

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_6D25332C	0_2_6D25332C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_6D261BFF	0_2_6D261BFF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_6FD710C8	0_2_6FD710C8

Source: Setup.exe	Binary or memory string: OriginalFilename vs Setup.exe
Source: Setup.exe, 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameinetc.dllF vs Setup.exe
Source: Setup.exe, 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamensJSON.dllH vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.evad.winEXE@1/7@1/1

Source: C:\Users\user\Desktop\Setup.exe

0_2_0040352D

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsdA4EF.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: Setup.exe, 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmp, inetc.dll.0.dr

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_6D261BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6D261BFF

Source: Setup.exe	Static PE information: real checksum: 0x3937f should be: 0x33d16
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: nsJSON.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x6718
Source: inetc.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x13c41
Source: NSISFastLib.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x30512
Source: nsDialogs.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2f9b

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_6D2630C0 push eax; ret

0_2_6D2630EE

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\NSISFastLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\NSISFastLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: Setup.exe, 00000000.00000003.1464842884.00000000005BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"104","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"BkRNtHSWRJfXnioexJQIP%2Eexe","2":"Memory+Compression","3":"OfficeClickToRun%2Eexe","4":"Registry","5":"RuntimeBroker%2Eexe","6":"SearchApp%2Eexe","7":"Setup%2Eexe","8":"SgrmBroker%2Eexe","9":"StartMenuExperienceHost%2Eexe","10":"System","11":"SystemSettings%2Eexe","12":"TextInputHost%2Eexe","13":"WinStore%2EApp%2Eexe","14":"WmiPrvSE%2Eexe","15":"%5BSystem+Process%5D","16":"backgroundTaskHost%2Eexe","17":"conhost%2Eexe","18":"csrss%2Eexe","19":"ctfmon%2Eexe","20":"dasHost%2Eexe","21":"dllhost%2Eexe","22":"dwm%2Eexe","23":"explorer%2Eexe","24":"fontdrvhost%2Eexe","25":"lsass%2Eexe","26":"services%2Eexe","27":"sihost%2Eexe","28":"smartscreen%2Eexe","29":"smss%2Eexe","30":"spoolsv%2Eexe","31":"sppsvc%2Eexe","32":"svchost%2Eexe","33":"upfc%2Eexe","34":"wininit%2Eexe","35":"winlogon%2Eexe"},"sys_lang":"en-GB","parent_proc":"explorer%2Eexe"}
Source: Setup.exe, 00000000.00000003.1793222723.0000000000580000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2705548133.000000000057F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Setup.exe, 00000000.00000002.2705548133.0000000000549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Setup.exe, 00000000.00000003.1463871336.00000000005BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"104","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"BkRNtHSWRJfXnioexJQIP%2Eexe","2":"Memory+Compression","3":"OfficeClickToRun%2Eexe","4":"Registry","5":"RuntimeBroker%2Eexe","6":"SearchApp%2Eexe","7":"Setup%2Eexe","8":"SgrmBroker%2Eexe","9":"StartMenuExperienceHost%2Eexe","10":"System","11":"SystemSettings%2Eexe","12":"TextInputHost%2Eexe",
Source: Setup.exe, 00000000.00000003.1463871336.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"104","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"BkRNtHSWRJfXnioexJQIP%2Eexe","2":"Memory+Compression","3":"OfficeClickToRun%2Eexe",
Source: Setup.exe, 00000000.00000003.1463871336.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"104","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29",
Source: Setup.exe, 00000000.00000003.1793167477.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Setup.exe, 00000000.00000003.1463703178.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device",
Source: Setup.exe, 00000000.00000002.2705548133.0000000000549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware%2C+Inc%2E
Source: Setup.exe, 00000000.00000003.1463703178.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"104","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{
Source: Setup.exe, 00000000.00000003.1464842884.00000000005BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"104","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"BW_RP","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"PE9ZC_7M+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"BkRNtHSWRJfXnioexJQIP%2Eexe","2":"Memory+Compression","3":"OfficeClickToRun%2Eexe","4":"Registry","5":"RuntimeBroker%2Eexe","6":"SearchApp%2Eexe","7":"Setup%2Eexe","8":"SgrmBroker%2Eexe","9":"StartMenuExperienceHost%2Eexe","10":"System","11":"SystemSettings%2Eexe","12":"TextInputHost%2Eexe","13":"WinStore%2EApp%2Eexe","14":"WmiPrvSE%2Eexe","15":"%5BSystem+Process%5D","16":"backgroundTaskHost%2Eexe","17":"conhost%2Eexe","18":"csrss%2Eexe","19":"ctfmon%2Eexe","20":"dasHost%2Eexe","21":"dllhost%2Eexe","22":"dwm%2Eexe","23":"explorer%2Eexe","24":"fontdrvhost%2Eexe","25":"lsass%2Eexe",

Source: C:\Users\user\Desktop\Setup.exe	API call chain: ExitProcess graph end node			graph_0-7947
Source: C:\Users\user\Desktop\Setup.exe	API call chain: ExitProcess graph end node			graph_0-7951

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_6D261BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6D261BFF

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_6FD918C9 CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,CreateWindowExW,SetPropW,SendMessageW,SendMessageW,SendMessageW,SetWindowLongW,GetProcessHeap,HeapFree,

0_2_6FD918C9

Source: C:\Users\user\Desktop\Setup.exe

0_2_0040352D

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	12 Virtualization/Sandbox Evasion	OS Credential Dumping	141 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	124 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\NSISFastLib.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsJSON.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pcapp.store	207.246.91.177	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://pcapp.store/inst_cpg.php?guid=9AC52742-8547-84D6-5349-ECEC87A66D67&_fcid=1731963210091936&ve	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/pixel.gif?guid=ility	Setup.exe, 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmp	false	high
https://pcapp.store/pixel.gif?guid=	Setup.exe	false	high
https://pcapp.store/32	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/m	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Setup.exe	false	high
https://pcapp.store/3	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=&evt_src=fa_mini_insta	Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/pixel.gif?guid=9AC52742-8547-84D6-5349-ECEC87A66D67&version=fa.1092c&evt_src=fa_	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/privacy.html?guid=welhttps://pcapp.store/pixel.gif?guid=&version=&evt_src=fa_min	Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/u	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/ows	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/tos.html?guid=	Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/:	Setup.exe, 00000000.00000002.2706325838.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://pcapp.store/installing.php?guid=&winver=	Setup.exe, 00000000.00000002.2705548133.0000000000514000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
207.246.91.177	pcapp.store	United States		20473	AS-CHOOPAUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558587
Start date and time:	2024-11-19 15:58:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@1/7@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 74
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Setup.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
207.246.91.177	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pcapp.store	https://pivotanimator.net/Download.php	Get hash	malicious	Unknown	Browse	45.32.1.23

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	owari.arm7.elf	Get hash	malicious	Mirai	Browse	45.32.45.196
	owari.ppc.elf	Get hash	malicious	Unknown	Browse	104.238.167.204
	0kToM9fVGQ.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	x86.elf	Get hash	malicious	Unknown	Browse	192.248.174.148
	Xa04iTOvv5.exe	Get hash	malicious	Unknown	Browse	199.247.4.86
	https://stopify.co/BOAZ81	Get hash	malicious	Unknown	Browse	45.77.159.83
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	204.80.154.20
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	108.61.212.81
	x86.elf	Get hash	malicious	Unknown	Browse	44.174.151.192
	PO-341999-PDF.exe	Get hash	malicious	AsyncRAT	Browse	95.179.135.209

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\NSISFastLib.dll	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\NSISFastLib.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	140288
Entropy (8bit):	6.334087823000165
Encrypted:	false
SSDEEP:	3072:H5dnvmOEATceozVDkRasOCdUFZrR7beB2SK0XCC+W/ST+BeXZQUC5:ZdnvmsTceZUtCdUFZr9b4KznC5
MD5:	9C7A4D75F08D40AD6F5250DF6739C1B8
SHA1:	793749511C61B00A793D0AEA487E366256DD1B95
SHA-256:	6EB17C527C9E7F7FEA1FDB2EA152E957B50A56796E53CE1E5946B165B82DEAEF
SHA-512:	E85235307B85FFD3AAB76FF6290BEE0B3B9FD74C61A812B5355FE7B854D4C6B77BD521E52638D28E249A43D9EC7AA6F2670AF2B1C671091492C7FE19D6F9A4E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......../.iTN.:TN.:TN.:.6.;^N.:.6.;.N.:.6.;@N.:.6.;UN.:...;AN.:...;DN.:...;{N.:.6.;_N.:TN.:'N.:B..;QN.:B..;UN.:B.%:UN.:TNM:UN.:B..;UN.:RichTN.:........................PE..L...z..f...........!...(.x...................................................`..............................................x...x....0..X....................@......0...............................p...@............................................text...0v.......x.................. ..`.rdata..\~...........\|..............@..@.data...............................@....rsrc...X....0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\image.gif

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	dropped
Size (bytes):	997
Entropy (8bit):	4.188896534234179
Encrypted:	false
SSDEEP:	12:2E5KZbHOjOruFw6MLxENScRVar7FC53tK1Oqd3Aa0n:tAlHOjOX60ENvRVZKbEn
MD5:	1636218C14C357455B5C872982E2A047
SHA1:	21FBD1308AF7AD25352667583A8DC340B0847DBC
SHA-256:	9B8B6285BF65F086E08701EEE04E57F2586E973A49C5A38660C9C6502A807045
SHA-512:	837FA6BCBE69A3728F5CB4C25C35C1D13E84B11232FC5279A91F21341892AD0E36003D86962C8AB1A056D3BEEB2652C754D51D6EC7EEE0E0EBFE19CD93FB5CB0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GIF89a............P..........4q...5j...O..F.].......................o..._.....5y.t........\....K>}...g..t....X...B..ET....t~....go..Jx...........\|..U!f.\|....>u.M.........w>..+r...\|...A{.....t...E...b.8}....d....A.....R..y..l...w....G5u...{....t.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!..NETSCAPE2.0.....!.......,...............H..A....`pp....~.xR......d.......,...D...)2 .1.....N` R......(@......,8RDA../..XB....P.F .....#...b`F...#8p......<\.`.........A....n\|.CH...........+... .E.....d`.@......;

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	4.684597989866362
Encrypted:	false
SSDEEP:	384:njt65uI9oYzcCaHjl9Cb4I1f0AGhrHXoREnRxtIpH/u0abJ2v2DW9O9tk8ZwkpwD:noHtNQoRSIwTJB6Q/kPyBp6
MD5:	A35CDC9CF1D17216C0AB8C5282488EAD
SHA1:	ED8E8091A924343AD8791D85E2733C14839F0D36
SHA-256:	A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
SHA-512:	0F15B00D0BF2AABD194302E599D69962147B4B3EF99E5A5F8D5797A7A56FD75DD9DB0A667CFBA9C758E6F0DAB9CED126A9B43948935FE37FC31D96278A842BDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.[.H.[.H.[.H.O.I.R.H.[.I...H...M.Y.H...L.Z.H...H.Z.H.....Z.H...J.Z.H.Rich[.H.................PE..L...n..c...........!.....T.........._........p............................... ............@..........................x......D...d...............................t....w..8...............................................D............................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data....i...........d..............@....idata..A............v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:	24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	9728
Entropy (8bit):	5.158136237602734
Encrypted:	false
SSDEEP:	96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc
MD5:	6C3F8C94D0727894D706940A8A980543
SHA1:	0D1BCAD901BE377F38D579AAFC0C41C0EF8DCEFD
SHA-256:	56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
SHA-512:	2094F0E4BB7C806A5FF27F83A1D572A5512D979EEFDA3345BAFF27D2C89E828F68466D08C3CA250DA11B01FC0407A21743037C25E94FBE688566DD7DEAEBD355
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....Oa...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsJSON.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.819708895488079
Encrypted:	false
SSDEEP:	384:n7U5CiIZ1ZC2RvhrTfldNuwQ5pk+BISivMyyOgqCoRUj+OvHxOuofnykhVQJrTU:YoZ1ZnhrTfldqk7Yyy94RxOcVQJrT
MD5:	F4D89D9A2A3E2F164AEA3E93864905C9
SHA1:	4D4E05EE5E4E77A0631A3DD064C171BA2E227D4A
SHA-256:	64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB
SHA-512:	DBDA3FE7CA22C23D2D0F2A5D9D415A96112E2965081582C7A42C139A55C5D861A27F0BD919504DE4F82C59CF7D1B97F95ED5A55E87D574635AFDB7EB2D8CADF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.'..fI_.fI_.fI_3.H^.fI_.fH_?fI_.8M^.fI_.8I^.fI_.8._.fI_.8K^.fI_Rich.fI_........PE..L...`..Z...........!.....>..........E........P............................................@..........................X......@Z..P....p..........................H....X...............................................P...............................text...W<.......>.................. ..`.rdata.......P.......B..............@..@.data...@....`.......R..............@....rsrc........p.......T..............@..@.reloc..H............X..............@..B........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.612743851840157
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	190'056 bytes
MD5:	716a34c1339da740605493398067b147
SHA1:	bd1637bb6c98fa7134e322c283b72269340a79c5
SHA256:	7de8aa46aeb2240ba3a17691fbbd06c1ea72600b36fceb8bdd9c950dd867a69b
SHA512:	26fd528583d6f2c3ceeaa4882548dac3a44a228e96f2e78c88a9bc5c6fb62cb477d084212f00e4ba1951c85c7b19b46e24bbe488845ca189036c4150b5d05b96
SSDEEP:	3072:UbG7N2kDTHUpouL4Ynd86Pzy5n+/mGCK8izuG2okB2h4l591BBgkXmUT:UbE/HUzRe6ry5nmQiiGz4z9TJXrT
TLSH:	3804F15056E0C862D8A28B71B5797F7B8AB5DC2192B45F8313107B187E7DE819F0E3A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	45d44c7192498005

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	08/05/2024 02:00:00 14/02/2025 00:59:59
Subject Chain	CN=FAST CORPORATION LTD, O=FAST CORPORATION LTD, L=Ra'anana, C=IL, SERIALNUMBER=515636181, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
Version:	3
Thumbprint MD5:	04786BD703B906E22AECB2AD38CE4D94
Thumbprint SHA-1:	07BE42727905BE32C822A638502C1B8FAAE6540A
Thumbprint SHA-256:	FDB017BB88E5D453E22A73810690C72534F58EFB109EA0D4494EC393F2307DBC
Serial:	0E5C655E1CBE9A8879372F58A5BC0302

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F37E940B4BAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F37E940B48Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x4f40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2bd00	0x2968	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	ce9df19df15aa7bfbc0a8d0af0b841d0	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	a118375c929d970903c1204233b7583d	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	82a10c59a8679bb952fc8316070b8a6c	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x36000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0x4f40	0x5000	6147c56de0951034d77b52b0075b790f	False	0.1015625	data	2.760740823683962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6c208	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	English	United States	0.036372224846480866
RT_DIALOG	0x70430	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x70638	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x70730	0xa0	data	English	United States	0.60625
RT_DIALOG	0x707d0	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x708c0	0x14	data	English	United States	1.1
RT_VERSION	0x708d8	0x240	data	English	United States	0.4895833333333333
RT_MANIFEST	0x70b18	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 15:59:20.203303099 CET	49705	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:20.203360081 CET	443	49705	207.246.91.177	192.168.2.8
Nov 19, 2024 15:59:20.203444958 CET	49705	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:20.321541071 CET	49705	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:20.321583986 CET	443	49705	207.246.91.177	192.168.2.8
Nov 19, 2024 15:59:52.402255058 CET	49705	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:52.498023033 CET	49707	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:52.498071909 CET	443	49707	207.246.91.177	192.168.2.8
Nov 19, 2024 15:59:52.498142004 CET	49707	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:52.498920918 CET	49707	443	192.168.2.8	207.246.91.177
Nov 19, 2024 15:59:52.498939991 CET	443	49707	207.246.91.177	192.168.2.8
Nov 19, 2024 16:00:24.568833113 CET	49707	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:24.569796085 CET	49708	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:24.569854021 CET	443	49708	207.246.91.177	192.168.2.8
Nov 19, 2024 16:00:24.569919109 CET	49708	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:24.570183039 CET	49708	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:24.570194006 CET	443	49708	207.246.91.177	192.168.2.8
Nov 19, 2024 16:00:56.616211891 CET	49708	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:56.785145044 CET	49715	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:56.785191059 CET	443	49715	207.246.91.177	192.168.2.8
Nov 19, 2024 16:00:56.785351992 CET	49715	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:56.785583973 CET	49715	443	192.168.2.8	207.246.91.177
Nov 19, 2024 16:00:56.785594940 CET	443	49715	207.246.91.177	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 15:59:20.191205978 CET	51749	53	192.168.2.8	1.1.1.1
Nov 19, 2024 15:59:20.198558092 CET	53	51749	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 15:59:20.191205978 CET	192.168.2.8	1.1.1.1	0x563a	Standard query (0)	pcapp.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	207.246.91.177	A (IP address)	IN (0x0001)	false
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	167.99.235.203	A (IP address)	IN (0x0001)	false
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	45.32.1.23	A (IP address)	IN (0x0001)	false
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	209.222.21.115	A (IP address)	IN (0x0001)	false
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	159.223.126.41	A (IP address)	IN (0x0001)	false
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	104.248.126.225	A (IP address)	IN (0x0001)	false
Nov 19, 2024 15:59:20.198558092 CET	1.1.1.1	192.168.2.8	0x563a	No error (0)	pcapp.store	64.176.203.93	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:59:17
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	190'056 bytes
MD5 hash:	716A34C1339DA740605493398067B147
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.2%
Total number of Nodes:	1282
Total number of Limit Nodes:	60

Executed Functions

Function 6FD710C8 Relevance: 128.4, APIs: 63, Strings: 10, Instructions: 612
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 6FD71AF9
LocalAlloc.KERNEL32(00000040,?), ref: 6FD71B07
LocalAlloc.KERNEL32(00000040,?), ref: 6FD71B17
LocalAlloc.KERNEL32(00000040,?), ref: 6FD71B25
LocalAlloc.KERNEL32(00000040,?), ref: 6FD71B36
InternetOpenW.WININET(6FD794E0,00000000,00000000), ref: 6FD71B91
InternetQueryOptionW.WININET(00000000,00000032,?,?), ref: 6FD71BBC
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 6FD71BE6
InternetSetOptionW.WININET(00000000,00000002,6FD79800,00000004), ref: 6FD71BFB
InternetSetOptionW.WININET(00000000,00000006,6FD79804,00000004), ref: 6FD71C13
LoadLibraryA.KERNEL32(WININET,FtpCommandW), ref: 6FD71C1F
GetProcAddress.KERNEL32(00000000), ref: 6FD71C26
lstrcmpiW.KERNEL32(/end), ref: 6FD71C41
lstrcmpiW.KERNEL32(/end,6FD79140), ref: 6FD71C6C
PostMessageW.USER32(?,00000113,00000001,00000000), ref: 6FD71CB9
CreateFileW.KERNEL32(6FD79140,40000000,00000001,00000000,-00000002,00000000,00000000), ref: 6FD71CF5
GetFileSize.KERNEL32(?,00000000), ref: 6FD71D38
InternetCrackUrlW.WININET(00000000,00000000,0000003C), ref: 6FD71D51
wsprintfW.USER32 ref: 6FD71D7D
lstrlenW.KERNEL32(6FD7C2F8,6FD7C2F8,6FD798A8), ref: 6FD71D92
lstrcatW.KERNEL32(?,?), ref: 6FD71DAD
GetTickCount.KERNEL32 ref: 6FD71DB3
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 6FD71DE5
lstrlenW.KERNEL32(?,00000003,00000000,00000000), ref: 6FD71E1E
lstrlenW.KERNEL32(?,?), ref: 6FD71E30
InternetConnectW.WININET(00000000,?,?,?), ref: 6FD71E46
InternetCloseHandle.WININET(00000000), ref: 6FD71E96
HttpQueryInfoW.WININET(00000000,00000016,6FD7C2F8,00000800,00000000), ref: 6FD71EC6
WriteFile.KERNEL32(?,6FD7C2F8,00000800,00000004,00000000), ref: 6FD71F2B
InternetCloseHandle.WININET(00000000), ref: 6FD7203C
InternetCloseHandle.WININET(00000000), ref: 6FD72046
InternetGetLastResponseInfoW.WININET(?,6FD7C2F8,?), ref: 6FD7207D
lstrcpynW.KERNEL32(?,00000000,00000020), ref: 6FD720BE
GetLastError.KERNEL32 ref: 6FD720C6
SleepEx.KERNEL32(000007D0,00000000), ref: 6FD72123
SleepEx.KERNEL32(00000BB8,00000000), ref: 6FD72139
ShowWindow.USER32(?,00000000), ref: 6FD7217C
GetParent.USER32(?), ref: 6FD721A1
MessageBoxW.USER32(00000000), ref: 6FD721A8
ShowWindow.USER32(?,00000005), ref: 6FD721C8
SleepEx.KERNEL32(000003E8,00000000), ref: 6FD721D4
CloseHandle.KERNEL32(?), ref: 6FD721F9
DeleteFileW.KERNEL32(6FD79140), ref: 6FD72234
InternetCloseHandle.WININET(00000000), ref: 6FD7223E
lstrcmpiW.KERNEL32(/end), ref: 6FD7224F
LocalFree.KERNEL32(?), ref: 6FD72279
LocalFree.KERNEL32(?), ref: 6FD7227E
LocalFree.KERNEL32(?), ref: 6FD72283
LocalFree.KERNEL32(?), ref: 6FD72288
LocalFree.KERNEL32(?), ref: 6FD7228D
IsWindow.USER32(?), ref: 6FD72290
PostMessageW.USER32(?,00000111,FFEE0001,00000000), ref: 6FD722A8

Strings

Inetc plug-in, xrefs: 6FD7218B
/end, xrefs: 6FD71C36, 6FD71C61, 6FD72244
WININET, xrefs: 6FD71C1A
Unknown, xrefs: 6FD71F9D, 6FD71FA5
<, xrefs: 6FD71B3A
FtpCommandW, xrefs: 6FD71C15
Not Available, xrefs: 6FD71F73, 6FD71F7B
530, xrefs: 6FD72087, 6FD7209C
%s:%s, xrefs: 6FD71D73
Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 6FD7219B

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: Internet$Local$AllocCloseFileFreeHandle$Option$MessageSleepWindowlstrcmpilstrlen$InfoLastPostQueryShow$AddressConnectCountCrackCreateDeleteErrorHttpLibraryLoadOpenParentPointerProcResponseSizeTickWritelstrcatlstrcpynwsprintf
String ID: %s:%s$/end$530$<$FtpCommandW$Inetc plug-in$Not Available$Unknown$WININET$Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 666050937-1780337547
Opcode ID: 45b767de46b8305d7e3a6ebc480d9987f8db4df155bd54e1c17fc1094a7811d4
Instruction ID: 332f252de228935bf0c913aa2e734fc20a1f7c5a54d69b56487308502bfa623e
Opcode Fuzzy Hash: 45b767de46b8305d7e3a6ebc480d9987f8db4df155bd54e1c17fc1094a7811d4
Instruction Fuzzy Hash: 34228172900665EFFF608F64CC44BAA7BF9FB0A325F184129E911EE294DB307911DB61

Function 0040352D Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,00440000,00000020,00440000,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNEL32(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNEL32(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00441800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,https://pcapp.store/pixel.gif?guid=,?), ref: 004039FB
CopyFileW.KERNEL32(C:\Users\user\Desktop\Setup.exe,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

Error launching installer, xrefs: 004038FF
TEMP, xrefs: 0040384E
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
NSIS Error, xrefs: 0040368E
C:\Users\user\Desktop\Setup.exe, xrefs: 00403A09
1033, xrefs: 0040386A
\Temp, xrefs: 00403820
TMP, xrefs: 00403856
.tmp, xrefs: 0040396A
UXTHEME, xrefs: 0040361B, 00403620, 00403626
https://pcapp.store/pixel.gif?guid=, xrefs: 004039BB
SeShutdownPrivilege, xrefs: 00403AA1
Low, xrefs: 0040383C
~nsu, xrefs: 0040394E

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Setup.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$https://pcapp.store/pixel.gif?guid=$~nsu
API String ID: 3859024572-1041456349
Opcode ID: 59563f10b518abe82f4e46869e687cc46109865bf66e8378302a61db0c445f8a
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 59563f10b518abe82f4e46869e687cc46109865bf66e8378302a61db0c445f8a
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Function 6FD918C9 Relevance: 56.2, APIs: 21, Strings: 11, Instructions: 215
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 6FD918E3
HeapAlloc.KERNEL32(00000000), ref: 6FD918E6
GetProcessHeap.KERNEL32(00000000,00000000,error,00000000,00000000), ref: 6FD91959
HeapFree.KERNEL32(00000000), ref: 6FD91B8D

Part of subcall function 6FD91E9C: GlobalAlloc.KERNEL32(00000040,?,?,6FD910BE,error,?,00000104), ref: 6FD91EB2
Part of subcall function 6FD91E9C: lstrcpynW.KERNEL32(00000004,?,?,6FD910BE,error,?,00000104), ref: 6FD91EC8

Strings

EDIT, xrefs: 6FD919BB
BUTTON, xrefs: 6FD9198F, 6FD91AE7, 6FD91B15
NSIS: nsControl pointer property, xrefs: 6FD91B29
COMBOBOX, xrefs: 6FD919E2
p^Cw, xrefs: 6FD918E6
RICHEDIT_CLASS, xrefs: 6FD91A54
LISTBOX, xrefs: 6FD91A09
error, xrefs: 6FD91900, 6FD9194C
STATIC, xrefs: 6FD91A78
RichEdit, xrefs: 6FD91A30
LINK, xrefs: 6FD91A9C, 6FD91ADB

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: Heap$AllocProcess$FreeGloballstrcpyn
String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error$p^Cw
API String ID: 1913068523-2259555814
Opcode ID: 04a2fc85a2e4d2a660a09ad2e4a2037a20b8d3484ffc5bf5e5c72525895d94b0
Instruction ID: f33c6785a0212041dc11d861bc6122cd2e0da0e4ebf1ab0dc80387bda65354ee
Opcode Fuzzy Hash: 04a2fc85a2e4d2a660a09ad2e4a2037a20b8d3484ffc5bf5e5c72525895d94b0
Instruction Fuzzy Hash: 43819072904618EBEB90DBE4CD45F9EBBFCBB06314F058112E909B7281D735BD159BA0

Function 6D261BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2612BB: GlobalAlloc.KERNEL32(00000040,?,6D2612DB,?,6D26137F,00000019,6D2611CA,-000000A0), ref: 6D2612C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6D261D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6D261D75
lstrcpyW.KERNEL32(00000808,?), ref: 6D261D7F
GlobalFree.KERNEL32(00000000), ref: 6D261D92
GlobalFree.KERNEL32(?), ref: 6D261E74
GlobalFree.KERNEL32(?), ref: 6D261E79
GlobalFree.KERNELBASE(?), ref: 6D261E7E
GlobalFree.KERNEL32(00000000), ref: 6D262068
lstrcpyW.KERNEL32(?,?), ref: 6D262222
GetModuleHandleW.KERNEL32(00000008), ref: 6D2622A1
LoadLibraryW.KERNEL32(00000008), ref: 6D2622B2
GetProcAddress.KERNEL32(?,?), ref: 6D26230C
lstrlenW.KERNEL32(00000808), ref: 6D262326

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 81699939716c51c0e2f2ffa9978eebf48ebc98d134616d45c22b86b9a4c43b8f
Instruction ID: e9a92f4e0bc481aacc43d5136d3e0f04dea8ced87f076dbcc8557f9de777cd40
Opcode Fuzzy Hash: 81699939716c51c0e2f2ffa9978eebf48ebc98d134616d45c22b86b9a4c43b8f
Instruction Fuzzy Hash: AA228EB1DA838FDBDB22CFA8C4846AEB7B4FF05316F10852AD1A5A6140D774A5C1CB70

Function 00405C49 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56
\*.*, xrefs: 00405CB4
., xrefs: 00405D18
., xrefs: 00405D04

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1333152261
Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Function 00406873 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Function 6FD73C06 Relevance: 231.8, APIs: 90, Strings: 42, Instructions: 790stringwindowmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040), ref: 6FD73CBB
WideCharToMultiByte.KERNEL32(00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 6FD73CEA
lstrlenA.KERNEL32 ref: 6FD73CF6
lstrcmpiW.KERNEL32(?,/silent,00000000), ref: 6FD73D4D
lstrcmpiW.KERNEL32(/weaksecurity), ref: 6FD73D69
lstrcpyW.KERNEL32(6FD794E0,NSIS_Inetc (Mozilla),?,00000000), ref: 6FD74228
wsprintfW.USER32 ref: 6FD74267
lstrlenW.KERNEL32(?,?,6FD799A8), ref: 6FD74278
FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 6FD74294
SetDlgItemTextW.USER32(00000000,000003EE,6FD793E0), ref: 6FD742C8
CloseHandle.KERNEL32(00000000), ref: 6FD742D1
#17.COMCTL32(?,00000000), ref: 6FD742F5
GetWindowLongW.USER32(?,000000F0), ref: 6FD7433F
SetWindowLongW.USER32(000000F0,00000000), ref: 6FD74353
GetTickCount.KERNEL32 ref: 6FD74359
CreateDialogParamW.USER32(0000006E,?,6FD71028,00000000), ref: 6FD7439A
CreateThread.KERNEL32(00000000,00000000,Function_000010C8,00000000,00000000,?), ref: 6FD743BC
GetDlgItem.USER32(00000403), ref: 6FD743E0
GetDlgItem.USER32(000003F8), ref: 6FD743EF
ShowWindow.USER32(00000001), ref: 6FD7440B
GetWindowLongW.USER32(00000000,000000F0), ref: 6FD7442A
EnableWindow.USER32(00000000,00000000), ref: 6FD74437
IsWindowVisible.USER32(00000000), ref: 6FD74442
ShowWindow.USER32(00000000,00000000), ref: 6FD7444F
IsWindow.USER32 ref: 6FD7445B
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6FD7446E
IsDialogMessageW.USER32(?), ref: 6FD74482
IsDialogMessageW.USER32(?,?), ref: 6FD74493
TranslateMessage.USER32(?), ref: 6FD744A1
DispatchMessageW.USER32(?), ref: 6FD744AF
IsWindow.USER32 ref: 6FD744BB
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 6FD744CE
TerminateThread.KERNEL32(00000000,00000001), ref: 6FD744E0
CloseHandle.KERNEL32(00000000), ref: 6FD744F1
SetDlgItemTextW.USER32(?,000003EE,6FD7700C), ref: 6FD7451C
SetWindowLongW.USER32(00000000,000000F0,?), ref: 6FD74535
ShowWindow.USER32(00000000,00000005), ref: 6FD74548
DestroyWindow.USER32 ref: 6FD74560
GetLastError.KERNEL32 ref: 6FD74572
lstrlenW.KERNEL32(?, (Err=%d),00000000), ref: 6FD7458C
wsprintfW.USER32 ref: 6FD745A1
lstrcmpiW.KERNEL32(/end), ref: 6FD745C6
LocalFree.KERNEL32 ref: 6FD745D2
LocalFree.KERNEL32(?), ref: 6FD745E2
LocalFree.KERNEL32(?), ref: 6FD745F7
LocalFree.KERNEL32(?), ref: 6FD74607
LocalFree.KERNEL32(?), ref: 6FD74617
LocalFree.KERNEL32(?), ref: 6FD74627
LocalFree.KERNEL32(?), ref: 6FD74637
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 6FD746CB
LocalAlloc.KERNEL32(00000040), ref: 6FD746E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6FD746FC
LocalFree.KERNEL32(00000000), ref: 6FD7470D
LocalFree.KERNEL32(?), ref: 6FD74721

Strings

second, xrefs: 6FD73ED0, 6FD73EFA, 6FD73F2A
/canceltext, xrefs: 6FD73F72
Downloading, xrefs: 6FD73EAF
/receivetimeout, xrefs: 6FD74053
%s:%s, xrefs: 6FD7425C
/silent, xrefs: 6FD73D47
Inetc plug-in, xrefs: 6FD742B4
Connecting ..., xrefs: 6FD73EDA, 6FD73EF0, 6FD73F1E
/useragent, xrefs: 6FD73FCD
/file, xrefs: 6FD74112
/username, xrefs: 6FD73D91
minute, xrefs: 6FD73F13
Connecting, xrefs: 6FD73EB9, 6FD73EBE, 6FD73EC4
(Err=%d), xrefs: 6FD74581
/popup, xrefs: 6FD73E1D
Connecting, xrefs: 6FD73EC5
Downloading %s, xrefs: 6FD73EDF, 6FD73EE6, 6FD73F18
/banner, xrefs: 6FD73F48
Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 6FD73E70
Filename: %s, xrefs: 6FD7418C
/question, xrefs: 6FD73F8D
/nocancel, xrefs: 6FD73DC9
/proxy, xrefs: 6FD73FE8
/translate, xrefs: 6FD73E88
/tostackconv, xrefs: 6FD740BD
/resume, xrefs: 6FD73E47
NSIS_Inetc (Mozilla), xrefs: 6FD7421E
/password, xrefs: 6FD73DAD
%dkB (%d%%) of %dkB @ %d.%01dkB/s, xrefs: 6FD73ED5, 6FD73F04, 6FD73F24
file, xrefs: 6FD740F8
/noproxy, xrefs: 6FD73E01
/header, xrefs: 6FD7408A
/tostack, xrefs: 6FD740D7
/end, xrefs: 6FD745BB
(%d %s%s remaining), xrefs: 6FD73F30
/nocookies, xrefs: 6FD73DE5
/caption, xrefs: 6FD73D7A
#32770, xrefs: 6FD7428D
Are you sure that you want to stop download?, xrefs: 6FD73FC2
hour, xrefs: 6FD73F0E
/weaksecurity, xrefs: 6FD73D5E
/connecttimeout, xrefs: 6FD7401C

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: Window$Local$Free$Message$ItemLong$ByteCharDialogMultiShowWidelstrcmpilstrlen$AllocCloseCreateHandleTextThreadwsprintf$CountDestroyDispatchEnableErrorFindLastObjectParamSingleTerminateTickTranslateVisibleWaitlstrcpy
String ID: (%d %s%s remaining)$ (Err=%d)$#32770$%dkB (%d%%) of %dkB @ %d.%01dkB/s$%s:%s$/banner$/canceltext$/caption$/connecttimeout$/end$/file$/header$/nocancel$/nocookies$/noproxy$/password$/popup$/proxy$/question$/receivetimeout$/resume$/silent$/tostack$/tostackconv$/translate$/useragent$/username$/weaksecurity$Are you sure that you want to stop download?$Connecting$Connecting$Connecting ...$Downloading$Downloading %s$Filename: %s$Inetc plug-in$NSIS_Inetc (Mozilla)$Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation.$file$hour$minute$second
API String ID: 4223430742-3456146329
Opcode ID: 4ce1f8899079dd374e0c3491996c53dbd064cbf82eeff2bb769755f4e4833785
Instruction ID: 0c316ec372e3f7583286af9c5d99a982351ede3550522b5969905f9fa221177c
Opcode Fuzzy Hash: 4ce1f8899079dd374e0c3491996c53dbd064cbf82eeff2bb769755f4e4833785
Instruction Fuzzy Hash: CD524272504B61EFFFA1AF74CC44A663BF8FB07365B084129E4109E294DB31B865DB62

Function 6FD7308B Relevance: 61.6, APIs: 28, Strings: 7, Instructions: 376
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestW.WININET(?,HEAD,?,00000000,00000000,00000000,80400000,00000000), ref: 6FD730E8
wsprintfW.USER32 ref: 6FD73113
HttpAddRequestHeadersW.WININET(00000000,?,?,A0000000), ref: 6FD7312A
wsprintfW.USER32 ref: 6FD73147
HttpAddRequestHeadersW.WININET(00000000,?,?,A0000000), ref: 6FD7315E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 6FD73167
InternetReadFile.WININET(00000000,?,00000200,?), ref: 6FD7318D
InternetErrorDlg.WININET(00000000,00002EEE,00000007,00000000), ref: 6FD731C5
HttpQueryInfoW.WININET(00000000,0000001C,?,00000200,00000000), ref: 6FD7322B
lstrcpynW.KERNEL32(6FD798A8,00000000,00000200), ref: 6FD73254
HttpQueryInfoW.WININET(00000000,0000003D,?,00000200,00000000), ref: 6FD73275
lstrcpynW.KERNEL32(6FD799A8,00000000,00000200), ref: 6FD73298
InternetCloseHandle.WININET(00000000), ref: 6FD732A1
HttpOpenRequestW.WININET(?,PUT,?,00000000,00000000,00000000,00400000,00000000), ref: 6FD73353
wsprintfW.USER32 ref: 6FD7337E
HttpAddRequestHeadersW.WININET(00000000,?,?,A0000000), ref: 6FD73395
HttpAddRequestHeadersW.WININET(00000000,Content-Type: application/x-www-form-urlencoded,?,A0000000), ref: 6FD733AC
HttpAddRequestHeadersA.WININET(00000000,6FD796E8,?,A0000000), ref: 6FD733C3
HttpAddRequestHeadersW.WININET(00000000,?,?,A0000000), ref: 6FD733DA
wsprintfW.USER32 ref: 6FD733F7
HttpAddRequestHeadersW.WININET(00000000,?,?,A0000000), ref: 6FD7340E
wsprintfW.USER32 ref: 6FD7342B
HttpAddRequestHeadersW.WININET(00000000,?,?,A0000000), ref: 6FD73442
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 6FD73469
InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 6FD7348B
InternetErrorDlg.WININET(00000000,00002EEE,00000007,00000000), ref: 6FD734D9
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 6FD73524
InternetSetFilePointer.WININET(00000000,?,00000000,00000000,00000000), ref: 6FD73548

Strings

POST, xrefs: 6FD7332A
Authorization: basic %s, xrefs: 6FD73141, 6FD733F1
Content-Type: application/x-www-form-urlencoded, xrefs: 6FD733A6
Proxy-authorization: basic %s, xrefs: 6FD7310D, 6FD73378
PUT, xrefs: 6FD73347, 6FD7334F
HEAD, xrefs: 6FD730E0, 6FD73338
Content-Type: octet-streamContent-Length: %d, xrefs: 6FD73425

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: Http$Request$Headers$Internet$wsprintf$Query$Info$ErrorFileOpenOptionlstrcpyn$CloseHandlePointerReadSend
String ID: Authorization: basic %s$Content-Type: application/x-www-form-urlencoded$Content-Type: octet-streamContent-Length: %d$HEAD$POST$PUT$Proxy-authorization: basic %s
API String ID: 2926174240-387942550
Opcode ID: 09a0fdb852c90f0eedb93e245818be656dde5b7e01165fa68e0ac6cb4342b600
Instruction ID: cd5c3e3e5f1fe40d7c1c1d29ad35a39e7e6346fe84400414ed0f55af336e572a
Opcode Fuzzy Hash: 09a0fdb852c90f0eedb93e245818be656dde5b7e01165fa68e0ac6cb4342b600
Instruction Fuzzy Hash: A8D19272900624BAFB719B20CC49FDA77F8EB06314F040166E914EE185DF74BA94CBA5

Function 6FD72530 Relevance: 61.4, APIs: 29, Strings: 6, Instructions: 163
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000002), ref: 6FD7253E
GetDlgItem.USER32(?,000003ED), ref: 6FD7255F
GetDlgItem.USER32(000003EC), ref: 6FD72573
GetWindowLongW.USER32(00000000,000000F0), ref: 6FD72587
SetWindowLongW.USER32(?,000000F0,56000000), ref: 6FD72598
SendMessageW.USER32(00000031,00000000,00000000), ref: 6FD725B7
SendDlgItemMessageW.USER32(?,000003E9,00000030,00000000,00000000), ref: 6FD725CF
SendDlgItemMessageW.USER32(?,00000002,00000030,?,00000000), ref: 6FD725DB
GetParent.USER32(00000002), ref: 6FD725F9
GetDlgItem.USER32(00000000), ref: 6FD72600
GetWindowTextW.USER32(00000000), ref: 6FD72607
SetWindowTextW.USER32(00000000,6FD79360), ref: 6FD72613
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 6FD72625
ShowWindow.USER32(00000000,00000000), ref: 6FD7263B
GetWindowLongW.USER32(?,000000F0), ref: 6FD7264D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6FD7265C
SendDlgItemMessageW.USER32(?,000003ED,00000401,00000000,01900000), ref: 6FD72674
GetModuleHandleW.KERNEL32(00000000,00000067,00000000), ref: 6FD7268B
LoadIconW.USER32(00000000), ref: 6FD72692
SendDlgItemMessageW.USER32(?,000003F1,00000170,00000000), ref: 6FD726A4
SetDlgItemTextW.USER32(?,000003F0), ref: 6FD726B2
SetWindowTextW.USER32(?,6FD793E0), ref: 6FD726CB
SetTimer.USER32(?,00000001,000003E8,00000000), ref: 6FD726DB
SetDlgItemTextW.USER32(?,000003F1,6FD79828), ref: 6FD726F6
SetDlgItemTextW.USER32(?,000003F2,Downloading %s), ref: 6FD72703
SetDlgItemTextW.USER32(?,000003F3,Connecting ...), ref: 6FD72710
SetDlgItemTextW.USER32(?,000003F4,%dkB (%d%%) of %dkB @ %d.%01dkB/s), ref: 6FD7271D
SetDlgItemTextW.USER32(?,000003F5,second), ref: 6FD7272A
SetDlgItemTextW.USER32(?,000003F6, (%d %s%s remaining)), ref: 6FD72737

Strings

second, xrefs: 6FD7271F
Inetc plug-in, xrefs: 6FD726BC
Connecting ..., xrefs: 6FD72705
(%d %s%s remaining), xrefs: 6FD7272C
%dkB (%d%%) of %dkB @ %d.%01dkB/s, xrefs: 6FD72712
Downloading %s, xrefs: 6FD726F8

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: Item$Text$Window$MessageSend$Long$HandleIconLoadModuleParentShowTimer
String ID: (%d %s%s remaining)$%dkB (%d%%) of %dkB @ %d.%01dkB/s$Connecting ...$Downloading %s$Inetc plug-in$second
API String ID: 3891978239-2469666409
Opcode ID: 786f53b6ab7fb67841ed5e0007b3edc541350ea7151d94cf15df2d849b7bc21b
Instruction ID: 611853934739af73f9a420a1f7756d1781e9972ebbcf2f6110c62586aadf6110
Opcode Fuzzy Hash: 786f53b6ab7fb67841ed5e0007b3edc541350ea7151d94cf15df2d849b7bc21b
Instruction Fuzzy Hash: B6415232685B60BBFF622760CC4AFAE37E8EB46725F144115F601AD0C0CFB47A51CA99

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Function 00403BEC Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75573420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C6D
lstrlenW.KERNEL32(get,?,?,?,get,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75573420), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,get,?,?,?,get,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(get,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00440800), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

RichEdit, xrefs: 00403E47
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
RichEdit20W, xrefs: 00403E38, 00403E3E
RichEd20, xrefs: 00403E1A
RichEd32, xrefs: 00403E28
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
.DEFAULT\Control Panel\International, xrefs: 00403C58
get, xrefs: 00403CB4, 00403CBD, 00403CCB, 00403CEC, 00403D0A, 00403D1A, 00403D20
_Nb, xrefs: 00403D70, 00403DD8
1033, xrefs: 00403C0C, 00403C68
.exe, xrefs: 00403CFA

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$get
API String ID: 1975747703-2863344434
Opcode ID: b5e4680adf6fab30abf8c31c9b96982c96c1f128c8b6e65fe06ccfbd791f05a2
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: b5e4680adf6fab30abf8c31c9b96982c96c1f128c8b6e65fe06ccfbd791f05a2
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Function 6FD71494 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 156
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindow.USER32(?), ref: 6FD714D3
GetTickCount.KERNEL32 ref: 6FD714E6
GetDlgItem.USER32(?,000003E9), ref: 6FD71532
RedrawWindow.USER32(00000000), ref: 6FD7153B
GetDlgItem.USER32(?,00000002), ref: 6FD71546
RedrawWindow.USER32(00000000), ref: 6FD71549
GetDlgItem.USER32(?,000003ED), ref: 6FD71557
RedrawWindow.USER32(00000000), ref: 6FD7155A
MessageBoxW.USER32(?,?,6FD793E0,00000034), ref: 6FD715AA
KillTimer.USER32(?,00000001), ref: 6FD715E3
DestroyWindow.USER32(?), ref: 6FD715EC
GetDlgItem.USER32(?,000003E9), ref: 6FD71616
GetDlgItem.USER32(?,00000002), ref: 6FD71620
GetDlgItem.USER32(?,000003ED), ref: 6FD7162C
RedrawWindow.USER32(?,00000000,00000000,00000001), ref: 6FD7163F
RedrawWindow.USER32(00000000,00000000,00000000,00000001), ref: 6FD71648
RedrawWindow.USER32(00000000,00000000,00000000,00000001), ref: 6FD71651
UpdateWindow.USER32(?), ref: 6FD7165C
UpdateWindow.USER32(00000000), ref: 6FD7165F
UpdateWindow.USER32(00000000), ref: 6FD71662

Strings

Inetc plug-in, xrefs: 6FD71596

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: Window$ItemRedraw$Update$CountDestroyKillMessageTickTimer
String ID: Inetc plug-in
API String ID: 2903798878-2626376821
Opcode ID: fe009c4c36282e9079ed68b40d2bdc442e3eb92e15b1edbb9ec27821593f51c7
Instruction ID: 19052a3e4f39f6a44207faa7a6797acde07c4128e166934aa640c20f7206fea6
Opcode Fuzzy Hash: fe009c4c36282e9079ed68b40d2bdc442e3eb92e15b1edbb9ec27821593f51c7
Instruction Fuzzy Hash: 3F414F72640318BBEF765F34CC55F9A3FA9EB02764F084226F9059E1A4CB71B950DA90

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Setup.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\Desktop\Setup.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,00441800,00441800,C:\Users\user\Desktop\Setup.exe,C:\Users\user\Desktop\Setup.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNEL32(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

}8@, xrefs: 00403227, 00403242
Error launching installer, xrefs: 004030CD
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
soft, xrefs: 0040316B
Inst, xrefs: 00403162
C:\Users\user\Desktop\Setup.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
Null, xrefs: 00403174

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Setup.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-2653049739
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(get,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(get,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,00425020,755723A0), ref: 004066A8
lstrcatW.KERNEL32(get,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(get,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Strings

https://pcapp.store/pixel.gif?guid=, xrefs: 0040674E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
get, xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$get$https://pcapp.store/pixel.gif?guid=
API String ID: 4260037668-826360470
Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

A, xrefs: 00403374
... %d%%, xrefs: 004033FB
PB, xrefs: 004033A2, 004033BD, 0040343A
}8@, xrefs: 004032B4
*B, xrefs: 004032DF
A, xrefs: 0040347E

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ PB$ A$ A$... %d%%$}8@
API String ID: 551687249-3288948294
Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Function 6FD917BE Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000000), ref: 6FD91813
GetWindowRect.USER32(00000000,?), ref: 6FD9181E
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 6FD9182E
CreateDialogParamW.USER32(00000001,?,6FD914D6,00000000), ref: 6FD91843
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 6FD91876
SetWindowLongW.USER32(?,00000004,6FD91407), ref: 6FD91884
GetProcessHeap.KERNEL32(00000008,00000000), ref: 6FD9189E
HeapAlloc.KERNEL32(00000000), ref: 6FD918A5

Part of subcall function 6FD91E9C: GlobalAlloc.KERNEL32(00000040,?,?,6FD910BE,error,?,00000104), ref: 6FD91EB2
Part of subcall function 6FD91E9C: lstrcpynW.KERNEL32(00000004,?,?,6FD910BE,error,?,00000104), ref: 6FD91EC8

Strings

p^Cw, xrefs: 6FD918A5
error, xrefs: 6FD91852

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
String ID: error$p^Cw
API String ID: 1928716940-4078540929
Opcode ID: 51184a5d5e3028ac8d1087e11a0d940d601091d0acf1753a35a52bda797ad746
Instruction ID: 8e3d47fd11c1277bcc8c172db4ccd016880dc068729c30d400d14f78cd97b769
Opcode Fuzzy Hash: 51184a5d5e3028ac8d1087e11a0d940d601091d0acf1753a35a52bda797ad746
Instruction Fuzzy Hash: A0311876800A14ABEF509FE5C949DAE7FBCFB0B761B08400AF609A7241D7327524DBA0

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,get,00441000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,get,get,00000000,00000000,get,00441000,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425020,755723A0), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll, xrefs: 00401835, 00401851
get, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp$C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll$get
API String ID: 1941528284-3416983306
Opcode ID: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900

Strings

UXTHEME, xrefs: 004068A3
%s%S.dll, xrefs: 004068E6
\, xrefs: 004068C2

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Function 6D262655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6D2612BB: GlobalAlloc.KERNEL32(00000040,?,6D2612DB,?,6D26137F,00000019,6D2611CA,-000000A0), ref: 6D2612C5

GlobalFree.KERNEL32(?), ref: 6D262743
GlobalFree.KERNELBASE(00000000), ref: 6D262778

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1edea3893a29bc94e90f2c3ba7648f6c7a3657ad1500ecb474511039311c8b2b
Instruction ID: 1c618d4eff601494a2843517fad1e05e71a4ab8202b8c68a971d7564e96d34e5
Opcode Fuzzy Hash: 1edea3893a29bc94e90f2c3ba7648f6c7a3657ad1500ecb474511039311c8b2b
Instruction Fuzzy Hash: 0731A0B15983DAEBCB278F54C9D8D3A77B6FF8A3493148529F24182110C730A895DB71

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4083868402
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Function 6D262480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(00000000), ref: 6D2625C2

Part of subcall function 6D2612CC: lstrcpynW.KERNEL32(00000000,?,6D26137F,00000019,6D2611CA,-000000A0), ref: 6D2612DC

GlobalAlloc.KERNEL32(00000040), ref: 6D262548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6D262563

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: b00948eefe11c588776a2a0d5eec8034939ce6aace0b9d9f7a5575b73b09c770
Instruction ID: ab5e0da1c764a339184fcf9a44fa95e263c5bbfbba8030eda7a11fcd03a15c8e
Opcode Fuzzy Hash: b00948eefe11c588776a2a0d5eec8034939ce6aace0b9d9f7a5575b73b09c770
Instruction Fuzzy Hash: 3C41ADF019838ADFD739DF28D854A3677B8FF4A319B00892DE54686181E730A5C5CBB1

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Function 6D261817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 6D261BFF: GlobalFree.KERNEL32(?), ref: 6D261E74
Part of subcall function 6D261BFF: GlobalFree.KERNEL32(?), ref: 6D261E79
Part of subcall function 6D261BFF: GlobalFree.KERNELBASE(?), ref: 6D261E7E

GlobalFree.KERNEL32(00000000), ref: 6D2618C5
FreeLibrary.KERNEL32(?), ref: 6D26194B
GlobalFree.KERNEL32(00000000), ref: 6D261970

Part of subcall function 6D26243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6D26246F

Part of subcall function 6D262810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6D261896,00000000), ref: 6D2628E0

Part of subcall function 6D261666: wsprintfW.USER32 ref: 6D261694

Strings

, xrefs: 6D261951

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: b445783aa9fbe0f27b5ee08c3407fc20223c92fd3cb8328cb5b6c64e760f84ed
Instruction ID: c387a5fbeacfb0339df643f8487c74fd840d3e32b90ceafd88c9e5a08ab5a677
Opcode Fuzzy Hash: b445783aa9fbe0f27b5ee08c3407fc20223c92fd3cb8328cb5b6c64e760f84ed
Instruction Fuzzy Hash: A541A7714883CF9BEF129F24D888BA537A8BF06359F148475EB559A08ADB74E0C4C770

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiA50F.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiA50F.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.KERNEL32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiA50F.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp
API String ID: 2655323295-2171371601
Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069
C:\Users\user\AppData\Local\Temp\, xrefs: 00406061

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1331003597
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Function 6D2610E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6D261171
GlobalAlloc.KERNEL32(00000040,?), ref: 6D2611E3
GlobalFree.KERNEL32 ref: 6D26124A
GlobalFree.KERNELBASE(?), ref: 6D26129B
GlobalFree.KERNEL32(00000000), ref: 6D2612B1

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d2db71fb0ebb827b345f59d52d0b709521dc5359a6b08a358ce31eb32a1d7655
Instruction ID: 4b054d21d76e59e18d5cb23dec00325ad91ef67977b40b5a64a79c5ab97fa42d
Opcode Fuzzy Hash: d2db71fb0ebb827b345f59d52d0b709521dc5359a6b08a358ce31eb32a1d7655
Instruction Fuzzy Hash: 5851707594439ADFDB02CF68C848A3677F4FB4A719B008565EA44DB251E734F9C0CB60

Function 004020D8 Relevance: 6.1, APIs: 4, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402103
LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
KiUserCallbackDispatcher.NTDLL(?,00000400,?,0040CE50,0040A000,?,00000008,00000001,000000F0), ref: 00402164

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425020,755723A0), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$CallbackDispatcherFreeHandleLoadModuleTextUserWindowlstrcat
String ID:
API String ID: 719239633-0
Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D

Function 6FD724B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30networkCOMMON

Download Yara Rule

APIs

HttpSendRequestExW.WININET(?,?,00000000,00000008,00000000), ref: 6FD724F4
HttpSendRequestW.WININET(?,00000000,00000000), ref: 6FD7250F

Strings

(, xrefs: 6FD724ED

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: HttpRequestSend
String ID: (
API String ID: 360639707-3887548279
Opcode ID: b34824c9d5bc1f230acee19d25fb729a1149099c944e50498828f10d0c2e7e39
Instruction ID: 519d42203751559d6cde9efc24cbf865857df94ac11c5b412095a12939554f71
Opcode Fuzzy Hash: b34824c9d5bc1f230acee19d25fb729a1149099c944e50498828f10d0c2e7e39
Instruction Fuzzy Hash: B2F0F932D0075AAAEF118FA0CD45B9D7BF6BB9A318F18920AF50078094DBB165948B95

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(0056E3D8), ref: 00401C0B
GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C1D

Part of subcall function 0040657A: lstrcatW.KERNEL32(get,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(get,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Strings

get, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: get
API String ID: 3292104215-4248514160
Opcode ID: f7499587b74b1f9cb3fce9f730428132cfcdd1475af0708a05741156e8f6fa82
Instruction ID: 7c0f58a685d1fc6dd3685da305ee1819882fb4420ac17dc2787245939102450a
Opcode Fuzzy Hash: f7499587b74b1f9cb3fce9f730428132cfcdd1475af0708a05741156e8f6fa82
Instruction Fuzzy Hash: 1B21D872904210EBDB20AFA8EE84A5E73B4EB04715755063BF552F72D0D7B8AC414B9D

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNEL32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiA50F.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 89c6ceebaf26a2410158c75cc71a1e3b778611476644ea09d24f59567d4f9c93
Instruction ID: 08080f496e1fbaad801da7c4a2f11cdf7a22a5a493a276a89d416976773fa01e
Opcode Fuzzy Hash: 89c6ceebaf26a2410158c75cc71a1e3b778611476644ea09d24f59567d4f9c93
Instruction Fuzzy Hash: 89017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61C0EBB85E44966D

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNEL32(?,00441000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.KERNEL32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiA50F.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3fb0128ec3c0afb48f28764f09fc95c95f98cfbd5e462e7a9813c2ba4e742ed8
Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
Opcode Fuzzy Hash: 3fb0128ec3c0afb48f28764f09fc95c95f98cfbd5e462e7a9813c2ba4e742ed8
Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D

Function 00401F12 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405B63: ShellExecuteExW.SHELL32(?), ref: 00405B72

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Strings

@, xrefs: 00401F8A

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
String ID: @
API String ID: 165873841-2766056989
Opcode ID: e9e6b888b2ac62b7866e10c79cc816c8736e15ae282fdec460a2aeb23ba8a534
Instruction ID: 706d8f23dd4fc365793d21c3b3cee38f3579e955c6bce5a1691758ef83551cc9
Opcode Fuzzy Hash: e9e6b888b2ac62b7866e10c79cc816c8736e15ae282fdec460a2aeb23ba8a534
Instruction Fuzzy Hash: 20115B71E042189ADB50EFB9CA49B8CB6F4BF04304F24447AE405F72C1EBBC89459B18

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Function 00402C05 Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,?), ref: 00402C14
InvalidateRect.USER32(?), ref: 00402C24

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 0509652848a83ac1d7feddac23dc24ced32f84c0220a85d8a6f2313ae5a63aab
Instruction ID: 5efb85e177e5feb05262591b5578bbf68be0fc1facb886aaf0ec985341d6bcc2
Opcode Fuzzy Hash: 0509652848a83ac1d7feddac23dc24ced32f84c0220a85d8a6f2313ae5a63aab
Instruction Fuzzy Hash: CEE08C72700008FFEB01CBA4EE84DAEB779FB40315B00007AF502A00A0D7300D40DA28

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\Desktop\Setup.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Function 6D262A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(6D26505C,00000004,00000040,6D26504C), ref: 6D262A9D

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8d49f57d04c5b96b75db184e407325b56cb93aa60413bd242ae9b886dbb780b6
Instruction ID: 1bb38225cfeaafaacbe700d3a6cf7398d2424f0e7cb572678eba92a5d1eafbf8
Opcode Fuzzy Hash: 8d49f57d04c5b96b75db184e407325b56cb93aa60413bd242ae9b886dbb780b6
Instruction Fuzzy Hash: 85F07FB05483C5EFCB50CB28854873A3BF0A70E209B14856AA188D624AE3748488DBA1

Function 004063AA Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,?,?,0042C248,?,?,00406438,0042C248,00000000,?,?,get,?), ref: 004063CE

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764

Function 00404499 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 0040657A: lstrcatW.KERNEL32(get,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(get,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

SetDlgItemTextW.USER32(?,?,00000000), ref: 004044B3

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ItemTextlstrcatlstrlen
String ID:
API String ID: 281422827-0
Opcode ID: 686190c6e4e1e5cc0914df72c0c951126eb576f2e70f28df627782bea9933419
Instruction ID: 6ac98b26730712a62f5b3967fa7f39b4c61dbbfa6ef1674fce18da22a1fc1fc0
Opcode Fuzzy Hash: 686190c6e4e1e5cc0914df72c0c951126eb576f2e70f28df627782bea9933419
Instruction Fuzzy Hash: D3C08C35008200BFD641A714EC42F0FB7A8FFA031AF00C42EB05CA10D1C63494208A2A

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 6D262B98 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000000), ref: 6D262C57

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: c0fd09cde7c48aa87f6e47a82722b958ce47e2e3694e4ecb884c276a7da630f6
Instruction ID: b684237a9f706b632045ca5c873fc94e4df092fd1c5e00ea3ffa70268694e1b6
Opcode Fuzzy Hash: c0fd09cde7c48aa87f6e47a82722b958ce47e2e3694e4ecb884c276a7da630f6
Instruction Fuzzy Hash: 604147B25883CAEFDB209F64D988B7A3774EF4A35DF21C825E60486105D739D8C4CAB1

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425020,755723A0), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 5953877b6410b482209df80f50a5fc1a362c20bdcc401faed897dac012a701f2
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: 5953877b6410b482209df80f50a5fc1a362c20bdcc401faed897dac012a701f2
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Function 6D2612BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,6D2612DB,?,6D26137F,00000019,6D2611CA,-000000A0), ref: 6D2612C5

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5f80afa5423167ac70a5835dd479904134bcb85019a6e9c7fcf02c7011c98a6f
Instruction ID: a2f888825913be75d402690bd98bcda9c3e13c216bba2b166625e7866747a12a
Opcode Fuzzy Hash: 5f80afa5423167ac70a5835dd479904134bcb85019a6e9c7fcf02c7011c98a6f
Instruction Fuzzy Hash: 6BB01270A04250DFEE008B64CC4EF3732B4E709309F04C000FA00C0185C320C800C534

Non-executed Functions

Function 6D25332C Relevance: 198.6, APIs: 74, Strings: 39, Instructions: 845networkstringmemoryCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,PreConfig,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D2533B5
lstrcmpiW.KERNEL32(00000000,Proxy,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D2533C5
InternetOpenW.WININET(?,00000001,00000000,00000000,00000000), ref: 6D253421
GlobalAlloc.KERNEL32(00000040,0000003C,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D253436
lstrcmpiW.KERNEL32(00000000,6D255110,Raw,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253487
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D2534D7
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x), ref: 6D2534FD
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x), ref: 6D25351F
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x), ref: 6D253531
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x), ref: 6D25354A
InternetCrackUrlW.WININET(?,00000000,00000000,00000000), ref: 6D253561
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 6D253582
lstrcpyW.KERNEL32(?,6D2552F8,?,GET,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2535D4
lstrcpyW.KERNEL32(?,?,?,GET,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2535E8
lstrlenW.KERNEL32(00000000,?,?,00000000,?,GET), ref: 6D25361D
InternetSetOptionW.WININET(?,0000002B,?,00000000), ref: 6D25362C
lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,GET), ref: 6D253653
InternetSetOptionW.WININET(?,0000002C,?,00000000), ref: 6D253662
InternetSetOptionW.WININET(?,00000041,?,00000004), ref: 6D25368D
lstrlenW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,GET), ref: 6D2536B1
InternetSetOptionW.WININET(?,0000001C,?,00000000), ref: 6D2536C0
lstrlenW.KERNEL32(00000000,?,?,00000000,?,00000000,?,?,?,?,?,?,GET), ref: 6D2536E4
InternetSetOptionW.WININET(?,0000001D,?,00000000), ref: 6D2536F3
InternetSetOptionW.WININET(?,00000002,?,00000004), ref: 6D253727
InternetSetOptionW.WININET(?,00000005,?,00000004), ref: 6D25375B
InternetSetOptionW.WININET(?,00000006,?,00000004), ref: 6D25378F
HttpOpenRequestW.WININET(?,?,?,00000000,00000000,6D256024,84480200,00000000), ref: 6D2537B6
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 6D25382E
HttpAddRequestHeadersW.WININET(00000000,Accept-Encoding: gzip,deflate,000000FF,20000000), ref: 6D253847
lstrcmpiW.KERNEL32(?,POST,?,?,?,?,?,?,?,?,00000000), ref: 6D253855
HttpAddRequestHeadersW.WININET(00000000,Content-Type: application/x-www-form-urlencoded,000000FF,20000000), ref: 6D253879
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6D2538A2
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6D2538AD
GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6D2538C5
lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2538D5
lstrcatW.KERNEL32(00000000,6D2551A0,?,?,?,?,?,?,?,?,00000000), ref: 6D2538E1
lstrcatW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2538EB
lstrcatW.KERNEL32(00000000,6D2550F8,?,?,?,?,?,?,?,?,00000000), ref: 6D2538F7
HttpAddRequestHeadersW.WININET(?,00000000,?,A0000000), ref: 6D253907
GlobalFree.KERNEL32(00000000), ref: 6D25390E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D25396C
lstrcmpiW.KERNEL32(?,Unicode,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D25399B
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2539A8
HttpSendRequestW.WININET(00000000,00000000,00000000,?,00000000), ref: 6D2539B9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2539C6
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2539E2
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,?), ref: 6D253A0D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253A1A
GlobalFree.KERNEL32(?), ref: 6D253A34
GlobalFree.KERNEL32(?), ref: 6D253A3D
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 6D253A4A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 6D253A57
InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6D253A81
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253A96
InternetReadFile.WININET(00000000,00000000,?,?), ref: 6D253AB5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 6D253B14
GlobalFree.KERNEL32(?), ref: 6D253B2F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 6D253B37
HttpQueryInfoW.WININET(00000000,00000013,00000000,?,00000000), ref: 6D253B5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253B66
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253B7E
HttpQueryInfoW.WININET(00000000,00000013,00000000,?,00000000), ref: 6D253B95
GlobalFree.KERNEL32(00000000), ref: 6D253BB6
InternetCloseHandle.WININET(00000000), ref: 6D253BBD
GetLastError.KERNEL32(?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,00000000), ref: 6D253BC5
InternetCloseHandle.WININET(?), ref: 6D253BDF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D253BE7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D253BF5
GlobalFree.KERNEL32(?), ref: 6D253C0F
GlobalFree.KERNEL32(?), ref: 6D253C18
GlobalFree.KERNEL32(?), ref: 6D253C32
GlobalFree.KERNEL32(00000000), ref: 6D253C39
InternetCloseHandle.WININET(?), ref: 6D253C42
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,nsJSON NSIS plug-in/1.0.x.x,?,?), ref: 6D253C4A

Strings

Content-Type: application/json, xrefs: 6D25386C
Verb, xrefs: 6D253599
Unicode, xrefs: 6D253995
Agent, xrefs: 6D253363
PreConfig, xrefs: 6D2533AF
nsJSON NSIS plug-in/1.0.x.x, xrefs: 6D25335D
Password, xrefs: 6D253635, 6D2536C6
Headers, xrefs: 6D253804
Proxy, xrefs: 6D253397, 6D2533BF
InternetReadFile, xrefs: 6D253B1B
Content-Type: application/x-www-form-urlencoded, xrefs: 6D253873
ConnectTimeout, xrefs: 6D2536F9
UnicodeOutput, xrefs: 6D253ADA
Bypass, xrefs: 6D2533F8
RawOutput, xrefs: 6D253AC2
POST, xrefs: 6D25384D
ParamsType, xrefs: 6D253470
InternetCrackUrl, xrefs: 6D253BFC
Url, xrefs: 6D25333B
Data, xrefs: 6D2537CC
Server, xrefs: 6D2533D8
Accept-Encoding: gzip,deflate, xrefs: 6D253841
Raw, xrefs: 6D253463
Output, xrefs: 6D253AFF
InternetConnect, xrefs: 6D253BEE
HttpOpenRequest, xrefs: 6D253BCC
Username, xrefs: 6D2535FF, 6D253693
Decoding, xrefs: 6D253667
InternetQueryDataAvailable, xrefs: 6D253B3E
ReceiveTimeout, xrefs: 6D253761
Params, xrefs: 6D25344C
InternetOpen, xrefs: 6D253C51
AccessType, xrefs: 6D25337B
HttpSendRequest, xrefs: 6D2539CD, 6D253A21, 6D253A5E
StatusCode, xrefs: 6D253BA5
SendTimeout, xrefs: 6D25372D
GET, xrefs: 6D253593
JSON_SerializeAlloc, xrefs: 6D2534DE, 6D253973
DataEncoding, xrefs: 6D2537E1

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Internet$Global$ErrorLast$Httplstrlen$Free$OptionRequest$Alloc$lstrcmpi$Headers$CloseHandleQuerySendlstrcatlstrcpy$InfoOpen$AvailableConnectCrackDataFileRead
String ID: Accept-Encoding: gzip,deflate$AccessType$Agent$Bypass$ConnectTimeout$Content-Type: application/json$Content-Type: application/x-www-form-urlencoded$Data$DataEncoding$Decoding$GET$Headers$HttpOpenRequest$HttpSendRequest$InternetConnect$InternetCrackUrl$InternetOpen$InternetQueryDataAvailable$InternetReadFile$JSON_SerializeAlloc$Output$POST$Params$ParamsType$Password$PreConfig$Proxy$Raw$RawOutput$ReceiveTimeout$SendTimeout$Server$StatusCode$Unicode$UnicodeOutput$Url$Username$Verb$nsJSON NSIS plug-in/1.0.x.x
API String ID: 1670357981-3940592491
Opcode ID: 16f86a90be0a0b94a8b4871c07af6154d11a46e75a4517e6b58ac9fc65be382c
Instruction ID: c1fd90e5664e62600d35c7c661ee1166ac0235b06b6c68d0f9ffafa6c9a52742
Opcode Fuzzy Hash: 16f86a90be0a0b94a8b4871c07af6154d11a46e75a4517e6b58ac9fc65be382c
Instruction Fuzzy Hash: 2E424BB199421ABFEF015FB08C49EBF7BBCFF09215B015529FA05E6141EB35D9608BA0

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNEL32(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(00000000,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Function 0040498A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(get,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,get), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

https://pcapp.store/pixel.gif?guid=, xrefs: 004049A3
get, xrefs: 00404AEB, 00404AF0, 00404AFB
A, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$get$https://pcapp.store/pixel.gif?guid=
API String ID: 2624150263-3942083012
Opcode ID: aac53df244383e2a07a9d2c6e377dc106276e891bc31ab3524a37a2d2ad96109
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: aac53df244383e2a07a9d2c6e377dc106276e891bc31ab3524a37a2d2ad96109
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Function 00406D85 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Function 0040755C Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Function 6D252E57 Relevance: 79.2, APIs: 34, Strings: 11, Instructions: 412memorystringfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D252ECB
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,00000000), ref: 6D252EFE
SetHandleInformation.KERNEL32(?,00000001,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D252F15
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,00000000), ref: 6D252F2D
SetHandleInformation.KERNEL32(?,00000001,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D252F3E
GlobalAlloc.KERNEL32(00000040,00000010,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D252F4C
GlobalAlloc.KERNEL32(00000040,00000044,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D252F5F
lstrlenW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6D252FC8
GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,00000000), ref: 6D252FE2
lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 6D25300F
lstrlenW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6D253014
lstrcpyW.KERNEL32(00000000,6D2550EC,?,?,?,?,?,00000000), ref: 6D253028
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,08000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 6D253095
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2530C4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253132
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253140
ReadFile.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253160
GlobalReAlloc.KERNEL32(00000000,00000002,00000042), ref: 6D25317E
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D25318C
ReadFile.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2531CD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D2531D5
GetExitCodeProcess.KERNEL32(?,?), ref: 6D253246
GlobalAlloc.KERNEL32(00000040,00000016,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D253254
wsprintfW.USER32 ref: 6D253269
GlobalFree.KERNEL32(00000000), ref: 6D253285
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D25328D
GlobalFree.KERNEL32(00000000), ref: 6D2532A7
GlobalFree.KERNEL32(?), ref: 6D2532B1
GlobalFree.KERNEL32(00000000), ref: 6D2532B8
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D2532CA
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D2532D9
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D2532E8
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6D2532F7
GlobalFree.KERNEL32(00000000), ref: 6D2532FE

Strings

Path, xrefs: 6D252E8D
Arguments, xrefs: 6D252F72
%lu, xrefs: 6D253263
DoCreateProcess, xrefs: 6D2531DC
Input, xrefs: 6D2530A5
UnicodeOutput, xrefs: 6D253209
RawOutput, xrefs: 6D2531F3
WorkingDir, xrefs: 6D253058
UnicodeInput, xrefs: 6D2530CF
Output, xrefs: 6D252E6A, 6D25322D
ExitCode, xrefs: 6D252E7B, 6D253274

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$Handle$Close$Alloc$Free$Create$FileInformationPipeProcessReadlstrcpylstrlen$CodeErrorExitLastwsprintf
String ID: %lu$Arguments$DoCreateProcess$ExitCode$Input$Output$Path$RawOutput$UnicodeInput$UnicodeOutput$WorkingDir
API String ID: 2805452489-696223222
Opcode ID: 5f199193345e86ecc194f726d3ba207562e35e3cdede0f9cfc0a06922730bf80
Instruction ID: 3b0f84a9ccbb30aa98a236f0e19007d194bc548048c1fee0a7b34a8364b78471
Opcode Fuzzy Hash: 5f199193345e86ecc194f726d3ba207562e35e3cdede0f9cfc0a06922730bf80
Instruction Fuzzy Hash: DBE19B7198420EEBDF118FA0CC49FBFBBB8FF4A715F114129EA14A6150D7319961CBA0

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

N, xrefs: 0040519B
, xrefs: 004054D4
M, xrefs: 004050BA

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Function 6D253C89 Relevance: 52.8, APIs: 15, Strings: 15, Instructions: 251memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D253CC1

Part of subcall function 6D25414A: lstrcmpiW.KERNEL32(?,/tree,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254182

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

lstrcmpiW.KERNEL32(00000000,/noexpand,00000000), ref: 6D253CF0
GlobalFree.KERNEL32(00000000), ref: 6D253F55

Part of subcall function 6D254C09: GlobalAlloc.KERNEL32(00000040,?,00000000,?,6D2541B1,?,?,6D252D8C,00000000,00000000,00000000), ref: 6D254C25
Part of subcall function 6D254C09: lstrcpynW.KERNEL32(00000004,?,?,6D2541B1,?,?,6D252D8C,00000000,00000000,00000000), ref: 6D254C3A

wsprintfW.USER32 ref: 6D253E18

Strings

/count, xrefs: 6D253D4D
/end, xrefs: 6D253D8F
/noexpand, xrefs: 6D253CEA
/key, xrefs: 6D253CFD
node, xrefs: 6D253E72
string, xrefs: 6D253E54
/keys, xrefs: 6D253D11
yes, xrefs: 6D253DF8, 6D253E2C
JSON_Serialize, xrefs: 6D253F17
array, xrefs: 6D253E68
/index, xrefs: 6D253D9F
/type, xrefs: 6D253D25
value, xrefs: 6D253E5E
/isempty, xrefs: 6D253D61
/exists, xrefs: 6D253D39

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$AllocFreelstrcmpi$lstrcpylstrcpynwsprintf
String ID: /count$/end$/exists$/index$/isempty$/key$/keys$/noexpand$/type$JSON_Serialize$array$node$string$value$yes
API String ID: 760165124-199274824
Opcode ID: d4dbc1a2d7a0f96013a08f07826ebe0b7012c145e6fd271185bb5a5fa94476c6
Instruction ID: a4cac888e5f1f2ec1374036c3bc9adbca488342e0698ef6ffeba4ee2352a5858
Opcode Fuzzy Hash: d4dbc1a2d7a0f96013a08f07826ebe0b7012c145e6fd271185bb5a5fa94476c6
Instruction Fuzzy Hash: BA71A0345E960FEADB025F288C88F7B77B8FF0775AB106125F915E2100E722D971D6A2

Function 6FD727C1 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 212stringwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6FD727D3
GetTickCount.KERNEL32 ref: 6FD727E7
wsprintfW.USER32 ref: 6FD7282E
MulDiv.KERNEL32(00000064,?), ref: 6FD72853
lstrlenW.KERNEL32(?, %d%%,00000000), ref: 6FD72866
wsprintfW.USER32 ref: 6FD72876
SetWindowTextW.USER32(?,?), ref: 6FD7288F
SetDlgItemTextW.USER32(?,000003E9,?), ref: 6FD728B7
SetDlgItemTextW.USER32(?,000003EA,6FD79140), ref: 6FD728C4
lstrcatW.KERNEL32(?, ( ), ref: 6FD72901
lstrlenW.KERNEL32(?), ref: 6FD7290A
lstrcatW.KERNEL32(?,/sec ),00000000), ref: 6FD72938
SetDlgItemTextW.USER32(?,000003EB,?), ref: 6FD72955
wsprintfW.USER32 ref: 6FD72986
SetDlgItemTextW.USER32(?,000003EF,?), ref: 6FD7299C
SetDlgItemTextW.USER32(?,000003EE,?), ref: 6FD729D0
MulDiv.KERNEL32(00000190,00000000), ref: 6FD729E5
SendDlgItemMessageW.USER32(?,000003ED,00000402,00000000), ref: 6FD729F7
MulDiv.KERNEL32(?,?,?), ref: 6FD72A15
wsprintfW.USER32 ref: 6FD72A41
GetDlgItem.USER32(?,000003EC), ref: 6FD72A62
SetWindowTextW.USER32(00000000), ref: 6FD72A69

Strings

%d:%02d:%02d, xrefs: 6FD72980, 6FD72A3B
%s - %s, xrefs: 6FD72828
Inetc plug-in, xrefs: 6FD72813
<, xrefs: 6FD7295C
( , xrefs: 6FD728FB
%d%%, xrefs: 6FD7285A
/sec ), xrefs: 6FD7292C

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: ItemText$wsprintf$CountTickWindowlstrcatlstrlen$MessageSend
String ID: ( $ %d%%$%d:%02d:%02d$%s - %s$/sec )$<$Inetc plug-in
API String ID: 2899058848-745815842
Opcode ID: 1d69481b1af72191b3dd52262bacb87b2333cbf3742460b8ae0150cbecf471a7
Instruction ID: 620c106b111c20460bf7d21f4bea437658e079c07769b0ab5c4898dfbfa88702
Opcode Fuzzy Hash: 1d69481b1af72191b3dd52262bacb87b2333cbf3742460b8ae0150cbecf471a7
Instruction Fuzzy Hash: 3971D172900624EBEF64DB64CC88EEA73FDEB49325F044155F544EE284DF70BA918BA1

Function 6FD72B20 Relevance: 47.6, APIs: 17, Strings: 10, Instructions: 350networkfilelibraryCOMMON

Download Yara Rule

APIs

InternetGetLastResponseInfoW.WININET(?,?,?), ref: 6FD72B5C
wsprintfW.USER32 ref: 6FD72BAC
InternetGetLastResponseInfoW.WININET(?,?,?), ref: 6FD72C0A
wsprintfW.USER32 ref: 6FD72C6D
InternetGetLastResponseInfoW.WININET(?,?,?), ref: 6FD72CD0
FtpOpenFileW.WININET(?,?,80000000,80000002,00000000), ref: 6FD72D2F
GetLastError.KERNEL32 ref: 6FD72D40
InternetGetLastResponseInfoW.WININET(?,?,00000200), ref: 6FD72D67
FtpCreateDirectoryW.WININET(?,?), ref: 6FD72DD5
InternetGetLastResponseInfoW.WININET(?,?,00000200), ref: 6FD72DF1
lstrlenW.KERNEL32(?), ref: 6FD72DF4
FtpOpenFileW.WININET(?,?,40000000,80000002,00000000), ref: 6FD72E37
InternetGetLastResponseInfoW.WININET(?,?,00000200), ref: 6FD72E68
lstrcpynW.KERNEL32(?,?,00000020), ref: 6FD72EC7
InternetGetLastResponseInfoW.WININET(?,?,00000200), ref: 6FD72F12
LoadLibraryA.KERNEL32(WININET,FtpGetFileSize), ref: 6FD72F2E
GetProcAddress.KERNEL32(00000000), ref: 6FD72F35

Strings

110, xrefs: 6FD72CF7
550, xrefs: 6FD72D7C, 6FD72E88, 6FD72EA9
553, xrefs: 6FD72D93
WININET, xrefs: 6FD72F29
FtpGetFileSize, xrefs: 6FD72F24
SIZE %s, xrefs: 6FD72BA6
213 , xrefs: 6FD72C16
REST %d, xrefs: 6FD72C67
350, xrefs: 6FD72CE0
TYPE I, xrefs: 6FD72B8F

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: Last$InfoInternetResponse$FileOpenwsprintf$AddressCreateDirectoryErrorLibraryLoadProclstrcpynlstrlen
String ID: 110$213 $350$550$553$FtpGetFileSize$REST %d$SIZE %s$TYPE I$WININET
API String ID: 1477666268-197188557
Opcode ID: ba694bba1a96454c4a5df9839bb3539c80ddf1489d356e43bcfcb98c26282c19
Instruction ID: 3e7a5a1eb5ce2e89fef62f77ab96834ed8223cb0433790fc2d49d9ecbd59f6e4
Opcode Fuzzy Hash: ba694bba1a96454c4a5df9839bb3539c80ddf1489d356e43bcfcb98c26282c19
Instruction Fuzzy Hash: D9C15B72904359EAEB74CB64CC89FDB77BCEB45325F14056AE414EA180EF70BA488A60

Function 6FD736C4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 202stringwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6FD736D3
GetTickCount.KERNEL32 ref: 6FD736EE
MulDiv.KERNEL32(-6FD7980C,?,?), ref: 6FD7371D
MulDiv.KERNEL32(00000064,?,?), ref: 6FD73783
wsprintfW.USER32 ref: 6FD737D8
lstrlenW.KERNEL32(6FD7D630, (%d %s%s remaining),00000000,?,6FD7700C), ref: 6FD737FC
wsprintfW.USER32 ref: 6FD7380A
SetDlgItemTextW.USER32(000003E9,Connecting ...), ref: 6FD73834
MulDiv.KERNEL32(00000190,?,00000000), ref: 6FD7385C
GetDlgItem.USER32(000003ED,00000402), ref: 6FD73873
SendMessageW.USER32(00000000), ref: 6FD73876
wsprintfW.USER32 ref: 6FD738BD
GetDlgItem.USER32(000003EE), ref: 6FD738CD
IsWindow.USER32(00000000), ref: 6FD738DF
GetWindowTextW.USER32(00000000,6FD7DFD0,00000800), ref: 6FD738F5
lstrcmpW.KERNEL32(6FD7DFD0,6FD7D630), ref: 6FD73902
SetWindowTextW.USER32(00000000,6FD7D630), ref: 6FD7390E

Strings

second, xrefs: 6FD73737
Connecting ..., xrefs: 6FD73823, 6FD73828
(%d %s%s remaining), xrefs: 6FD737F6
%dkB (%d%%) of %dkB @ %d.%01dkB/s, xrefs: 6FD737D2
minute, xrefs: 6FD7374C
hour, xrefs: 6FD7375F
Downloading %s, xrefs: 6FD738A7

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: ItemTextWindowwsprintf$CountTick$MessageSendlstrcmplstrlen
String ID: (%d %s%s remaining)$%dkB (%d%%) of %dkB @ %d.%01dkB/s$Connecting ...$Downloading %s$hour$minute$second
API String ID: 3991246718-1428494263
Opcode ID: 60bf5391517f5656e198c050b9a2f74b23bc9506b0624ae3edeb02e2903830c2
Instruction ID: 72eda2a840dd05beee8e84c658290899f9d430259aa70fd1f0f7bdfd03f80f0e
Opcode Fuzzy Hash: 60bf5391517f5656e198c050b9a2f74b23bc9506b0624ae3edeb02e2903830c2
Instruction Fuzzy Hash: 9651D572A00621EBFB745B24CC86B5A77E9EB4A370F184225F911EF2C4DB71B91186E1

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

N, xrefs: 004047F4
get, xrefs: 00404835

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$get
API String ID: 3103080414-214687294
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Function 6FD739AE Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 114stringnetworkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(?,00000013,?,?,00000000), ref: 6FD739E4
lstrcmpW.KERNEL32(?,6FD77010), ref: 6FD73A0D
lstrcmpW.KERNEL32(00000000,401), ref: 6FD73A31
lstrcmpW.KERNEL32(00000000,403), ref: 6FD73A52

Strings

407, xrefs: 6FD73A88
Request Error, xrefs: 6FD73B1A
304, xrefs: 6FD73ACA
401, xrefs: 6FD73A25
403, xrefs: 6FD73A46
Redirection, xrefs: 6FD73AFF
5, xrefs: 6FD73B4F
(%s), xrefs: 6FD73B37
405, xrefs: 6FD73AA9
Server Error, xrefs: 6FD73B63
404, xrefs: 6FD73A67

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: lstrcmp$HttpInfoQuery
String ID: (%s)$304$401$403$404$405$407$5$Redirection$Request Error$Server Error
API String ID: 386791786-3813172215
Opcode ID: a918a7ca783bf4e65ae6541139135870df3bd22625785c1856a87d5b50f0cfd1
Instruction ID: d284696b8009a66c1d8aab73614025be050d1f216ff37f5e832bd9efa28dce01
Opcode Fuzzy Hash: a918a7ca783bf4e65ae6541139135870df3bd22625785c1856a87d5b50f0cfd1
Instruction Fuzzy Hash: 9741E1B580432AE6EBB09F60CD4AF8977F8EB01385F004196D614EF144EB70B659DBA2

Function 6D252BB4 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 141windowmemorythreadCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000008,00000000,00000000,7556F360,?,?,?,6D2545D3,6D253C68,?,00000000,00000000), ref: 6D252BD8

Part of subcall function 6D2519D2: lstrcmpW.KERNEL32(00000000,6D2550D0,00000000,h<%m,6D252C02,00000000,00000000,Async,00000000,?,?,?,6D2545D3,6D253C68,?,00000000), ref: 6D2519EB
Part of subcall function 6D2519D2: lstrcmpiW.KERNEL32(00000000,false,?,?,?,6D2545D3,6D253C68,?,00000000,00000000), ref: 6D2519FD

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 6D252C11
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,6D2545D3,6D253C68,?,00000000,00000000), ref: 6D252C29
wsprintfW.USER32 ref: 6D252C42
GlobalFree.KERNEL32(00000000), ref: 6D252C5B
GlobalFree.KERNEL32(00000000), ref: 6D252C67
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 6D252C96
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,00001DFF,00000000), ref: 6D252CB5
PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 6D252CCB
TranslateMessage.USER32(00000000), ref: 6D252CDF
DispatchMessageW.USER32(00000000), ref: 6D252CE9
PostMessageW.USER32(00000000,00000012,?,?), ref: 6D252CFC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D2545D3,6D253C68,?,00000000), ref: 6D252D0B

Strings

Handle, xrefs: 6D252C4C
UIAsync, xrefs: 6D252C72
Async, xrefs: 6D252BEC
h<%m, xrefs: 6D252BBF

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: GlobalMessage$AllocCreateFreeThread$CloseDispatchHandleMultipleObjectsPeekPostTranslateWaitlstrcmplstrcmpiwsprintf
String ID: Async$Handle$UIAsync$h<%m
API String ID: 783503903-3558367965
Opcode ID: bfd3bb212ddea4833fc1e98c29d4cdef9782293ac6d0cd41da002f7816c855ad
Instruction ID: 1e90168fbc0a8a87a5801f1f1ea0e8ead98c1f86b85c9e4b6138bfd12611d0ec
Opcode Fuzzy Hash: bfd3bb212ddea4833fc1e98c29d4cdef9782293ac6d0cd41da002f7816c855ad
Instruction Fuzzy Hash: 274192B158221EFBDB215FA58C4CEBF7E7CEF4A266B100118FA15A2185DB35D920D7B0

Function 6D25465D Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 120stringmemorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000020,00000000,755734C0,00000000,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D254670
wsprintfW.USER32 ref: 6D254685
GlobalFree.KERNEL32(00000000), ref: 6D2546A3
GetModuleHandleA.KERNEL32(wininet.dll,1%m,00000400,00000000,00000000,00000000,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D2546C7
FormatMessageW.KERNEL32(00001300,00000000,1%m,00000400,00000000,00000000,00000000,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D2546DB
lstrlenW.KERNEL32(?,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D2546EE
GlobalAlloc.KERNEL32(00000040,?,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D254704
lstrcpyW.KERNEL32(00000000,?,?,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D25471A
lstrcpyW.KERNEL32(1%m,6D2551A0,?,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D254728
lstrcpyW.KERNEL32(1%m,00000000,?,?,?,6D2531E9,?,DoCreateProcess,00000000), ref: 6D254775
GlobalFree.KERNEL32(00000000), ref: 6D25478D
LocalFree.KERNEL32(00000000,?,DoCreateProcess), ref: 6D25479F

Strings

wininet.dll, xrefs: 6D2546C2
ErrorMessage, xrefs: 6D25477C
%lu, xrefs: 6D25467F
1%m, xrefs: 6D254672, 6D25471C, 6D25476A, 6D25467E, 6D2546BF, 6D254727, 6D254774
ErrorCode, xrefs: 6D254690

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$Freelstrcpy$Alloc$FormatHandleLocalMessageModulelstrlenwsprintf
String ID: %lu$ErrorCode$ErrorMessage$wininet.dll$1%m
API String ID: 3175574836-342626864
Opcode ID: 448b85f12d4e4cb8bc5400f9487ba37144c6241b0ce66344fc7a7ba23d96654e
Instruction ID: 96eef46f3aa91f279ddd4d392c8fea082b05a4477d994e6cbcbf94d4028f17a7
Opcode Fuzzy Hash: 448b85f12d4e4cb8bc5400f9487ba37144c6241b0ce66344fc7a7ba23d96654e
Instruction Fuzzy Hash: 8531897548020EBBDF118FA4CC88FBFBB78EB4A759F500515FA14AA150D7719D31DAA0

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Function 6FD910EF Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 113stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6FD91E4E: lstrcpynW.KERNEL32(6FD91054,?,?,?,6FD91054,?), ref: 6FD91E7B
Part of subcall function 6FD91E4E: GlobalFree.KERNEL32 ref: 6FD91E8B

lstrcmpiW.KERNEL32(?,save,6FD94920,00000400,6FD95128,00000400,?,00000005), ref: 6FD91168
GetFileAttributesW.KERNEL32(6FD95128), ref: 6FD9117A
lstrcpyW.KERNEL32(6FD95928,6FD95128), ref: 6FD91193
lstrcpyW.KERNEL32(6FD94920,All Files|*.*), ref: 6FD911B8
CharNextW.USER32(6FD94920), ref: 6FD911D9
GetCurrentDirectoryW.KERNEL32(00000400,6FD94120), ref: 6FD911F1
GetSaveFileNameW.COMDLG32(0000004C), ref: 6FD91205
GetOpenFileNameW.COMDLG32(0000004C), ref: 6FD9120D
CommDlgExtendedError.COMDLG32 ref: 6FD91213
GetSaveFileNameW.COMDLG32(0000004C), ref: 6FD91230
GetOpenFileNameW.COMDLG32(0000004C), ref: 6FD91238
SetCurrentDirectoryW.KERNEL32(6FD94120,6FD95128), ref: 6FD91250

Strings

All Files|*.*, xrefs: 6FD911B2
L, xrefs: 6FD91135
save, xrefs: 6FD91162

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: File$Name$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedFreeGlobalNextlstrcmpilstrcpyn
String ID: All Files|*.*$L$save
API String ID: 3853173656-601108453
Opcode ID: f76553c8daee65b78a483c6fed2c80b328858d9795c57bf39169034328a9fe93
Instruction ID: ba2c62cc1f267c4ee715b122ba40cc1fa7d6036398f4c7a72c8ef7dbb1c0ad90
Opcode Fuzzy Hash: f76553c8daee65b78a483c6fed2c80b328858d9795c57bf39169034328a9fe93
Instruction Fuzzy Hash: C8414676900704FBEB809FE8C949A8A7BFCFB46366F044126F819E6281D775B855CB60

Function 6D254446 Relevance: 24.2, APIs: 10, Strings: 6, Instructions: 182stringmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040), ref: 6D254481
GlobalAlloc.KERNEL32(00000040), ref: 6D254494
lstrcmpiW.KERNEL32(00000000,/index,00000000), ref: 6D2544DC
lstrcmpiW.KERNEL32(00000000,/value), ref: 6D2544F1
lstrcmpiW.KERNEL32(00000000,/file), ref: 6D254501
lstrcmpiW.KERNEL32(00000000,/http), ref: 6D254511
lstrcmpiW.KERNEL32(00000000,/exec), ref: 6D254521
GlobalFree.KERNEL32(?), ref: 6D254592
GlobalFree.KERNEL32(00000000), ref: 6D254599
lstrcmpiW.KERNEL32(00000000,/unicode,00000000), ref: 6D254611

Part of subcall function 6D25414A: lstrcmpiW.KERNEL32(?,/tree,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254182

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

Strings

/unicode, xrefs: 6D25460B
/http, xrefs: 6D25450B
/value, xrefs: 6D2544EB
/exec, xrefs: 6D25451B
/index, xrefs: 6D2544D6
/file, xrefs: 6D2544FB

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrcmpi$Global$Free$Alloc$lstrcpy
String ID: /exec$/file$/http$/index$/unicode$/value
API String ID: 2337425550-1467310578
Opcode ID: c90027977daf69336b615e6ef57964f4756135853af16136686da30b7ed6bdfd
Instruction ID: 43891c0f79718d1ec72f35967d50a2a4c0055ee76c809ed5e36cdeb091ec6913
Opcode Fuzzy Hash: c90027977daf69336b615e6ef57964f4756135853af16136686da30b7ed6bdfd
Instruction Fuzzy Hash: C4519F719C460FABDF018F698C44EBFB7A8AF1D356F108121F91596105EB30CA72CB95

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\Desktop\Setup.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

[Rename], xrefs: 0040626C, 0040627E
%ls=%ls, xrefs: 004061F8

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Function 6D251A11 Relevance: 19.7, APIs: 12, Strings: 1, Instructions: 199stringmemoryCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,6D252DE0,00000000), ref: 6D251AB1
lstrcmpW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,6D252DE0), ref: 6D251AFA
GlobalAlloc.KERNEL32(00000040,00000010,?,?,6D252DE0), ref: 6D251B26
GlobalAlloc.KERNEL32(00000040,00000010,?,?,6D252DE0), ref: 6D251B4B
lstrlenW.KERNEL32(00000000,?,?,6D252DE0), ref: 6D251B63
GlobalAlloc.KERNEL32(00000040,00000000,?,?,6D252DE0), ref: 6D251B73
lstrcpyW.KERNEL32(?,00000000,?,?,6D252DE0), ref: 6D251B8D
lstrlenW.KERNEL32(00000000,?,?,6D252DE0), ref: 6D251BC3
GlobalAlloc.KERNEL32(00000040,00000000,?,?,6D252DE0), ref: 6D251BD3
lstrcpyW.KERNEL32(00000000,00000000,?,?,6D252DE0), ref: 6D251BE2
GlobalAlloc.KERNEL32(00000040,00000002,?,?,6D252DE0), ref: 6D251BEE
GlobalFree.KERNEL32(00000000), ref: 6D251C09

Strings

-%m, xrefs: 6D251A15, 6D251B30, 6D251B79, 6D251B93

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$Alloc$lstrcmplstrcpylstrlen$Free
String ID: -%m
API String ID: 2483198964-3225033159
Opcode ID: d031cffcc6f890e9a1e9a9851d139b13c883ac19746dba3699c13ef1570c4150
Instruction ID: 21cac5e0df566f948abb65649e648cde6551d9e7a7eaa3e7b6a309674b973a2f
Opcode Fuzzy Hash: d031cffcc6f890e9a1e9a9851d139b13c883ac19746dba3699c13ef1570c4150
Instruction Fuzzy Hash: 13711470A8061BDFDF228F18C444F3A7BB4AF4A756F018569E85A9B250E731D8E0CB91

Function 6FD914D6 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 222windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?), ref: 6FD91531
GetDlgItem.USER32(?,?), ref: 6FD91544
SetWindowLongW.USER32(?,00000000,00000000), ref: 6FD91659
GetWindowTextW.USER32(?,00000000,00000400), ref: 6FD916B0
DrawTextW.USER32(?,00000000,000000FF,?,00000414), ref: 6FD916D1
GetWindowLongW.USER32(?,000000EB), ref: 6FD9171C
SetTextColor.GDI32(?,00000000), ref: 6FD9172F
DrawTextW.USER32(?,00000000,000000FF,00000000,?), ref: 6FD91749
DrawFocusRect.USER32(?,00000010), ref: 6FD9176A
RemovePropW.USER32(00000000,NSIS: nsControl pointer property), ref: 6FD9178E

Strings

NSIS: nsControl pointer property, xrefs: 6FD91786

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: Text$DrawWindow$Long$ColorFocusItemMessagePropRectRemoveSend
String ID: NSIS: nsControl pointer property
API String ID: 2008169532-1714965683
Opcode ID: 45a0b9c77551be7c6b1b417d91b736dc8a5bbf31300b49117031b89600e748ba
Instruction ID: 7d590a9f92b32df644533a74d91b4ab1fa28c3b935618602ce02fba0e08c1032
Opcode Fuzzy Hash: 45a0b9c77551be7c6b1b417d91b736dc8a5bbf31300b49117031b89600e748ba
Instruction Fuzzy Hash: F081AB71900206DBEF919FE4CC80BAA7BBDFF05310F058566E8559B1A6C772F895CBA0

Function 6D253FC3 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 94stringwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(wininet.dll,"?%m,00000400,"?%m,00000000,00000000,00000000,00000000,?,?,?,6D253F22,00000000,JSON_Serialize,00000000), ref: 6D253FED
FormatMessageW.KERNEL32(00001300,00000000,"?%m,00000400,"?%m,00000000,00000000,00000000,00000000,?,?,?,6D253F22,00000000,JSON_Serialize,00000000), ref: 6D25400F
lstrlenW.KERNEL32(00000000,00000000,?,?,?,6D253F22,00000000,JSON_Serialize,00000000), ref: 6D254023
lstrcpyW.KERNEL32(?,00000000,?,?,?,6D253F22,00000000,JSON_Serialize,00000000), ref: 6D254033
lstrcpyW.KERNEL32(00000000,6D2551A0,?,?,?,6D253F22,00000000,JSON_Serialize,00000000), ref: 6D254048
lstrcpyW.KERNEL32(?,"?%m,?,?,?,6D253F22,00000000,JSON_Serialize,00000000), ref: 6D25408D
wsprintfW.USER32 ref: 6D2540A5
LocalFree.KERNEL32(00000000), ref: 6D2540BA

Strings

"?%m, xrefs: 6D253FCA, 6D253FFD, 6D254080, 6D253FDE, 6D253FE1, 6D253FE7, 6D254002, 6D254008, 6D254088, 6D25409B
wininet.dll, xrefs: 6D253FE8
(%lu), xrefs: 6D25409C

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrcpy$FormatFreeHandleLocalMessageModulelstrlenwsprintf
String ID: (%lu)$"?%m$wininet.dll
API String ID: 2657572252-2785463851
Opcode ID: 0b6146e0cfc26fe240f3a7eae6ba21f74828f2ec2ffe924c465aabd02da415ec
Instruction ID: 63f471e4b0951cac3ee0dbff951b7fd7ea87a945f2816c4cecd572143f6115b7
Opcode Fuzzy Hash: 0b6146e0cfc26fe240f3a7eae6ba21f74828f2ec2ffe924c465aabd02da415ec
Instruction Fuzzy Hash: 9E31897558020AABEB158FA4CC88EBFBB7CEB49359F600612F914D6114D730E972CBA1

Function 6D251CED Relevance: 18.3, APIs: 10, Strings: 2, Instructions: 290stringmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00001000,00000000), ref: 6D251D07
GlobalAlloc.KERNEL32(00000040,00001000,00000000,?), ref: 6D251D65
lstrlenW.KERNEL32(?,00000001,00000000), ref: 6D251D96
lstrcmpiW.KERNEL32(00000004,true), ref: 6D251DC1
lstrlenW.KERNEL32(00000004,00000001,00000000), ref: 6D251E1D
lstrlenW.KERNEL32(?,00000001,00000000), ref: 6D251EB9
lstrlenW.KERNEL32(?,00000001,00000000), ref: 6D251F19
GlobalFree.KERNEL32(00000004), ref: 6D251FA7
GlobalFree.KERNEL32(00000000), ref: 6D251FDB

Part of subcall function 6D252536: lstrlenW.KERNEL32(00000000,6D253F05,?,6D253F05,?,00000000,?,00000000,00000000,00000000), ref: 6D252578
Part of subcall function 6D252536: lstrlenW.KERNEL32(?,6D253F05,?,6D253F05,?,00000000,?,00000000,00000000,00000000), ref: 6D252607

SetLastError.KERNEL32(00000000), ref: 6D251FE6

Strings

[]=, xrefs: 6D251EDC
true, xrefs: 6D251DB9

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrlen$Global$AllocFree$ErrorLastlstrcmpi
String ID: []=$true
API String ID: 462359672-2138158760
Opcode ID: c9cf7ddf0c9b32e2fa923bf86991c762a576fea35324905e91bbe51e3bc4dc09
Instruction ID: fba513b019f916d36b017de2028511275648fa6a00021febb57601bd2c22aec1
Opcode Fuzzy Hash: c9cf7ddf0c9b32e2fa923bf86991c762a576fea35324905e91bbe51e3bc4dc09
Instruction Fuzzy Hash: 39A1EAB6D5020EBBDF12CFD0CC85EEFB7BCAF08305F404566A615E6140E775AA948BA0

Function 6D25489D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 114synchronizationmemorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D2548D5

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

GlobalFree.KERNEL32(00000000), ref: 6D2549D1

Part of subcall function 6D251A11: GlobalAlloc.KERNEL32(00000040,00000010,?,?,6D252DE0), ref: 6D251B26
Part of subcall function 6D251A11: GlobalAlloc.KERNEL32(00000040,00000010,?,?,6D252DE0), ref: 6D251B4B
Part of subcall function 6D251A11: lstrlenW.KERNEL32(00000000,?,?,6D252DE0), ref: 6D251B63
Part of subcall function 6D251A11: GlobalAlloc.KERNEL32(00000040,00000000,?,?,6D252DE0), ref: 6D251B73
Part of subcall function 6D251A11: lstrcpyW.KERNEL32(?,00000000,?,?,6D252DE0), ref: 6D251B8D

lstrcmpiW.KERNEL32(00000000,/timeout,00000000,?), ref: 6D254954
WaitForSingleObject.KERNEL32(00000000,00000000,00000000), ref: 6D254987
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?), ref: 6D2549AF
CloseHandle.KERNEL32(00000000), ref: 6D2549B6

Strings

Handle, xrefs: 6D25490D
wait, xrefs: 6D254994
/timeout, xrefs: 6D25494E

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$Alloc$FreeObjectSingleWaitlstrcpy$CloseHandlelstrcmpilstrlen
String ID: /timeout$Handle$wait
API String ID: 371915083-854704214
Opcode ID: 231e8dd7aa43386590e2625cb19f78caf8ea2ce104cfdd479027a11d5d297dc3
Instruction ID: 194e084a876e1a62bd01519d898f2c2b989dafbf9af4b8915482d446987858f1
Opcode Fuzzy Hash: 231e8dd7aa43386590e2625cb19f78caf8ea2ce104cfdd479027a11d5d297dc3
Instruction Fuzzy Hash: BD31B43118C20FABDB015F658C49F6BB7BCAF4F22A7114226FA14D6141EB30D432C6A5

Function 6D25431D Relevance: 15.1, APIs: 6, Strings: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D254356

Part of subcall function 6D25414A: lstrcmpiW.KERNEL32(?,/tree,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254182

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

lstrcmpiW.KERNEL32(00000000,/file,00000000), ref: 6D254384
GetLastError.KERNEL32 ref: 6D25440E

Part of subcall function 6D254C09: GlobalAlloc.KERNEL32(00000040,?,00000000,?,6D2541B1,?,?,6D252D8C,00000000,00000000,00000000), ref: 6D254C25
Part of subcall function 6D254C09: lstrcpynW.KERNEL32(00000004,?,?,6D2541B1,?,?,6D252D8C,00000000,00000000,00000000), ref: 6D254C3A

GlobalFree.KERNEL32(00000000), ref: 6D25442A

Strings

/unicode, xrefs: 6D254393
/format, xrefs: 6D2543A9
JSON_Serialize, xrefs: 6D254415
/file, xrefs: 6D25437E

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$AllocFreelstrcmpi$ErrorLastlstrcpylstrcpyn
String ID: /file$/format$/unicode$JSON_Serialize
API String ID: 2114172429-2463986589
Opcode ID: ff5f16caee4a0f29cd840c227c55e8012e3122cd22531526a15fa75cba04b388
Instruction ID: 0cbd5ca981223ae1696e860f2dfadd022cfbe6f5ff7e5dc4e1e148df3b29a3bc
Opcode Fuzzy Hash: ff5f16caee4a0f29cd840c227c55e8012e3122cd22531526a15fa75cba04b388
Instruction Fuzzy Hash: 15318F7069920EABDB019F559888FBFB7B8EF4E346B144129FD09D6210E730D93286A5

Function 6D25240B Relevance: 13.6, APIs: 9, Instructions: 120filestringmemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000002,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000002,7556F360,00000000,00000002,00000000), ref: 6D252439
GetFileSize.KERNEL32(00000000,00000000), ref: 6D25244C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D25246A
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 6D252480
CloseHandle.KERNEL32(00000000), ref: 6D252487
lstrlenW.KERNEL32(00000002,00000000,00000002,7556F360), ref: 6D25249C
lstrlenA.KERNEL32(00000002,00000000,00000002,7556F360), ref: 6D2524A4
GlobalFree.KERNEL32(00000000), ref: 6D25251A
GlobalFree.KERNEL32(00000002), ref: 6D252527

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: FileGlobal$Freelstrlen$AllocCloseCreateHandleReadSize
String ID:
API String ID: 670225477-0
Opcode ID: 220821f4f035b3ba1d7b722047ab0eec07a2b26b77d7d949ac22c0c7634be655
Instruction ID: a86859145826262042dd16ab96dd326ef93fdc936e2beafce96dfbcd5ce71f6c
Opcode Fuzzy Hash: 220821f4f035b3ba1d7b722047ab0eec07a2b26b77d7d949ac22c0c7634be655
Instruction Fuzzy Hash: A331C7B184524ABBDB218F65CC08FAF7BB8EF46325F008219FD16962C0D7349A10CB60

Function 6D2515F7 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 192stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000002,00000000,7556FFC0), ref: 6D251604
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D2516BB
wsprintfW.USER32 ref: 6D251756
lstrcpyW.KERNEL32(00000000,?), ref: 6D2517C9

Strings

, xrefs: 6D251654
~, xrefs: 6D25165B
\u%04x, xrefs: 6D251750

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: AllocGloballstrcpylstrlenwsprintf
String ID: $\u%04x$~
API String ID: 1920656451-1521313420
Opcode ID: 0a8cd05ec9278c44d6b9a28804768985a0cebc3894b0b9343b2b2f58527a192b
Instruction ID: 48721c2c2fe0f42faafba58c15facd297a11cb02d71bf8b417a49bd70fdd2923
Opcode Fuzzy Hash: 0a8cd05ec9278c44d6b9a28804768985a0cebc3894b0b9343b2b2f58527a192b
Instruction Fuzzy Hash: F051F2359E030FEAEB034F5C88A4FB977B0FB55702F54811AE915D6194D3B585E0CB90

Function 6D252D25 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040), ref: 6D252D5E
GlobalAlloc.KERNEL32(00000040), ref: 6D252D71
GlobalFree.KERNEL32(00000000), ref: 6D252E28

Part of subcall function 6D25414A: lstrcmpiW.KERNEL32(?,/tree,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254182

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

lstrcmpiW.KERNEL32(00000000,/end,00000000), ref: 6D252DAA
lstrcmpiW.KERNEL32(00000000,/index), ref: 6D252DBA
GlobalFree.KERNEL32(00000000), ref: 6D252E21

Strings

/end, xrefs: 6D252DA4
/index, xrefs: 6D252DB4

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$Freelstrcmpi$Alloc$lstrcpy
String ID: /end$/index
API String ID: 3216674501-41208782
Opcode ID: a05aafce2797af4ce73e2c2090e2c7c1a3ae384bdd1b47a0b65eeb02abfa929e
Instruction ID: 8308dcbab22de2d2d818d337dcf29fa9b63bf4de9eae364118689628d624f12f
Opcode Fuzzy Hash: a05aafce2797af4ce73e2c2090e2c7c1a3ae384bdd1b47a0b65eeb02abfa929e
Instruction Fuzzy Hash: 503174B168524EEFDB11CF65C888E6B3BB8EF4A356B044129F919D7240D731D921CBA0

Function 6D2547A9 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 89stringmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D2547E0

Part of subcall function 6D25414A: lstrcmpiW.KERNEL32(?,/tree,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254182

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

lstrcmpiW.KERNEL32(00000000,/end,00000000), ref: 6D25480A
lstrcmpiW.KERNEL32(00000000,/index), ref: 6D25481A
GlobalFree.KERNEL32(00000000), ref: 6D254882

Strings

/end, xrefs: 6D254804
/index, xrefs: 6D254814
/options, xrefs: 6D25482D

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Globallstrcmpi$Free$Alloclstrcpy
String ID: /end$/index$/options
API String ID: 2166273740-1446855818
Opcode ID: 904ea1678d830aab340ebfc189490daae50d8101b5cedcc110bc5ef64711db8f
Instruction ID: d699fbb32a079bf23442f7273caeca58660dc9096af2e0064135b3423cbc68e0
Opcode Fuzzy Hash: 904ea1678d830aab340ebfc189490daae50d8101b5cedcc110bc5ef64711db8f
Instruction Fuzzy Hash: 4E21A57158564FABDB018F569C8CEAB7BBCEF9A35AB044165FD0497200D730C936CBA1

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Function 6FD91CCE Relevance: 12.1, APIs: 8, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000), ref: 6FD91CE6
ShowWindow.USER32(00000008), ref: 6FD91CF4
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6FD91D10
IsDialogMessageW.USER32(?), ref: 6FD91D20
IsDialogMessageW.USER32(?), ref: 6FD91D30
TranslateMessage.USER32(?), ref: 6FD91D3A
DispatchMessageW.USER32(?), ref: 6FD91D44
SetWindowLongW.USER32(?,00000004), ref: 6FD91D5E

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: Message$DialogWindow$DispatchLongSendShowTranslate
String ID:
API String ID: 1036221185-0
Opcode ID: 40b33aafd2af83ffa581910260ed78cb163562964330480762054a608c66caad
Instruction ID: c517c5c0d1fcd69cba3db860615369786474a68822c8807e427e9d53af99a3ab
Opcode Fuzzy Hash: 40b33aafd2af83ffa581910260ed78cb163562964330480762054a608c66caad
Instruction Fuzzy Hash: 81110932800A49FBEF119FE5DC0ADAE3B7DFB46762B044011F609A7065D732B425DB90

Function 6D254231 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 89stringmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000), ref: 6D254269

Part of subcall function 6D254B73: lstrcpyW.KERNEL32(00000000,00000004,00000000,?,6D254178,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D254B94
Part of subcall function 6D254B73: GlobalFree.KERNEL32(00000000), ref: 6D254BA5

lstrcmpiW.KERNEL32(00000000,/unicode,00000000), ref: 6D254291
lstrcmpiW.KERNEL32(00000000,/always), ref: 6D2542A6

Part of subcall function 6D254C09: GlobalAlloc.KERNEL32(00000040,?,00000000,?,6D2541B1,?,?,6D252D8C,00000000,00000000,00000000), ref: 6D254C25
Part of subcall function 6D254C09: lstrcpynW.KERNEL32(00000004,?,?,6D2541B1,?,?,6D252D8C,00000000,00000000,00000000), ref: 6D254C3A

GlobalFree.KERNEL32(00000000), ref: 6D2542FA
GlobalFree.KERNEL32(00000000), ref: 6D254304

Strings

/unicode, xrefs: 6D25428B
/always, xrefs: 6D2542A0

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$Free$Alloclstrcmpi$lstrcpylstrcpyn
String ID: /always$/unicode
API String ID: 3554853735-1970542336
Opcode ID: 4ceeafa197634064686d25150a63216bc9110a0aa922d5c6d7cb78acc08d211b
Instruction ID: 858f03c1992016be3f1a205b6ed4fe6fbe3236666d76b2612385954185ea6950
Opcode Fuzzy Hash: 4ceeafa197634064686d25150a63216bc9110a0aa922d5c6d7cb78acc08d211b
Instruction Fuzzy Hash: 8F21E13169521EABDB018F15C888F6F77B8AF4A36AF114116F904DB200D774D933CBA0

Function 0040559F Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,0042C248,00000000,00425020,755723A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425020,755723A0), ref: 004055FA
SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(get,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(get,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5
*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2246974252
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Function 6FD91021 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 6FD91E4E: lstrcpynW.KERNEL32(6FD91054,?,?,?,6FD91054,?), ref: 6FD91E7B
Part of subcall function 6FD91E4E: GlobalFree.KERNEL32 ref: 6FD91E8B

SHBrowseForFolderW.SHELL32(?), ref: 6FD910A8
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 6FD910C8
CoTaskMemFree.OLE32(00000000,error), ref: 6FD910E6

Strings

0vv, xrefs: 6FD910C8
E, xrefs: 6FD91093
error, xrefs: 6FD910B4, 6FD910DB

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: Free$BrowseFolderFromGlobalListPathTasklstrcpyn
String ID: 0vv$E$error
API String ID: 1728609016-41027614
Opcode ID: 2b8055c973e5c72f14f0a2e18390f15a12e7bbfeee7051361d72fcb88d2d38e1
Instruction ID: 97684fa035e01e2db09fcdd2bd4cd3c6d06825b3b6b0e159ee91ecbe14c1fc30
Opcode Fuzzy Hash: 2b8055c973e5c72f14f0a2e18390f15a12e7bbfeee7051361d72fcb88d2d38e1
Instruction Fuzzy Hash: 3E2149B6900318ABDB80DFE0C945BDE77BCBB09354F004256E518E6240E736BA54CFA1

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(get,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(get,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Strings

MS Shell Dlg, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: MS Shell Dlg
API String ID: 2584051700-76309092
Opcode ID: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(0002BCFB,00000064,0002E668), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 34baaeb4f482044ab67dd7918236f7f229881b82dd6befd7adca30260b95ec65
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: 34baaeb4f482044ab67dd7918236f7f229881b82dd6befd7adca30260b95ec65
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Function 6FD71A64 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,6FD77010), ref: 6FD71A82
wsprintfW.USER32 ref: 6FD71AB7

Strings

%u kB, xrefs: 6FD71AA4
???, xrefs: 6FD71A6F
%u bytes, xrefs: 6FD71A92
%u MB, xrefs: 6FD71AAF

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: %u MB$%u bytes$%u kB$???
API String ID: 2408954437-4199891213
Opcode ID: b872e17ea7eea712d59238c628111cb5859894777842478fd3db2f5f7a8988ec
Instruction ID: 3a375b233d8af739a937a04d8f867cd8487dc9897760a27b455935aa2c824f69
Opcode Fuzzy Hash: b872e17ea7eea712d59238c628111cb5859894777842478fd3db2f5f7a8988ec
Instruction Fuzzy Hash: B1F06571004608BADBF01B28AC50E69336DFB01338F504F12FC6EDC150DE21F5995552

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Function 6FD71385 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6FD7138E
GetWindowRect.USER32(00000000,?), ref: 6FD713C0
GetClientRect.USER32(00000000,?), ref: 6FD713C4
GetWindowRect.USER32(?,?), ref: 6FD713D1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6FD71413
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 6FD71453

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: RectWindow$ClientInfoParametersParentSystem
String ID:
API String ID: 1395677574-0
Opcode ID: 392718eb18f5f4b6f5b28b83c1684f0b243eadaa0c1afd56f51da94e6d2bc261
Instruction ID: 657e8d0cb01d31bce0f1357e455085758e015297e61f2a615c917717a6ab1d00
Opcode Fuzzy Hash: 392718eb18f5f4b6f5b28b83c1684f0b243eadaa0c1afd56f51da94e6d2bc261
Instruction Fuzzy Hash: 4C212B32A00529AFEF10DBB8CD49BDDBBF9AB45654F094165E900F7180DA70BD00CBA1

Function 6FD74A49 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 11stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(Downloading %s,Uploading %s), ref: 6FD74A5D
lstrcpyW.KERNEL32(Downloading,Uploading), ref: 6FD74A6D

Strings

Downloading, xrefs: 6FD74A68
Uploading %s, xrefs: 6FD74A4C
Uploading, xrefs: 6FD74A63
Downloading %s, xrefs: 6FD74A51

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: lstrcpy
String ID: Downloading$Downloading %s$Uploading$Uploading %s
API String ID: 3722407311-2813864553
Opcode ID: 0dfcf5e9af6b6acf8414e560b4b6f6b7d77b61c8c65864e7f612b930296044d1
Instruction ID: 1590c8a1096cff357295e23933eeb5a3d7052782968e47831acbdfb086514a5a
Opcode Fuzzy Hash: 0dfcf5e9af6b6acf8414e560b4b6f6b7d77b61c8c65864e7f612b930296044d1
Instruction Fuzzy Hash: F6C00261048AA4BBDFF027B98D08A5E7FD49707262B1C0941E1455D5064E66305C96E6

Function 6D2517D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(15FF5700,00000000,?,?,?,?,?,?,?,?,6D253ED9,00000000), ref: 6D2517E5
GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,6D253ED9,00000000), ref: 6D2517FA
wsprintfW.USER32 ref: 6D2518CD

Strings

0x%c%c%c%c, xrefs: 6D2518C7
\, xrefs: 6D251825

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: AllocGloballstrlenwsprintf
String ID: 0x%c%c%c%c$\
API String ID: 983123113-737428342
Opcode ID: 5d05b0a04fa8d7e431625aeb0e80e1f009ab21c46381b6695dfcac709f9956f1
Instruction ID: 18beae2a9bdf86ef5b3127d801c03295eff5a09f1b40ab530ac589e7beafebf6
Opcode Fuzzy Hash: 5d05b0a04fa8d7e431625aeb0e80e1f009ab21c46381b6695dfcac709f9956f1
Instruction Fuzzy Hash: 3541C671A9421EABDB25CF98C885FBEB7B4FF4A311F108155E905EB240D234D9D1C790

Function 6D261979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6D2619DA
GlobalFree.KERNEL32(?), ref: 6D261B7A
GlobalFree.KERNEL32(?), ref: 6D261B7F

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 0bece071f0955a28fe090fc13f0e45178b0ce287b75c04578d55d51cf442b8eb
Instruction ID: 2a54ce06ebd6c3709aedc9b7fdffb3d6e6e02570e384a5b04b9146a225f1b2a4
Opcode Fuzzy Hash: 0bece071f0955a28fe090fc13f0e45178b0ce287b75c04578d55d51cf442b8eb
Instruction Fuzzy Hash: D151B332DE83DFABCB179FA884809BE76B5BB45315B118169E500A3210E771BDC5C7B1

Function 6D252984 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(6D255050,?,00000000,?,00000000,|H%m,6D2521C4,|H%m,00000000,?,00000000,00000000,00000000,?,?,6D25487C), ref: 6D2529D4
lstrcmpiW.KERNEL32(6D255050,?,00000000,?,00000000,|H%m,6D2521C4,|H%m,00000000,?,00000000,00000000,00000000,?,?,6D25487C), ref: 6D2529DC
lstrcmpW.KERNEL32(75FF855B,?,00000000,?,00000000,|H%m,6D2521C4,|H%m,00000000,?,00000000,00000000,00000000,?,?,6D25487C), ref: 6D252A2A
lstrcmpiW.KERNEL32(75FF855B,?,00000000,?,00000000,|H%m,6D2521C4,|H%m,00000000,?,00000000,00000000,00000000,?,?,6D25487C), ref: 6D252A38

Strings

|H%m, xrefs: 6D252984

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrcmplstrcmpi
String ID: |H%m
API String ID: 3524194181-2782187842
Opcode ID: afa22afaf1e3607e53340dbdabe918b6470f48a86fbbb23f2766553385e32bb8
Instruction ID: 8cc3a678d634bafdcf098064f4748194a05d779155788f8204772e205b212aa7
Opcode Fuzzy Hash: afa22afaf1e3607e53340dbdabe918b6470f48a86fbbb23f2766553385e32bb8
Instruction Fuzzy Hash: 0631D6B22C820BAFDB368F18C844F6677A5FF45761F298094E954872E1D732C872C790

Function 6D2512FF Relevance: 7.6, APIs: 5, Instructions: 96stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000800,?,00000004,?,?,?,6D251E4C,00000004,00000800,00000000), ref: 6D25131D
GlobalAlloc.KERNEL32(00000040,-00000002,?,?,?,6D251E4C,00000004,00000800,00000000), ref: 6D25132C
IsCharAlphaNumericW.USER32(?,00000000,?,?,?,6D251E4C,00000004,00000800,00000000), ref: 6D251351
lstrlenW.KERNEL32(00000000,00000000,?,?,?,6D251E4C,00000004,00000800,00000000), ref: 6D2513C0
GlobalFree.KERNEL32(00000000), ref: 6D2513E9

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Globallstrlen$AllocAlphaCharFreeNumeric
String ID:
API String ID: 2254421552-0
Opcode ID: c3f156a36fcfc6f27d92f088e8d1092316c9dc8e1fdb1479edbade9db3f501d5
Instruction ID: 7434cc4bec9568e461bcaced9be09e239776a5ba7421fde91880a4a58813e2ed
Opcode Fuzzy Hash: c3f156a36fcfc6f27d92f088e8d1092316c9dc8e1fdb1479edbade9db3f501d5
Instruction Fuzzy Hash: 5431F07659062BF7DB111F58C898F7B37B8EF0AB52B100042F900DA654E374C9A1C7A1

Function 6D251C1C Relevance: 7.6, APIs: 5, Instructions: 87fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000,00000000,00000000,?,?,6D253F05,?,00000000,?), ref: 6D251C6D
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 6D251C91
GetLastError.KERNEL32(?,?,6D253F05,?,00000000,?,00000000,00000000,00000000), ref: 6D251C99
GlobalFree.KERNEL32(00000000), ref: 6D251CCF
SetLastError.KERNEL32(00000000,6D253F05,?,00000000,?,00000000,00000000,00000000), ref: 6D251CD8

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileFreeGlobalHandle
String ID:
API String ID: 653717721-0
Opcode ID: ae71867bc05c57d06c9a49d635404c172d227c16b90cf5e2cb8b01f795c453b3
Instruction ID: 6d5e5a71f0555792cf730df89e2d999ca6078e945c37fb07a48a4e0506625fd1
Opcode Fuzzy Hash: ae71867bc05c57d06c9a49d635404c172d227c16b90cf5e2cb8b01f795c453b3
Instruction Fuzzy Hash: BB2181B295021DFFDB019F60CC48EAF37BCEF49366B118125F91597140E732DEA08AA1

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 8cb330a57336db5e00a931244e28e0c1e8cbbd051d222c2bd1499622aecedac4
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 8cb330a57336db5e00a931244e28e0c1e8cbbd051d222c2bd1499622aecedac4
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Function 6D252A75 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,,`%m,00000000,00000000,00000000,?,?,6D252E0D,6D25602C,00000000,00000000), ref: 6D252AA9
GlobalFree.KERNEL32(00000000), ref: 6D252ADA
GlobalFree.KERNEL32(?), ref: 6D252AE1
GlobalFree.KERNEL32(?), ref: 6D252AE4

Strings

,`%m, xrefs: 6D252A95, 6D252AA3

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: FreeGlobal$lstrcmpi
String ID: ,`%m
API String ID: 2789208084-1485294008
Opcode ID: 2a22059dca700dbea4d06f2e036b5bed7dcaab1a62217ee8a9ffe50f9859177f
Instruction ID: 11376a779e5c255fecc5c6ce790e0fc748a96ed81acc94586e82efec4c74aca6
Opcode Fuzzy Hash: 2a22059dca700dbea4d06f2e036b5bed7dcaab1a62217ee8a9ffe50f9859177f
Instruction Fuzzy Hash: AC118B75A4161AAFDB21CF58C880E6AB7A8FF48651B1081A9EC5497340D772ED20CBD0

Function 6D2549E9 Relevance: 7.5, APIs: 5, Instructions: 45filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,00000000), ref: 6D254A00
WriteFile.KERNEL32(00000000,?,00000000), ref: 6D254A0F
lstrlenW.KERNEL32(?,00000000), ref: 6D254A1A
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 6D254A4A
GlobalFree.KERNEL32(00000000), ref: 6D254A51

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: FileWritelstrlen$FreeGlobal
String ID:
API String ID: 3525607692-0
Opcode ID: eacbf8cbe09c20b6e3382017ac1de94607868638f171a85044a8fdfc919016fb
Instruction ID: 341ae32046c789bc363bf507a01475f35d123eeb0a36d7a58b324a333f00bcf0
Opcode Fuzzy Hash: eacbf8cbe09c20b6e3382017ac1de94607868638f171a85044a8fdfc919016fb
Instruction Fuzzy Hash: 4B010431450219AFDF129F50CC09FBB7BB8EF09215F044265B92AA6110D7B1AE21CBD4

Function 6D2616BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6D2622D8,?,00000808), ref: 6D2616D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6D2622D8,?,00000808), ref: 6D2616DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6D2622D8,?,00000808), ref: 6D2616F0
GetProcAddress.KERNEL32(6D2622D8,00000000), ref: 6D2616F7
GlobalFree.KERNEL32(00000000), ref: 6D261700

Memory Dump Source

Source File: 00000000.00000002.2706727938.000000006D261000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D260000, based on PE: true

Associated: 00000000.00000002.2706709486.000000006D260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706745853.000000006D264000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2706765225.000000006D266000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d260000_Setup.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: e36efe3de0741732a314946bac6899e048a8ab7e692f118329ea40eecbce6b23
Instruction ID: 0876efe84958c547e88e649ff0d28629a694d6fb7672c5aee27535e5394b108f
Opcode Fuzzy Hash: e36efe3de0741732a314946bac6899e048a8ab7e692f118329ea40eecbce6b23
Instruction Fuzzy Hash: 3DF0127210A2787BDA2016E6CC4CDAB7EACDF8F2F9B114211F65892190C6615C02D7F1

Function 6D253F72 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 31stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,JSON,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 6D253F9D
lstrcmpiW.KERNEL32(00000000,Raw,?,?,00000000,?,?,?,?,?,?,00000000,?,?,00000000), ref: 6D253FB0

Strings

DataType, xrefs: 6D253F7D
JSON, xrefs: 6D253F97
Raw, xrefs: 6D253FAA

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrcmpi
String ID: DataType$JSON$Raw
API String ID: 1586166983-3390691770
Opcode ID: ed880dd92a44dcba6e55dabc5451d40a6ee107b27d57ab1363a3a24e30e744dc
Instruction ID: 9a21f2758ef41a5f6f702fb8416ce5316e90c22bd1707104909d217b878af73c
Opcode Fuzzy Hash: ed880dd92a44dcba6e55dabc5451d40a6ee107b27d57ab1363a3a24e30e744dc
Instruction Fuzzy Hash: 00E026325EC11E3BCA112F34AC0AF7B3FAC9F43179B248320F90AE5186E719A4B150D8

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: f5c410226751388561f0977026f7bc113d9509f0ffdd9d2834ff72966f8c02b6
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: f5c410226751388561f0977026f7bc113d9509f0ffdd9d2834ff72966f8c02b6
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Function 00405F14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14
4Wu, xrefs: 00405F16

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Wu$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3057243036
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Function 6FD9148C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 6FD913D2: GetPropW.USER32(?,NSIS: nsControl pointer property), ref: 6FD913DB

LoadCursorW.USER32(00000000,00007F89), ref: 6FD914A8
SetCursor.USER32(00000000,?,?,?), ref: 6FD914AF
CallWindowProcW.USER32(?,?,00000020,?,?), ref: 6FD914CC

Strings

, xrefs: 6FD9149B

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: Cursor$CallLoadProcPropWindow
String ID:
API String ID: 1635134901-3916222277
Opcode ID: 61045b297c6eada24e58779f985d130eb432401216a57dfdab0b629fa06892fb
Instruction ID: 8600d0ec357cf8358bd66684de44bb52ab608fb6cd588dd545f4768b76c93c39
Opcode Fuzzy Hash: 61045b297c6eada24e58779f985d130eb432401216a57dfdab0b629fa06892fb
Instruction Fuzzy Hash: FCE0C936144209FBEF415FE2CD0599A3B6DAF09361F048520FA1D88060C776B470AB61

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Function 6D251FF4 Relevance: 6.4, APIs: 5, Instructions: 147stringCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6D252029

Part of subcall function 6D251558: GlobalFree.KERNEL32(?), ref: 6D2515B5
Part of subcall function 6D251558: GlobalFree.KERNEL32(?), ref: 6D2515C9
Part of subcall function 6D251558: GlobalFree.KERNEL32(00000000), ref: 6D2515E0

lstrlenA.KERNEL32(00000000,00000000,00000000,7556F360,?,6D254658), ref: 6D25205F
GlobalFree.KERNEL32(?), ref: 6D2520D2
GlobalFree.KERNEL32(00000000), ref: 6D2520F1
GlobalFree.KERNEL32(00000000), ref: 6D252152

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: FreeGlobal$lstrlen
String ID:
API String ID: 3041391548-0
Opcode ID: c6c7dd54a211f58adc4b78ec04c304f9a1288711da1b91f361660e826e8b6ef2
Instruction ID: ea52fa26f5ed0dce90697666b173cf965dc991204efbc095867bcc656bffc653
Opcode Fuzzy Hash: c6c7dd54a211f58adc4b78ec04c304f9a1288711da1b91f361660e826e8b6ef2
Instruction Fuzzy Hash: B2516EB119464FDFD7228F18C884E27B7E8FF56365721C62DE6A986290D731E8A1CF40

Function 6D252B39 Relevance: 6.3, APIs: 5, Instructions: 52stringmemoryCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,?,6D2541D0,00000000,?,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000), ref: 6D252B59
GlobalAlloc.KERNEL32(00000040,0000000C,00000000,?,6D2541D0,00000000,?,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D252B7A
lstrlenW.KERNEL32(00000000,?,6D2541D0,00000000,?,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D252B7F
GlobalAlloc.KERNEL32(00000040,00000000,?,6D2541D0,00000000,?,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D252B8F
lstrcpyW.KERNEL32(00000000,00000000,?,6D2541D0,00000000,?,?,00000000,00000000,00000000,?,6D252D8C,00000000,00000000,00000000), ref: 6D252B95

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: AllocGlobal$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3653182775-0
Opcode ID: 3cff5b58c995c0fa3b0d19123bfc7fab737a8fbf8bbb65a374bd3339bd124cbb
Instruction ID: d12b62019fc11b36b716b6f036039904c568bda02eac31a4bdbec760afcbae88
Opcode Fuzzy Hash: 3cff5b58c995c0fa3b0d19123bfc7fab737a8fbf8bbb65a374bd3339bd124cbb
Instruction Fuzzy Hash: 18012DB169021AEFEF218F65C848F6B7BA8FF45795F004465EA089B294D731EC10CBA0

Function 6FD7187E Relevance: 6.1, APIs: 4, Instructions: 117filenetworkCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,6FD79C90,00002000,?,00000000), ref: 6FD718B6
InternetWriteFile.WININET(?,6FD79C90,?,?), ref: 6FD718DC
InternetReadFile.WININET(?,6FD79C90,00002000,?), ref: 6FD7191A
WriteFile.KERNEL32(?,6FD79C90,?,?,00000000), ref: 6FD7199E

Memory Dump Source

Source File: 00000000.00000002.2706805863.000000006FD71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FD70000, based on PE: true

Associated: 00000000.00000002.2706784915.000000006FD70000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706824623.000000006FD77000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706839008.000000006FD78000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2706980410.000000006FD7F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd70000_Setup.jbxd

Similarity

API ID: File$InternetReadWrite
String ID:
API String ID: 1380539803-0
Opcode ID: 5c8b3c6a92ec42cfa0cd3a05b9751aea3b049a5fa8fe768650349534a910d678
Instruction ID: 341193147344d44ea5af592f8b3310c7051849be91a534e31313c4038c5974a4
Opcode Fuzzy Hash: 5c8b3c6a92ec42cfa0cd3a05b9751aea3b049a5fa8fe768650349534a910d678
Instruction Fuzzy Hash: 1341B476600611EFFFA4CF64C5A4EA977F9FB02368B14031AD070AE208DB30B952C791

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiA50F.tmp$C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll
API String ID: 1659193697-345751807
Opcode ID: fbd5ee5e4de60feb08ffa62b35b3018c7a91bb86716aa8782bbd76b946f17d50
Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
Opcode Fuzzy Hash: fbd5ee5e4de60feb08ffa62b35b3018c7a91bb86716aa8782bbd76b946f17d50
Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E

Function 6FD91332 Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(7556F380,?,00000400,00000400,?,7556F380,00000000), ref: 6FD9133E
CharPrevW.USER32(7556F380,00000000,?,7556F380,00000000), ref: 6FD91349
MulDiv.KERNEL32(?,00000000,00000064), ref: 6FD9136D
MapDialogRect.USER32(7556F380,7556F380), ref: 6FD91393

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: CharDialogPrevRectlstrlen
String ID:
API String ID: 3411278111-0
Opcode ID: 0b0bd55b7c6eb183c769a180c5c3b6238a21f68df51d75792ffd92c93231982b
Instruction ID: a5cb56ae12646e0619fe99cfcd452aa20e87ada9a87af27f28bb18924738c206
Opcode Fuzzy Hash: 0b0bd55b7c6eb183c769a180c5c3b6238a21f68df51d75792ffd92c93231982b
Instruction Fuzzy Hash: D5118635D04625EB8B50BFE8C9459DEB7BDEF42710B004619EC2897600D332B910CB94

Function 6D251933 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000200,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,6D2523BE,00000000,?,00000000), ref: 6D25194F
GlobalAlloc.KERNEL32(00000040,00000001,?,6D2523BE,00000000,?,00000000,00000000,?,6D25294A,00000000,6D25510C,00000001,00000000,00000000,00000000), ref: 6D251961
WideCharToMultiByte.KERNEL32(?,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,6D2523BE,00000000,?,00000000,00000000,?,6D25294A), ref: 6D251980
GlobalFree.KERNEL32(00000000), ref: 6D251991

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AllocFree
String ID:
API String ID: 2244543456-0
Opcode ID: 38d830dc3ec4bf3cb404a0cf83d3675ea212a796fb2cea0f496ef68eb3624d20
Instruction ID: d97d30859f7463f6ae198725e4a99d14c2412c83e704fbbf2f459e080a82f33a
Opcode Fuzzy Hash: 38d830dc3ec4bf3cb404a0cf83d3675ea212a796fb2cea0f496ef68eb3624d20
Instruction Fuzzy Hash: FB01697528461ABBEB120F55CC48FBB7FADFF4A761F000120FA18D9194D771D820CAA0

Function 6FD91407 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?), ref: 6FD91447
DestroyWindow.USER32 ref: 6FD9145E
GetProcessHeap.KERNEL32(00000000), ref: 6FD9146B
HeapFree.KERNEL32(00000000), ref: 6FD91472

Memory Dump Source

Source File: 00000000.00000002.2707158755.000000006FD91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6FD90000, based on PE: true

Associated: 00000000.00000002.2707011598.000000006FD90000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707198671.000000006FD93000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707227440.000000006FD94000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000000.00000002.2707243260.000000006FD98000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd90000_Setup.jbxd

Similarity

API ID: HeapWindow$CallDestroyFreeProcProcess
String ID:
API String ID: 1278960361-0
Opcode ID: 67f7198970347bc93942e56b67a0885854a708767ab7294ca05c047faf3665af
Instruction ID: b1167bdb57c106c597fcb9458aedfd37e09ab51135ea4f9a9983f9b4d16f60dd
Opcode Fuzzy Hash: 67f7198970347bc93942e56b67a0885854a708767ab7294ca05c047faf3665af
Instruction Fuzzy Hash: 23011E33500604EBEF428FD5C9099DA7B7DFB4B372B084126F65896162D732B471EB90

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Function 6D2519D2 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(00000000,6D2550D0,00000000,h<%m,6D252C02,00000000,00000000,Async,00000000,?,?,?,6D2545D3,6D253C68,?,00000000), ref: 6D2519EB
lstrcmpiW.KERNEL32(00000000,false,?,?,?,6D2545D3,6D253C68,?,00000000,00000000), ref: 6D2519FD

Strings

h<%m, xrefs: 6D2519D2
false, xrefs: 6D2519F5

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrcmplstrcmpi
String ID: false$h<%m
API String ID: 3524194181-1254420435
Opcode ID: a7fd3ae3246e8b9657a14d57646194791cbb78b815b47d86cf556d50e754676c
Instruction ID: e900be89e74ece1d950269899d86cc0910802866d88f99d826e451a01e71f563
Opcode Fuzzy Hash: a7fd3ae3246e8b9657a14d57646194791cbb78b815b47d86cf556d50e754676c
Instruction Fuzzy Hash: 86E0483129065A5BEB235F119C08F7777D89B09657B1089A4A819D5419D722E4A0D6D0

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,get,?,?,00406672,80000002), ref: 00406451
RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,get,get,get,00000000,0042C248), ref: 0040645C

Strings

get, xrefs: 00406412

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseQueryValue
String ID: get
API String ID: 3356406503-4248514160
Opcode ID: a598e195228f1036644e08b1753da052d1713cd74bd9ea8ab147b12b545f69e3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: a598e195228f1036644e08b1753da052d1713cd74bd9ea8ab147b12b545f69e3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Function 6D252536 Relevance: 5.2, APIs: 4, Instructions: 243stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,6D253F05,?,6D253F05,?,00000000,?,00000000,00000000,00000000), ref: 6D252578
lstrlenW.KERNEL32(?,6D253F05,?,00000000,00000000,00000000,?,6D251CC7,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D252642
lstrlenW.KERNEL32(?,6D253F05,?,6D253F05,?,00000000,?,00000000,00000000,00000000), ref: 6D252607

Part of subcall function 6D25229E: GlobalReAlloc.KERNEL32(00000000,?,00000042), ref: 6D2522D4
Part of subcall function 6D25229E: GetLastError.KERNEL32(?,?,6D252754,00000000,00000000,00000000,6D25510C,00000001,6D253F05,?,00000000,00000000,00000000,?,6D251CC7,00000000), ref: 6D2522DE
Part of subcall function 6D25229E: GlobalFree.KERNEL32(00000000), ref: 6D2522EB
Part of subcall function 6D25229E: lstrcpyW.KERNEL32(?,00000000,00000000,00000000,?,?,?,6D252754,00000000,00000000,00000000,6D25510C,00000001,6D253F05,?,00000000), ref: 6D252319

lstrcpyW.KERNEL32(?,6D255110,00000000,00000000,00000000,?,6D251CC7,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D2527AF

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: lstrlen$Globallstrcpy$AllocErrorFreeLast
String ID:
API String ID: 2385761697-0
Opcode ID: 7731bd25b310bf086e50c6c6ad3b65b6b7491b48f52ae66664cba8686b49a6d5
Instruction ID: ba5dba9f2e53ccc155e49391f0b4f0405b1860c7d256f70564d2149b3643d344
Opcode Fuzzy Hash: 7731bd25b310bf086e50c6c6ad3b65b6b7491b48f52ae66664cba8686b49a6d5
Instruction Fuzzy Hash: 0F714DB518010EBFDF228F548C85EBB3B69EF49308F408014FE24AA1A1D736D971DBA1

Function 6D25229E Relevance: 5.1, APIs: 4, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

GlobalReAlloc.KERNEL32(00000000,?,00000042), ref: 6D2522D4
GetLastError.KERNEL32(?,?,6D252754,00000000,00000000,00000000,6D25510C,00000001,6D253F05,?,00000000,00000000,00000000,?,6D251CC7,00000000), ref: 6D2522DE
GlobalFree.KERNEL32(00000000), ref: 6D2522EB
lstrcpyW.KERNEL32(?,00000000,00000000,00000000,?,?,?,6D252754,00000000,00000000,00000000,6D25510C,00000001,6D253F05,?,00000000), ref: 6D252319

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: Global$AllocErrorFreeLastlstrcpy
String ID:
API String ID: 213496960-0
Opcode ID: 227bfb088c4e8522bad8a28c08e5d1ed693349cf48651258480008f91d47f99d
Instruction ID: 22b3235ec26226bda33319020aee91aec18765253dbd0fe22229e89ed7363013
Opcode Fuzzy Hash: 227bfb088c4e8522bad8a28c08e5d1ed693349cf48651258480008f91d47f99d
Instruction Fuzzy Hash: B33139B924020B9FDB25CF19C481E7AB3B5FF49316B60412CED95CB295D730E862CB90

Function 6D2521FB Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000002,00000002,6D2524FE,00000000,00000000,00000000,00000002,7556F360,?,6D2524FE,00000002,00000002), ref: 6D252210
GlobalAlloc.KERNEL32(00000040,?,?,6D2524FE,00000002,00000002), ref: 6D252226
MultiByteToWideChar.KERNEL32(00000000,00000002,00000002,6D2524FE,00000000,00000000,?,?,6D2524FE,00000002,00000002), ref: 6D25223D
GlobalFree.KERNEL32(00000000), ref: 6D25224E

Memory Dump Source

Source File: 00000000.00000002.2706659220.000000006D251000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D250000, based on PE: true

Associated: 00000000.00000002.2706638791.000000006D250000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706678319.000000006D255000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2706692445.000000006D257000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d250000_Setup.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AllocFree
String ID:
API String ID: 2244543456-0
Opcode ID: 982ddda330cf8c1080a9671532cdc9458ec66bca935fe3c76f857ce00656a525
Instruction ID: 122501877938eb5c6169a1c4b064e45a3f6a212ccac14545234ba16f4f11f739
Opcode Fuzzy Hash: 982ddda330cf8c1080a9671532cdc9458ec66bca935fe3c76f857ce00656a525
Instruction Fuzzy Hash: 8DF04F75244625BBEB210F958C4DF6B7BACEF8A755F804110FA09CA194D770C815CAA0

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000000.00000002.2705193029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2705173115.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705241056.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705260088.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2705398530.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\NSISFastLib.dll

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\image.gif

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\inetc.dll

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsiA50F.tmp\nsJSON.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
Setup.exe

Function 6FD710C8 Relevance: 128.4, APIs: 63, Strings: 10, Instructions: 612
networkstringmemoryCOMMON

Function 0040352D Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 450
stringfilecomCOMMON

Function 6FD918C9 Relevance: 56.2, APIs: 21, Strings: 11, Instructions: 215
memoryCOMMON

Function 00405C49 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 6FD7308B Relevance: 61.6, APIs: 28, Strings: 7, Instructions: 376
networkstringfileCOMMON

Function 6FD72530 Relevance: 61.4, APIs: 29, Strings: 6, Instructions: 163
windowtimeCOMMON

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BEC Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Function 6FD71494 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 156
windowtimeCOMMON

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Function 6FD917BE Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82
memoryCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON