Edit tour

Windows Analysis Report
payment receipt copy.bat.exe

Overview

General Information

Sample name:	payment receipt copy.bat.exe
Analysis ID:	1561725
MD5:	1712324115eb0e31f7fa6df81f799315
SHA1:	626fe2da083fd11d95ed4bdcc4e109284d83d4a2
SHA256:	02fe0d6de9551efd2f96b35adcb8c709fa40b9413c0a8183073ad0f6b25564dc
Tags:	batexeRATRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

payment receipt copy.bat.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\payment receipt copy.bat.exe" MD5: 1712324115EB0E31F7FA6DF81F799315)

InstallUtil.exe (PID: 7660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 7868 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ShouldExitCurrentIteration.exe (PID: 7920 cmdline: "C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe" MD5: 1712324115EB0E31F7FA6DF81F799315)

InstallUtil.exe (PID: 8012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["00.dynamic-dns.net:2195:1"], "Assigned name": "2", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-AJ9FFW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x13390:$a1: Remcos restarted by watchdog! 0x138e8:$a3: %02i:%02i:%02i:%03i 0x13c6d:$a4: * Remcos v
00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xacb18:$a1: Remcos restarted by watchdog! 0xad070:$a3: %02i:%02i:%02i:%03i 0xad3f5:$a4: * Remcos v
00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1436101779.0000000005E50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.3879800075.0000000000588000.00000002.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x11e0:$a1: Remcos restarted by watchdog! 0x1738:$a3: %02i:%02i:%02i:%03i 0x1abd:$a4: * Remcos v
00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xaa260:$a1: Remcos restarted by watchdog! 0xaa7b8:$a3: %02i:%02i:%02i:%03i 0xaab3d:$a4: * Remcos v
00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
Process Memory Space: payment receipt copy.bat.exe PID: 7560	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: payment receipt copy.bat.exe PID: 7560	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: payment receipt copy.bat.exe PID: 7560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: payment receipt copy.bat.exe PID: 7560	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2e45e:$a1: Remcos restarted by watchdog! 0x9fa9c:$a1: Remcos restarted by watchdog! 0x2e995:$a3: %02i:%02i:%02i:%03i 0x2ef4e:$a3: %02i:%02i:%02i:%03i 0x9ffd3:$a3: %02i:%02i:%02i:%03i 0xa058c:$a3: %02i:%02i:%02i:%03i 0x2ebb7:$a4: * Remcos v 0xa01f5:$a4: * Remcos v
Process Memory Space: InstallUtil.exe PID: 7660	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 7660	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe56b:$a1: Remcos restarted by watchdog! 0xeaa2:$a3: %02i:%02i:%02i:%03i 0xf05b:$a3: %02i:%02i:%02i:%03i 0xecc4:$a4: * Remcos v
Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x80ae:$a1: Remcos restarted by watchdog! 0x85e5:$a3: %02i:%02i:%02i:%03i 0x8b9e:$a3: %02i:%02i:%02i:%03i 0x8807:$a4: * Remcos v
Process Memory Space: InstallUtil.exe PID: 8012	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 8012	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xef5f:$a1: Remcos restarted by watchdog! 0xf496:$a3: %02i:%02i:%02i:%03i 0xfa4f:$a3: %02i:%02i:%02i:%03i 0xf6b8:$a4: * Remcos v
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.payment receipt copy.bat.exe.5e50000.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
6.2.InstallUtil.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.InstallUtil.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
6.2.InstallUtil.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
6.2.InstallUtil.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
6.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
6.2.InstallUtil.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
6.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.payment receipt copy.bat.exe.3d86138.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.payment receipt copy.bat.exe.3d86138.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
0.2.payment receipt copy.bat.exe.3d86138.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.payment receipt copy.bat.exe.3d86138.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" , ProcessId: 7868, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs" , ProcessId: 7868, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\payment receipt copy.bat.exe, ProcessId: 7560, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: A9 77 79 EE 0C DE 1D 8B 88 8F CE 3D E3 3A 8A 33 E2 38 8D EA 07 4F 91 3C 5B E2 32 B1 10 4F AE F3 E7 CF 8A D3 56 C0 36 F9 BA A8 95 54 7B D8 FE F5 D5 97 D0 28 32 D6 DB 0F 23 0E 33 50 4F B4 2B 67 D0 00 A2 24 6C 97 52 B6 66 3A CD 8A C6 B4 FF 6C C4 59 92 2D 1A 49 34 3B DB E4 70 1C AF 9D C0 D9 00 BC AA C6 37 61 7C F0 B7 68 43 3E 81 3B 72 20 27 98 EF 97 E4 BE 82 DD 47 CA A8 C3 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 7660, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-AJ9FFW\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:02:13.124095+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.8	49705	109.248.151.221	2195	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:02:16.175398+0100	2803304	3	Unknown Traffic	192.168.2.8	49706	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["00.dynamic-dns.net:2195:1"], "Assigned name": "2", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-AJ9FFW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Multi AV Scanner detection for domain / URL

Source: teebro1800.dynamic-dns.net

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Virustotal: Detection: 52%			Perma Link

Multi AV Scanner detection for submitted file

Source: payment receipt copy.bat.exe	Virustotal: Detection: 52%			Perma Link
Source: payment receipt copy.bat.exe	ReversingLabs: Detection: 50%

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8012, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: payment receipt copy.bat.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005515EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		2_2_005515EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		6_2_004315EC

Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_5939897b-8

Source: payment receipt copy.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: payment receipt copy.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: payment receipt copy.bat.exe, 00000000.00000002.1436717336.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: payment receipt copy.bat.exe, 00000000.00000002.1436717336.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0056BA59 FindFirstFileExA,	2_2_0056BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00527848 FindFirstFileW,FindNextFileW,FindClose,	2_2_00527848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0053A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	2_2_0053A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005268CD FindFirstFileW,FindNextFileW,	2_2_005268CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0052AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0052AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0052B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	2_2_0052B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00537AAB FindFirstFileW,	2_2_00537AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005287A0 FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_005287A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_0041A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_0040B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_0040838E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_004087A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	6_2_00407848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004068CD FindFirstFileW,FindNextFileW,	6_2_004068CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044BA59 FindFirstFileExA,	6_2_0044BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00417AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040AC78

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00406D28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49705 -> 109.248.151.221:2195

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 00.dynamic-dns.net

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 109.248.151.221:2195

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: DATACLUBLV DATACLUBLV

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49706 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00544A66 recv,

2_2_00544A66

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: teebro1800.dynamic-dns.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: InstallUtil.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3879800075.0000000000588000.00000002.00000400.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp6
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp634
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpKq
Source: InstallUtil.exe, 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpM
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpkp~
Source: payment receipt copy.bat.exe, 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.00000000039CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: payment receipt copy.bat.exe, 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00529340 SetWindowsHookExA 0000000D,0052932C,00000000

2_2_00529340

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_0052A65A OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0052A65A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00534EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		2_2_00534EC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		6_2_00414EC1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_0052A65A OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0052A65A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00529468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

2_2_00529468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8012, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0053A76C SystemParametersInfoW,		2_2_0053A76C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0041A76C SystemParametersInfoW,		6_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3879800075.0000000000588000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 8012, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: payment receipt copy.bat.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_0053B344 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,

2_2_0053B344

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00534DB0 ExitWindowsEx,LoadLibraryA,GetProcAddress,		2_2_00534DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		6_2_00414DB4

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_00F6CA60	0_2_00F6CA60
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_00F68A10	0_2_00F68A10
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_00F68A01	0_2_00F68A01
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_00F690A0	0_2_00F690A0
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_00F69091	0_2_00F69091
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_00F6DD30	0_2_00F6DD30
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_06740040	0_2_06740040
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_06740007	0_2_06740007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0055D9CC	2_2_0055D9CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00555286	2_2_00555286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005713D4	2_2_005713D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0055DBFB	2_2_0055DBFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00553C0B	2_2_00553C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0057050B	2_2_0057050B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00554D8A	2_2_00554D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0055DE2A	2_2_0055DE2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005516FB	2_2_005516FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0055569E	2_2_0055569E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00563700	2_2_00563700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00545152	2_2_00545152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00545964	2_2_00545964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00544BC3	2_2_00544BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005457FB	2_2_005457FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0053B917	2_2_0053B917
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B98A10	5_2_00B98A10
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B9CA60	5_2_00B9CA60
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B98A01	5_2_00B98A01
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B990A0	5_2_00B990A0
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B99091	5_2_00B99091
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B9DD30	5_2_00B9DD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00425152	6_2_00425152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00435286	6_2_00435286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004513D4	6_2_004513D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0045050B	6_2_0045050B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00436510	6_2_00436510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004316FB	6_2_004316FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0043569E	6_2_0043569E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00443700	6_2_00443700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004257FB	6_2_004257FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004128E3	6_2_004128E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00425964	6_2_00425964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0041B917	6_2_0041B917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0043D9CC	6_2_0043D9CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00435AD3	6_2_00435AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00424BC3	6_2_00424BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0043DBFB	6_2_0043DBFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044ABA9	6_2_0044ABA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00433C0B	6_2_00433C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00434D8A	6_2_00434D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0043DE2A	6_2_0043DE2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0041CEAF	6_2_0041CEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00435F08	6_2_00435F08

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00552B90 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00432525 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00432B90 appears 53 times

Source: payment receipt copy.bat.exe, 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1424433261.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1436717336.0000000005F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGhtlmhevtpb.dll" vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1435835208.0000000005D90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXaunl.exe, vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000000.1413668538.00000000008B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXaunl.exe, vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe, 00000000.00000002.1434705563.00000000058F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGhtlmhevtpb.dll" vs payment receipt copy.bat.exe
Source: payment receipt copy.bat.exe	Binary or memory string: OriginalFilenameXaunl.exe, vs payment receipt copy.bat.exe

Source: payment receipt copy.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3879800075.0000000000588000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 8012, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: payment receipt copy.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ShouldExitCurrentIteration.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/4@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00535C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		2_2_00535C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		6_2_00415C90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_0052E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

2_2_0052E2E7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00539493 FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_00539493

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00538A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,

2_2_00538A00

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-AJ9FFW

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs"

Source: payment receipt copy.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: payment receipt copy.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: payment receipt copy.bat.exe	Virustotal: Detection: 52%
Source: payment receipt copy.bat.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File read: C:\Users\user\Desktop\payment receipt copy.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\payment receipt copy.bat.exe "C:\Users\user\Desktop\payment receipt copy.bat.exe"
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe "C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe"
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe "C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: payment receipt copy.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: payment receipt copy.bat.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: payment receipt copy.bat.exe

Static file information: File size 1265152 > 1048576

Source: payment receipt copy.bat.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x134400

Source: payment receipt copy.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: payment receipt copy.bat.exe, 00000000.00000002.1436717336.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: payment receipt copy.bat.exe, 00000000.00000002.1436717336.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.payment receipt copy.bat.exe.5f70000.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.payment receipt copy.bat.exe.5cf0000.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.payment receipt copy.bat.exe.5cf0000.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.payment receipt copy.bat.exe.5cf0000.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.payment receipt copy.bat.exe.5cf0000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.payment receipt copy.bat.exe.5cf0000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.5e50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1436101779.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00526071 LoadLibraryA,GetProcAddress,

2_2_00526071

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Code function: 0_2_06747108 push edx; ret	0_2_0674710B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005742E6 push ecx; ret	2_2_005742F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00552BD6 push ecx; ret	2_2_00552BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00574C08 push eax; ret	2_2_00574C26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0056B506 push esp; retf	2_2_0056B507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0056AF08 push esp; retf	2_2_0056AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00542764 push esi; ret	2_2_00542766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0053529F pushfd ; retf	2_2_005352A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00534BD5 push edx; retf	2_2_00534BD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00528724 push esi; ret	2_2_00528728
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Code function: 5_2_00B910CD pushfd ; iretd	5_2_00B910D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004000D8 push es; iretd	6_2_004000D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040008C push es; iretd	6_2_0040008D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004542E6 push ecx; ret	6_2_004542F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0045B4FD push esi; ret	6_2_0045B506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00432BD6 push ecx; ret	6_2_00432BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00454C08 push eax; ret	6_2_00454C26

Source: payment receipt copy.bat.exe	Static PE information: section name: .text entropy: 7.8222001465089654
Source: ShouldExitCurrentIteration.exe.0.dr	Static PE information: section name: .text entropy: 7.8222001465089654

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_004063C6 ShellExecuteW,URLDownloadToFileW,

6_2_004063C6

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File created: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Jump to behavior

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00538A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,

2_2_00538A00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00553C0B GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00553C0B

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0052E18D Sleep,ExitProcess,		2_2_0052E18D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040E18D Sleep,ExitProcess,		6_2_0040E18D

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: payment receipt copy.bat.exe, 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		2_2_005386FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		6_2_004186FE

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3286			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6704			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_2-36223

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_2-36226

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API coverage: 6.4 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API coverage: 4.9 %

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe TID: 7600	Thread sleep count: 199 > 30	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe TID: 7652	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7672	Thread sleep count: 3286 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7672	Thread sleep time: -9858000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7672	Thread sleep count: 6704 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7672	Thread sleep time: -20112000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe TID: 7956	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe TID: 7960	Thread sleep count: 197 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe TID: 7960	Thread sleep count: 99 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0056BA59 FindFirstFileExA,	2_2_0056BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00527848 FindFirstFileW,FindNextFileW,FindClose,	2_2_00527848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0053A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	2_2_0053A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005268CD FindFirstFileW,FindNextFileW,	2_2_005268CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0052AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0052AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0052B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	2_2_0052B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00537AAB FindFirstFileW,	2_2_00537AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005287A0 FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_005287A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_0041A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_0040B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_0040838E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_004087A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	6_2_00407848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004068CD FindFirstFileW,FindNextFileW,	6_2_004068CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0044BA59 FindFirstFileExA,	6_2_0044BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00417AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040AC78

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00406D28

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: InstallUtil.exe, 00000002.00000002.3881194573.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3881194573.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

API call chain: ExitProcess graph end node

graph_2-36441

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_005598AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_005598AC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00526071 LoadLibraryA,GetProcAddress,

2_2_00526071

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005607B5 mov eax, dword ptr fs:[00000030h]		2_2_005607B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004407B5 mov eax, dword ptr fs:[00000030h]		6_2_004407B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_0056CD2D GetProcessHeap,

2_2_0056CD2D

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005528FC SetUnhandledExceptionFilter,	2_2_005528FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005598AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_005598AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00552D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00552D5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005527AD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_005527AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_005527AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_005527AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_004327AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004328FC SetUnhandledExceptionFilter,	6_2_004328FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_004398AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00432D5C

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

6_2_00410B5C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_005375E1 mouse_event,

2_2_005375E1

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe "C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager8^
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager)^
Source: InstallUtil.exe, 00000002.00000002.3880864994.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_005529DA cpuid

2_2_005529DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	2_2_0056F17B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	2_2_00565914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	2_2_0056F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	2_2_0056F216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	2_2_0056F4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	2_2_0056F4E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	2_2_00565E1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0056F61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_0056EEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	2_2_0056F723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0056F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoA,	2_2_0052E2BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0044F17B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0044F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0044F216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0044F2A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoA,	6_2_0040E2BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_0044F4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0044F61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_0044F723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0044F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_00445914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_00445E1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_0044EEB8

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Queries volume information: C:\Users\user\Desktop\payment receipt copy.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment receipt copy.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Queries volume information: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00552BEB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_00552BEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_005395F8 GetComputerNameExW,GetUserNameW,

2_2_005395F8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_00566894 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_00566894

Source: C:\Users\user\Desktop\payment receipt copy.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8012, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

6_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		6_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: \key3.db		6_2_0040AA71

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AJ9FFW			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AJ9FFW			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment receipt copy.bat.exe.3d86138.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment receipt copy.bat.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ShouldExitCurrentIteration.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8012, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: cmd.exe

6_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	2 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Windows Service	1 Windows Service	3 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Scheduled Task/Job	22 Process Injection	12 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
payment receipt copy.bat.exe	53%	Virustotal		Browse
payment receipt copy.bat.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealer
payment receipt copy.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealer
C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe	53%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
teebro1800.dynamic-dns.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
00.dynamic-dns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
teebro1800.dynamic-dns.net	109.248.151.221	true	true	8%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
00.dynamic-dns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-neti	payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	payment receipt copy.bat.exe, 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gpkp~	InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.00000000039CB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gp/C	payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3879800075.0000000000588000.00000002.00000400.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://geoplugin.net/json.gp634	InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gpM	InstallUtil.exe, 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	payment receipt copy.bat.exe, 00000000.00000002.1433294002.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, payment receipt copy.bat.exe, 00000000.00000002.1435504850.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://geoplugin.net/json.gp6	InstallUtil.exe, 00000002.00000002.3880864994.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	payment receipt copy.bat.exe, 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, ShouldExitCurrentIteration.exe, 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gpKq	InstallUtil.exe, 00000002.00000002.3880864994.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false
109.248.151.221	teebro1800.dynamic-dns.net	Russian Federation		52048	DATACLUBLV	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561725
Start date and time:	2024-11-24 08:01:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	payment receipt copy.bat.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@8/4@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 99 Number of non-executed functions: 329
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ShouldExitCurrentIteration.exe, PID 7920 because it is empty
Execution Graph export aborted for target payment receipt copy.bat.exe, PID 7560 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:02:46	API Interceptor	4439003x Sleep call for process: InstallUtil.exe modified
08:02:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	018292540-LetterReguranPPI-20230814215304.PDF.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	800399031-18.11.2024.pdf.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Purchase Inquiry_002.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	APPENDIX FORM_N#U00b045013-20241120.com.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	wE1inOhJA5.msi	Get hash	malicious	Remcos, RHADAMANTHYS	Browse	geoplugin.net/json.gp
	ORDER AND SPECIFICATIONS.scr.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
109.248.151.221	product sample requirement.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
teebro1800.dynamic-dns.net	product sample requirement.exe	Get hash	malicious	XWorm	Browse	109.248.151.221
	z1ProductSampleRequirement.exe	Get hash	malicious	Remcos	Browse	51.75.166.98
	HSBC Payment Swift Copy.exe	Get hash	malicious	Remcos	Browse	140.228.29.6
geoplugin.net	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	018292540-LetterReguranPPI-20230814215304.PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	800399031-18.11.2024.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Purchase Inquiry_002.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	APPENDIX FORM_N#U00b045013-20241120.com.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	wE1inOhJA5.msi	Get hash	malicious	Remcos, RHADAMANTHYS	Browse	178.237.33.50
	ORDER AND SPECIFICATIONS.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUBLV	product sample requirement.exe	Get hash	malicious	XWorm	Browse	109.248.151.221
	COTIZACIONSyCONSULTA#46789NOV24.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	46.183.220.125
	Finvasken.exe	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.196
	Finvasken.exe	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.196
	USD Payment Receipt 12112024.exe	Get hash	malicious	NoCry, XWorm	Browse	109.248.151.21
	86#U041b.exe	Get hash	malicious	XWorm	Browse	84.38.130.134
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	109.248.150.169
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	109.248.150.169
	iENcsTur6E.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	109.248.150.169
	6ehOuQ8ifL.exe	Get hash	malicious	AgentTesla	Browse	109.248.150.169
ATOM86-ASATOM86NL	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	018292540-LetterReguranPPI-20230814215304.PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	800399031-18.11.2024.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Purchase Inquiry_002.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	APPENDIX FORM_N#U00b045013-20241120.com.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	wE1inOhJA5.msi	Get hash	malicious	Remcos, RHADAMANTHYS	Browse	178.237.33.50
	ORDER AND SPECIFICATIONS.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.015105568788186
Encrypted:	false
SSDEEP:	12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	8937B63DC0B37E949F38E7874886D999
SHA1:	62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
SHA-256:	AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
SHA-512:	077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

Download File

Process:	C:\Users\user\Desktop\payment receipt copy.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	102
Entropy (8bit):	4.751801970596245
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoCHyg4EaKC5FQnXOwAIDNHHHn:FER/lFHICHhJaZ5gOwBR
MD5:	5A10E60B725ED03BC823E9AC1E47C6A5
SHA1:	EC9D39C541A5F90CBB87837FBC8CFBC3A2742097
SHA-256:	61278A2BD88861043C20FFB77A0066D2D98DF8851556DED5D5F60972EB97CF2C
SHA-512:	1769684B44C6EA5EB64AFDCF8EC4F2D236FE604CE6BF589EB29E7FAF1FCC5D6EF366AEDEF43D9D254DBA7FEA8B25EFF4837E2AE7CD21C84D0E035431B30B4894
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe"""

C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe

Download File

Process:	C:\Users\user\Desktop\payment receipt copy.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1265152
Entropy (8bit):	7.81943826484351
Encrypted:	false
SSDEEP:	24576:lY2YACYOYGYAAYAtY0YHYAkYAtYJYAAYoYA2YnYAqYDYAH46OwoZav/pV8ymXRuX:xLoiVVAREJTXAMQCtMUdRQ9G
MD5:	1712324115EB0E31F7FA6DF81F799315
SHA1:	626FE2DA083FD11D95ED4BDCC4E109284D83D4A2
SHA-256:	02FE0D6DE9551EFD2F96B35ADCB8C709FA40B9413C0A8183073AD0F6B25564DC
SHA-512:	6B2BB24636A5ACE2BDC16F081C9AE839623DFF197BFFA54CBDC6B42F16626C8DC5A1F6673606A4B0144AF84F32B15049037801E30309B1E01DA3C0B60C26FF4D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?g.................D...........b... ........@.. ....................................`.................................`b..K.................................................................................... ............... ..H............text....B... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B.................b......H.......................................................................?.C.:....g\|........>~.g?..!.....t}....]...W........>6#S....>.....`T?.(.>_'.>.......&!?.V!......>&..^..f.....O.n?T.>b,.>.......xcm?>.........7.._...h".......{..7?..&.......w..9..8f........f?.Q.>........+.d?Y.............<.'....?......r?a.G..`}>....*..>..N.G......r6a?.?.>.Y.>....z..?AH2?...>....-'....\|..Yk.....g....8..7.O?.........:u>..A.....,J.>..I...n.....q.Z...a..l......PY?6..>+l.....H...../.

C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\payment receipt copy.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.81943826484351
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	payment receipt copy.bat.exe
File size:	1'265'152 bytes
MD5:	1712324115eb0e31f7fa6df81f799315
SHA1:	626fe2da083fd11d95ed4bdcc4e109284d83d4a2
SHA256:	02fe0d6de9551efd2f96b35adcb8c709fa40b9413c0a8183073ad0f6b25564dc
SHA512:	6b2bb24636a5ace2bdc16f081c9ae839623dff197bffa54cbdc6b42f16626c8dc5a1f6673606a4b0144af84f32b15049037801e30309b1e01da3c0b60c26ff4d
SSDEEP:	24576:lY2YACYOYGYAAYAtY0YHYAkYAtYJYAAYoYA2YnYAqYDYAH46OwoZav/pV8ymXRuX:xLoiVVAREJTXAMQCtMUdRQ9G
TLSH:	DE45F1D02E851416E3FDC8B7E4F7BC286166E85D489366AB588CF094DFE4B4F340B299
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?g.................D...........b... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5362ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F141C [Thu Nov 21 11:06:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x136260	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1342b4	0x134400	1f8884d7d52176fa0cb376aa3dc71d0e	False	0.8442188767234388	data	7.8222001465089654	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x138000	0x586	0x600	ee2bfab5deaf3bda771a365d1c43905b	False	0.4140625	data	4.022499156998603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13a000	0xc	0x200	606bd7836d8a96d6510e33636b6afe8a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1380a0	0x2fc	data			0.43717277486910994
RT_MANIFEST	0x13839c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-24T08:02:13.124095+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.8	49705	109.248.151.221	2195	TCP
2024-11-24T08:02:16.175398+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49706	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:02:11.632244110 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:11.751921892 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:11.752019882 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:11.765058041 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:11.884646893 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:13.072387934 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:13.124094963 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:13.305160046 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:13.309962988 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:13.429514885 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:13.429603100 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:13.549218893 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:13.996498108 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:13.997853994 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:14.117407084 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:14.191354036 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:14.233473063 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:14.813812017 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:02:14.933360100 CET	80	49706	178.237.33.50	192.168.2.8
Nov 24, 2024 08:02:14.933445930 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:02:14.933628082 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:02:15.053406954 CET	80	49706	178.237.33.50	192.168.2.8
Nov 24, 2024 08:02:16.173326015 CET	80	49706	178.237.33.50	192.168.2.8
Nov 24, 2024 08:02:16.175398111 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:02:16.322777033 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:16.442265987 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:17.172424078 CET	80	49706	178.237.33.50	192.168.2.8
Nov 24, 2024 08:02:17.172501087 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:02:44.248509884 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:02:44.250123024 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:02:44.369796991 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:03:14.538542032 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:03:14.540806055 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:03:14.660439968 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:03:44.798971891 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:03:44.805666924 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:03:44.925256968 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:04:04.671288967 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:04.983588934 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:05.592972994 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:06.796111107 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:09.202341080 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:14.014854908 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:15.038851976 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:04:15.040534019 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:04:15.160032034 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:04:23.624324083 CET	49706	80	192.168.2.8	178.237.33.50
Nov 24, 2024 08:04:45.237579107 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:04:45.239146948 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:04:45.358870983 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:05:15.470273018 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:05:15.472261906 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:05:15.591876030 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:05:45.684072018 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:05:45.733716011 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:05:45.753684998 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:05:45.873251915 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:06:15.950174093 CET	2195	49705	109.248.151.221	192.168.2.8
Nov 24, 2024 08:06:15.951873064 CET	49705	2195	192.168.2.8	109.248.151.221
Nov 24, 2024 08:06:16.071310997 CET	2195	49705	109.248.151.221	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:02:10.915482044 CET	64674	53	192.168.2.8	1.1.1.1
Nov 24, 2024 08:02:11.628302097 CET	53	64674	1.1.1.1	192.168.2.8
Nov 24, 2024 08:02:14.669306040 CET	61034	53	192.168.2.8	1.1.1.1
Nov 24, 2024 08:02:14.810244083 CET	53	61034	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:02:10.915482044 CET	192.168.2.8	1.1.1.1	0x99d8	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:02:14.669306040 CET	192.168.2.8	1.1.1.1	0x7c9d	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:02:11.628302097 CET	1.1.1.1	192.168.2.8	0x99d8	No error (0)	teebro1800.dynamic-dns.net		109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:02:14.810244083 CET	1.1.1.1	192.168.2.8	0x7c9d	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	178.237.33.50	80	7660	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:02:14.933628082 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Nov 24, 2024 08:02:16.173326015 CET	1170	IN	HTTP/1.1 200 OK date: Sun, 24 Nov 2024 07:02:15 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	02:02:09
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\payment receipt copy.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\payment receipt copy.bat.exe"
Imagebase:	0x780000
File size:	1'265'152 bytes
MD5 hash:	1712324115EB0E31F7FA6DF81F799315
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1433294002.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1436101779.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1425125548.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1433294002.0000000003E1B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:02:09
Start date:	24/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x150000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3880640441.000000000068A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3879800075.0000000000588000.00000002.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:02:22
Start date:	24/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs"
Imagebase:	0x7ff6c0ff0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:02:22
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe"
Imagebase:	0x440000
File size:	1'265'152 bytes
MD5 hash:	1712324115EB0E31F7FA6DF81F799315
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1575370047.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1563793582.0000000002941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:02:23
Start date:	24/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xfc0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1562100020.000000000154A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00F6CA60 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a979e8ea6ee20cd0b4635a2dcffb4b97bc070f1d84ac4ccc8765cd3987dbe27b
Instruction ID: 3035519f059006007647c9ee1238e8f30f855ab26e1c9439334fc79aa641f5c0
Opcode Fuzzy Hash: a979e8ea6ee20cd0b4635a2dcffb4b97bc070f1d84ac4ccc8765cd3987dbe27b
Instruction Fuzzy Hash: F5A2A275E00228DFDB64CF69C984A99BBB2FF89304F1581E9D509AB325DB319E81DF40

Function 00F68A01 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a44a5b2e0698457fec4204fbc7c855fd7952569c80d5ebb1b4e716b30b58657
Instruction ID: 1a23747c93bba0520fdbc4c0f76b993c45f66f5bb30e3169b588f970d301310c
Opcode Fuzzy Hash: 5a44a5b2e0698457fec4204fbc7c855fd7952569c80d5ebb1b4e716b30b58657
Instruction Fuzzy Hash: 21711875A006098FD748EFBFE95169ABBF3BBC9300F14C12AD004AB379EB7159068B51

Function 00F68A10 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea702edf687a7aa03c55cddbe13b835b682563cd6d2eaf2a341884d1851b1e1e
Instruction ID: 97b190e15764e2702b9a3f62ee13a50031d69a3efc3853d6e02370986a239077
Opcode Fuzzy Hash: ea702edf687a7aa03c55cddbe13b835b682563cd6d2eaf2a341884d1851b1e1e
Instruction Fuzzy Hash: 07710875A006098FD748EFBFE95069ABBF2BBC9300F14C12AD004AB379EB7559068B41

Function 00F60870 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Q, xrefs: 00F60884

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-1825433241
Opcode ID: 5e87276d702cff3336c8ebf1c9ab4154767e5003eb7f7486ee39b9ba62975811
Instruction ID: f97f141c684698d3a53a6ba3c4a85dca9e602629558764c750aa8caa4528a7f6
Opcode Fuzzy Hash: 5e87276d702cff3336c8ebf1c9ab4154767e5003eb7f7486ee39b9ba62975811
Instruction Fuzzy Hash: 10112934E042058FCB44DF79C885A6EBBF1EF45304F2585AAE515DB3A2D734D8458B90

Function 00F6091B Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

hB, xrefs: 00F6097E

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID: hB
API String ID: 0-709800444
Opcode ID: ad4757afc9cf8c8ec76ba7e9211bb7bd4f0db1bda3a689991f5a778cc0f88792
Instruction ID: 4981bf61849474d28fd32976acd499afccc3b54847fb01742b357de3af82f853
Opcode Fuzzy Hash: ad4757afc9cf8c8ec76ba7e9211bb7bd4f0db1bda3a689991f5a778cc0f88792
Instruction Fuzzy Hash: 9DF08C32E1070A8BDB04DBA5DC404EEFB72EFCA721F155612D51537294EBB0229ACBA1

Function 00F687CD Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af1307535868ff2e5819f89011cda62fdccb9a46b92d8e7c8aecc771781fd87
Instruction ID: 9e93637f4b9ae4216bafade69804e90fb1c8b7aa3bf89907749ac6a3340afc0b
Opcode Fuzzy Hash: 0af1307535868ff2e5819f89011cda62fdccb9a46b92d8e7c8aecc771781fd87
Instruction Fuzzy Hash: ED61F47590E3849FD7028F78C4A53A97FB0AF57350F5942DBC0809B2A3DB34994ADB22

Function 00F60B28 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980b79af849abc6e76a2d4d269f29e8bd00f0a58b7efa58e8ee5593e4ca6dd24
Instruction ID: aaff3e40713d4cb4f1f1384c7a201028f7716d643c020106d321eb25688b4d71
Opcode Fuzzy Hash: 980b79af849abc6e76a2d4d269f29e8bd00f0a58b7efa58e8ee5593e4ca6dd24
Instruction Fuzzy Hash: 9C215C31B002189FDB14DB69C840A9FFBF6EFC9760B24C16AE846A7315DB30AD449B90

Function 00F68CB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cdbfc1afe0d04accd6b3ed26c8e670e720475e1d344c0258b8b14a9a25a521
Instruction ID: c0f0960229aab2ef821a64ea299085f125866be1532edef1a9a53e7e4f468f1d
Opcode Fuzzy Hash: 72cdbfc1afe0d04accd6b3ed26c8e670e720475e1d344c0258b8b14a9a25a521
Instruction Fuzzy Hash: 813148B5D00209DFDB04DFA9C484A9EBBF1FF48350F2485A9D405E7260EB749A45DF60

Function 00F60C51 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddc057bb621f21ad1022521d9fbfb84f24e5a9279aaf771cfb565bba5e74b19
Instruction ID: a54a0eed7c9a15c4e983ab6199dadac77cd0941ada2baee0b8d64c4b2598ad53
Opcode Fuzzy Hash: cddc057bb621f21ad1022521d9fbfb84f24e5a9279aaf771cfb565bba5e74b19
Instruction Fuzzy Hash: FD314B70E006198FCB54DFA9D584AEDBBF1FF48320F558169E819AB251DB34AC81DFA0

Function 00F68CC8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634a25a36f3def991eb9ccfcdc110c4b80b4cce4ddba169b292e6dcf850a6bf0
Instruction ID: d57116e142f54c9b53e06cfbaa9e1dab9f43875a2f2305d6381e794224eb2968
Opcode Fuzzy Hash: 634a25a36f3def991eb9ccfcdc110c4b80b4cce4ddba169b292e6dcf850a6bf0
Instruction Fuzzy Hash: F73156B4D00209CFDB04DFA9C484AAEBBF1FF89350F2485A9D405E7260EB709A46DF60

Function 00F60C60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d169d8f65c4cdf84811c178d6aab52f979d40c828198fad4e9089e68ae1f790
Instruction ID: 2821dfd9f1a8911c60a21d47ae99666a3c701141a472c1e4d6006bcc05e1b183
Opcode Fuzzy Hash: 7d169d8f65c4cdf84811c178d6aab52f979d40c828198fad4e9089e68ae1f790
Instruction Fuzzy Hash: BD314D70E00619CFCB14DBA9D544AADBBF1FF48324F658169D419BB251DB30AC41DBA4

Function 00E9D048 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424166462.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005fd45aebbe54f216b705a476412940db2e9d8300b4aa8d34892157724950fc
Instruction ID: 0b32837c60757462cc0f063aff1a97a17dda6ca6940762b4a5e44339aa5bb72c
Opcode Fuzzy Hash: 005fd45aebbe54f216b705a476412940db2e9d8300b4aa8d34892157724950fc
Instruction Fuzzy Hash: 1521F5B2508344DFDF14DF14DDC0B26BB66FB84718F24C569E9096B246C336D846CBA2

Function 00F688D0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9931d045e4f8444528822d17adcbca224d0aad50c80bf3e2e7575606ab76e4e8
Instruction ID: 435d956da941e24c43bc72d3c2d7049c8ac357360cbdd3bc6051bb9c84cfa801
Opcode Fuzzy Hash: 9931d045e4f8444528822d17adcbca224d0aad50c80bf3e2e7575606ab76e4e8
Instruction Fuzzy Hash: 6F3129B4D05208DFDB44DFA8C0497ADBBF1EB49754F2082A9D415B3344DB748A89EF12

Function 00F60A23 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa6b500a2a65b0b911133ee702ae26d13580addb09422cebe6ca1c6e48f1ae4
Instruction ID: ef024085518be2b1832cd819ed226ce897c2a847fa57f12615a38999eb70d0c7
Opcode Fuzzy Hash: baa6b500a2a65b0b911133ee702ae26d13580addb09422cebe6ca1c6e48f1ae4
Instruction Fuzzy Hash: 8B21B072A007558FDF25CF79C804A9EBBF1FF88350B204A6EE496E7291DB349844CB60

Function 00F6DC40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ac4aa890fba1a4aae527fc7601650717a527e196c54dbd5b1640fcbd7eb96e
Instruction ID: 9d24b054cec76def6a699a8bea168f2b79287e6ca9b70c26376c9d93dab012d9
Opcode Fuzzy Hash: 19ac4aa890fba1a4aae527fc7601650717a527e196c54dbd5b1640fcbd7eb96e
Instruction Fuzzy Hash: CF11F975E0421DDBDB04CF9AC4446EEBBF5FB8D311F14802AD515B3210D7B45A45DBA0

Function 00E9D043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424166462.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction ID: 07f1840794e9f05b02d1b5a27c97b6c4c587c50c9ff8b0b9b68340748bc5278d
Opcode Fuzzy Hash: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction Fuzzy Hash: CB11E276508284DFCF15CF10D9C4B16BF72FB84318F24C2A9D8095B656C33AD85ACBA2

Function 0675F000 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7938db883fa7efc546bdc471e9f7befe5bbcd62bd69d11a991500718c94adcfe
Instruction ID: c30552ceb8a3b9c3f13385f1a0eb6189cf3584c38f17fe5b48daee442adc894c
Opcode Fuzzy Hash: 7938db883fa7efc546bdc471e9f7befe5bbcd62bd69d11a991500718c94adcfe
Instruction Fuzzy Hash: B811A5B4E002099FDB48DFA9D8457AFBBF1FF88300F50846A9418A7350DA755A419F91

Function 00E7D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424078020.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60397c1e3a989aa8a36fa9f0ce867283d020ad80afcaaa2ccdbc3074a46b32d0
Instruction ID: 54e6368627096775a733b0f729191d2bc12c737a1357f827765ec35171aef817
Opcode Fuzzy Hash: 60397c1e3a989aa8a36fa9f0ce867283d020ad80afcaaa2ccdbc3074a46b32d0
Instruction Fuzzy Hash: 0F01296100E3C09ED7128B258C94B52BFB49F53224F19C1DBD8889F1A3C2695848CB72

Function 00E7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424078020.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfe986aa415084a8c8a06282961c36c96b8c1294de9d461235803d4d73a33d1
Instruction ID: 2e08cea637614a967fe7d8f5cf28093974634fd37fb147dd625ab4cc9d27931a
Opcode Fuzzy Hash: acfe986aa415084a8c8a06282961c36c96b8c1294de9d461235803d4d73a33d1
Instruction Fuzzy Hash: 6101F771408304AAE7204A25DC80B67BFA8EF81764F18E019EC0C6A286C3799801CAB2

Function 00F609A0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff23328997179b85203d72509164a986f21c5a21f50565ffff6c323af8d0caa
Instruction ID: 833d89ac443fb995986f66d9091aac526692eb8d97ed3449808934e9971acc3f
Opcode Fuzzy Hash: 0ff23328997179b85203d72509164a986f21c5a21f50565ffff6c323af8d0caa
Instruction Fuzzy Hash: B6F08232E10209DBDF05DBB4C425AEFBBB69B88700F15852AD413BB380DFB5690697C2

Function 00F6DA38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9363f2c498aa47e5082e761e994151eef4f58725588b1a27621d9785d5a309
Instruction ID: a76e0a0375cf0b33680a49e9472df37583fb53d4e8008592e42dabf8a34ac92e
Opcode Fuzzy Hash: 8b9363f2c498aa47e5082e761e994151eef4f58725588b1a27621d9785d5a309
Instruction Fuzzy Hash: 5AF0A575E08208EFCB84DFA9D840A9DBBF5EB49310F10C0AA9818A3351D6369A55EF40

Function 0675A330 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2d59d88507ff6999ece5b61d995d1ddff15e4547a655d6c7ff5cf312f63eb
Instruction ID: 8f3f1c68f2137784c5f23381cb85e0f30bd51f6a59284befab73f7e88ea21846
Opcode Fuzzy Hash: 05a2d59d88507ff6999ece5b61d995d1ddff15e4547a655d6c7ff5cf312f63eb
Instruction Fuzzy Hash: D2E0C275E04208EFCB84DFA9D845AADBBF8EB49314F14C1EA9C18A3350D6729A51DF80

Function 06744F8F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6985c35d9339b53b5efa87a73716f426d98b57db13ede5c998b71ced4938a0
Instruction ID: 8f9dc881c0ff51674d8ac831d6fc2e5274c52e88fb7e748ca5e444e9ec2e0944
Opcode Fuzzy Hash: 9d6985c35d9339b53b5efa87a73716f426d98b57db13ede5c998b71ced4938a0
Instruction Fuzzy Hash: 1DF01D38A052198FD798EF14D899A5977B1FB89700F1090D8F01DA7384EA34AE848F11

Function 0675D058 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2d59d88507ff6999ece5b61d995d1ddff15e4547a655d6c7ff5cf312f63eb
Instruction ID: 68483e8c24b3da4d08df96bf5f1d61954b6adbe53652eb31f73cfc84f9b2af8e
Opcode Fuzzy Hash: 05a2d59d88507ff6999ece5b61d995d1ddff15e4547a655d6c7ff5cf312f63eb
Instruction Fuzzy Hash: 71E0C974D04208EFCB94DFA9D440AADBBF4EB49310F10C0EA9C18A7350D6719A52DF84

Function 06746110 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d7206409b6996e58cf8a8282daad82e8abe21ef23c57f4daa66098dffeebee
Instruction ID: 0a73f03bd0d62b4f2c7144e0a8631b7be1b63dc519b797d4c99e648289684b77
Opcode Fuzzy Hash: 24d7206409b6996e58cf8a8282daad82e8abe21ef23c57f4daa66098dffeebee
Instruction Fuzzy Hash: C0F06734906219CFCBA0AF64D48C7E877F8AB04344F2040E6E069A7645DBB44AC9CF01

Function 06755980 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2d59d88507ff6999ece5b61d995d1ddff15e4547a655d6c7ff5cf312f63eb
Instruction ID: a9bc04858b05f68ccad18427238f8659db324f62bf18f480dba596656434c85d
Opcode Fuzzy Hash: 05a2d59d88507ff6999ece5b61d995d1ddff15e4547a655d6c7ff5cf312f63eb
Instruction Fuzzy Hash: 6EE0A574D04208AFDB84DFA9D440AADFBB4EB49310F10C0AA9818A3350D6759A51DF85

Function 06759FC0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8d034906b7eda2e8d93a095b2819ffbe289546253176060974f0f1b35ed84f
Instruction ID: 545a1ac6d360a4878833011cd6073e18e4f1bdcdd68b58986ee23e2d07cf943a
Opcode Fuzzy Hash: 6d8d034906b7eda2e8d93a095b2819ffbe289546253176060974f0f1b35ed84f
Instruction Fuzzy Hash: 61E0E574E04208EFCB84DFA9D440AACBBF4EB49304F20C0EA9818A3340D6719A42CF80

Function 0675FEE8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21898a7ac649fc09bfef7647e10a147ad1b42808f798e1eda6f1611dbb8a534f
Instruction ID: f3998eaf160162200ff8fea77977843f1d78d96f2047ff83d48b6f72048d0182
Opcode Fuzzy Hash: 21898a7ac649fc09bfef7647e10a147ad1b42808f798e1eda6f1611dbb8a534f
Instruction Fuzzy Hash: 1AE04F75908208EFC744DF95D84196DBBBCAB46311F14C0EADC4567381C6719A41DF94

Function 06758700 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b78a4c761c555715b42ad138f327d89c160dee4a92cadccdf9c33a1541af278
Instruction ID: d2f3abc0b9553de150792a74a6daba8cc7e863f964e4bd634ed847d5ba310078
Opcode Fuzzy Hash: 9b78a4c761c555715b42ad138f327d89c160dee4a92cadccdf9c33a1541af278
Instruction Fuzzy Hash: 12E01A34E04208EFCB44DFE5D4406ACFBB4EB49204F10C0EA8C1863341C6715A41DF81

Function 0674618A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f874bf95870f5af37f0a2c6c5467605640fc594202bca09bf0c5be508821c12c
Instruction ID: e630a288b077698df94f8191402ffc8d22831af3a5c0dbb66321949d0d227bfc
Opcode Fuzzy Hash: f874bf95870f5af37f0a2c6c5467605640fc594202bca09bf0c5be508821c12c
Instruction Fuzzy Hash: ABF0F274C0226ACFDBA0AF24D88D7D8BBF4BB05358F5140E6D169A6550E7B84AC8CF00

Function 0675B2D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c5a5df518418fab0660166f74dc0000fa741c6e53e0b4f24e005808dcc57ef
Instruction ID: 631ae49b48af37553d9226d816c2599a5a4f4af359ffeb46ab5e68f071cbdba9
Opcode Fuzzy Hash: 61c5a5df518418fab0660166f74dc0000fa741c6e53e0b4f24e005808dcc57ef
Instruction Fuzzy Hash: 90E0127290120CDFD700EBF6D814BAE77F8EB46600F5044EB9545A3150EE755A44AB95

Function 0675DF30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cc639892ecb5d09337173bf417bd489066a7c61492d6134dbc764b96b3acc5
Instruction ID: 8a2e8b9de3805667cb222f0ed732747d8af6fdec150978e920982fa5cdfe239e
Opcode Fuzzy Hash: 49cc639892ecb5d09337173bf417bd489066a7c61492d6134dbc764b96b3acc5
Instruction Fuzzy Hash: E3E08C34D08208DFCB04DB94D84596CBBB8EB86304F2080EA8C1823380C6725E42CF84

Function 00F6CA10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9255d0e62558162e630a35fcf5bcf98343362ea1b81cc645ae74907019bc1c9
Instruction ID: fc258b16bee5ec90f5041bd29336f25f0d29456b50cbd9ef9c158827b20276a5
Opcode Fuzzy Hash: d9255d0e62558162e630a35fcf5bcf98343362ea1b81cc645ae74907019bc1c9
Instruction Fuzzy Hash: 17E0C272900208DFCB00EFF1D808B5EBBF9EB0A301F0044EAD404E3210EE361A04EBA2

Function 06742AD9 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12728a63d3b5f06a87282dbbfeab542c710e13809a5312600cd7300fa80c66a
Instruction ID: bd40c2af9a5e7ad39d8bb0f63ed0b0ced305032c79ee0a0a353980fab68bec5e
Opcode Fuzzy Hash: b12728a63d3b5f06a87282dbbfeab542c710e13809a5312600cd7300fa80c66a
Instruction Fuzzy Hash: 47E0C278A102188FDB69EF18D859A99B7B9BB89300F5050D4F48DA7744DB74AF85CF00

Function 00F68DD1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e603942b8a2bbd1c614ea44ff12cbd7f921d33c2ebac4116f0b16d65c4a3b85a
Instruction ID: bc177e2a7348738c81c0b712ce51a9e43a80db8edc5c0af4d6df7e14f5f78d76
Opcode Fuzzy Hash: e603942b8a2bbd1c614ea44ff12cbd7f921d33c2ebac4116f0b16d65c4a3b85a
Instruction Fuzzy Hash: 3FD022F2C883004FD72023A1A4A9BF67BA49723393F1639EA4C48230C15959089BFE54

Function 0675E2E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557f37f9fb7cfe872919fd3674083ad9c3555c370d661170eb753181db789902
Instruction ID: b9c7c248880ec3ff28cfaf6e36e6df13ef6d7d8fd79a302720a54512c8f14b67
Opcode Fuzzy Hash: 557f37f9fb7cfe872919fd3674083ad9c3555c370d661170eb753181db789902
Instruction Fuzzy Hash: 7BC02B3149AB068FE34497CAA44F73132DCE303346F041CD38D2C114B0C6E000D5CA49

Function 00F6C840 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcefd535c1bcb1c2be97a3845724e4446c6f4dc0200ad6ebf175e8caa7f22da
Instruction ID: 425d5f09e58f467aeb7a1a37b369ce7ee490bf2dd39fd660aa036c02e9b92123
Opcode Fuzzy Hash: bdcefd535c1bcb1c2be97a3845724e4446c6f4dc0200ad6ebf175e8caa7f22da
Instruction Fuzzy Hash: 0EC080314417044BD75437E1AC0D735369CB741366F401056D24C230504E748450EA97

Function 00F60848 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbc3869cfd904205ecce6b76fb99a4e0990454e0a7315d2f4c713b16106b98e
Instruction ID: a61723405375a03a66dcf2aeccb1a068bea791a3e62c7f9b6e7951bc3f053196
Opcode Fuzzy Hash: 3dbc3869cfd904205ecce6b76fb99a4e0990454e0a7315d2f4c713b16106b98e
Instruction Fuzzy Hash: F3A02222B02C003FCF0A33F3202E3AC22A2CBC030038028EFA203FB080CC2008088308

Non-executed Functions

Function 00F6DD30 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

', xrefs: 00F6EC70
U, xrefs: 00F6EC9C

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID: '$U
API String ID: 0-682282410
Opcode ID: 0afdd810691a9d7692f73e4cfb888ded1403da79de4136db34dae63ebe5c5368
Instruction ID: 8246b1b9baf667b207002321879abef219de65836f3b2cb73865fd30a5a6de0b
Opcode Fuzzy Hash: 0afdd810691a9d7692f73e4cfb888ded1403da79de4136db34dae63ebe5c5368
Instruction Fuzzy Hash: 2A318C71E056188BEB58DF6B8C4879EFBF7AFD9300F14C1BA840CA6264DB300A859F51

Function 06740040 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6f66386cf0e6757b66acc9c053122dbc5db3f829bd22289d0488170e7726a4
Instruction ID: c00dd1b344ede8ffba565638e5daa33c58a2cbc9d1c332132d94edf7779967f6
Opcode Fuzzy Hash: cb6f66386cf0e6757b66acc9c053122dbc5db3f829bd22289d0488170e7726a4
Instruction Fuzzy Hash: 80410C75E05619CFEB68DF6AC8486D9B7F6BF89300F10C1EAE40CA7654DB741A858F01

Function 00F690A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6589ee6160bfa139642a440d9c9e174f25afaca3a499c450a6e10c763d6422ad
Instruction ID: 9dc065bb4fc0b308c6d2db41aef574ad2710e72aba0c0e9175496919a723ef72
Opcode Fuzzy Hash: 6589ee6160bfa139642a440d9c9e174f25afaca3a499c450a6e10c763d6422ad
Instruction Fuzzy Hash: E04188B1D05628CBEB28CF5BC94879EFBF6BF85304F14C1AAC40CA6254DBB409859F41

Function 06740007 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437026899.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e3851323ba3764136923d439ea2df96f55bd38bb8a8520b20fb2a264257f11
Instruction ID: e6316c1aed88aae8cf27df0b39cfe0fd14e92609b6095341455e9d989a0b4815
Opcode Fuzzy Hash: e9e3851323ba3764136923d439ea2df96f55bd38bb8a8520b20fb2a264257f11
Instruction Fuzzy Hash: 69313071D057598FE769CF678C08799BBF6AF86300F04C0FAD448AA265EB740A86CF11

Function 00F69091 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424383914.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_payment receipt copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b20ddb1e65d7362be71fb86c98b4cb216765cf4a23479fb6aa6bc4cb2afa3fe
Instruction ID: 8436aa912ecbc2d376e5ab97df4626435bb85a83bc5f54aa2f49539cf69900b1
Opcode Fuzzy Hash: 5b20ddb1e65d7362be71fb86c98b4cb216765cf4a23479fb6aa6bc4cb2afa3fe
Instruction Fuzzy Hash: E53196B1D056188BEB58CF5BCD4878EFBF7AFC9300F14C1AAC408AA264DB751A859F41

Analysis Process: InstallUtil.exePID: 7660, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.7%
Total number of Nodes:	454
Total number of Limit Nodes:	30

Executed Functions

Function 0052E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00531F34: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00531F54
Part of subcall function 00531F34: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,p#h), ref: 00531F72
Part of subcall function 00531F34: RegCloseKey.KERNELBASE(?), ref: 00531F7D

Sleep.KERNELBASE(00000BB8), ref: 0052E243
ExitProcess.KERNEL32 ref: 0052E2B4

Strings

$AX, xrefs: 0052E1C5
pth_unenc, xrefs: 0052E1A3, 0052E1EC, 0052E25B
!Y, xrefs: 0052E19E
p#h, xrefs: 0052E199

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: $AX$p#h$pth_unenc$!Y
API String ID: 2281282204-477810873
Opcode ID: 805c8705422ec2e4702e5751d20160d5dd055ab4d0b0671d6603418712822574
Instruction ID: b4aac2d6f28cafbb46a9c6240773b302528b3c8c4527497166cc1b8c6b8ef8c6
Opcode Fuzzy Hash: 805c8705422ec2e4702e5751d20160d5dd055ab4d0b0671d6603418712822574
Instruction Fuzzy Hash: CE21F370B407126BDA08B6B4AC5FA6F3E89BFE2700F000418F9165B2C6EE618E44C7D6

Function 005515EC Relevance: 4.5, APIs: 3, Instructions: 30
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00551274,00000034), ref: 005515FE
CryptGenRandom.ADVAPI32(?,00000034,?,?,00000000,00000000,00000001,F0000000,?,?,00551274,00000034), ref: 00551614
CryptReleaseContext.ADVAPI32(?,00000000,?,00000034,?,?,00000000,00000000,00000001,F0000000,?,?,00551274,00000034), ref: 00551626

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 009e4a4334d1dc34e6098546b2189652f9c1f720841a5e516953cffec21eb231
Instruction ID: 74002e3d196a36df3aee466146fe08f5dadd9d08ca5f5f07c771c377ddc922c9
Opcode Fuzzy Hash: 009e4a4334d1dc34e6098546b2189652f9c1f720841a5e516953cffec21eb231
Instruction Fuzzy Hash: 5BE0D83530C610BFEB300F21BC1CF173E55FB95762F340A2AF515E80E4E6518888A55C

Function 005395F8 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNELBASE(00000001,?,00000037,00591FFC), ref: 00539615
GetUserNameW.ADVAPI32(?,00000010), ref: 0053962D

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 8413791fdcbf4383635d560466ac68e9deb7b3f9cfa26b7ad8d026a9a4a4ff6a
Instruction ID: 8ec8cb7f652084574985a40f03914761d49c67db57a05d56cb8324d76ce55a07
Opcode Fuzzy Hash: 8413791fdcbf4383635d560466ac68e9deb7b3f9cfa26b7ad8d026a9a4a4ff6a
Instruction Fuzzy Hash: 4801627290012DABCB04EBD0EC49DEEBBBCFF54310F000156F805B2191EE706A89CB94

Function 0052E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,00533F34,00591E78,00592910,00591E78,00000000,00591E78,00000000,00591E78,00584144), ref: 0052E2CF

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d9638abb1d96ca86792c862933346baa71c94953277c7e33a759ef2555e10347
Instruction ID: 00ffd3e7af99d9ecf41514e3ebc518e6ea05743a460339cd3b140389b5c2a4a9
Opcode Fuzzy Hash: d9638abb1d96ca86792c862933346baa71c94953277c7e33a759ef2555e10347
Instruction Fuzzy Hash: 70D05B3074411C7BE51097859C0EEAA7B9CD701751F000155B908D72D0D9E15E0497D1

Function 00544A66 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00544A70

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000542000.00000020.00000400.00020000.00000000.sdmp, Offset: 00542000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_542000_InstallUtil.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 253170a2fdfc18f896b43f039fef7da8083a09db9965728c7cc2e6ff2230416d
Instruction ID: bb12c5e6a0e1b8012d84ecbcf40bf03944dc8226f3ef285d7c67fcd4c57a555a
Opcode Fuzzy Hash: 253170a2fdfc18f896b43f039fef7da8083a09db9965728c7cc2e6ff2230416d
Instruction Fuzzy Hash: 63B092B9109202BF8A060B60EC048AA7EAAEBC8380F008D0CB14A40170C6328494BB21

Function 0052D3F0 Relevance: 46.3, APIs: 8, Strings: 18, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0053A8DA: LoadLibraryA.KERNELBASE(00589920,GetModuleFileNameExA,?,?,?,?,0052D40C), ref: 0053A8EF

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0052D603

Strings

Inj, xrefs: 0052D626, 0052D62C, 0052D641
Access Level: , xrefs: 0052DD3D
!Y, xrefs: 0052D8B6
Remcos, xrefs: 0052D742
Rmc-AJ9FFW, xrefs: 0052D52A, 0052D586, 0052D656
H"Y, xrefs: 0052D904
!Y, xrefs: 0052D8F2
`"Y, xrefs: 0052DCA3
!Y, xrefs: 0052D919
(#Y, xrefs: 0052D596
!Y, xrefs: 0052D8AC
4@X, xrefs: 0052D5A9, 0052DD23, 0052D5B1
p#h, xrefs: 0052D501, 0052D6FC, 0052D923, 0052D9D5, 0052DA27
Software\, xrefs: 0052D4E6
Exe, xrefs: 0052D539
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 0052D68F, 0052D8A7
!Y, xrefs: 0052D9F6
H"Y, xrefs: 0052D9B8

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: LibraryLoadMutexOpen
String ID: (#Y$4@X$Access Level: $C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$Exe$H"Y$H"Y$Inj$Remcos$Rmc-AJ9FFW$Software\$`"Y$p#h$!Y$!Y$!Y$!Y$!Y
API String ID: 553236734-1534493547
Opcode ID: 5c226fcae2d1ee206ddd6a10b3a0da76c5399f999946e308264ff8d6bd5fca4b
Instruction ID: de474080c9b6ff7bb9835b210633d22487b6c35227751e0ae89fdf9a490ab7e3
Opcode Fuzzy Hash: 5c226fcae2d1ee206ddd6a10b3a0da76c5399f999946e308264ff8d6bd5fca4b
Instruction Fuzzy Hash: F822F660B04A722BDB2577707C2FA3F2E99BFE3700F010829B9529B2D2DE648D458375

Function 00533980 Relevance: 28.8, APIs: 5, Strings: 11, Instructions: 785
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 005339D1
WSAGetLastError.WS2_32(00000000,00000001), ref: 00533BE2
Sleep.KERNEL32(00000000), ref: 005344C7

Part of subcall function 005394DA: GetLocalTime.KERNEL32(00000000), ref: 005394F4

Strings

Exe, xrefs: 00533E37
H"Y, xrefs: 00533D96
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 00533E16
Connection Error: , xrefs: 00533BF5
Connected | , xrefs: 00533CA4
Rmc-AJ9FFW, xrefs: 00533E6E
`"Y, xrefs: 00533F36
P0X, xrefs: 00533A15
Connecting | , xrefs: 00533B5E
!Y, xrefs: 00533E30
p#h, xrefs: 00533DB6

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$Connected | $Connecting | $Connection Error: $Exe$H"Y$P0X$Rmc-AJ9FFW$`"Y$p#h$!Y
API String ID: 524882891-749070507
Opcode ID: 8a9f547b9c73b0e75cfe59c37740a1dd3057ea8a7794a23f34905740d5eddfdf
Instruction ID: 18fccb78c81c2343ac57798386cae19239176923dae9a766974ea33d02104e2e
Opcode Fuzzy Hash: 8a9f547b9c73b0e75cfe59c37740a1dd3057ea8a7794a23f34905740d5eddfdf
Instruction Fuzzy Hash: F942B031A005265ADB18F770FE5AAFEBB69BFE6300F1041A9F40A661D2EF305F45CA54

Function 0053A8DA Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 130
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00589920,GetModuleFileNameExA,?,?,?,?,0052D40C), ref: 0053A8EF

Strings

GetModuleFileNameExW, xrefs: 0053A919, 0053A91E, 0053A937
kernel32.dll, xrefs: 0053A987, 0053AA14, 0053AA1E, 0053AA3A
GetModuleFileNameExA, xrefs: 0053A8E4, 0053A8E9, 0053A909
`Wu, xrefs: 0053A8FA
user32, xrefs: 0053A964, 0053A9DF, 0053A9E9, 0053A9F4, 0053AA04
kernel32, xrefs: 0053A996, 0053A9A0, 0053A9AB, 0053A9CF

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID: GetModuleFileNameExA$GetModuleFileNameExW$`Wu$kernel32$kernel32.dll$user32
API String ID: 1029625771-2214307891
Opcode ID: 613a61fe05ad7b584836cdfa8111a5df29e928171d3ea4c092ca643d686899e7
Instruction ID: 1f66e88eb5abfe03f9f587bdb73dfb288aef8a9112751074047bb279989fb59a
Opcode Fuzzy Hash: 613a61fe05ad7b584836cdfa8111a5df29e928171d3ea4c092ca643d686899e7
Instruction Fuzzy Hash: 413170A0E4176E7ADB107BB76C09D7B7E9CFA5079470A041BF805F3550EA789804DFA8

Function 00531F34 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00531F54
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,p#h), ref: 00531F72
RegCloseKey.KERNELBASE(?), ref: 00531F7D

Strings

pth_unenc, xrefs: 00531F34
hu, xrefs: 00531F7D
p#h, xrefs: 00531F5E

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: hu$p#h$pth_unenc
API String ID: 3677997916-3649777279
Opcode ID: f3b599f5e85e4f56fcc2feeca0715f00b416dbd94211d9a7dcaaa81c63efe89e
Instruction ID: 04963a4c7f37b279721a1b9629b7075b6341f8375a82c0e317aa142c9ec83ef5
Opcode Fuzzy Hash: f3b599f5e85e4f56fcc2feeca0715f00b416dbd94211d9a7dcaaa81c63efe89e
Instruction Fuzzy Hash: 4CF01D76900208FFDF119FA0AC45FED7BBCEF04710F1041A5BA08E6151D6315A58ABA0

Function 005248A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 005248C0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 005249E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 005249EE
WSAGetLastError.WS2_32 ref: 00524A01

Part of subcall function 005394DA: GetLocalTime.KERNEL32(00000000), ref: 005394F4

Strings

8/X, xrefs: 005248E4

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: 8/X
API String ID: 994465650-2727709841
Opcode ID: d77fc3aaa85bc77fd502e965b803bde3de62a87b34be1cd96496f5ccbdf07e7f
Instruction ID: e429dfd4d2648ffc94176fde95c9a47ed29d86af87ccbfad68f70b0dc92503be
Opcode Fuzzy Hash: d77fc3aaa85bc77fd502e965b803bde3de62a87b34be1cd96496f5ccbdf07e7f
Instruction Fuzzy Hash: 2641C375A806227BAA04B779A95F83D7E66BFD3300F400519FC01566D2EB219C25CBD7

Function 005320E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,p#h), ref: 00532104
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0053211D
RegCloseKey.KERNELBASE(00000000), ref: 00532128

Strings

hu, xrefs: 00532128
p#h, xrefs: 005320F4

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: hu$p#h
API String ID: 3677997916-1423500109
Opcode ID: 7dca189ea5112349b250227bad85c0ce328da466d3816161318ed6405c248b8a
Instruction ID: 33cb43141bed4e4c5a07d6a017ac41c864ddb312b33607cdcd6cea1eef00bf77
Opcode Fuzzy Hash: 7dca189ea5112349b250227bad85c0ce328da466d3816161318ed6405c248b8a
Instruction Fuzzy Hash: 5501F63680012DFBCF219FA1EC49DEA7F29FF15350F004194BA0862161D63299AAEBA0

Function 0053215F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,005830C0), ref: 0053216E
RegSetValueExA.KERNELBASE(005830C0,005898D0,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0053A83B,005898D0,005830C0), ref: 00532196
RegCloseKey.KERNELBASE(005830C0,?,?,0053A83B,005898D0,005830C0), ref: 005321A1

Strings

Control Panel\Desktop, xrefs: 00532168, 00532178
hu, xrefs: 005321A1

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateValue
String ID: hu$Control Panel\Desktop
API String ID: 1818849710-3901742824
Opcode ID: c55d4e5ceee085e98d0516cbddac0e4ef233b652691f4820a57f5ece9160b17a
Instruction ID: a718aab95bc56e08e5c84f26ee874e1a32fd5d13dfba28224e7f3746f605490b
Opcode Fuzzy Hash: c55d4e5ceee085e98d0516cbddac0e4ef233b652691f4820a57f5ece9160b17a
Instruction Fuzzy Hash: BDF06D32540518BBDB10AFA0ED09EEA7B6CEF55750F108254BE09A6150EB329E58EBA0

Function 00531F91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00531FB5
RegQueryValueExA.KERNELBASE(?,00583184,00000000,00000000,?,00000400), ref: 00531FD2
RegCloseKey.KERNELBASE(?), ref: 00531FDD

Strings

hu, xrefs: 00531FDD

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: hu
API String ID: 3677997916-423011080
Opcode ID: 312b53c8a57604b4264fe01c762fabf4e1a2478ab90c27f15e4c809fdaaed2aa
Instruction ID: 2f7c038b7bf8fa7025ffbe3b403b6e3cc1a4eb80d86bb56b6a0ae01b5ccfc62c
Opcode Fuzzy Hash: 312b53c8a57604b4264fe01c762fabf4e1a2478ab90c27f15e4c809fdaaed2aa
Instruction Fuzzy Hash: 36018676900128FBCB209B95ED0CDEE7F7DEB84750F104155BA09A2110DB719E59EBB4

Function 00524CA3 Relevance: 6.1, APIs: 4, Instructions: 121
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00591EE8), ref: 00524D93
CreateThread.KERNELBASE(00000000,00000000,?,00591E90,00000000,00000000), ref: 00524DA7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00524DB2
CloseHandle.KERNELBASE(00000000,?,00000000), ref: 00524DBB

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 7668216751ad32503cf57b3c8da35c9df3e04057e238ec780fb9c4881e29cf28
Instruction ID: d7bf3c14bfa2be993289ba6497f73738e9206f53bb7ec05ec3a3b35dcbb8d18c
Opcode Fuzzy Hash: 7668216751ad32503cf57b3c8da35c9df3e04057e238ec780fb9c4881e29cf28
Instruction Fuzzy Hash: 23419471204311AFCB15FB60ED19D6FBFEDBFE6310F400A1DB896822D1DB2499099A61

Function 0053936B Relevance: 4.6, APIs: 3, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00539392
InternetOpenUrlW.WININET(00000000,00589434,00000000,00000000,80000000,00000000), ref: 005393A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 005393C1

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Internet$Open$FileRead
String ID:
API String ID: 72386350-0
Opcode ID: 5e883d345cac8d325ceb79d72766b1254b81157a9beabced82c1f447c160ff6e
Instruction ID: 9f67169a6a1a93dedd3fbcd86ae97f15a298c92398fa990b4a6feb0494615923
Opcode Fuzzy Hash: 5e883d345cac8d325ceb79d72766b1254b81157a9beabced82c1f447c160ff6e
Instruction Fuzzy Hash: 0A118FB11053236BD624EB25AC49DAB7FACFFD6761F00083DF809A2281DB649948D6B1

Function 00524F31 Relevance: 4.6, APIs: 3, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00524F61
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00524FAD
CreateThread.KERNELBASE(00000000,00000000,Function_00004130,?,00000000,00000000), ref: 00524FC0

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Create$EventLocalThreadTime
String ID:
API String ID: 2532271599-0
Opcode ID: f11183ee7175821d734d84b35ddea3093abc03fc8caca21300b00ffdda025603
Instruction ID: 83c986b4b0ce89a27d59100b3767ac7014c274b511a2d140923a4ba43a947454
Opcode Fuzzy Hash: f11183ee7175821d734d84b35ddea3093abc03fc8caca21300b00ffdda025603
Instruction Fuzzy Hash: 9C1106359006906ADB20BB76BC0DA9BBFB8BFE7710F44050DF84552292D6B05449DBB1

Function 00539797 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 005397AB

Strings

@, xrefs: 005397A1

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: a1f03e6018a3085122b31388d7b427cccf4f94a048e1b657f11b2c9bbd7f533c
Instruction ID: 2098fdf9e1c6cc9c27416997d6716feb16e8232d3451e2bc92385684b7dc6561
Opcode Fuzzy Hash: a1f03e6018a3085122b31388d7b427cccf4f94a048e1b657f11b2c9bbd7f533c
Instruction Fuzzy Hash: D5D017B58023289FC720DFA8E904A8DBBFCFB08214F00026AEC49E3300E770AC048B84

Function 00563697 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 005636B8

Part of subcall function 00563649: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

RtlReAllocateHeap.NTDLL(00000000,?,?,00000004), ref: 005636F4

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 2829e7ff136d9e0eda1eda391c60ee48528b42725f35ef53ec2cf6eea904eb40
Instruction ID: 73450678dc51087cb856e02ca76c528d45aecdcd2fdaa35d975691cbb6bf45a8
Opcode Fuzzy Hash: 2829e7ff136d9e0eda1eda391c60ee48528b42725f35ef53ec2cf6eea904eb40
Instruction Fuzzy Hash: 93F0BB322015267BDB212A66EC08B6B3F58BFC1771F218516FC15AB3A1EF30DE0097A5

Function 0052480D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00697080,00000001,00000006), ref: 00524832
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,005252EB,?,?,00000000,00000000,?,?,00000000,005251E8,?,00000000), ref: 0052486E

Part of subcall function 0052487E: WSAStartup.WS2_32(00000202,00000000), ref: 00524893

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 6be5df2f6d2a0bd2b3436d44ca149b05aa775c6ca7e0f44ad31975f08af0efee
Instruction ID: 9ed61c751f542c503eea4036c5e9913a25af503f688636aee418194e194a0ca0
Opcode Fuzzy Hash: 6be5df2f6d2a0bd2b3436d44ca149b05aa775c6ca7e0f44ad31975f08af0efee
Instruction Fuzzy Hash: A401B171418BD09FD7388F28B8442967FE0AF2A310F04495EF4CA97BA1C3B1A444DF10

Function 00539A77 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00539A9B
GetWindowTextW.USER32(00000000,?,00000200), ref: 00539AAA

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: ce27031cbe80e6de2c0c66301fe2c2bd14f2c40055ccfa1ab22cbee96c8cadb7
Instruction ID: dc97fb62ca57aea52c0299c6c312438f5da63332bd9f48c35dda4671eef099cc
Opcode Fuzzy Hash: ce27031cbe80e6de2c0c66301fe2c2bd14f2c40055ccfa1ab22cbee96c8cadb7
Instruction Fuzzy Hash: 4FE0657690022827EB2067A5BC8DFA6BB6CEB91710F04019AB918C3141E9605944CAE1

Function 0053393F Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,0058FACC,00591FFC,00000000,00533BDE,00000000,00000001), ref: 00533961
WSASetLastError.WS2_32(00000000), ref: 00533966

Part of subcall function 005337DC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0053382B
Part of subcall function 005337DC: LoadLibraryA.KERNEL32(?), ref: 0053386D
Part of subcall function 005337DC: LoadLibraryA.KERNEL32(?), ref: 005338CC
Part of subcall function 005337DC: GetProcAddress.KERNEL32(00000000,?), ref: 005338F4

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryErrorLastProcSystemgetaddrinfo
String ID:
API String ID: 261940356-0
Opcode ID: c9122937c8743672352d6e935da5584f9e9f811252efa76c2ec29263b8e55e68
Instruction ID: 6e6c09f9fbfe51ed03a60e028bcd5aa5522d5f26803948b64e757d9e03d34a38
Opcode Fuzzy Hash: c9122937c8743672352d6e935da5584f9e9f811252efa76c2ec29263b8e55e68
Instruction Fuzzy Hash: A4D05B32300162BB9310B75DAC44F7B6B9CFFE5760F050027F805D3511D7904E0557A4

Function 0052C5ED Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0052C753

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 7c9498100673bcae98ca5754c65d29a546643c629e8e3b9c06f1cd26c240a63c
Instruction ID: cba269d2c9d8e158b5d9a5acc67940354de5439aef90534051a9dfb123bd7f47
Opcode Fuzzy Hash: 7c9498100673bcae98ca5754c65d29a546643c629e8e3b9c06f1cd26c240a63c
Instruction Fuzzy Hash: 17413B315046529AC304FB60FC578AFBFACBEF6750F10091EF956520D2DF609A49CA56

Function 00534569 Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0053457C

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: d969177962daee51bcfec8c625e0111245ee92fce7ee13ac1502c70f294c4e0f
Instruction ID: bba080a030aa0912bd609a16a683a07fad799890d3186f275fab3cdb0d884a30
Opcode Fuzzy Hash: d969177962daee51bcfec8c625e0111245ee92fce7ee13ac1502c70f294c4e0f
Instruction Fuzzy Hash: D44195312086525BC318FB60E95AAEFBB957FF6300F50493DB546461D2EF309D09C656

Function 005392AE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00539F23: GetCurrentProcess.KERNEL32(?,?,?,0052C663,00583EFC,00000000), ref: 00539F34
Part of subcall function 00539F23: IsWow64Process.KERNEL32(00000000,?,?,0052C663,00583EFC,00000000), ref: 00539F3B

Part of subcall function 00531F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00531FB5
Part of subcall function 00531F91: RegQueryValueExA.KERNELBASE(?,00583184,00000000,00000000,?,00000400), ref: 00531FD2
Part of subcall function 00531F91: RegCloseKey.KERNELBASE(?), ref: 00531FDD

StrToIntA.SHLWAPI(00000000,00589710,00000000,00000000,00000000,00591FFC,00000001,?,?,?,?,?,?,?,?,0052D6A0), ref: 00539327

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID:
API String ID: 782494840-0
Opcode ID: c4435bed04537d1f362e3472382b0591bcee353ee82737b05c2d22e71e1280d8
Instruction ID: 9c10200eaba5d38a6d0974b1b96a60649f337df4722d600564f4c5bea091d6e8
Opcode Fuzzy Hash: c4435bed04537d1f362e3472382b0591bcee353ee82737b05c2d22e71e1280d8
Instruction Fuzzy Hash: 3111C6A1A045122AC700B764EC5FA7FBF59FBE6711F580924F906A71D2FAA04D46C3B1

Function 0056D2B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00563005: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00563046

_free.LIBCMT ref: 0056D320

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6fbd5f5913d77dcf5a6d82c6498df87f4057002eddcf30cb4877e2dc73b1850c
Instruction ID: ed437cefb89149b999027c05ef799eae4ffb3dc04509435033c62fa2a448a0b6
Opcode Fuzzy Hash: 6fbd5f5913d77dcf5a6d82c6498df87f4057002eddcf30cb4877e2dc73b1850c
Instruction Fuzzy Hash: 570126766003056BE3218E698885A5AFFE8FB85370F25091DE184832C0EA30A905C734

Function 00563005 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00563046

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 149783f4192788eb1bd6daf3c08a8c0e10f92b99669fe9fa4f95a62683fa6bda
Instruction ID: 1f77c8c92804b8b38bd06b34571efcc45dffb1eee3df84fb8b4568b1ff4872d6
Opcode Fuzzy Hash: 149783f4192788eb1bd6daf3c08a8c0e10f92b99669fe9fa4f95a62683fa6bda
Instruction Fuzzy Hash: 26F0BE32201625AAEB316A62DD0DA5A3F88BF807B1F148521EC09EB081CA70DE0892A0

Function 00563649 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d67543ce02f46c445ee9cde00ba815508028e5e2a1a4004d07a6ef40ad7b3415
Instruction ID: 2d91290787fcd90f4093e74c7045d7c7f901b7f69c406c7fd378e9bce3707a3e
Opcode Fuzzy Hash: d67543ce02f46c445ee9cde00ba815508028e5e2a1a4004d07a6ef40ad7b3415
Instruction Fuzzy Hash: EDE0ED312012227BDB712662DC08B6B3E58BB913B1F164224AC49EB2C0CA71CE0082B4

Function 0052487E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00524893

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: f947161caa83245c3b044c0dc52e023f969daf55f3db9b1205ec9531e9b8e965
Instruction ID: 8811576e72c406c47a7bfb195d4c1400e6605b4148382573a2db771cd39253fc
Opcode Fuzzy Hash: f947161caa83245c3b044c0dc52e023f969daf55f3db9b1205ec9531e9b8e965
Instruction Fuzzy Hash: 45D012326586084ED610ABB4AD0F8A57B5CC326A21F0003AAACB9825D3F640171CD3B7

Function 00544A7D Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00544A87

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000542000.00000020.00000400.00020000.00000000.sdmp, Offset: 00542000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_542000_InstallUtil.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: e3d26f0942c1626f4b74a512232bf9030c91ef59544289b4321716d122a7dfbd
Instruction ID: 5f00dec659b30069a25a6c4bf7bb0a4564087ee952cf8fc4e9ca5f31384813a0
Opcode Fuzzy Hash: e3d26f0942c1626f4b74a512232bf9030c91ef59544289b4321716d122a7dfbd
Instruction Fuzzy Hash: 04B092B9108202BF8A060B60EC0886A7EA6FBC8780F008D0CF14A40170D63284A0BB22

Non-executed Functions

Function 0053A01B Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0053A076
FindNextFileW.KERNEL32(00000000,?), ref: 0053A0A6
SetFileAttributesW.KERNEL32(?,00000080), ref: 0053A118
DeleteFileW.KERNEL32(?), ref: 0053A125

Part of subcall function 0053A01B: RemoveDirectoryW.KERNEL32(?), ref: 0053A0FB

GetLastError.KERNEL32 ref: 0053A146
FindClose.KERNEL32(00000000), ref: 0053A15C
RemoveDirectoryW.KERNEL32(00000000), ref: 0053A163
FindClose.KERNEL32(00000000), ref: 0053A16C

Strings

p2Wup3Wu 2Wu, xrefs: 0053A0A6
pth_unenc, xrefs: 0053A01B
05Wu`Wu, xrefs: 0053A118
p#h, xrefs: 0053A02B

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID: 05Wu`Wu$p#h$p2Wup3Wu 2Wu$pth_unenc
API String ID: 2341273852-3626508354
Opcode ID: 9ea5325323502124c204ed302883ec4e46069d5da5ca223c6b5e1868dfd69204
Instruction ID: ee15a29975e9c572029b6b0a25f80c57ae97f56789eca32240e7ef4137f25184
Opcode Fuzzy Hash: 9ea5325323502124c204ed302883ec4e46069d5da5ca223c6b5e1868dfd69204
Instruction Fuzzy Hash: 0931B67680421D5ADB60EB60EC4DEDB7BBCBF54301F0406A6E958D2062EF359AC8DF61

Function 00534EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00534EC2
EmptyClipboard.USER32 ref: 00534ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00534EF0
GlobalLock.KERNEL32(00000000), ref: 00534EF9
GlobalUnlock.KERNEL32(00000000), ref: 00534F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00534F38
CloseClipboard.USER32 ref: 00534F55
OpenClipboard.USER32 ref: 00534F5C
GetClipboardData.USER32(0000000D), ref: 00534F6C
GlobalLock.KERNEL32(00000000), ref: 00534F75
GlobalUnlock.KERNEL32(00000000), ref: 00534F7E
CloseClipboard.USER32 ref: 00534F84

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: f134fd42088803cbb81aa4a2f517ff0f579ec192e0b6d772003e70a03d8ab46e
Instruction ID: 60492f9c61d69fc398f8681aa7095ee941e7796c1e220a5970d63237d0a703d3
Opcode Fuzzy Hash: f134fd42088803cbb81aa4a2f517ff0f579ec192e0b6d772003e70a03d8ab46e
Instruction Fuzzy Hash: C0212C31604A115BD714BB70BC5EA6E7FA8BFF1701F440C2DB90A82192EE308949EA62

Function 0053B344 Relevance: 18.1, APIs: 12, Instructions: 74windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0053B38F
GetCursorPos.USER32(?), ref: 0053B39E
SetForegroundWindow.USER32(?), ref: 0053B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0053B3C1
Shell_NotifyIcon.SHELL32(00000002,00591AE0), ref: 0053B412
ExitProcess.KERNEL32 ref: 0053B41A
CreatePopupMenu.USER32 ref: 0053B420
AppendMenuA.USER32(00000000,00000000,00000000,00589B1C), ref: 0053B435

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID:
API String ID: 1665278180-0
Opcode ID: a9c6e4e95889bdf7f9bdc8d8dc077b3beb805d9ebdbd6272928c77dcb192787e
Instruction ID: fe9935d1645bd7e8c5512d4c0b78294e5d1fafb581eba2e843135fed321872c2
Opcode Fuzzy Hash: a9c6e4e95889bdf7f9bdc8d8dc077b3beb805d9ebdbd6272928c77dcb192787e
Instruction Fuzzy Hash: 9C211936100519AFEF099FA4FC0DA6A3F65FB24301F184915F60A960B1D7729D68FB58

Function 005375E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

0, xrefs: 0053760B
2, xrefs: 005376AC
7, xrefs: 005377E2
3, xrefs: 0053770C
5, xrefs: 005377C1
1, xrefs: 0053764D
4, xrefs: 00537770
6, xrefs: 005377CB

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 2819a3de97d9b3a6c7a9b7c0c58df079e26f18d0ff647a809b6ac6f20d91416c
Instruction ID: 22c90a065eaa36b24e83ae006c597a9b1595fb061eacd68220b794a16a9f3afb
Opcode Fuzzy Hash: 2819a3de97d9b3a6c7a9b7c0c58df079e26f18d0ff647a809b6ac6f20d91416c
Instruction Fuzzy Hash: AF61D6B19183129ED714EF20E86AFAABFD4BFD9310F10490DF592571D1EA709A08C7A7

Function 005386FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,005927F8), ref: 00538714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00538763
GetLastError.KERNEL32 ref: 00538771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 005387A9

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: aa75850551f911fbb5b0345a06c519d3939a0ed7c67144f051e49fabf0ab3e70
Instruction ID: 566ebb7653898ce5d8873b5046391485615825b67de569ea81e3bba53618f165
Opcode Fuzzy Hash: aa75850551f911fbb5b0345a06c519d3939a0ed7c67144f051e49fabf0ab3e70
Instruction Fuzzy Hash: 16813E71508355ABC304EF61EC9A9AFBFACFFE5310F50081DF58652191EE70AA48CB96

Function 00529340 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0052935B
SetWindowsHookExA.USER32(0000000D,0052932C,00000000), ref: 00529369
GetLastError.KERNEL32 ref: 00529375

Part of subcall function 005394DA: GetLocalTime.KERNEL32(00000000), ref: 005394F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 005293C3
TranslateMessage.USER32(?), ref: 005293D2
DispatchMessageA.USER32(?), ref: 005293DD

Strings

`Wu, xrefs: 0052935B
@3X, xrefs: 00529389

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: @3X$`Wu
API String ID: 3219506041-3800866272
Opcode ID: aa28528a2b4d0a36c497d11e11a5d723f742ad3fd60b3393a88524e1e881682a
Instruction ID: 13643d4cbdbcd16ddb3c92f5d25635263623d1b7986644586d237ebe5c663dff
Opcode Fuzzy Hash: aa28528a2b4d0a36c497d11e11a5d723f742ad3fd60b3393a88524e1e881682a
Instruction Fuzzy Hash: A4113D71604612AB9710BB75AC0D86BBFACFEE6711F100D2DB899D2291EA708948D7A1

Function 0052AA71 Relevance: 12.1, APIs: 8, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 0052AAF0
FindClose.KERNEL32(00000000), ref: 0052AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0052AC2D
FindClose.KERNEL32(00000000), ref: 0052AC53

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 92cc4648b996eec2f61379ddc860c80435e44ba8ed87f096058d24dfb577bab8
Instruction ID: b4d1e0b1eb2d7d2d3aef0ec8a1dcbdf861f1913ce1c96c5efb4c68e36885d260
Opcode Fuzzy Hash: 92cc4648b996eec2f61379ddc860c80435e44ba8ed87f096058d24dfb577bab8
Instruction Fuzzy Hash: 18514D7190052A9BDB14FBA0FD5A9EEBF24BFA6700F000569F416A20D2FF205B898A55

Function 005287A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 222fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0052881D
FindNextFileW.KERNEL32(00000000,?), ref: 00528846
FindClose.KERNEL32(?), ref: 0052885D

Strings

p2Wup3Wu 2Wu, xrefs: 00528846
OW, xrefs: 005287A0

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: p2Wup3Wu 2Wu$OW
API String ID: 3541575487-1181029902
Opcode ID: 33469aed1a6fe118fbca019c42ea4497be62abed114f07ea841c215923f79b88
Instruction ID: 2b7a530d7966f062db408abb7d2cd8f1f16a3be57b143bc095cd5581db6d3703
Opcode Fuzzy Hash: 33469aed1a6fe118fbca019c42ea4497be62abed114f07ea841c215923f79b88
Instruction Fuzzy Hash: 5B81473280112A9BCB15EFE0EC959EE7B78BFA6310F10416AE416A71D1EF305B49DF54

Function 0052E2E7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00539F23: GetCurrentProcess.KERNEL32(?,?,?,0052C663,00583EFC,00000000), ref: 00539F34
Part of subcall function 00539F23: IsWow64Process.KERNEL32(00000000,?,?,0052C663,00583EFC,00000000), ref: 00539F3B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0052E305
Process32FirstW.KERNEL32(00000000,?), ref: 0052E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0052E338
CloseHandle.KERNEL32(00000000), ref: 0052E4EF

Part of subcall function 00539F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0052DFB9,00000000,?,?,00000001), ref: 00539F66
Part of subcall function 00539F51: IsWow64Process.KERNEL32(00000000,?,?,?,00000001), ref: 00539F71

Part of subcall function 00539F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00539F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0052E4E0

Strings

XAX, xrefs: 0052E346

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Process$Process32$NextOpenWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID: XAX
API String ID: 44284711-289145240
Opcode ID: c6f4df1fdf2b6c070acc503e39cdad092aebcf0cdd341d82cba7f77be5204998
Instruction ID: a6bca8b85e0442802928e32304f3a12db395a9952b3ce97485de5530143bbc6a
Opcode Fuzzy Hash: c6f4df1fdf2b6c070acc503e39cdad092aebcf0cdd341d82cba7f77be5204998
Instruction Fuzzy Hash: A04132311086529BC325F760ED59AEFBBD9BFE5300F10492DF45A821D1EF309A4AC756

Function 0052B28E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,005838FC,00000000,?), ref: 0052B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0052B3AF
FindClose.KERNEL32(00000000), ref: 0052B3BE
FindClose.KERNEL32(00000000), ref: 0052B3E9

Strings

p2Wup3Wu 2Wu, xrefs: 0052B3AF

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID: p2Wup3Wu 2Wu
API String ID: 1164774033-2303657890
Opcode ID: a5868321e455587e9b866bf2d6e5d600184184e1e6d191068c9f38bb5089e8cb
Instruction ID: 184af6ade45f485332b3c805609b5ff293882273f781ca003a54e6f830ab0745
Opcode Fuzzy Hash: a5868321e455587e9b866bf2d6e5d600184184e1e6d191068c9f38bb5089e8cb
Instruction Fuzzy Hash: 6C31023190426A96DB14FBA0FC9A9FE7F7C7FA2710F100559F405A20D2EF649A8ADA44

Function 00529468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0052949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 005294A7
GetKeyboardLayout.USER32(00000000), ref: 005294AE
GetKeyState.USER32(00000010), ref: 005294B8
GetKeyboardState.USER32(?), ref: 005294C5
ToUnicodeEx.USER32(0065006D,006F0077,?,?,00000010,00000000,00000000), ref: 005294E1

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: 5290a8ddfff00bb5e05fc43e1ebc1b382018155eecac12f83e1b95bce0a4927e
Instruction ID: 19c35fe2fe045cecfdbe0298fc4754c28e7199bd707cb8224927eab2cbdfb71f
Opcode Fuzzy Hash: 5290a8ddfff00bb5e05fc43e1ebc1b382018155eecac12f83e1b95bce0a4927e
Instruction Fuzzy Hash: D6110072900209ABDB109BA4EC49FDA7BACEB58705F100455F608D7190E675A998EBA0

Function 00537AAB Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00537D01

Part of subcall function 0053A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,00535A44), ref: 0053A228

Strings

H"Y, xrefs: 00537BA1
p2Wup3Wu 2Wu, xrefs: 00537D67
`'Y, xrefs: 00537DE4
`'Y, xrefs: 00537C7E

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$CreateFindFirst
String ID: H"Y$`'Y$`'Y$p2Wup3Wu 2Wu
API String ID: 41799849-2688392685
Opcode ID: e581d415be6990639ff7a98b6db27c2338b094a6e719669afdde562cee76b3ab
Instruction ID: d64c34d9ac6d3bcceabf053db3720cacf4a1287463ab28a907313ad5ad3e0b33
Opcode Fuzzy Hash: e581d415be6990639ff7a98b6db27c2338b094a6e719669afdde562cee76b3ab
Instruction Fuzzy Hash: 208160315086626AC324FB60ED5A9EFBFA9BFE6300F40092DF456531D2EF309A49C656

Function 0056F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0056F93B,?,00000000), ref: 0056F6B5
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0056F93B,?,00000000), ref: 0056F6DE
GetACP.KERNEL32(?,?,0056F93B,?,00000000), ref: 0056F6F3

Strings

ACP, xrefs: 0056F63A
OCP, xrefs: 0056F670

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7b2feebf2946fc7d4364f3c3e5d4ee22581cc0efcd00ea94bf55eb8a9dccdf39
Instruction ID: d67e645f354ba3600d530f7cf6b0a3534364361b1a11070892a20657f47ac538
Opcode Fuzzy Hash: 7b2feebf2946fc7d4364f3c3e5d4ee22581cc0efcd00ea94bf55eb8a9dccdf39
Instruction Fuzzy Hash: 6621C532F00101A6DB308F64F905A977BA7FF50B54B668535E90ADB234EB32DD80D390

Function 0056F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

Part of subcall function 00565725: _free.LIBCMT ref: 00565784
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 00565791

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0056F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0056F957
IsValidLocale.KERNEL32(?,00000001), ref: 0056F966
GetLocaleInfoW.KERNEL32(?,00001001,00561F7E,00000040,?,0056209E,00000055,00000000,?,?,00000055,00000000), ref: 0056F9AE
GetLocaleInfoW.KERNEL32(?,00001002,00561FFE,00000040), ref: 0056F9CD

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 6682d811f432494ae5df077fdbf012bcca0a8c0068c46b74c695f9336f4a86ea
Instruction ID: c23de05addb7896aa0c223b10b30295d8e4e91220d8ef22e4b849972c69f7095
Opcode Fuzzy Hash: 6682d811f432494ae5df077fdbf012bcca0a8c0068c46b74c695f9336f4a86ea
Instruction Fuzzy Hash: F1518171E00206ABEB20DFA5EC45BBE7BB8FF55700F044479E914EB151E7709A44DB61

Function 00566894 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0057C1E4), ref: 005668FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0058F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00566976
WideCharToMultiByte.KERNEL32(00000000,00000000,0058F7A8,000000FF,?,0000003F,00000000,?), ref: 005669A3
_free.LIBCMT ref: 005668EC

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

_free.LIBCMT ref: 00566AB8

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: decb30a3510b82ac2e36bb0d485fe771353c917746334abf4f36a43ce735f212
Instruction ID: bcb6583ef2e126f017dfa1ca551be83e0e3b8427bd33686cac6d89db9278afc1
Opcode Fuzzy Hash: decb30a3510b82ac2e36bb0d485fe771353c917746334abf4f36a43ce735f212
Instruction Fuzzy Hash: 0351D67190020AEFDB10DFA9DC859AABFBCFF95310B10467AE854E7291EB309E44DB50

Function 00535C90 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00535C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00535CA4
LookupPrivilegeValueA.ADVAPI32(00000000,005894F0,?), ref: 00535CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00535CD5
GetLastError.KERNEL32 ref: 00535CDB

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3534403312-0
Opcode ID: 6d589d7ed04e05910c4263a900e6cd0fe0077c6b57027de888c1cfa31d2d7f5b
Instruction ID: 88f3531a46f273b8fc62f895edc493a66326ed1ee47a1343044b234d29a6f312
Opcode Fuzzy Hash: 6d589d7ed04e05910c4263a900e6cd0fe0077c6b57027de888c1cfa31d2d7f5b
Instruction Fuzzy Hash: F2F034B5902129ABDB10ABA1ED4DEEFBFBCEF05215F000054B80AA1151D6344A48EBB1

Function 00563700 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

A%W, xrefs: 0056371D, 005638C8, 00563AEC, 00563A86, 00563916, 005638A4
A%W, xrefs: 00563B68, 00563952, 005637E1

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID: A%W$A%W
API String ID: 0-3786862019
Opcode ID: 2e9e7627b5c2dab72867ffc5c03d178ede98e90be01674bf3d14253555f4bd87
Instruction ID: fb4a4c4020f39e29c87659f1991653ccf68773dc6ec356e0bb109071e4c07ca2
Opcode Fuzzy Hash: 2e9e7627b5c2dab72867ffc5c03d178ede98e90be01674bf3d14253555f4bd87
Instruction Fuzzy Hash: 91021C71E012199BDF14CFA9D8806ADFBF1FF88324F258269E819E7345D731AA41CB80

Function 00527848 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,005832A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00527906
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0052793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00527A51

Strings

p2Wup3Wu 2Wu, xrefs: 0052793B

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: p2Wup3Wu 2Wu
API String ID: 3541575487-2303657890
Opcode ID: 95e9a7e068cbf4c2e869a7fceb5408a56fa9bb56c66eb8511fb433e6161d31e1
Instruction ID: ffd64cdbb08c981672216c673d3bb010c60198539fd36f6e65bf17cb6a7160c2
Opcode Fuzzy Hash: 95e9a7e068cbf4c2e869a7fceb5408a56fa9bb56c66eb8511fb433e6161d31e1
Instruction Fuzzy Hash: FF51767190122A9ACB04FBA0ED5E9EE7F7CBFA6310F500115B816631D1EF349B49CB95

Function 0056EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00561F85,?,?,?,?,005619DC,?,00000004), ref: 0056EF9A
_wcschr.LIBVCRUNTIME ref: 0056F02A
_wcschr.LIBVCRUNTIME ref: 0056F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00561F85,00000000,005620A5), ref: 0056F0DB

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 12c8b4ef2bf5e0d88acb281bf920956256de90124095427b70ed42d34708b066
Instruction ID: 9130e5cd279cae0b70a9c4ab0e93b9c665e4429cf4cbee9b80037992cf9d64fd
Opcode Fuzzy Hash: 12c8b4ef2bf5e0d88acb281bf920956256de90124095427b70ed42d34708b066
Instruction Fuzzy Hash: 5761F935A01202EBDB24AB34EC4BAA6BBA8FF44750F144579F909DB182EB71DD40C760

Function 005527AD Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 005527BB
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00552883
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 005528A2
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 005528AC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e8fbf4a957d392b2410c229cc33ece735c0fe482d9ff26053dbf52feec8aeacc
Instruction ID: fb6d786ec539e7f15fcd4bbc771122559e6eb64093c0834ad00dd5a9c45c7fa5
Opcode Fuzzy Hash: e8fbf4a957d392b2410c229cc33ece735c0fe482d9ff26053dbf52feec8aeacc
Instruction Fuzzy Hash: 8F310A75C1222D9BCF20DFA5D989ACDBBB8FF18305F1041AAE40DA7211E7314A88DF40

Function 005527AE Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 005527BB
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00552883
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 005528A2
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 005528AC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d37495af22f4c4a7790d0558fa422c828c6d9290f1905d383f6354568a279b26
Instruction ID: a98cbb58cc99c8dcb5f866c74aacc2aa734d8da618d89e17d059fc7bd6f929e3
Opcode Fuzzy Hash: d37495af22f4c4a7790d0558fa422c828c6d9290f1905d383f6354568a279b26
Instruction Fuzzy Hash: 2A311C75C0222DDBCB10DFA5D949ACDBBB8FF08305F0041AAE40CA7211E7315A88DF50

Function 00538A00 Relevance: 6.0, APIs: 4, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00538656,00000000), ref: 00538A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00538656,00000000), ref: 00538A1E
CloseServiceHandle.ADVAPI32(00000000,?,00538656,00000000), ref: 00538A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00538656,00000000), ref: 00538A36

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Service$Open$CloseHandleManagerStart
String ID:
API String ID: 2553746010-0
Opcode ID: a81376ef2735df273a991750bec07f4d74b2a9769b9d037a62b0865f6588aa5d
Instruction ID: f8a149d1e3da2a39d4e973fc65aa95e1b1196dd6fb9b469cd87dba0aba353548
Opcode Fuzzy Hash: a81376ef2735df273a991750bec07f4d74b2a9769b9d037a62b0865f6588aa5d
Instruction Fuzzy Hash: DCF08271511A256FD215AB60BC8DDBF2FACEFE57A1B01041AF809931508F648D8DB9B1

Function 00539493 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(0058972C,0000000A), ref: 005394A4
LoadResource.KERNEL32(00000000,?,?,?,0052DD9E), ref: 005394B8
LockResource.KERNEL32(00000000,?,?,?,0052DD9E), ref: 005394BF
SizeofResource.KERNEL32(00000000,?,?,?,0052DD9E), ref: 005394CE

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 08f469d4934dbc46da254f96dd37e45a382489d752ff1df8151e55b9c6a85195
Instruction ID: 968b39c085d959c726358f48e2928e906c123745a94c929a64134356ae4c9908
Opcode Fuzzy Hash: 08f469d4934dbc46da254f96dd37e45a382489d752ff1df8151e55b9c6a85195
Instruction Fuzzy Hash: E1E09A76600610ABCB211BA5FD5CD177F69F7EA7637440464FA05A2222D6718C58FB50

Function 005268CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 005268E8
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 005269B0

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Strings

p2Wup3Wu 2Wu, xrefs: 005269B0

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: FileFind$FirstNextsend
String ID: p2Wup3Wu 2Wu
API String ID: 4113138495-2303657890
Opcode ID: d0de10974ff34205373594dda9dbdce41f01550653c18efbad36c444f68ab8e0
Instruction ID: a9d973c283e7aee6c7bc9331f181429bab2922193624e37a15499225d1fda915
Opcode Fuzzy Hash: d0de10974ff34205373594dda9dbdce41f01550653c18efbad36c444f68ab8e0
Instruction Fuzzy Hash: D82193311046225BC714FBA0EC998EFBFACBFE6350F400D29F596520D1EF309A49CA66

Function 00534DB0 Relevance: 4.6, APIs: 3, Instructions: 100libraryloadershutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000000), ref: 00534E56
LoadLibraryA.KERNEL32(00589498,00589488,00000000,00000000,00000000), ref: 00534E6B
GetProcAddress.KERNEL32(00000000), ref: 00534E72

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: AddressExitLibraryLoadProcWindows
String ID:
API String ID: 1366546845-0
Opcode ID: 638908c3f3fbf96b38ba8cea60bf0e85f53daa0aca532c3d4400b056c29ee567
Instruction ID: 2e3d0ed38f5997160739b8ac1c63ab4ab6ede2d0e053debe9484af595a967c8a
Opcode Fuzzy Hash: 638908c3f3fbf96b38ba8cea60bf0e85f53daa0aca532c3d4400b056c29ee567
Instruction Fuzzy Hash: 1B217360604B1257CA14FBB0A85EAAF2F9DBFE2301F010D29B9015B1D2EE358D089666

Function 005598AC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005599A4
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005599AE
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 005599BB

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a96dcb5e0dd4435d814dbb6467f32bf6e970efca3f7e73ec8c3cd776e068d7d8
Instruction ID: 8a339edbbabbeb6a0367dfd91c4c9bbef19ce1f435ef245f1ce1a9ed2c048f08
Opcode Fuzzy Hash: a96dcb5e0dd4435d814dbb6467f32bf6e970efca3f7e73ec8c3cd776e068d7d8
Instruction Fuzzy Hash: A331F27590122DABCB21DF25D8887DCBBB8BF58311F1041EAE80CA7261E7349F898F44

Function 005607B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0056078B,00000003,0058B4F8,0000000C,005608E2,00000003,00000002,00000000,?,00563648,00000003), ref: 005607D6
TerminateProcess.KERNEL32(00000000,?,0056078B,00000003,0058B4F8,0000000C,005608E2,00000003,00000002,00000000,?,00563648,00000003), ref: 005607DD
ExitProcess.KERNEL32 ref: 005607EF

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7744cfaff5cc84d94bcfce49dc1f3c3ecc794e0aabb5ef2c06bdc5ce5214308d
Instruction ID: 259512c68444e10ab8454ba0f395955ccc286843a38330e26d7cd59cc01d82d9
Opcode Fuzzy Hash: 7744cfaff5cc84d94bcfce49dc1f3c3ecc794e0aabb5ef2c06bdc5ce5214308d
Instruction Fuzzy Hash: DBE0B635001909AFCF556F64ED4DA493F69FB94341B004024F9098B172CB39ED86EA80

Function 0052A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0052A65D
GetClipboardData.USER32(0000000D), ref: 0052A669
CloseClipboard.USER32 ref: 0052A671

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: a4abe161e975d38b9d5619a389b1574ade6475a12c6943379732106b2f7fccc0
Instruction ID: f7aaa3fcc847bba0dbb9811fd1f7b8b1b935aa871449bc58b35bdcb714e0aef5
Opcode Fuzzy Hash: a4abe161e975d38b9d5619a389b1574ade6475a12c6943379732106b2f7fccc0
Instruction Fuzzy Hash: 7BE0C230A443309BD3206BB0FC4CB9A7F54BF61B11F084918B40D9B1D0DB30A888EEA2

Function 005529DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005529F3

Strings

, xrefs: 00552B5A

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: d0a1e331fa9687083abc123fe56778496c51351a59955e0ed0471e768c258a12
Instruction ID: 1370d368bb218fdefab0e38df9b12a1ebd0ba9d2942f80dfe65f911aea2b1c47
Opcode Fuzzy Hash: d0a1e331fa9687083abc123fe56778496c51351a59955e0ed0471e768c258a12
Instruction Fuzzy Hash: 3E518C71D012099BDB28CF69D89679EBBF4FB49311F24886BDC14EB250D3B49908DF90

Function 0056BA59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0056BBEC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c5fdbc4c299a7b932e60a689b5bfb8e7d93b748a58158c7f889ed95140e361d6
Instruction ID: 7a3a00535aba5ec44e8ebfc431e8fa7cef87ac8f1b0402f42ff39b5746e363c3
Opcode Fuzzy Hash: c5fdbc4c299a7b932e60a689b5bfb8e7d93b748a58158c7f889ed95140e361d6
Instruction Fuzzy Hash: EB31E771900209AFEB248E78CC89EEA7FBDEB85314F140199F959D7251EB319E85CB50

Function 0053A76C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0053A861

Part of subcall function 0053215F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,005830C0), ref: 0053216E
Part of subcall function 0053215F: RegSetValueExA.KERNELBASE(005830C0,005898D0,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0053A83B,005898D0,005830C0), ref: 00532196
Part of subcall function 0053215F: RegCloseKey.KERNELBASE(005830C0,?,?,0053A83B,005898D0,005830C0), ref: 005321A1

Strings

Control Panel\Desktop, xrefs: 0053A7A7, 0053A7DA, 0053A82A

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: 8f1b35eb3310ed8e4b4f7379cdd6bfd0eb5bf0e4d5f3f1a2a052336d5866c4cb
Instruction ID: ed9176d726c8dd57bf1d84b8983bd45c3d87821c2b2a90d47206cd3a825a3397
Opcode Fuzzy Hash: 8f1b35eb3310ed8e4b4f7379cdd6bfd0eb5bf0e4d5f3f1a2a052336d5866c4cb
Instruction Fuzzy Hash: 75116D22F8021177EA1835394D6FB7E2D16B783B90F540568FA023F6DAD8C24A5293D7

Function 00526071 Relevance: 3.1, APIs: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0058309C,00583088,?,?,00526039,?), ref: 00526090
GetProcAddress.KERNEL32(00000000), ref: 00526097

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: c602bd6640440c88fcd80af0741165401ef7cdd53835476b5c1da6efc2b477e4
Instruction ID: 89bd0c6d55d1f5a24d82138497be9b845aeee1e4b661eda2da4db5c16e24d8f2
Opcode Fuzzy Hash: c602bd6640440c88fcd80af0741165401ef7cdd53835476b5c1da6efc2b477e4
Instruction Fuzzy Hash: 3201D839A04215ABCB18CFB9EC589AFBFB8FF59310B00426EED59D3281D631D904D790

Function 0056F4F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

Part of subcall function 00565725: _free.LIBCMT ref: 00565784
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 00565791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0056F547

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 58fd5c3700beacc31b14270a5fa7a35f0950cfe4707225e5366e2ecaac07f037
Instruction ID: b32cc3a2a69f4a3b2b864511a260c68cd6c2da8457a449c3ae552d9740b87d15
Opcode Fuzzy Hash: 58fd5c3700beacc31b14270a5fa7a35f0950cfe4707225e5366e2ecaac07f037
Instruction Fuzzy Hash: D621B072900207ABDB24AF29EC4AEBA7BE8FB55310F10017AFD06CB141EB75AD55DB50

Function 0056F17B Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

EnumSystemLocalesW.KERNEL32(0056F2A3,00000001,00000000,?,00561F7E,?,0056F8D0,00000000,?,?,?), ref: 0056F1ED

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 5f9cc5b9971d1cdda3d32fdd3174f361a6eff2edf02fd43d0e192bcc45bfbb7a
Instruction ID: eb319f6fa2657d652ca91443c08ccf06b8fc64364592bb801c63f16660cafaf4
Opcode Fuzzy Hash: 5f9cc5b9971d1cdda3d32fdd3174f361a6eff2edf02fd43d0e192bcc45bfbb7a
Instruction Fuzzy Hash: B0110C3B6007019FDB189F39E8A557ABF91FF80358B14443CE94647A40E7717942CB40

Function 0056F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0056F4C1,00000000,00000000,?), ref: 0056F74F

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e1ac35e03c7e5cdb7fbac7c2e2438e2d0eee611bac97cd81214ad3f4ce2d73fd
Instruction ID: 60271bf6be6086e842449999fd04021e1842fcc7c1586970c0151c6f50e31912
Opcode Fuzzy Hash: e1ac35e03c7e5cdb7fbac7c2e2438e2d0eee611bac97cd81214ad3f4ce2d73fd
Instruction Fuzzy Hash: 4AF0C836E00116BBDB285B64FC49BBA7F68FB40754F154479EC19A3180EA74BD51CBD0

Function 0056F4E9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

Part of subcall function 00565725: _free.LIBCMT ref: 00565784
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 00565791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0056F547

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 45a410861ffeb62d0e23b18d5ca0fd2cdf836baf61bbfb6aaf8bd34f30ea00fe
Instruction ID: cbeec8fef337af4c1b9b160b9b8892dcfbf9e2a0fbf65d876c9d9da013d11272
Opcode Fuzzy Hash: 45a410861ffeb62d0e23b18d5ca0fd2cdf836baf61bbfb6aaf8bd34f30ea00fe
Instruction Fuzzy Hash: 0F012632A41106EBCB14AF34EC899FA77A8EF55310F0040BEF902DB242EA755D059790

Function 0056F216 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

EnumSystemLocalesW.KERNEL32(0056F4F3,00000001,?,?,00561F7E,?,0056F894,00561F7E,?,?,?,?,?,00561F7E,?,?), ref: 0056F262

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: b0efd64e9ae075f048924e427ed30da9638f973ef16dd85033d2b3081f6d6df2
Instruction ID: 5f24eeb9f78a21ff53cbb8d69802bbe751dcc94fae6618ff324404fab3d13ee8
Opcode Fuzzy Hash: b0efd64e9ae075f048924e427ed30da9638f973ef16dd85033d2b3081f6d6df2
Instruction Fuzzy Hash: CAF0223A6003055FDB245F39AC95A7A7F95FF803A8B04403CF9458B690D6B19C428B10

Function 00565E1C Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,005619DC,?,00000004), ref: 00565E6F

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3d066ba161944ce36e806157dbe60e6c7cf070d3f48670fd756da82f22ef16cb
Instruction ID: 504860dd4b244dbd7cd7da120dca45ed305bfc32fee131e95dc4b7a75c107071
Opcode Fuzzy Hash: 3d066ba161944ce36e806157dbe60e6c7cf070d3f48670fd756da82f22ef16cb
Instruction Fuzzy Hash: F4F0F031A40608BBCF016F60EC0AE6E7F65FB54710F008059FC096B261DA728E14FB94

Function 00565914 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00562D9A: RtlEnterCriticalSection.NTDLL(?), ref: 00562DA9

EnumSystemLocalesW.KERNEL32(005658CE,00000001,0058B680,0000000C), ref: 0056594C

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 54163d30674d529d661c4ff146e821c57950f3ef4991d91a91cb189d8203e0c2
Instruction ID: 8d9739a4a4f62424eb1e5feeac6ca595138cd1a6794bdd687dfccf0a77051c70
Opcode Fuzzy Hash: 54163d30674d529d661c4ff146e821c57950f3ef4991d91a91cb189d8203e0c2
Instruction Fuzzy Hash: 7EF04F32A50701EFEB00EF68D84AB5D7BF0FB58321F105516F800EB2A1D7754948DB45

Function 0056F130 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

EnumSystemLocalesW.KERNEL32(0056F087,00000001,?,?,?,0056F8F2,00561F7E,?,?,?,?,?,00561F7E,?,?,?), ref: 0056F167

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 74f5620b0f956c4f20c1e7b103e5ad7003a561508a55f82ec48070ebd94b209a
Instruction ID: 28bf79524de404e52867645f0da1bd8afad792c35a95ac7921cb365b0e8e2612
Opcode Fuzzy Hash: 74f5620b0f956c4f20c1e7b103e5ad7003a561508a55f82ec48070ebd94b209a
Instruction Fuzzy Hash: E8F0A33970020597CB049F35FC49A7A7F60FFC27A4F060068EA098B551C7319842C750

Function 005528FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004908,0055262F), ref: 00552901

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3db2601b9998ef7e09e215c4cb9370b89af8cf2e35cecfa7f85994f583d621c7
Instruction ID: cc8d7ad38e700c68628f6a26a43b6d8a9116e42a76b891712aef0e0c6d154b6f
Opcode Fuzzy Hash: 3db2601b9998ef7e09e215c4cb9370b89af8cf2e35cecfa7f85994f583d621c7
Instruction Fuzzy Hash:

Function 0056CD2D Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0056CD2D

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: e3c09be584846725dcca25e43a163f239f69cf63179939bb427122a7eb2d0670
Instruction ID: 3650dc4d7b7a1887ddd54de9f38478a862a56e47071bb5cce715147a8e5b2d0d
Opcode Fuzzy Hash: e3c09be584846725dcca25e43a163f239f69cf63179939bb427122a7eb2d0670
Instruction Fuzzy Hash: C0A011302002008B83208F32AA082083AA8AA282A0300802AA80EC0020EA30C088BF02

Function 00530EDA Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,p#h,00591FFC,00000000), ref: 00530EF9
ExitProcess.KERNEL32(00000000), ref: 00530F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00530F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00530F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00530F99
CloseHandle.KERNEL32(00000000), ref: 00530FA0
GetCurrentProcessId.KERNEL32 ref: 00530FA6
PathFileExistsW.SHLWAPI(?), ref: 00530FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0053103A
GetTempFileNameW.KERNEL32(?,005892B4,00000000,?), ref: 00531054
lstrcatW.KERNEL32(?,005892C0), ref: 00531066

Part of subcall function 0053A17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,00000000,0053A29A,00000000,00000000,00000000), ref: 0053A1BA

Sleep.KERNEL32(000001F4), ref: 005310E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 005310FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00531107
CloseHandle.KERNEL32(00000000), ref: 0053110E
GetCurrentProcessId.KERNEL32 ref: 00531114

Strings

WDH, xrefs: 00530FAD, 0053111B
H"Y, xrefs: 00530F0B
(#Y, xrefs: 00530EE8
p#h, xrefs: 00530EED, 00530F2B, 005310A8, 00531120

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
String ID: (#Y$H"Y$WDH$p#h
API String ID: 1507772987-2886042588
Opcode ID: fa706a641f03bcea16cfa569aac5593e21781095881959911558ba3b1bb845af
Instruction ID: acc8e428a434ed128b1c50305dedf7e5d0356810764420f863530c10e7d5d9af
Opcode Fuzzy Hash: fa706a641f03bcea16cfa569aac5593e21781095881959911558ba3b1bb845af
Instruction Fuzzy Hash: 3951B175A00A16ABDF10A7A0AC5DEBF3B6CBF55710F000164F906A31D1EF744E899B65

Function 00536E7E Relevance: 28.8, APIs: 19, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00589594,00000000,00000000,00000000), ref: 00536E98
CreateCompatibleDC.GDI32(00000000), ref: 00536EA5

Part of subcall function 005372DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0053730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00536F1B
DeleteObject.GDI32(00000000), ref: 00536F38
SelectObject.GDI32(00000000,00000000), ref: 00536F59
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00536F91
GetCursorInfo.USER32(?), ref: 00536FAF
GetIconInfo.USER32(?,?), ref: 00536FC5
DeleteObject.GDI32(?), ref: 00536FF4
DeleteObject.GDI32(?), ref: 00537001
DrawIcon.USER32(00000000,?,?,?), ref: 0053700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00537026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00537095
GlobalAlloc.KERNEL32(00000000,?), ref: 00537104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00537128
DeleteObject.GDI32(00000000), ref: 00537142
GlobalFree.KERNEL32(?), ref: 0053714D
DeleteObject.GDI32(00000000), ref: 00537201
GlobalFree.KERNEL32(?), ref: 00537208

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID:
API String ID: 2309981249-0
Opcode ID: e037756ff558b9577c71873478efe4a0f792ef8eb7dc2cdf8af17c55e9a2f2de
Instruction ID: 0361e7f09eca82fe1acf1f1451366ce4212d60746b1d804987b786eec81d03dd
Opcode Fuzzy Hash: e037756ff558b9577c71873478efe4a0f792ef8eb7dc2cdf8af17c55e9a2f2de
Instruction Fuzzy Hash: A4B15675508715AFD724DF24E848B6BBBE9FF98700F00481DF98993290DA30EA49DB62

Function 0053642D Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 289threadinjectionprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00536555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0053656D
GetThreadContext.KERNEL32(?,00000000), ref: 00536583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 005365A9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0053662B
TerminateProcess.KERNEL32(?,00000000), ref: 0053663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0053667F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00536749
SetThreadContext.KERNEL32(?,00000000), ref: 00536766
ResumeThread.KERNEL32(?), ref: 00536773
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0053678A
GetCurrentProcess.KERNEL32(?), ref: 00536795
TerminateProcess.KERNEL32(?,00000000), ref: 005367B0
GetLastError.KERNEL32 ref: 005367B8

Strings

`Wu, xrefs: 0053643E, 00536649

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: `Wu
API String ID: 3275803005-3261129705
Opcode ID: 11819a96316787dab1f4ebf72d0f517737dfd5c72c5e46d244ecc1deb883631d
Instruction ID: a1ba9782af4ab67ddd2e74c2e4bec8ae7a4ea727ece82649b5f443e21e50faba
Opcode Fuzzy Hash: 11819a96316787dab1f4ebf72d0f517737dfd5c72c5e46d244ecc1deb883631d
Instruction Fuzzy Hash: 0AA179B0604301AFDB109F60DC89B6ABBE8FF58749F44482DFA45D62A1D770E848DB55

Function 0056C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0056C69F
_free.LIBCMT ref: 0056C6C5
_free.LIBCMT ref: 0056C6EE
_free.LIBCMT ref: 0056C726
_free.LIBCMT ref: 0056C757
_free.LIBCMT ref: 0056C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0056C819
_free.LIBCMT ref: 0056C832
_wcschr.LIBVCRUNTIME ref: 0056C86F
_free.LIBCMT ref: 0056C8DB
_free.LIBCMT ref: 0056C901
_free.LIBCMT ref: 0056C92A
_free.LIBCMT ref: 0056C95F
_free.LIBCMT ref: 0056C990
_free.LIBCMT ref: 0056C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0056CA56
_free.LIBCMT ref: 0056CA6F

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: ffe6ef8044e350eb6d9e6621d3fb4ed1309a33f92ee2f6650190f6c2b455c190
Instruction ID: 70b6e7df5c1f4891ddaefc21d652b02b417675b4698df8d87f255d3bed265096
Opcode Fuzzy Hash: ffe6ef8044e350eb6d9e6621d3fb4ed1309a33f92ee2f6650190f6c2b455c190
Instruction Fuzzy Hash: 17D113719003066FDB21AF78C899A7A7FA4BF55320F15416EFDC5AB292FB319D048B90

Function 0056E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0056E4EA

Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D6FF
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D711
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D723
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D735
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D747
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D759
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D76B
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D77D
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D78F
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D7A1
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D7B3
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D7C5
Part of subcall function 0056D6E2: _free.LIBCMT ref: 0056D7D7

_free.LIBCMT ref: 0056E4DF

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

_free.LIBCMT ref: 0056E501
_free.LIBCMT ref: 0056E516
_free.LIBCMT ref: 0056E521
_free.LIBCMT ref: 0056E543
_free.LIBCMT ref: 0056E556
_free.LIBCMT ref: 0056E564
_free.LIBCMT ref: 0056E56F
_free.LIBCMT ref: 0056E5A7
_free.LIBCMT ref: 0056E5AE
_free.LIBCMT ref: 0056E5CB
_free.LIBCMT ref: 0056E5E3

Strings

xX, xrefs: 0056E4BC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: xX
API String ID: 161543041-2068168035
Opcode ID: 38b657ad54f69917ebab4b266f80b7a47fa8cbb624bd6e28954e7dc7a17477e8
Instruction ID: 12d84a475739658b553b83a6b071b05a6b7c83210176d4fc09c01d6b68a5e100
Opcode Fuzzy Hash: 38b657ad54f69917ebab4b266f80b7a47fa8cbb624bd6e28954e7dc7a17477e8
Instruction Fuzzy Hash: DA314D756013069FEB20AA78D94AB5A7BE9FF50314F558429F48AE7191FE30ED40CB20

Function 00563268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005632D8
_free.LIBCMT ref: 005632EE
_free.LIBCMT ref: 005632FF
_free.LIBCMT ref: 00563310
_free.LIBCMT ref: 00563327
GetCPInfo.KERNEL32(?,?), ref: 0056336F

Part of subcall function 00570054: _free.LIBCMT ref: 005700BF

_free.LIBCMT ref: 0056351B
_free.LIBCMT ref: 0056352E
_free.LIBCMT ref: 0056353C
_free.LIBCMT ref: 00563547
_free.LIBCMT ref: 00563589
_free.LIBCMT ref: 00563591
_free.LIBCMT ref: 00563599
_free.LIBCMT ref: 005635A1
_free.LIBCMT ref: 005635AF

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 3b6f9cebac123cb1ae0c41adb053f0066268be883a18082a550e222a7f02e6ea
Instruction ID: 75079cc68dabd734aa962055de0b2139b7ab59969120a2f5a20e07a2a641b9a6
Opcode Fuzzy Hash: 3b6f9cebac123cb1ae0c41adb053f0066268be883a18082a550e222a7f02e6ea
Instruction Fuzzy Hash: D1B19F719003069FDB219F68C889BEEBFF4BF48300F14446DF599A7292EB759E458B60

Function 00530B5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00530B6B

Part of subcall function 00532268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0X), ref: 00532276
Part of subcall function 00532268: RegSetValueExA.ADVAPI32(P0X,000000AF,00000000,00000004,00000001,00000004,?,?,?,0052B093,005838E0,00000001,000000AF,00583050), ref: 00532291
Part of subcall function 00532268: RegCloseKey.ADVAPI32(?,?,?,?,0052B093,005838E0,00000001,000000AF,00583050), ref: 0053229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00530BAB
CloseHandle.KERNEL32(00000000), ref: 00530BBA
CreateThread.KERNEL32(00000000,00000000,00531253,00000000,00000000,00000000), ref: 00530C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00530E7F

Strings

(#Y, xrefs: 00530B98
T/X, xrefs: 00530BD2
WDH, xrefs: 00530C1A, 00530C20, 00530E85
!Y, xrefs: 00530C47
p#h, xrefs: 00530B72

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#Y$T/X$WDH$p#h$!Y
API String ID: 3018269243-3610923788
Opcode ID: 3566fb6555fc7efa7a0c5c45231f791441696fce5ccab1db8d9eaee12b5b0837
Instruction ID: accf32d43805c242ddfda5403fd7d2a05824c9c987e0868a899b1354295abf98
Opcode Fuzzy Hash: 3566fb6555fc7efa7a0c5c45231f791441696fce5ccab1db8d9eaee12b5b0837
Instruction Fuzzy Hash: 2E71A43560471267C604FB70EC6FCAF7FA8BEE2310F40092DF846521D2EE609A09C79A

Function 0052B871 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 296COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00591FFC), ref: 0052B89B
ShellExecuteW.SHELL32(00000000,005830AC,00000000,00589654,00589654,00000000), ref: 0052BC2A
ExitProcess.KERNEL32 ref: 0052BC36

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 0052B916, 0052B91B, 0052B94B, 0052B9DA, 0052B9DF, 0052B9E6, 0052BAAA
!Y, xrefs: 0052B8F8
Remcos, xrefs: 0052B927, 0052B9F5
$.X, xrefs: 0052BA9D
05Wu`Wu, xrefs: 0052BA1B
!Y, xrefs: 0052B8C6
t<X, xrefs: 0052BA91
6, xrefs: 0052B95C

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CreateDirectoryExecuteExitProcessShell
String ID: $.X$05Wu`Wu$6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$Remcos$t<X$!Y$!Y
API String ID: 3833028991-920945353
Opcode ID: a45af78f90c3f32d3935a741d8d20670692fa008594a888820fa19f537dbc3f4
Instruction ID: d0dba8d5aa99b8685a81c34b9959477ee9f2e4360be7a43e7ee754dbf968d1ff
Opcode Fuzzy Hash: a45af78f90c3f32d3935a741d8d20670692fa008594a888820fa19f537dbc3f4
Instruction Fuzzy Hash: 929180316086626AD318FB64FC5AEAF7FECBFE2710F10041DF946921D2DE209949C65A

Function 0052BC59 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005312B5: TerminateProcess.KERNEL32(00000000,005921E8,0052E2B2), ref: 005312C5
Part of subcall function 005312B5: WaitForSingleObject.KERNEL32(000000FF), ref: 005312D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,005921E8), ref: 0052BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0052BD76

Part of subcall function 0052A7F2: TerminateThread.KERNEL32(00529305,00000000,005921E8,0052BC76,?,p#h,pth_unenc,005921E8), ref: 0052A801
Part of subcall function 0052A7F2: UnhookWindowsHookEx.USER32(00592008), ref: 0052A811
Part of subcall function 0052A7F2: TerminateThread.KERNEL32(005292EF,00000000,?,p#h,pth_unenc,005921E8), ref: 0052A823

Part of subcall function 00539959: GetCurrentProcessId.KERNEL32(00000000,05Wu`Wu,00000000,?,?,?,?,00589654,0052BDCB,00583D60), ref: 00539980

ShellExecuteW.SHELL32(00000000,005830AC,00000000,00589654,00589654,00000000), ref: 0052BFD0
ExitProcess.KERNEL32 ref: 0052BFD7

Strings

0;X, xrefs: 0052BCF6
l=X, xrefs: 0052BE52
H"Y, xrefs: 0052BD1C
Remcos, xrefs: 0052BCA0
pth_unenc, xrefs: 0052BC60
05Wu`Wu, xrefs: 0052BD8F
p#h, xrefs: 0052BC61, 0052BD39

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ProcessTerminate$Thread$CurrentDeleteExecuteExitFileHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: 05Wu`Wu$0;X$H"Y$Remcos$l=X$p#h$pth_unenc
API String ID: 97251228-3206541893
Opcode ID: b7f967d78590729acccde02186ec887111359972c38b7773f041580e1a9fcad9
Instruction ID: 95e84a8294cf46258b86c15a3cc81d561aadfa4a17ded6f6484c99161d266e85
Opcode Fuzzy Hash: b7f967d78590729acccde02186ec887111359972c38b7773f041580e1a9fcad9
Instruction Fuzzy Hash: AD81A3716042625BD718FB60FC5A9AF7FA8BFE6700F10442DF846931D2EE609E09C796

Function 0052DE34 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00592248,00591FFC,?,00000001), ref: 0052DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0052DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0052DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0052DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0052DF23

Part of subcall function 00539F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00539F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0052E047
CloseHandle.KERNEL32(00000000,00584098,?,00000001), ref: 0052E133

Strings

Inj, xrefs: 0052E14F
Rmc-AJ9FFW, xrefs: 0052E02D
!Y, xrefs: 0052E061
p#h, xrefs: 0052E154

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: Inj$Rmc-AJ9FFW$p#h$!Y
API String ID: 193334293-4244590614
Opcode ID: 7b09f4c712459d2c605de000d38bbc23555b6984a9f4cd61c9a3b8d420a627e5
Instruction ID: a46a7dc92660105b4ddf32e9c4cc7ca07f36629fe16e6acffb28c55afc7f48ed
Opcode Fuzzy Hash: 7b09f4c712459d2c605de000d38bbc23555b6984a9f4cd61c9a3b8d420a627e5
Instruction Fuzzy Hash: C48120315087529BC714EB60E8599AFBFE8BFE6300F40092DB986531D2EF70994DCB5A

Function 0052BFDE Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 281registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005312B5: TerminateProcess.KERNEL32(00000000,005921E8,0052E2B2), ref: 005312C5
Part of subcall function 005312B5: WaitForSingleObject.KERNEL32(000000FF), ref: 005312D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0052C0D6
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0052C0E9

Part of subcall function 0052A7F2: TerminateThread.KERNEL32(00529305,00000000,005921E8,0052BC76,?,p#h,pth_unenc,005921E8), ref: 0052A801
Part of subcall function 0052A7F2: UnhookWindowsHookEx.USER32(00592008), ref: 0052A811
Part of subcall function 0052A7F2: TerminateThread.KERNEL32(005292EF,00000000,?,p#h,pth_unenc,005921E8), ref: 0052A823

Part of subcall function 0053A17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,00000000,0053A29A,00000000,00000000,00000000), ref: 0053A1BA

ShellExecuteW.SHELL32(00000000,005830AC,00000000,00589654,00589654,00000000), ref: 0052C37D
ExitProcess.KERNEL32 ref: 0052C389

Strings

l=X, xrefs: 0052C172
Remcos, xrefs: 0052C025
H"Y, xrefs: 0052C088
05Wu`Wu, xrefs: 0052C0EF
0;X, xrefs: 0052C07B
p#h, xrefs: 0052C0AB

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Terminate$FileProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: 05Wu`Wu$0;X$H"Y$Remcos$l=X$p#h
API String ID: 1454597144-2272463472
Opcode ID: a1fe1778a5cd4dcf81bb1cf3cd31399905595f823c58eecb2df206f3327b4ff6
Instruction ID: 9238a4eb3f0a7ad9811ded1a794b15cad94ff14ad77b3ddd304bb6b9ef1e38bf
Opcode Fuzzy Hash: a1fe1778a5cd4dcf81bb1cf3cd31399905595f823c58eecb2df206f3327b4ff6
Instruction Fuzzy Hash: 1D9193316046615AC718FB60FC5A9AF7FE9BFE6710F00042DF846931E2EE209E49C75A

Function 00572DBB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00572A89: CreateFileW.KERNEL32(?,00000008,00000007,d.W,?,?,00000000,?,00572E64,00000000,0000000C), ref: 00572AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00572ECF
__dosmaperr.LIBCMT ref: 00572ED6
GetFileType.KERNEL32(00000000), ref: 00572EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00572EEC
__dosmaperr.LIBCMT ref: 00572EF5
CloseHandle.KERNEL32(00000000), ref: 00572F15
CloseHandle.KERNEL32(00000000), ref: 0057305F
GetLastError.KERNEL32 ref: 00573091
__dosmaperr.LIBCMT ref: 00573098

Strings

H, xrefs: 0057301D

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 51a755e5568ef051ae585428b4896dd1424e879df7414b8f3f7d656ab2c75336
Instruction ID: fa0ccfd3487fb68d8914d393caebcffeec185a3d3f60d10fe6aeee230c9614a2
Opcode Fuzzy Hash: 51a755e5568ef051ae585428b4896dd1424e879df7414b8f3f7d656ab2c75336
Instruction Fuzzy Hash: 4EA13532A101059FDF19EF68E856BAD7FB0BB4A320F144259EC19EB291DB318D06EB51

Function 005585DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?), ref: 00558632
GetLastError.KERNEL32 ref: 0055863F
__dosmaperr.LIBCMT ref: 00558646
MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 00558672
GetLastError.KERNEL32 ref: 0055867C
__dosmaperr.LIBCMT ref: 00558683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 005586C6
GetLastError.KERNEL32 ref: 005586D0
__dosmaperr.LIBCMT ref: 005586D7
_free.LIBCMT ref: 005586E3
_free.LIBCMT ref: 005586EA

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 81c9c94a948b45858d011371842ec2d866ab2a83eca9518b065b3db79ce85572
Instruction ID: 2d2cef8f2b5232ec62a37190a0c36476622c5c9df81ce17290fddc71773ca920
Opcode Fuzzy Hash: 81c9c94a948b45858d011371842ec2d866ab2a83eca9518b065b3db79ce85572
Instruction Fuzzy Hash: 3C31A07640020ABFDF116FA4DC598BF3F69BF55362B10421AFC1466161EE31CD589B61

Function 0056DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0056DC74
_free.LIBCMT ref: 0056DC82
_free.LIBCMT ref: 0056DDB0
_free.LIBCMT ref: 0056DDBB

Strings

pX, xrefs: 0056DC30, 0056DDF5
tX, xrefs: 0056DE0C

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free
String ID: pX$tX
API String ID: 269201875-2113027670
Opcode ID: 79b763e1a260ae6414ec6e84b9485e7bf4520b47177ec484bbfbee646af0cd0a
Instruction ID: 873672db76fbd3d8ca9ed0f8fbafa723439b457c53bab9954163022e8fd14fd8
Opcode Fuzzy Hash: 79b763e1a260ae6414ec6e84b9485e7bf4520b47177ec484bbfbee646af0cd0a
Instruction Fuzzy Hash: 12618171E00209AFDB20DF69C846BAABFF4FF45710F15496AE944EB281E7709D41DBA0

Function 0052971E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00529738

Part of subcall function 0052966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00529745), ref: 005296A3
Part of subcall function 0052966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00529745), ref: 005296B2
Part of subcall function 0052966D: Sleep.KERNEL32(00002710,?,?,?,00529745), ref: 005296DF
Part of subcall function 0052966D: CloseHandle.KERNEL32(00000000,?,?,?,00529745), ref: 005296E6

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00529774
GetFileAttributesW.KERNEL32(00000000), ref: 00529785
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0052979C
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00529816

Part of subcall function 0053A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,00535A44), ref: 0053A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00589654,?,00000000,00000000,00000000,00000000,00000000), ref: 0052991F

Strings

H"Y, xrefs: 005297FA
05Wu`Wu, xrefs: 0052979C, 0052991F
H"Y, xrefs: 005297EF

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 05Wu`Wu$H"Y$H"Y
API String ID: 3795512280-3187443029
Opcode ID: eacd79ab86256b180369ff173a11e93d97720b6375fcf8395055a83898d5db80
Instruction ID: 69df886fd8870a9962a441a873e419e6a220af6d1f366bdb6c18017427609e8f
Opcode Fuzzy Hash: eacd79ab86256b180369ff173a11e93d97720b6375fcf8395055a83898d5db80
Instruction Fuzzy Hash: 74518F312046221BCB14FB70EC6AABF7F99BFE6300F04092DB556972D2DF219949C656

Function 00525480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0052549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0052554F
TranslateMessage.USER32(?), ref: 0052555E
DispatchMessageA.USER32(?), ref: 00525569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00591F10), ref: 00525621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00525659

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Strings

40X, xrefs: 005255D8
@0X, xrefs: 005255E9
$0X, xrefs: 005255CC

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: $0X$40X$@0X
API String ID: 2956720200-881727545
Opcode ID: c3e67868c8a34be70cb00cab0818fc527ceb8e9b1bf3fcee85e9075a19ce60d6
Instruction ID: b62847e08ea8a4db07dde37256ca760a895eee431774b339f2a39f772314f03c
Opcode Fuzzy Hash: c3e67868c8a34be70cb00cab0818fc527ceb8e9b1bf3fcee85e9075a19ce60d6
Instruction Fuzzy Hash: C5418F35A046129BCA14FB74AC5E86E7FA9BFD6710F40092CB916971D1EF309A09CB51

Function 0053601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00583050), ref: 0053611A
CloseHandle.KERNEL32(00000000), ref: 00536123
DeleteFileA.KERNEL32(00000000), ref: 00536132
ShellExecuteEx.SHELL32(0000003C), ref: 005360E6

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Strings

@%Y, xrefs: 005360F3
@, xrefs: 005360C8
<, xrefs: 005360C1
P0X, xrefs: 005360EE
@%Y, xrefs: 0053615F

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@%Y$@%Y$P0X
API String ID: 1107811701-795964013
Opcode ID: 1ea6b89b03d4d0bd19a48932057a961f516e795b5f885085648257038c7cb417
Instruction ID: 6aaadd4e42716881433899550fd93e6b38f9d1bbd89e03e6f005e36de2be8976
Opcode Fuzzy Hash: 1ea6b89b03d4d0bd19a48932057a961f516e795b5f885085648257038c7cb417
Instruction Fuzzy Hash: 6341713190011AABDB14FB60ED5AAFEBF39BFA1300F504168F405660D2EF741B89CB90

Function 00565631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00565645

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

_free.LIBCMT ref: 00565651
_free.LIBCMT ref: 0056565C
_free.LIBCMT ref: 00565667
_free.LIBCMT ref: 00565672
_free.LIBCMT ref: 0056567D
_free.LIBCMT ref: 00565688
_free.LIBCMT ref: 00565693
_free.LIBCMT ref: 0056569E
_free.LIBCMT ref: 005656AC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43379cda8ef627b5b287d74109705552d6973ddc7a98afad4005e8638c611106
Instruction ID: 45f44e579277dcae32e13847450c2670fd295db4f3aa74ad3d8bd909f7201092
Opcode Fuzzy Hash: 43379cda8ef627b5b287d74109705552d6973ddc7a98afad4005e8638c611106
Instruction Fuzzy Hash: 7F11A47610010DAFDB01EF94C85ACDD3FA5FF84350B4285A5BA889B262FA32DF509B80

Function 0052567A Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 278sleepfileprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00593AD0,00593BA4), ref: 0052581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00525877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0052589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 005258C9

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

WriteFile.KERNEL32(00000000,00000000,?,00000000,00591F28,0058306C,00000062,00583050), ref: 005259C4
Sleep.KERNEL32(00000064,00000062,00583050), ref: 005259DE
TerminateProcess.KERNEL32(00000000), ref: 005259F7

Strings

T0X, xrefs: 0052572D

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: FileProcessSleep$CreateNamedPeekPipeReadTerminateWritesend
String ID: T0X
API String ID: 729113801-771928139
Opcode ID: f9706628181fe01aa192111568fb610f829d1c9ab4fc32fb5cf6c83b3f5c04ef
Instruction ID: b71e371028a6912d4824d157ff14493bc1d25609b33ba0f8741354c40b498a8b
Opcode Fuzzy Hash: f9706628181fe01aa192111568fb610f829d1c9ab4fc32fb5cf6c83b3f5c04ef
Instruction Fuzzy Hash: C491D871600615EFCB04BB24FC5A92E7FAAFF96750F00042EF945961E2EB709E48DB61

Function 00538FFD Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 005390F2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00583050), ref: 0053912E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 00539144
SetEvent.KERNEL32 ref: 005391CF
WaitForSingleObject.KERNEL32(000001F4), ref: 005391E0
CloseHandle.KERNEL32 ref: 005391F0

Strings

P0X, xrefs: 0053910B
open ", xrefs: 00539086

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
String ID: P0X$open "
API String ID: 1811012380-3350921741
Opcode ID: f43a60f87c06fa3160cdb7dbe181a45285363dbfd2a3095ef0005085cee81647
Instruction ID: 6f807a563d266da195801a71ea34328a0c0cb0c61b8da5b0a87e77f87b1820c5
Opcode Fuzzy Hash: f43a60f87c06fa3160cdb7dbe181a45285363dbfd2a3095ef0005085cee81647
Instruction Fuzzy Hash: D351B3B56046166FD614FB70AC9ADBF3F9DBFE2354F10041EB406921D2EE604D08DA6A

Function 00533606 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 005336B6, 005336BE, 005336C2
65535, xrefs: 00533609

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 393fc1c764897eabdcd89d921cfb65a4f165077d3a21dfdb241fe557223e9fc8
Instruction ID: 2e08e0dcdf3a292c1c89b18c77e97f7709c645c08c2ea333453457b1d78adbc5
Opcode Fuzzy Hash: 393fc1c764897eabdcd89d921cfb65a4f165077d3a21dfdb241fe557223e9fc8
Instruction Fuzzy Hash: A751C3F5209302AFD7249A24D84AB3B7FD4FF84B40F180929F885962A0EB65DF449762

Function 0053601A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 102filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00583050), ref: 0053611A
CloseHandle.KERNEL32(00000000), ref: 00536123
DeleteFileA.KERNEL32(00000000), ref: 00536132
ShellExecuteEx.SHELL32(0000003C), ref: 005360E6

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Strings

@%Y, xrefs: 005360F3
@, xrefs: 005360C8
<, xrefs: 005360C1
P0X, xrefs: 005360EE

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@%Y$P0X
API String ID: 1107811701-1939607964
Opcode ID: b8384b64e3606eb50aeed339084788175cc7c7c8a91dd898758d5b1575635eee
Instruction ID: fe87f7e4a045e330f6cc0a41f3a7776d857f1f13deec2dd53a5fe9a09236c6fa
Opcode Fuzzy Hash: b8384b64e3606eb50aeed339084788175cc7c7c8a91dd898758d5b1575635eee
Instruction Fuzzy Hash: E631733190051AABDB14FB60ED5AAEEBF35BFA1300F504168F405660D2EF741A89CB90

Function 00569F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e3840e9b292fc6542dc79e41c31a335a354fa287c0e068aafa1e2de955419e
Instruction ID: c6d7cd5e072e824467caa23723fe2b985bb7916b8dbb2f4f0251a48e86b6c5a0
Opcode Fuzzy Hash: 45e3840e9b292fc6542dc79e41c31a335a354fa287c0e068aafa1e2de955419e
Instruction Fuzzy Hash: 26C11174E4424AAFDB12DFA8C854BADBFB0BF5A310F044199E805B7392C7358945CF62

Function 00531899 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 417fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 005318B2

Part of subcall function 00539959: GetCurrentProcessId.KERNEL32(00000000,05Wu`Wu,00000000,?,?,?,?,00589654,0052BDCB,00583D60), ref: 00539980

Part of subcall function 005368A6: CloseHandle.KERNEL32(005240D5,?,?,005240D5,00582E24), ref: 005368BC
Part of subcall function 005368A6: CloseHandle.KERNEL32($.X,?,?,005240D5,00582E24), ref: 005368C5

DeleteFileW.KERNEL32(00000000,00582E24,00582E24,00582E24), ref: 00531B9F
DeleteFileW.KERNEL32(00000000,00582E24,00582E24,00582E24), ref: 00531BCF
DeleteFileW.KERNEL32(00000000,00582E24,00582E24,00582E24), ref: 00531C05

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Strings

@#Y, xrefs: 00531D72
$.X, xrefs: 005319B6
@#Y, xrefs: 00531E45

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: $.X$@#Y$@#Y
API String ID: 1937857116-3137631707
Opcode ID: 0d6541c4da1a8a26555cdfead9d4081c235be419bd8825abd3cc74eb7c55852c
Instruction ID: 7f2963b9063303f6866b316650095153991e872359706a25b061480a7423b65b
Opcode Fuzzy Hash: 0d6541c4da1a8a26555cdfead9d4081c235be419bd8825abd3cc74eb7c55852c
Instruction Fuzzy Hash: CCF141315087525AC328FB74E95AAEFBFD9BFE5300F40092DF486421D2EF309A49C65A

Function 0056268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

_memcmp.LIBVCRUNTIME ref: 00562935
_free.LIBCMT ref: 005629A6
_free.LIBCMT ref: 005629BF
_free.LIBCMT ref: 005629F1
_free.LIBCMT ref: 005629FA
_free.LIBCMT ref: 00562A06

Strings

C, xrefs: 005627F3

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 9afc147a0a98bd35a8628f0ead04e5a262bfde8181a5c6799ea1bfa42317e64f
Instruction ID: 7e6af689f8a915b8e0839e18a5e66bceaddacd22c915870ad767a4fe835927e7
Opcode Fuzzy Hash: 9afc147a0a98bd35a8628f0ead04e5a262bfde8181a5c6799ea1bfa42317e64f
Instruction Fuzzy Hash: DCB12D7590161ADFDB24DF18C888AADBBB4FF48314F1485AAE949A7350E771AE90CF40

Function 00530763 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00530201: SetLastError.KERNEL32(0000000D,00530781,00000000,l=X,?,?,?,?,?,?,?,?,?,?,?,0053075F), ref: 00530207

SetLastError.KERNEL32(000000C1,00000000,l=X,?,?,?,?,?,?,?,?,?,?,?,0053075F), ref: 0053079C
GetNativeSystemInfo.KERNEL32(?,?,00000000,l=X,?,?,?,?,?,?,?,?,?,?,?,0053075F), ref: 0053080A
SetLastError.KERNEL32(0000000E), ref: 0053082E

Part of subcall function 00530708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0053084C,?,00000000,00003000,00000004,00000000), ref: 00530718

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00530875
RtlAllocateHeap.NTDLL(00000000), ref: 0053087C
SetLastError.KERNEL32(0000045A), ref: 0053098F

Part of subcall function 00530ADC: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00530B4C
Part of subcall function 00530ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0053075F), ref: 00530B53

Strings

l=X, xrefs: 00530767

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
String ID: l=X
API String ID: 2227336758-2983492142
Opcode ID: 18d9641cba259d4f569e073928a3858549131245273604bb6f6779595eed79b3
Instruction ID: f16baba0c4c6ced6077e0d801ea93ec50228d9ed2f945c8e7d72cdadf3efa724
Opcode Fuzzy Hash: 18d9641cba259d4f569e073928a3858549131245273604bb6f6779595eed79b3
Instruction Fuzzy Hash: 8B61E175200311ABDB50AF25CCA5B2A7FE5FF84310F146128F90A8B6C2DBB4E845DBD1

Function 0052FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0052FF79
inet_ntoa.WS2_32(?), ref: 00530014

Strings

GetDirectListeningPort, xrefs: 00530117
StopReverse, xrefs: 00530106
StopForward, xrefs: 005300F5
StartForward, xrefs: 005300D8
StartReverse, xrefs: 005300E4

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 1648146969e5a568cc28731963db8d088ccb5719fba54702bd0b0fc3dc6f6055
Instruction ID: c0f027abae9a7b75221f0487b77b15425ee230ee87ecf7398ea70ecf5788d90d
Opcode Fuzzy Hash: 1648146969e5a568cc28731963db8d088ccb5719fba54702bd0b0fc3dc6f6055
Instruction Fuzzy Hash: FE51A131A047129BC714FB34EC2EA6E7FA5BFE6300F501929F901972D2EF248949C796

Function 00534F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00534F41
EmptyClipboard.USER32 ref: 00534F4F
CloseClipboard.USER32 ref: 00534F55
OpenClipboard.USER32 ref: 00534F5C
GetClipboardData.USER32(0000000D), ref: 00534F6C
GlobalLock.KERNEL32(00000000), ref: 00534F75
GlobalUnlock.KERNEL32(00000000), ref: 00534F7E
CloseClipboard.USER32 ref: 00534F84

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: 7d830656a38ca23c09da6c6e7445e0ed2af336a561070ed078ead3aef880012f
Instruction ID: dda896cea9055414dfa313bf1c82d7349bd2f53a0813e6d914f34d21353f493d
Opcode Fuzzy Hash: 7d830656a38ca23c09da6c6e7445e0ed2af336a561070ed078ead3aef880012f
Instruction Fuzzy Hash: 85016131204B118BD714BB71FC5E66A7BA8FFF1301F800D2DB40A821A1EF30994CEA52

Function 005666BF Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00566741
_free.LIBCMT ref: 00566765
_free.LIBCMT ref: 005668EC
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0057C1E4), ref: 005668FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0058F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00566976
WideCharToMultiByte.KERNEL32(00000000,00000000,0058F7A8,000000FF,?,0000003F,00000000,?), ref: 005669A3
_free.LIBCMT ref: 00566AB8

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 683e87f401c5e09d6bef4f7582759cec60bb0e1caa5b90f04e84ff8da7659d69
Instruction ID: 99a62321a5f5701185d7f74b6a106af9bf5f3f1d420e4bebe9e0fc206e853b9f
Opcode Fuzzy Hash: 683e87f401c5e09d6bef4f7582759cec60bb0e1caa5b90f04e84ff8da7659d69
Instruction Fuzzy Hash: 26C13771A00246AFDB249F78CC55AAA7FF8FF95310F18456EE894E7241E7309E45C790

Function 00570F63 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0057123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0057100F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0057123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00571092
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0057123C,?,0057123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00571125
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0057123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0057113C

Part of subcall function 00563649: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0057123C,00000000,00000000,?,00000001,?,?,?,?), ref: 005711B8
__freea.LIBCMT ref: 005711E3
__freea.LIBCMT ref: 005711EF

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c8b33d860e09f85b63d6006a332a364bb27cf8e8c9ac81605aabce4d852cb7a2
Instruction ID: 2d80d04ea9e51839aca761d9fe75d971c9fde35d651e8b3a2c0f9921a8e663fb
Opcode Fuzzy Hash: c8b33d860e09f85b63d6006a332a364bb27cf8e8c9ac81605aabce4d852cb7a2
Instruction Fuzzy Hash: 1791F471E006169BDB208EB8EC85EEEBFB5BF09310F148619E909EB181D725DD84E764

Function 00533360 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 0053349C

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID:
String ID: udp
API String ID: 0-4243565622
Opcode ID: 1f64af6e33007f9dbd131803dcf2e2acf122fe091b0b6ad667a9ec4b5f2a4110
Instruction ID: 53a91d9e8e1a682a2ea99817644bfb1ac3664a194805d54e9706df79b455d0e2
Opcode Fuzzy Hash: 1f64af6e33007f9dbd131803dcf2e2acf122fe091b0b6ad667a9ec4b5f2a4110
Instruction Fuzzy Hash: E6718970608302CFDB258F55D48962ABFE0FF98745F14882EF88697261EB74CE44DB92

Function 00573DF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00573F23

Strings

$-W, xrefs: 00573EEA
$-W, xrefs: 00573E47, 00573F38

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free
String ID: $-W$$-W
API String ID: 269201875-1387171631
Opcode ID: d07b746f907d2657406ea647d61f4008e737bd824b93d7890a9a8d0a36c19ecf
Instruction ID: 0ef6554abc97708f0023fb17e89119d71c78b6f03f609b7e4cc9134047f66499
Opcode Fuzzy Hash: d07b746f907d2657406ea647d61f4008e737bd824b93d7890a9a8d0a36c19ecf
Instruction Fuzzy Hash: 54412B31A045026ADB256AB8AC4AA7E3EB8FF85370F148A15FC1CD7191DB348E457762

Function 00567757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000001,0055B3A2,E0830C40,?,?,?,?,?,?,00567ECC,000000FF,0055B3A2,00000001,0055B3A2,0055B3A2,000000FF), ref: 00567799
__fassign.LIBCMT ref: 00567814
__fassign.LIBCMT ref: 0056782F
WideCharToMultiByte.KERNEL32(?,00000000,0055B3A2,00000001,00000001,00000005,00000000,00000000), ref: 00567855
WriteFile.KERNEL32(?,00000001,00000000,00567ECC,00000000,?,?,?,?,?,?,?,?,?,00567ECC,000000FF), ref: 00567874
WriteFile.KERNEL32(?,000000FF,00000001,00567ECC,00000000,?,?,?,?,?,?,?,?,?,00567ECC,000000FF), ref: 005678AD

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e263cc26460dd67ee7fe2c2695228784ab438844464a15c9d639ba16900a2a92
Instruction ID: 7872f0430af6b687d5eaeb7c4741a38b2c3f73595d2f5d0646401dac85238d70
Opcode Fuzzy Hash: e263cc26460dd67ee7fe2c2695228784ab438844464a15c9d639ba16900a2a92
Instruction Fuzzy Hash: 9251CF70A042499FDB10CFA8D889AEEBFF8FF5D304F14412AE955E7292E7309945CB60

Function 00573D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8406a233d02045864fe85cc8d5bee692125805e3d3d5e6cf085f3f6f399ead7f
Instruction ID: 4d34b3887b354542798af22defe81906bced2f529a2e79953536e19f40450237
Opcode Fuzzy Hash: 8406a233d02045864fe85cc8d5bee692125805e3d3d5e6cf085f3f6f399ead7f
Instruction Fuzzy Hash: 7811E472504126BFCB212F76EC09D6B7EACFFC57B1B118616F81AC7161EB318904B661

Function 0056E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0056DE21: _free.LIBCMT ref: 0056DE4A

_free.LIBCMT ref: 0056E128

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

_free.LIBCMT ref: 0056E133
_free.LIBCMT ref: 0056E13E
_free.LIBCMT ref: 0056E192
_free.LIBCMT ref: 0056E19D
_free.LIBCMT ref: 0056E1A8
_free.LIBCMT ref: 0056E1B3

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: 023c1e803e9c6bfaf61912d9c611926939f48b61b29be9c836229821027f49b3
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 42110371A40709AAD630B7F0CC5FFCB7FACBF94700F408C25B2996B492DA76AE044660

Function 005580FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005580F1,0055705E), ref: 00558108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00558116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0055812F
SetLastError.KERNEL32(00000000,?,005580F1,0055705E), ref: 00558181

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 33954962d583e7cb9076d96e025f9bc2baad2ced9385218024cbdb2881931bc8
Instruction ID: 7fd56ed7dc1516c238ada902627e9740bcee27c6f40958173ef33c9f39a78843
Opcode Fuzzy Hash: 33954962d583e7cb9076d96e025f9bc2baad2ced9385218024cbdb2881931bc8
Instruction Fuzzy Hash: 6501DD32109B129E97242B747C9EA362E54FB52776730072BFC14B50E1EF619C0EE344

Function 0053B212 Relevance: 10.5, APIs: 7, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0053B22B

Part of subcall function 0053B2C4: RegisterClassExA.USER32(00000030), ref: 0053B310
Part of subcall function 0053B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0053B32B
Part of subcall function 0053B2C4: GetLastError.KERNEL32 ref: 0053B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0053B262
lstrcpyn.KERNEL32(00591AF8,00589B04,00000080), ref: 0053B27C
Shell_NotifyIcon.SHELL32(00000000,00591AE0), ref: 0053B292
TranslateMessage.USER32(?), ref: 0053B29E
DispatchMessageA.USER32(?), ref: 0053B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0053B2B5

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID:
API String ID: 1970332568-0
Opcode ID: e296a699d5546b094d2c40ab8e40193fd9349583af4b924d9ea743be03d79795
Instruction ID: 32eafe6d614498268c5db278b03e8cfe8ec52d7dc3b1dfe3451deca4f2e5f6fc
Opcode Fuzzy Hash: e296a699d5546b094d2c40ab8e40193fd9349583af4b924d9ea743be03d79795
Instruction Fuzzy Hash: 18016D7190161AABD710DFA1FD0DE9B7FBCBBA5700F00051AF61992160DBB4544DEBA8

Function 00532204 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,005921E8), ref: 0053220F
RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,p#h,?,?,00000001), ref: 0053223E
RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 00532249

Strings

pth_unenc, xrefs: 00532204
hu, xrefs: 00532249
p#h, xrefs: 00532219

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateValue
String ID: hu$p#h$pth_unenc
API String ID: 1818849710-3649777279
Opcode ID: b7281369ecb42154b6f639441d8a7f0b1ab88f0bb7f12bd3d60837284baadee6
Instruction ID: 601733ec785344e6bd278516812eaa2a7213d72aab98158d521cff050995ebc6
Opcode Fuzzy Hash: b7281369ecb42154b6f639441d8a7f0b1ab88f0bb7f12bd3d60837284baadee6
Instruction Fuzzy Hash: 62F06271440518BBCF009FA1FC09EEE7B6CFF55750F108559FD0996150E6369E14EB90

Function 00561548 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00561566

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

_free.LIBCMT ref: 00561578
_free.LIBCMT ref: 0056158B
_free.LIBCMT ref: 0056159C
_free.LIBCMT ref: 005615AD

Strings

pX, xrefs: 0056155C

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: pX
API String ID: 776569668-1261827746
Opcode ID: 6205f192dc965fbe03f3c4ab4b5931de072a7273d41d61a21b78e0136bb57935
Instruction ID: e19247fb4c6e45d86ec6811c328f155103ac0a940972367c5bdeb7ee6da5ae3f
Opcode Fuzzy Hash: 6205f192dc965fbe03f3c4ab4b5931de072a7273d41d61a21b78e0136bb57935
Instruction Fuzzy Hash: 2CF05E718012218BD7096F24BC4B4053FA0FBB9730316A566FC5DB7AB0DB300E5AAF84

Function 0055887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00558A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00558A25
__allrem.LIBCMT ref: 00558A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00558A5A
__allrem.LIBCMT ref: 00558A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00558A8F

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: e98660cb0612ba402a269405ce3337c5746c900acac1385876a1bbc330e92897
Instruction ID: c3faafba3c7d251c30c0ffffe9fa5c2fd245e1b30f5bd11662c7f42adb59b489
Opcode Fuzzy Hash: e98660cb0612ba402a269405ce3337c5746c900acac1385876a1bbc330e92897
Instruction Fuzzy Hash: D88118726007069BE724AA78CC65B7A7BB9FF80332F14452BF915E7681EF70D9088791

Function 00566FC4 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000001,7FFFFFFF,?,?,?,?,00567215,00000001,00000001,00000000), ref: 0056701E
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00567215,00000001,00000001,00000000,?,?,?), ref: 005670A4
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0056719E
__freea.LIBCMT ref: 005671AB

Part of subcall function 00563649: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

__freea.LIBCMT ref: 005671B4
__freea.LIBCMT ref: 005671D9

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f219cfade15ad399161f1dfb11c964c1a3ab01f89e2dbdf8c366f85e4de716eb
Instruction ID: 90dba23014cc4b465a82ba6f6e9e50140366747f5dec0a34a9da0e96c520254a
Opcode Fuzzy Hash: f219cfade15ad399161f1dfb11c964c1a3ab01f89e2dbdf8c366f85e4de716eb
Instruction Fuzzy Hash: A251057260421BAFDB258F64CC45EAB7FA9FB89764F25462AFC04D7140EB34DC84D6A0

Function 00562E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00562E37
__cftoe.LIBCMT ref: 00562E69

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: bff1478aaa0909b1ad4b9d087da9b9c723d30e7d100b126a51aa3e4648ccd2bb
Instruction ID: 62543631d211cce38d1ea09bde23a70b2fe544ba6cb0abdce6241c6db2cc2452
Opcode Fuzzy Hash: bff1478aaa0909b1ad4b9d087da9b9c723d30e7d100b126a51aa3e4648ccd2bb
Instruction Fuzzy Hash: 8251EF32904606ABDF255B59CC4AEBEBFBCFF49370F14412AF815A7181EB35DD408664

Function 005269F4 Relevance: 9.1, APIs: 6, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00526A56
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 00526A9E

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

CloseHandle.KERNEL32(00000000), ref: 00526ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00526AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 00526B26
DeleteFileW.KERNEL32(00000000), ref: 00526B36

Part of subcall function 00524B76: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00591E90,00524C29,00000000,00000000), ref: 00524B85
Part of subcall function 00524B76: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0052546B,00525480), ref: 00524BA3

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID:
API String ID: 1303771098-0
Opcode ID: cae538d914e3cc6e779cc28fcb035de9459979134dbff864f1578d96a8506499
Instruction ID: 3888ad1e8eec59a765ff32cec3d63528edff5eb57488f0f5fcf87e0f2068f674
Opcode Fuzzy Hash: cae538d914e3cc6e779cc28fcb035de9459979134dbff864f1578d96a8506499
Instruction Fuzzy Hash: 71319F715043229FC350EF60EC499AFBBACFFA5710F00491EB98592191DF74AE48CB56

Function 00531140 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005320E8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,p#h), ref: 00532104
Part of subcall function 005320E8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0053211D
Part of subcall function 005320E8: RegCloseKey.KERNELBASE(00000000), ref: 00532128

Sleep.KERNEL32(00000BB8), ref: 005311DF

Strings

X=X, xrefs: 00531168
Remcos, xrefs: 005311EE
!Y, xrefs: 00531155
H"Y, xrefs: 00531163
p#h, xrefs: 005311A2, 0053122A

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQuerySleepValue
String ID: H"Y$Remcos$X=X$p#h$!Y
API String ID: 4119054056-3102352657
Opcode ID: af8393452d371b11e690ea00160aa0561598bf440fb9b65b83970d7a1c37ee3e
Instruction ID: 776a45d9ae0509403883a35f02276c9c05e7c4fed9211b1ca03ed668e137ef14
Opcode Fuzzy Hash: af8393452d371b11e690ea00160aa0561598bf440fb9b65b83970d7a1c37ee3e
Instruction Fuzzy Hash: 6F21C7A570061526DE14B6757C5AA7F2F8DAFE6310F000839BD16D72C3DE649D0982A9

Function 00538AC3 Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 00538AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 00538AE9
CloseServiceHandle.ADVAPI32(00000000), ref: 00538AF6
ControlService.ADVAPI32(00000000,00000001,?), ref: 00538B05

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 4058ce63159687adb1449edfb31f73671c8103be9e46fd5702835a76e0e01a73
Instruction ID: 8ef6e8d47ec2d60fd78bc31b39c46a2001081da984f3557c2a467fa2b23012f6
Opcode Fuzzy Hash: 4058ce63159687adb1449edfb31f73671c8103be9e46fd5702835a76e0e01a73
Instruction Fuzzy Hash: 9E11E171A006196FD614AB64FC8DCBF7F6CEF663A0B000016FA0993241DF645D8EBAB1

Function 00565725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
_free.LIBCMT ref: 0056575C
_free.LIBCMT ref: 00565784
SetLastError.KERNEL32(00000000), ref: 00565791
SetLastError.KERNEL32(00000000), ref: 0056579D
_abort.LIBCMT ref: 005657A3

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8b46e56e58115d4e2435c32b140ed93adfc379f29eafec064204a093bc9fa49a
Instruction ID: 42b6e507ae54b8f226c43690302d1028b2fa0a290c476907854bbd3fbfee8bda
Opcode Fuzzy Hash: 8b46e56e58115d4e2435c32b140ed93adfc379f29eafec064204a093bc9fa49a
Instruction Fuzzy Hash: 62F08135184F12A6D7123634BC4EB2A1E29FFD17A1F250114F819A7192FF218D45A620

Function 0053A419 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,005897F8,00000000,00020019,?), ref: 0053A43B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0053A47F

Strings

hu, xrefs: 0053A485

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: EnumOpen
String ID: hu
API String ID: 3231578192-423011080
Opcode ID: 742819056d39d0be255b0b3d7f69ff5000a6a8fb39a5a9490a8f12231c722cdb
Instruction ID: d2b6e670dc60faec9abb48ecac855a3f4cf5de28a4d2c6922de4890ab5335743
Opcode Fuzzy Hash: 742819056d39d0be255b0b3d7f69ff5000a6a8fb39a5a9490a8f12231c722cdb
Instruction Fuzzy Hash: 7B8120315082929BD328EB51EC59EEFBBE8FFE5304F10481DF58682191EF309949CB56

Function 00537F6A Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 176timeCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0053802D
GetLocalTime.KERNEL32(?), ref: 005380BB

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00538050, 00538071, 005380DF
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00538055
3PW, xrefs: 00537F6A

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CreateDirectoryLocalTime
String ID: 3PW$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 467499730-2595787209
Opcode ID: 330e8f5469a88a30ab77fb6c30a8d14b2622c42c2e27ae08c089fedecd6e7507
Instruction ID: 33c81ba11d63164a967ffd999c7653555a54891377e4087366f94759e6ed3313
Opcode Fuzzy Hash: 330e8f5469a88a30ab77fb6c30a8d14b2622c42c2e27ae08c089fedecd6e7507
Instruction Fuzzy Hash: 72516171A0066A9ACB14FBB4DC5A9FE7FA8BFA6300F050029F805A71C2DE745E45C764

Function 0052C3B8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 005312B5: TerminateProcess.KERNEL32(00000000,005921E8,0052E2B2), ref: 005312C5
Part of subcall function 005312B5: WaitForSingleObject.KERNEL32(000000FF), ref: 005312D8

Part of subcall function 005320E8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,p#h), ref: 00532104
Part of subcall function 005320E8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0053211D
Part of subcall function 005320E8: RegCloseKey.KERNELBASE(00000000), ref: 00532128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0052C412
ShellExecuteW.SHELL32(00000000,005830AC,00000000,00589654,00589654,00000000), ref: 0052C571
ExitProcess.KERNEL32 ref: 0052C57D

Strings

H"Y, xrefs: 0052C3C8
p#h, xrefs: 0052C3EF

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: H"Y$p#h
API String ID: 1913171305-328082389
Opcode ID: f72fd44ef8950918f2f61d949f32ae210b24e0c96d861f53f203d73ab018723d
Instruction ID: 92eeeae6e5d7042a52ee2a07f659e4777a29694b621109d83ad4f5ecf125dd79
Opcode Fuzzy Hash: f72fd44ef8950918f2f61d949f32ae210b24e0c96d861f53f203d73ab018723d
Instruction Fuzzy Hash: D34126319005256ACB14FBA4EC5ADFF7F7DBFA2710F010169F406A30D2EE205E8ACA94

Function 005337DC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0053382B
LoadLibraryA.KERNEL32(?), ref: 0053386D
LoadLibraryA.KERNEL32(?), ref: 005338CC
GetProcAddress.KERNEL32(00000000,?), ref: 005338F4

Strings

Wu, xrefs: 0053387B

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID: Wu
API String ID: 4217395396-4083010176
Opcode ID: cf2ea272856b6f430c85a78c68b1d30328daa3b3ba8ce6e0a55ca703d4caab91
Instruction ID: 010f777aa363c70412f653529f9c82bd93e43b45c488675f03cfcf7e21eb5fa1
Opcode Fuzzy Hash: cf2ea272856b6f430c85a78c68b1d30328daa3b3ba8ce6e0a55ca703d4caab91
Instruction Fuzzy Hash: A431D572406715ABC720AF24DC49D9FBFECBF85754F040A15F845A3211DB74DB4887A2

Function 005266A6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,005830AC,00000000,00589654,00589654,00000000), ref: 00526775
ExitProcess.KERNEL32 ref: 00526782

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 00526730
H"Y, xrefs: 005266E8
p#h, xrefs: 00526715

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$H"Y$p#h
API String ID: 1124553745-4049567440
Opcode ID: 1e0d4a2ce8e82f8b89669f1523dcec62b08687b5fc9845df1f4c43a3ecb52817
Instruction ID: 4cd17eb16b80830ae3a8668dbc9527f8f9c23a4fbfa2578dc489cb72ec94bcd3
Opcode Fuzzy Hash: 1e0d4a2ce8e82f8b89669f1523dcec62b08687b5fc9845df1f4c43a3ecb52817
Instruction Fuzzy Hash: EE11EE31A445227ADB14B3A0FC5FFAF3F58BFA2B10F100014F916B61C2DE505A4583E5

Function 0052966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00529745), ref: 005296A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00529745), ref: 005296B2
Sleep.KERNEL32(00002710,?,?,?,00529745), ref: 005296DF
CloseHandle.KERNEL32(00000000,?,?,?,00529745), ref: 005296E6

Strings

h Y, xrefs: 00529698

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h Y
API String ID: 1958988193-1052151416
Opcode ID: bdc9b1e11fe6d56cb41f06e289554d7b903b3cd7daf5b442b742f47326e41a51
Instruction ID: 56af28cea378c6cffe2eca74c0f39ca3f09967bb3edf0e016c189de913861f8f
Opcode Fuzzy Hash: bdc9b1e11fe6d56cb41f06e289554d7b903b3cd7daf5b442b742f47326e41a51
Instruction Fuzzy Hash: 6011E3302016A07BDB75AB74BC9DA2E3EABBF97314F04040DE286826D2C651685C9326

Function 0053B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0053B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0053B32B
GetLastError.KERNEL32 ref: 0053B335

Strings

MsgWindowClass, xrefs: 0053B2DB
0, xrefs: 0053B2E0

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 61b12bad9f5022efe1a3a8199c6855b621d6b10c03229978a107cda36028463b
Instruction ID: 7e1e9b89055adde30629ef07bb6df0297f3fea964b34d34bf2cedcf0c1d954f9
Opcode Fuzzy Hash: 61b12bad9f5022efe1a3a8199c6855b621d6b10c03229978a107cda36028463b
Instruction Fuzzy Hash: FC01E5B190021DAFDB10DFE5AC849AFBBBCFB44355F40092AF918A6240E77159098BA0

Function 00532268 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,P0X), ref: 00532276
RegSetValueExA.ADVAPI32(P0X,000000AF,00000000,00000004,00000001,00000004,?,?,?,0052B093,005838E0,00000001,000000AF,00583050), ref: 00532291
RegCloseKey.ADVAPI32(?,?,?,?,0052B093,005838E0,00000001,000000AF,00583050), ref: 0053229C

Strings

P0X, xrefs: 0053226C, 0053228E, 0053226F
hu, xrefs: 0053229C

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateValue
String ID: hu$P0X
API String ID: 1818849710-732157075
Opcode ID: b3e140d1207923f2a1f4fa51e5258d2c2eddc14e700a4bef9a2d99ef41524846
Instruction ID: 01e31de7c134db85c84d9b72161077430720841067aa12c219cda2795dcd349b
Opcode Fuzzy Hash: b3e140d1207923f2a1f4fa51e5258d2c2eddc14e700a4bef9a2d99ef41524846
Instruction Fuzzy Hash: BFE03976600608BBDB209FA1AC09FEA7F6CEF15B51F104054BB09A6550D6318E58BBA0

Function 0055BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7170c565a78469afd2c9f0e3d63ab89a2a22ba9efeebdb93a86b4cdecd7d7f
Instruction ID: 2197dcd29098be1e11254a54a1fe967565a7b9dc78b8c0bbabc0f89688512348
Opcode Fuzzy Hash: bb7170c565a78469afd2c9f0e3d63ab89a2a22ba9efeebdb93a86b4cdecd7d7f
Instruction Fuzzy Hash: 12718C719002169BEF218B94C8A8BBEBF75FF51362F24462BEC1167191DB708D49CBA1

Function 0056220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00563649: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

_free.LIBCMT ref: 00562318
_free.LIBCMT ref: 0056232F
_free.LIBCMT ref: 0056234E
_free.LIBCMT ref: 00562369
_free.LIBCMT ref: 00562380

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 2141efea184c9595c2dd28d0e8a73d098ffe9e7b60c370b2beb97f7ab20c5e6a
Instruction ID: 1cd115bae06354b84012517de6e61a570dbd535c9233f540c09930dffeb06a63
Opcode Fuzzy Hash: 2141efea184c9595c2dd28d0e8a73d098ffe9e7b60c370b2beb97f7ab20c5e6a
Instruction Fuzzy Hash: B651D331A00B05AFDB20DF29DC45A6A7BF5FF99720F144A69E809EB290E735DE01CB40

Function 00529C1F Relevance: 7.7, APIs: 5, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00529C8C
GetForegroundWindow.USER32 ref: 00529C92
GetWindowTextLengthW.USER32(00000000), ref: 00529C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00529CCF
Sleep.KERNEL32(000003E8), ref: 00529D9D

Part of subcall function 0052962E: SetEvent.KERNEL32(?,?,00000000,0052A156,00000000), ref: 0052965A

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Window$SleepText$EventForegroundLength
String ID:
API String ID: 828943121-0
Opcode ID: cdf8b589cd940dd31db02f563397f0f593eb1a3465424ca6d32f5ac4891abd89
Instruction ID: 28b0a1dc5c16ee9c4f1085907d34f4a2f4e5d0696467dc4175307b426ebf4d53
Opcode Fuzzy Hash: cdf8b589cd940dd31db02f563397f0f593eb1a3465424ca6d32f5ac4891abd89
Instruction Fuzzy Hash: 8E51C4716046629BC704FB70F85AA6EBF99BFD6300F00092DF446972D2EF649E49C792

Function 005612F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0056136B
_free.LIBCMT ref: 0056138B

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b756a76683d0a20b18b01466987d4cb3d398291d425da6140a1c6fbf5e1f4980
Instruction ID: 0d82ed2511c5a9c33fc3046763f09195c724d1b28b74ce868f1676d4e9862004
Opcode Fuzzy Hash: b756a76683d0a20b18b01466987d4cb3d398291d425da6140a1c6fbf5e1f4980
Instruction Fuzzy Hash: B741D432F006009FDB14DF79C885A6EBBB5FF85710F194969E956EB341EA31AD01CB84

Function 00521BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00521BD9
waveInOpen.WINMM(0058FAB0,000000FF,0058FA98,Function_00000CEB,00000000), ref: 00521C6F
waveInPrepareHeader.WINMM(0058FA78,00000020), ref: 00521CC3
waveInAddBuffer.WINMM(0058FA78,00000020), ref: 00521CD2
waveInStart.WINMM ref: 00521CDE

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 948939e06e7f623af468288b0f39c29c4caeb3b9c85bd005f09b9d42b19acc7c
Instruction ID: 7c71a51d88e01f74695b37c0374e83c32b5a791a17dd31f86c5c43e891362c74
Opcode Fuzzy Hash: 948939e06e7f623af468288b0f39c29c4caeb3b9c85bd005f09b9d42b19acc7c
Instruction Fuzzy Hash: 23213932610A119BD70C9F25BC4991A7FA9FBBD720710603AA91DF66B0DB704449FB18

Function 0056C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0056C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0056C566

Part of subcall function 00563649: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0056C58C
_free.LIBCMT ref: 0056C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0056C5AE

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b7c5dde46bd80f5a1043754500ff5edf1755aea4a16bbe02f8f1d6c6965dce80
Instruction ID: dbcc5f46414c60bd0ecc04fd090be51d4793712d6b38373fab48f8cb674c8f13
Opcode Fuzzy Hash: b7c5dde46bd80f5a1043754500ff5edf1755aea4a16bbe02f8f1d6c6965dce80
Instruction Fuzzy Hash: A301F7726017557F632117B76C4CC7F7EACEED6BA0314012AF949C7201EE60EE01A5B0

Function 0053A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,00000000,0053A29A,00000000,00000000,00000000), ref: 0053A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,00000000,0053A29A,00000000,00000000,00000000,00000000,0053533F,00000002,00000001), ref: 0053A1D7
CloseHandle.KERNEL32(00000000,?,?,00000000,0053A29A,00000000,00000000,00000000,00000000,0053533F,00000002,00000001), ref: 0053A1E3
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,0053A29A,00000000,00000000,00000000,00000000,0053533F,00000002,00000001), ref: 0053A1F4
CloseHandle.KERNEL32(00000000,?,?,00000000,0053A29A,00000000,00000000,00000000,00000000,0053533F,00000002,00000001), ref: 0053A201

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 38a11e91ec728b539621efbd9d103b85a85d30679d46fbbdd51e9a1b3a5a255d
Instruction ID: a4380a289212e3dc21fe0c158b89de9b8e304f50ebcea0727fdc23565f3107b8
Opcode Fuzzy Hash: 38a11e91ec728b539621efbd9d103b85a85d30679d46fbbdd51e9a1b3a5a255d
Instruction Fuzzy Hash: 6711D2752092147FF7104B28AC88E7B7F9CFB96374F100A29F5A6C21D1D7618C49E672

Function 005657A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0055AD96,0056368C,?,?,00550C8C,?,0054F9CC,?,?,?,?,0054E4DD), ref: 005657AE
_free.LIBCMT ref: 005657E3
_free.LIBCMT ref: 0056580A
SetLastError.KERNEL32(00000000), ref: 00565817
SetLastError.KERNEL32(00000000), ref: 00565820

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 70134582eb5ecb992ce63faa1a84f177cf7ccad4a474bf8dbc1d34308228df0b
Instruction ID: b9b4fce068a35263c3cfa89abe0ea8993c62e353a2afee61c53a3670402d70a4
Opcode Fuzzy Hash: 70134582eb5ecb992ce63faa1a84f177cf7ccad4a474bf8dbc1d34308228df0b
Instruction Fuzzy Hash: 2801D6361C0F1267D31226246C8D92B2E69FBE57B4F314135F80AA3192FF318D05A620

Function 0056DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0056DBB4

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

_free.LIBCMT ref: 0056DBC6
_free.LIBCMT ref: 0056DBD8
_free.LIBCMT ref: 0056DBEA
_free.LIBCMT ref: 0056DBFC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4f60a2ddf6e41501350b51fe97d048a651fb9e0de33d4986d742a73e19cead91
Instruction ID: 8bcd07e86dc2a311114e4eed33be85606c546f393ec5a9df6160fda818333cfe
Opcode Fuzzy Hash: 4f60a2ddf6e41501350b51fe97d048a651fb9e0de33d4986d742a73e19cead91
Instruction Fuzzy Hash: EFF04F32A003196BE620EB68E99FC1A7BF9BE507103558C05F484E7554DE30FC808B60

Function 0056B8C9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0056B918
_free.LIBCMT ref: 0056BA35

Part of subcall function 00559AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00559A75,00000000,?,00000004,00000000,?,?,?,?,00559A82,00000000,00000000,00000000,00000000,00000000), ref: 00559AA5
Part of subcall function 00559AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00559AC7
Part of subcall function 00559AA3: TerminateProcess.KERNEL32(00000000), ref: 00559ACE

Strings

*?, xrefs: 0056B90C
., xrefs: 0056BBEC

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 3e68d73bd1be8b4c5ab9e0a4452e6342bdcbcba4da617a431fc041ab0e412334
Instruction ID: df44b9d5a6a84fc0026e931f56cd378f87da7ad587462b6d6b407ee0da31cca2
Opcode Fuzzy Hash: 3e68d73bd1be8b4c5ab9e0a4452e6342bdcbcba4da617a431fc041ab0e412334
Instruction Fuzzy Hash: 0A518071E0020A9FEF14CFA8C881AADBBB5FF98314F24816AE954E7341E7759E41CB50

Function 005326FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00532737

Part of subcall function 00532446: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 005324AD
Part of subcall function 00532446: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 005324DC

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

RegCloseKey.ADVAPI32(00000000,00583050,00583050,00589654,00589654,00000071), ref: 005328A5

Strings

P0X, xrefs: 00532886
hu, xrefs: 005328A5

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: hu$P0X
API String ID: 3114080316-732157075
Opcode ID: 47593e62a4aee28a2e51f275143f48870356aeab5839b7e69c43c5d0aa906e86
Instruction ID: 7c9e802191574c9572bf580fea453ecb956e466f4db9a7a726305cfda1816690
Opcode Fuzzy Hash: 47593e62a4aee28a2e51f275143f48870356aeab5839b7e69c43c5d0aa906e86
Instruction Fuzzy Hash: D541E5316082126BC324F764F95AAAFBFD9BFE6300F40093DB449531D2EE205E0A8766

Function 005326FA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00532737

Part of subcall function 00532446: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 005324AD
Part of subcall function 00532446: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 005324DC

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

RegCloseKey.ADVAPI32(00000000,00583050,00583050,00589654,00589654,00000071), ref: 005328A5

Strings

P0X, xrefs: 00532886
hu, xrefs: 005328A5

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: hu$P0X
API String ID: 3114080316-732157075
Opcode ID: d99b24f9ab7396632c705de77cb59093da5909ae8ff26f52fe24c1c4d90b7f4c
Instruction ID: 2cc6b5bd01b845667d38952e5a3c50cabd4e3783e70a0bbcb9cd29829e0a3a76
Opcode Fuzzy Hash: d99b24f9ab7396632c705de77cb59093da5909ae8ff26f52fe24c1c4d90b7f4c
Instruction Fuzzy Hash: 5C41D6316082126BC314F764E95AAEFBFD5BFE6300F50093DF449531D2EE205E0A9666

Function 00560935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe,00000104), ref: 00560975
_free.LIBCMT ref: 00560A40
_free.LIBCMT ref: 00560A4A

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 0056096C, 00560973, 005609A2, 005609DA

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
API String ID: 2506810119-2118511638
Opcode ID: 377bf5a6bf844eb6e24cdedda0a45b675c20a62bada90df650c2b46ec632e53e
Instruction ID: 0a5fe4b846bf40e1cef5b520b8b70033a9bd200168a7840c06610293d3e1592c
Opcode Fuzzy Hash: 377bf5a6bf844eb6e24cdedda0a45b675c20a62bada90df650c2b46ec632e53e
Instruction Fuzzy Hash: 17318E71A00318AFDB21EF99D98599FBFF8FF99310F206066F808A7251D6708E84DB50

Function 005359BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,005830AC,005894D8,00000000,00000000,00000000), ref: 00535A1A

Part of subcall function 0053A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,00535A44), ref: 0053A228

Sleep.KERNEL32(00000064), ref: 00535A46
DeleteFileW.KERNEL32(00000000), ref: 00535A7A

Strings

/t , xrefs: 005359F9

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t
API String ID: 1462127192-3161277685
Opcode ID: be6a9573d89842ccdc71ac38954bd5d7df82b2e3fc55f77b6a700c6d1076bce7
Instruction ID: 180bdfc94ae84fe6a490bcaeff5595cd8727cc7f4b9c536a2a20e69b299b4717
Opcode Fuzzy Hash: be6a9573d89842ccdc71ac38954bd5d7df82b2e3fc55f77b6a700c6d1076bce7
Instruction Fuzzy Hash: C631353194052A5ADB04FBA0FC9ADFE7F28BFA1714F400125F906631D2EE605A8ACA95

Function 00568107 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,76U,?,00568025,76U,0058B740,0000000C), ref: 0056815D
GetLastError.KERNEL32(?,00568025,76U,0058B740,0000000C), ref: 00568167
__dosmaperr.LIBCMT ref: 00568192

Strings

76U, xrefs: 0056810C

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 76U
API String ID: 2583163307-1282940425
Opcode ID: ca2f5707e751921830c7c0a3862338c96295629e58175fd990d6d84600fa7313
Instruction ID: 5d226432ab02e717ae047e162c77aacd7bf1e0936cbac86c9231731500ecf477
Opcode Fuzzy Hash: ca2f5707e751921830c7c0a3862338c96295629e58175fd990d6d84600fa7313
Instruction Fuzzy Hash: C8016632B011241AC7602234E849B7E6F596BD3730F250719F81C8B1E2DE708CC6D260

Function 00557603 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0055761A

Part of subcall function 00557C52: ___AdjustPointer.LIBCMT ref: 00557C9C

_UnwindNestedFrames.LIBCMT ref: 00557631
CallCatchBlock.LIBVCRUNTIME ref: 00557667

Strings

/zU, xrefs: 00557626, 00557617

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: Catch$AdjustBlockBuildCallFramesNestedObjectPointerUnwind
String ID: /zU
API String ID: 1877052782-42069192
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: ded1a8810532cc880ebadebc3f0cfff662376421d38ebad2af9c26e366dfde7b
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 0001053200450DABCF125F95EC55E9A3FBAFF8C751F154056FD1866120C336E865DBA4

Function 00532006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,0058975C,00000000,00020019,00000000,00592248,00591FFC), ref: 00532030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0053204B
RegCloseKey.ADVAPI32(00000000), ref: 00532054

Strings

hu, xrefs: 00532054

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: hu
API String ID: 3677997916-423011080
Opcode ID: 73783d5d7a18f189c6590aa4c7f9b0c1ce6763a168ee76cbcae0a64bebe5d84a
Instruction ID: 83c51848b4cb5e8b5574044b9eb4219ba4e37baa03d07d4fc717dbef127157ee
Opcode Fuzzy Hash: 73783d5d7a18f189c6590aa4c7f9b0c1ce6763a168ee76cbcae0a64bebe5d84a
Instruction Fuzzy Hash: 24F0C231500118FBDB609B96EC4DEEFBFBCFB91B01F0040A5B908E2110DA711A98EBA0

Function 00531EEA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000000,?,?,0052B0DD,005838E0), ref: 00531F01
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,?,?,0052B0DD,005838E0), ref: 00531F15
RegCloseKey.ADVAPI32(?,?,?,0052B0DD,005838E0), ref: 00531F20

Strings

hu, xrefs: 00531F20

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: hu
API String ID: 3677997916-423011080
Opcode ID: b23eec732f86c442d783c3624880e46a5f232409630d75306ad3a603c2a6cf42
Instruction ID: 99b1ece5183321eb2087048a46e367673478e81efc954cf918191856aa274fc6
Opcode Fuzzy Hash: b23eec732f86c442d783c3624880e46a5f232409630d75306ad3a603c2a6cf42
Instruction Fuzzy Hash: CDE06D32802638FB9B204BA2AC0DDEB7F6CEF0A7A0B100144BD0CA6111D2214E54F6F0

Function 005322F4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(?,?,?), ref: 005322FE
RegSetValueExW.ADVAPI32(?,?,00000000,0000000B,?,00000008,?,?,?,?), ref: 00532319
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 00532324

Strings

hu, xrefs: 00532324

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateValue
String ID: hu
API String ID: 1818849710-423011080
Opcode ID: f746c055b5ea7c7a0ecd01611329e236f2286a107a11faa5524bd2779c0cc5d9
Instruction ID: f3ef20fbe0fb9518be6249957d86d71db15ce7dbb1077703b3626373a082c356
Opcode Fuzzy Hash: f746c055b5ea7c7a0ecd01611329e236f2286a107a11faa5524bd2779c0cc5d9
Instruction Fuzzy Hash: B5E06D72540608BFDF208FA1AC09FEA7F6CFF15B50F008554BA0996150D6358E04BBA0

Function 005322B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(?,?,?), ref: 005322BA
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,?), ref: 005322D5
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 005322E0

Strings

hu, xrefs: 005322E0

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateValue
String ID: hu
API String ID: 1818849710-423011080
Opcode ID: 589a233e9772ba868c7e17fbb758426099f8214472e70e74a3e5af0578777200
Instruction ID: 567b3f07ff1e2bab1c7322ddd1bb1e37e5d2da9167882daa78879de00c4388b0
Opcode Fuzzy Hash: 589a233e9772ba868c7e17fbb758426099f8214472e70e74a3e5af0578777200
Instruction Fuzzy Hash: E4E06D76500608BBDF209FA1AD09FEA7F6CFB05B60F004155BE09A6150D2318E04BBA0

Function 005321C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(?,?,?), ref: 005321CA
RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,?,?), ref: 005321E5
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 005321F0

Strings

hu, xrefs: 005321F0

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseCreateValue
String ID: hu
API String ID: 1818849710-423011080
Opcode ID: 3169977c080ec321c9ae567817a57aa371ef8efc24d0b714148c74f14cbe97c4
Instruction ID: 8ec4cde2ff655877b6deffecb705f27fd360cb13704a04fc9bc35cdb51ed4c81
Opcode Fuzzy Hash: 3169977c080ec321c9ae567817a57aa371ef8efc24d0b714148c74f14cbe97c4
Instruction Fuzzy Hash: 5DE03972400608FF8F114FA1AE089EA7F7DFF05750B004154FE0992120D6328E24BBA0

Function 00568C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00568C9E
__alldvrm.LIBCMT ref: 00568E9F
__alldvrm.LIBCMT ref: 00568EC1

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a456c7f58c6377d8f6eb88eaaa67e981364c8710727db07158f84f3808a21ce2
Instruction ID: 930e59e000c843b3fa278aa8c627583c25e4f8f7bb6d342873044637d49f4845
Opcode Fuzzy Hash: a456c7f58c6377d8f6eb88eaaa67e981364c8710727db07158f84f3808a21ce2
Instruction Fuzzy Hash: D8A14732A007869FEB21CF18C8917BEBFE9FF51310F18466DE5959B281CA359D45CB60

Function 00524351 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 005244A4

Strings

|.X, xrefs: 0052457F
p.X, xrefs: 0052456E
d.X, xrefs: 00524562

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Sleep
String ID: d.X$p.X$|.X
API String ID: 3472027048-2869535015
Opcode ID: 22d7ab9e8b00f9fa60ec1bcf517e91bb6591368bd9febf43027a4f0ca4c25401
Instruction ID: 76904e5815e740e239ba3746855c8908917c499c5ba3bc4448792cfb1f3d68b3
Opcode Fuzzy Hash: 22d7ab9e8b00f9fa60ec1bcf517e91bb6591368bd9febf43027a4f0ca4c25401
Instruction Fuzzy Hash: 5151D735B0423267CA14FB74E85EA6E3F95BFE6750F040528F846976D2DF348A08C796

Function 0055FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4ea783a5a6b1ecc78931cecd599788b9a132421b2e9fc78d207588569ed1bd
Instruction ID: 7d3c818c150e2be932c11b30f34f1058fb65eece7902c968f8119018021aac7e
Opcode Fuzzy Hash: dc4ea783a5a6b1ecc78931cecd599788b9a132421b2e9fc78d207588569ed1bd
Instruction Fuzzy Hash: E9412471A00705AFD7249F78D856B6ABFF9FB88312F10863BF945DB281D37199058790

Function 0056E30C Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0057A4C8,00000000,00000000,8B56FF8B,005619DC,?,00000004,00000001,0057A4C8,0000007F,?,8B56FF8B,00000001), ref: 0056E359
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056E3E2
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0056E3F4
__freea.LIBCMT ref: 0056E3FD

Part of subcall function 00563649: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0056367B

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8c8fe4f675f99bc189368beb0e214e39817fda8aadc9212e25896579bcf41786
Instruction ID: 3319cbc1d1bc5693bc4a66c49909f7a4b347645665cb9d3f6cab63fbad3644c8
Opcode Fuzzy Hash: 8c8fe4f675f99bc189368beb0e214e39817fda8aadc9212e25896579bcf41786
Instruction Fuzzy Hash: 4431EE32A0121AABDF259F64DC8ADAE7FA5FB40710F040528FC04DB251EB35DD94DB90

Function 0053747E Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(00000000,00000000,00537589,00000000), ref: 005374AF
EnumDisplayDevicesW.USER32(?), ref: 005374DF
EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 00537554
EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 00537571

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: DisplayEnum$Devices$Monitors
String ID:
API String ID: 1432082543-0
Opcode ID: 41c7ed5e73b2531c2af7e1e84c4e89f7b0ba44af1c69f049e070f7365721a929
Instruction ID: f5be695332f9c520df069e14f694070e8a36f51bc81742970a1849516df26b05
Opcode Fuzzy Hash: 41c7ed5e73b2531c2af7e1e84c4e89f7b0ba44af1c69f049e070f7365721a929
Instruction Fuzzy Hash: 722181725083556BD321DB15EC89DABBFECFFE5750F00052EB859D2190EB709A08C6A6

Function 0052547F Relevance: 6.1, APIs: 4, Instructions: 77windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0052549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0052554F
TranslateMessage.USER32(?), ref: 0052555E
DispatchMessageA.USER32(?), ref: 00525569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00591F10), ref: 00525621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00525659

Part of subcall function 00524A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00524B16

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID:
API String ID: 2956720200-0
Opcode ID: 882bda32ba440e054219584232688572e538d8958a8d4b127a5d2e7bdc26650a
Instruction ID: e648acb03cd70072703d6431c5e24a13e5ed5ff5b6ecc8068035e6f611992359
Opcode Fuzzy Hash: 882bda32ba440e054219584232688572e538d8958a8d4b127a5d2e7bdc26650a
Instruction Fuzzy Hash: 09218075904612ABCA10FB74ED8E89E7FB9BFD6710F400A18F916831D1EB348A08CB52

Function 00538C2E Relevance: 6.1, APIs: 4, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 00538C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 00538C52
CloseServiceHandle.ADVAPI32(00000000), ref: 00538C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00538C94

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Service$Open$ChangeCloseConfigHandleManager
String ID:
API String ID: 110783151-0
Opcode ID: 23238af815b61ec66c68cdcc415c54b4cbf277dcac8e4a3cdaa15a4c97772031
Instruction ID: 57dc4fde0d7c7e3e532c3fafe3280f82d4c07caf2e7a53cc1613c3fb74067e45
Opcode Fuzzy Hash: 23238af815b61ec66c68cdcc415c54b4cbf277dcac8e4a3cdaa15a4c97772031
Instruction Fuzzy Hash: FB0149711966283AD2194B346C4EE7B3F6CEB52370F040309F9259A1C0DE608E49A1B1

Function 00560F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfb753b25fdd130174c9e28f6df849674cbbe9e9ac9f017442ba03ce18850f8
Instruction ID: 1999144bfd77d05ad4288745cfcf28bd061c6d7daa5ad217fe8bfc414f5793e7
Opcode Fuzzy Hash: fdfb753b25fdd130174c9e28f6df849674cbbe9e9ac9f017442ba03ce18850f8
Instruction Fuzzy Hash: AB018FB26096267EF6702A786CC8F67AA0CEF913B4B211726B525621D2EE60CD545260

Function 00560FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e738977674ed4cd980c7be05cec58de6b239055139975b06b54ad0ca6e83ce2
Instruction ID: fda8af5dd6d9fe80d318c8925318108daefcd482b7efdf25d9d572b4aba2d486
Opcode Fuzzy Hash: 9e738977674ed4cd980c7be05cec58de6b239055139975b06b54ad0ca6e83ce2
Instruction Fuzzy Hash: 5A01A2B2109A263FEB201AB86CCDD376A1DFF953783254325F521531D6EF248C846160

Function 00565A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00565A3C,?,00000000,00000000,00000000,?,00565D68,00000006,00577384), ref: 00565AC7
GetLastError.KERNEL32(?,00565A3C,?,00000000,00000000,00000000,?,00565D68,00000006,00577384,0057C110,0057C118,00000000,00000364,?,005657F7), ref: 00565AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00565A3C,?,00000000,00000000,00000000,?,00565D68,00000006,00577384,0057C110,0057C118,00000000), ref: 00565AE1

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b9e08564fcb0e18316c0be8dad623bd548b1c36a233c64af6193bc91343a69a3
Instruction ID: 1c33a46d8376f0b282d811edd5f0ebfe28b453f740a85cafaf9262d52ba93fd2
Opcode Fuzzy Hash: b9e08564fcb0e18316c0be8dad623bd548b1c36a233c64af6193bc91343a69a3
Instruction Fuzzy Hash: 4C01D832242A275BC7214AA8AC84D967F58BB15761B210730F91AE3250E720D844D6E0

Function 0053A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,00535A44), ref: 0053A228
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00535A44), ref: 0053A23C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00535A44), ref: 0053A261
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00535A44), ref: 0053A26F

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f70df7a82532bdbbb0dc2d2980bf04590fadafdccb63f55084e2acb6e2c99122
Instruction ID: b4200f9e88f0eac29b062f2cb4ae006a72bd003a6977b3acc8f47415ece52bfc
Opcode Fuzzy Hash: f70df7a82532bdbbb0dc2d2980bf04590fadafdccb63f55084e2acb6e2c99122
Instruction Fuzzy Hash: 6CF0F6B92022187FE6511B21BC88FBF3B9CEBC77A4F00022DF945A21C1CA224C096531

Function 00538A5C Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 00538A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 00538A7F
CloseServiceHandle.ADVAPI32(00000000), ref: 00538A8C
ControlService.ADVAPI32(00000000,00000001,?), ref: 00538A9B

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 17d5e14c5f0d2b6a261c3a83d31df3834d0989d6222d9838284bb235463d26bc
Instruction ID: ea03f967142f562b19c9d9209c9ec8958cc92b4a1aa695597494c07f80d5935e
Opcode Fuzzy Hash: 17d5e14c5f0d2b6a261c3a83d31df3834d0989d6222d9838284bb235463d26bc
Instruction Fuzzy Hash: AEF0CD315116286BD210ABA4BC8DEBF3FACEFA5260F000016FD0982141DF248D8AAAE1

Function 00538B60 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 00538B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 00538B83
CloseServiceHandle.ADVAPI32(00000000), ref: 00538B90
ControlService.ADVAPI32(00000000,00000002,?), ref: 00538B9F

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 6d816900433f22a863e44025542268cb0e11d733a0d977e67ddc7c85fdada1e1
Instruction ID: df4c6a74217ec24182d1091249bfdea9a79d1524c712722af4759fb70aad04ec
Opcode Fuzzy Hash: 6d816900433f22a863e44025542268cb0e11d733a0d977e67ddc7c85fdada1e1
Instruction Fuzzy Hash: ACF0C2715406296BD210AB64BC4DDBF3F6CEFA5260F000055FE0D92141DE248D49A5A5

Function 00538BC7 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 00538BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 00538BEA
CloseServiceHandle.ADVAPI32(00000000), ref: 00538BF7
ControlService.ADVAPI32(00000000,00000003,?), ref: 00538C06

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 2d8d72e6305f25896e952383f6c6aece64c479ba35b8169a703dc9828e706db0
Instruction ID: 5b5f1f3e30d6c6c79c7622e58a0a48099d00ec2a1075683b82537fcb10477835
Opcode Fuzzy Hash: 2d8d72e6305f25896e952383f6c6aece64c479ba35b8169a703dc9828e706db0
Instruction Fuzzy Hash: 08F0C2715016296BD210AB64BC4DDBF3F6CEF95260F000016FE0D96140DF289D89A9B5

Function 00539F87 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00539F9C
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00539FBE
CloseHandle.KERNEL32(00000000), ref: 00539FC9
CloseHandle.KERNEL32(00000000), ref: 00539FD1

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseHandle$FileModuleNameOpenProcess
String ID:
API String ID: 3706008839-0
Opcode ID: e27e0baaafd00d5a23d048a9d7fb78689921edb949f6bae02de2e8fc6adf04ec
Instruction ID: 7f9c08b063370b04c51f3e1d0585e7d095361ed2c4adad90993b26a838cc2c2c
Opcode Fuzzy Hash: e27e0baaafd00d5a23d048a9d7fb78689921edb949f6bae02de2e8fc6adf04ec
Instruction Fuzzy Hash: B4F027712403156BD7616368AC0DFBB3B7CEBE0B51F000265F90CD2191EEE18C895BE1

Function 005250C4 Relevance: 6.0, APIs: 4, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00525100
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00524E5A,00000001), ref: 0052510C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00524E5A,00000001), ref: 00525117
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00524E5A,00000001), ref: 00525120

Part of subcall function 005394DA: GetLocalTime.KERNEL32(00000000), ref: 005394F4

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID:
API String ID: 2993684571-0
Opcode ID: ca23246026309900a57aa0732197d73469ee93d049f80c7ba3033e386d927275
Instruction ID: 30de52e3ffab760e0b34d6186051fba599a6736d2785f9a97d862c1067de2fe0
Opcode Fuzzy Hash: ca23246026309900a57aa0732197d73469ee93d049f80c7ba3033e386d927275
Instruction Fuzzy Hash: 1DF0BB79904721BFEF503774AC0E96A7F98BF53310F000909FC86852F2E9B18894EB51

Function 00556CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00556CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00556CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00556CDB

Part of subcall function 005581DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 005581EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00556CF0

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 8c62fec7e8cdb7beba4acaf68fd116f98c46c47fd91086a3dea980bea090f6fe
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 71C002580809C3541C5177B4623A2BD1F50B8E2387BE955C7AC91370038D058C0FD632

Function 005594CB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00559637

Strings

-, xrefs: 00559567
+, xrefs: 00559574

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: ae1da59e38bd545b1a858f7f36163e45788b93b45fa80454f61e4e133e2721bb
Instruction ID: c93a2922b2d2b9622feecb85cfbdc3a9e4f1dc566ae21bfc6a467814dbad1625
Opcode Fuzzy Hash: ae1da59e38bd545b1a858f7f36163e45788b93b45fa80454f61e4e133e2721bb
Instruction Fuzzy Hash: D291B470905149DFCF21CF6888716EDBFB1FF86322F24865BEC65A7291E238990D8B51

Function 0052184A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 005218D6
waveInUnprepareHeader.WINMM(00001D90,00000020,00000000,?,00000020,00591E78,00000000), ref: 005219E4

Strings

8:Y, xrefs: 00521868

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ExitHeaderThreadUnprepareUserwave
String ID: 8:Y
API String ID: 799343363-3794229779
Opcode ID: 8c234145cf202ed68ee940e7baf59ae39d2242d714e8204019c4c2d1639fd9d4
Instruction ID: 101e1483e4ec2b2f4747f2e908047010560df6f0f5db83d632d36f71c85fda44
Opcode Fuzzy Hash: 8c234145cf202ed68ee940e7baf59ae39d2242d714e8204019c4c2d1639fd9d4
Instruction Fuzzy Hash: B841D6325046219BC324FB24F99AAAF7BA9BFE6310F00052EF455421E1DF309E0ADB55

Function 00556D60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 00556E03

Strings

FsU, xrefs: 00556DF5, 00556DFE, 00556E0F
csm, xrefs: 00556DED

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CurrentImageNonwritable
String ID: FsU$csm
API String ID: 3104724169-307831362
Opcode ID: 6574a7d518eb1dae7522841af6aa9978d517ff30fdeee360e17fbede8d9b558d
Instruction ID: 3f92aa422fc707c06b6c09cad01c899cd37611e8335283f8b715fc0d6917a053
Opcode Fuzzy Hash: 6574a7d518eb1dae7522841af6aa9978d517ff30fdeee360e17fbede8d9b558d
Instruction Fuzzy Hash: 8041C334A00349DFCB10DF68D8A6AAFBFB9BF44315F40895ADC15A7252D731AA0DCB91

Function 00556D4E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 00556E03

Strings

FsU, xrefs: 00556DF5, 00556DFE, 00556E0F
csm, xrefs: 00556DED

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CurrentImageNonwritable
String ID: FsU$csm
API String ID: 3104724169-307831362
Opcode ID: 539a1cbf9e9f41fba4be479125ddadc41ea18aa17116600ff8366db4f15ed1cf
Instruction ID: b47c8c1980f63354fd94f81ca5c1fcc2f10a5fd19482d2516e8aeb79a747ed5b
Opcode Fuzzy Hash: 539a1cbf9e9f41fba4be479125ddadc41ea18aa17116600ff8366db4f15ed1cf
Instruction Fuzzy Hash: 3B319234A00349DFCB10DF68D896AAFBFB9BF44305F44881ADC15A7252D771EA09CB91

Function 0056C138 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

Part of subcall function 0056C257: _abort.LIBCMT ref: 0056C289
Part of subcall function 0056C257: _free.LIBCMT ref: 0056C2BD

Part of subcall function 0056BECC: GetOEMCP.KERNEL32(00000000,?,?,0056C155,?), ref: 0056BEF7

_free.LIBCMT ref: 0056C1B0
_free.LIBCMT ref: 0056C1E6

Strings

pX, xrefs: 0056C1DA

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: pX
API String ID: 2991157371-1261827746
Opcode ID: 5214374ed47bae0f4772ccda0cf04aa0fcda7ea05d247ae3fabb64847f0dbc50
Instruction ID: 041df5ab6dc42e603a0b809952dda56bae2a127fd59f5460f2cef75279304dac
Opcode Fuzzy Hash: 5214374ed47bae0f4772ccda0cf04aa0fcda7ea05d247ae3fabb64847f0dbc50
Instruction Fuzzy Hash: 7231D631900209AFEB10EFA9D845BBD7FF4FF82320F25409AE8549B292EB315E40CB40

Function 0056ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0056EF72,?,00000050,?,?,?,?,?), ref: 0056EDF2

Strings

ACP, xrefs: 0056ED35
OCP, xrefs: 0056ED6B

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 14598ae4fe3b76f0e063a85e02aa2e0591e7e779e076aecc6aaf41367be36c4c
Instruction ID: 3022371fcd7fafe666dcc9027ae95dd1f239235a7647d1ad4ceb495e5c0da0ae
Opcode Fuzzy Hash: 14598ae4fe3b76f0e063a85e02aa2e0591e7e779e076aecc6aaf41367be36c4c
Instruction Fuzzy Hash: 2421D67AA02101A6EB348B54CD07BAB7BBAFF55B50F56482CE90AD7204E732DD40C350

Function 0052AE2A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00531F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00531FB5
Part of subcall function 00531F91: RegQueryValueExA.KERNELBASE(?,00583184,00000000,00000000,?,00000400), ref: 00531FD2
Part of subcall function 00531F91: RegCloseKey.KERNELBASE(?), ref: 00531FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0052AEAC
PathFileExistsA.SHLWAPI(?), ref: 0052AEB9

Strings

P0X, xrefs: 0052AE6B

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: P0X
API String ID: 1133728706-688593047
Opcode ID: bffd875581f3a1bc439c3b096e655b8126c28a034b593446431ca7f8529e6a52
Instruction ID: dad6dee56ad1a1ccc0dcc315c9cecb411fcdbe6dd07d31add4d2dac0d3fc827f
Opcode Fuzzy Hash: bffd875581f3a1bc439c3b096e655b8126c28a034b593446431ca7f8529e6a52
Instruction Fuzzy Hash: B9218271A50126ABDB04F7E0ED5F8EE7F68BFA6700F400528B801671C2EF615A49CBD2

Function 00535B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00535B2E
IsWindowVisible.USER32(?), ref: 00535B37

Strings

(%Y, xrefs: 00535BDC

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: Window$TextVisible
String ID: (%Y
API String ID: 1670992164-861665277
Opcode ID: 3ad021aed72fb043a2f80855b356c6408757e9ceedfbb799a5066f9053e35b1d
Instruction ID: 5bf0d1a0eada7612bf314e5036c26d151059c44b04c4a5725e679e5d312bc6f8
Opcode Fuzzy Hash: 3ad021aed72fb043a2f80855b356c6408757e9ceedfbb799a5066f9053e35b1d
Instruction Fuzzy Hash: 242182315086529BC314FB60E955DEFBBE9BFE5300F50492DF49A820E1EF309A49C752

Function 0055A3B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0055A47A

Strings

@X, xrefs: 0055A430
@X, xrefs: 0055A429

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @X$@X
API String ID: 4062629308-20540172
Opcode ID: 0441543590e3285c4525826047e96f708876d881f38016dc97ada8610f081385
Instruction ID: f206fff882ca66b7fab609e9b656c5acf30a1a611f4cfacf1cddd21b147859b7
Opcode Fuzzy Hash: 0441543590e3285c4525826047e96f708876d881f38016dc97ada8610f081385
Instruction Fuzzy Hash: 2D21B6316101019ADF186BB89C3A76E2F927FD5336F284B1BFC215A1E1DBB4894A8703

Function 0055A7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0055A8BC

Strings

@X, xrefs: 0055A86B
@X, xrefs: 0055A872

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @X$@X
API String ID: 4062629308-20540172
Opcode ID: efd6333537e1a12635441365b4bfb45b5b1d28bf504ae5187a9825192724ec82
Instruction ID: 131d09dc22f9dbe094ca0c3cb06f0569210f01b9618e8a9de6412027622da9fa
Opcode Fuzzy Hash: efd6333537e1a12635441365b4bfb45b5b1d28bf504ae5187a9825192724ec82
Instruction Fuzzy Hash: BD210771A105159AC7156B788C3A36D3FA1BFC5336F284B1BFC226A1D2DB34994B8743

Function 00524FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00525010

Part of subcall function 005394DA: GetLocalTime.KERNEL32(00000000), ref: 005394F4

GetLocalTime.KERNEL32(?), ref: 00525067

Strings

T/X, xrefs: 00525004

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: LocalTime
String ID: T/X
API String ID: 481472006-3814244053
Opcode ID: 18b9af63b39ee91424706e29e5b0e97eee681d06a7b6d96017f7df15d880e4ad
Instruction ID: 4d2cfde72cbcca50b1ce7650e4b81c35ae56798014bdd5cbe8ab2caea63f7089
Opcode Fuzzy Hash: 18b9af63b39ee91424706e29e5b0e97eee681d06a7b6d96017f7df15d880e4ad
Instruction Fuzzy Hash: E02126719052506BD705B724AC6E72A7F94BFA6304F41051DF845071E3EB355A4CDBE3

Function 0055A8F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0055A924
_free.LIBCMT ref: 0055A94A

Strings

XX, xrefs: 0055A9B1

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: _free
String ID: XX
API String ID: 269201875-3129250407
Opcode ID: bcc37b2139cb1ec70b05375366d5e6bbbb861dc31b2a6846da10d9d091eeafb5
Instruction ID: ba5fd52c25e8a4eb761514db0f11f513bfc468de9e903de8b23b810d98704fff
Opcode Fuzzy Hash: bcc37b2139cb1ec70b05375366d5e6bbbb861dc31b2a6846da10d9d091eeafb5
Instruction Fuzzy Hash: 7211E671B007205ED7205B29AC59B563EA4BBA4730F165B37FD20EB2D0E770D84A5B92

Function 00532077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0053209B
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005320D1

Strings

P0X, xrefs: 00532096

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: QueryValue
String ID: P0X
API String ID: 3660427363-688593047
Opcode ID: e1eb834439baae1dc99c22e459bd7122fd45e8eb59db6ba09b7bc6c1637f1a67
Instruction ID: dfd4441d95c3989e0de66df8e9af3a0d80208f0c4328bc2ff21afa8b2e7b4d6b
Opcode Fuzzy Hash: e1eb834439baae1dc99c22e459bd7122fd45e8eb59db6ba09b7bc6c1637f1a67
Instruction Fuzzy Hash: 28018476A01108FFEF149B95EC4ADFE7BBDEB84210F100066F904E2210E6715F44AB70

Function 00539959 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,05Wu`Wu,00000000,?,?,?,?,00589654,0052BDCB,00583D60), ref: 00539980

Strings

abcdefghijklmnopqrstuvwxyz, xrefs: 0053996C
05Wu`Wu, xrefs: 00539960

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CurrentProcess
String ID: 05Wu`Wu$abcdefghijklmnopqrstuvwxyz
API String ID: 2050909247-1745086779
Opcode ID: f18759a82bbee9d3310c6be278b60fe248692e6dda6ff0c6ae492e2593fdbf49
Instruction ID: 1a5fe34106c4b34f020f295de2053e2b27fae2034af8976f137b77db4662376b
Opcode Fuzzy Hash: f18759a82bbee9d3310c6be278b60fe248692e6dda6ff0c6ae492e2593fdbf49
Instruction Fuzzy Hash: F2F02D73E0021556D61076B9BD4B6AB7B99BF95321F010437FD04D71C3CC978C0996B1

Function 0052B0A3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00009F4D,00000000,00000000,00000000), ref: 0052B10A

Part of subcall function 00531EEA: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000000,?,?,0052B0DD,005838E0), ref: 00531F01
Part of subcall function 00531EEA: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,?,?,0052B0DD,005838E0), ref: 00531F15
Part of subcall function 00531EEA: RegCloseKey.ADVAPI32(?,?,?,0052B0DD,005838E0), ref: 00531F20

Part of subcall function 00531F34: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00531F54
Part of subcall function 00531F34: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,p#h), ref: 00531F72
Part of subcall function 00531F34: RegCloseKey.KERNELBASE(?), ref: 00531F7D

Strings

8X, xrefs: 0052B0C1
p#h, xrefs: 0052B0C9

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: CloseOpenQueryValue$CreateThread
String ID: p#h$8X
API String ID: 3520877709-353104336
Opcode ID: ea23341f86665e1f32d92d5c9aee07b9b241bbd5472ea802efb13d4f9fe3d1b8
Instruction ID: 76cb985c5e821498cf3240cb5c1725622b2a0bb7ade265d0bb15dfd79d2b1699
Opcode Fuzzy Hash: ea23341f86665e1f32d92d5c9aee07b9b241bbd5472ea802efb13d4f9fe3d1b8
Instruction Fuzzy Hash: 60F04434A02628774B149B757C59CABBF9DFE87760B20042AF804A7281CA318E05E3F4

Function 00538CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 00538CF2

Strings

x(Y, xrefs: 00538CFC
P0X, xrefs: 00538D01

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ExistsFilePath
String ID: P0X$x(Y
API String ID: 1174141254-2298016533
Opcode ID: 6de636c31daf4d694a3ce3015e34ce5f4f40b651088ef4440d1a476060c1c5c6
Instruction ID: 840ad7392b1f1bfce184c545130b6af99ad996a88ebf257768f97012df3a6b6b
Opcode Fuzzy Hash: 6de636c31daf4d694a3ce3015e34ce5f4f40b651088ef4440d1a476060c1c5c6
Instruction Fuzzy Hash: 40017920744712568A08F774BC1E6BF3F857FE2350F400959B846571D2EE615D05D3DA

Function 0056C257 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00565725: GetLastError.KERNEL32(?,?,00562AA3,0058B5C0,0000000C,00552948), ref: 00565729
Part of subcall function 00565725: _free.LIBCMT ref: 0056575C
Part of subcall function 00565725: SetLastError.KERNEL32(00000000), ref: 0056579D
Part of subcall function 00565725: _abort.LIBCMT ref: 005657A3

_abort.LIBCMT ref: 0056C289
_free.LIBCMT ref: 0056C2BD

Strings

pX, xrefs: 0056C2B4

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: pX
API String ID: 289325740-1261827746
Opcode ID: 030eb57e8d74b39f394d8d09eaa757c17cc8e04fb7f460b5505b3e7242254025
Instruction ID: 903c2bfd0ac60e4ea8c8d4d7bf3a324bc8810dc23a3d80e762cd6152c96cfc96
Opcode Fuzzy Hash: 030eb57e8d74b39f394d8d09eaa757c17cc8e04fb7f460b5505b3e7242254025
Instruction Fuzzy Hash: BE01923AD02B229BC7A1AFA8941266DBF70BF45B20B15060AFCE473281CB346D41DFC1

Function 00538D76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005394DA: GetLocalTime.KERNEL32(00000000), ref: 005394F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00538DA8
Sleep.KERNEL32(00002710), ref: 00538DBD

Strings

`Wu, xrefs: 00538DA8

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: HandleLocalModuleSleepTime
String ID: `Wu
API String ID: 1683243174-3261129705
Opcode ID: 208f55b3fa424a10faa51a8614398587da42a02ff878c362a71cdbd21e0310ef
Instruction ID: 486f1081848148f61a916fcbd75ebd0f42ada78ec69f243d83ae97d1e38c4684
Opcode Fuzzy Hash: 208f55b3fa424a10faa51a8614398587da42a02ff878c362a71cdbd21e0310ef
Instruction Fuzzy Hash: 9EE0482AA4016177A614337A7D0FC3F3E29EED3B61B05005DFD0956192ED500845D7F3

Function 00568300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00568322

Part of subcall function 00563C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?), ref: 00563CA8
Part of subcall function 00563C92: GetLastError.KERNEL32(?,?,0056DE4F,?,00000000,?,00000000,?,0056E0F3,?,00000007,?,?,0056E63E,?,?), ref: 00563CBA

Strings

76U, xrefs: 00568306
76U, xrefs: 00568305

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID: 76U$76U
API String ID: 1353095263-1309745115
Opcode ID: 710c3d3839c8f713d757c8febbba968a6a1f5e639dd10886ab9cec73768219b3
Instruction ID: fbf7a37572ab34657cf931c2cc5d85d546337d5ff012f97a9e76b7ff798461fb
Opcode Fuzzy Hash: 710c3d3839c8f713d757c8febbba968a6a1f5e639dd10886ab9cec73768219b3
Instruction Fuzzy Hash: 73E092362007059F8720CF6CD800A96BBE4FF94765320C929F89EE3310D731E812CB40

Function 0052A7B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,p#h,?,p#h,pth_unenc,005921E8), ref: 0052A7C2
RemoveDirectoryW.KERNEL32(00000000,?,p#h,pth_unenc,005921E8), ref: 0052A7E7

Strings

p#h, xrefs: 0052A7B6

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID: p#h
API String ID: 3325800564-1450192713
Opcode ID: 8bc12e53f21e7992f5c70b14c625d4d1141e48a86da9eb32631cc279514359ed
Instruction ID: ef48d342b9d5a41cfd91e57cbb56cfa4474d74ea74de91e7a7b05abbe1fa8996
Opcode Fuzzy Hash: 8bc12e53f21e7992f5c70b14c625d4d1141e48a86da9eb32631cc279514359ed
Instruction Fuzzy Hash: A3E08C35001A218BD714BB72AC488E73F9CBE6A320304091BA853936B2DF24DC89EA14

Function 005213F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00589570,00589560), ref: 005213FC
GetProcAddress.KERNEL32(00000000), ref: 00521403

Strings

`Wu, xrefs: 005213FC

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: `Wu
API String ID: 1646373207-3261129705
Opcode ID: af77b1bc7613abb036592f735cc01b6084b2e30ffea076ad7bffa1d88cae9983
Instruction ID: 0d39225f8608d326008c51d8fa7afe3b377d16f8183f10a12ba17b05b57141ff
Opcode Fuzzy Hash: af77b1bc7613abb036592f735cc01b6084b2e30ffea076ad7bffa1d88cae9983
Instruction Fuzzy Hash: B3B092BDA82601AFCA42BFB1BE0D8153EA8BE24702B080141B907A1961EB70014CFB11

Function 0055B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0055B4DB
GetLastError.KERNEL32 ref: 0055B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0055B544

Memory Dump Source

Source File: 00000002.00000002.3879370313.000000000054E000.00000020.00000400.00020000.00000000.sdmp, Offset: 0054E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_54e000_InstallUtil.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7f6f6d5406fa650845c0083262b25d9bc9849c097b725402fe606074359e330c
Instruction ID: eadfb777f39739acedb982e0f99bd0c01d79fdf4c418d961da560df441566554
Opcode Fuzzy Hash: 7f6f6d5406fa650845c0083262b25d9bc9849c097b725402fe606074359e330c
Instruction Fuzzy Hash: A741E470600216AFEF298F64D86CB6A7FB5BF41312F14415AEC59AB1A1FB308D48D750

Function 005305C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 005305F1
IsBadReadPtr.KERNEL32(?,00000014), ref: 005306BD
SetLastError.KERNEL32(0000007F), ref: 005306DF
SetLastError.KERNEL32(0000007E,00530955), ref: 005306F6

Memory Dump Source

Source File: 00000002.00000002.3879370313.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00521000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_521000_InstallUtil.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: d59cc7b1b1b839fbdf3ae82f142a08310950db31becdf3295b68c228cc67b181
Instruction ID: 592233a8c473100a09e92534dec2c7221d02d95b0d69bcc1dc297176668b81b5
Opcode Fuzzy Hash: d59cc7b1b1b839fbdf3ae82f142a08310950db31becdf3295b68c228cc67b181
Instruction Fuzzy Hash: A041BF71604705DFE7209F18DC9AB26BBE8FF84714F00182DE94AC7695EB71E864DB21

Analysis Process: ShouldExitCurrentIteration.exePID: 7920, Parent PID: 7868COMMON

Executed Functions

Function 00B9CA60 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad24cd65a67a5c816641b91bec6d8a9cdf7834c62bd6cc22c35e6bd24811ee71
Instruction ID: c0b65d371001f6c328d0d2f8c9cc964c53d5769d442ab987d095388154e044d8
Opcode Fuzzy Hash: ad24cd65a67a5c816641b91bec6d8a9cdf7834c62bd6cc22c35e6bd24811ee71
Instruction Fuzzy Hash: A3A2B375A00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Function 00B98A01 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1ebb53150700e4c007b21a5d3c9a621e14ba1ca3cbaa53b0fb73ed8ea2e80e
Instruction ID: bc1976ee0e6d385927cc7b507b875ad0d4f7b976d1efcb82a62307ab34822708
Opcode Fuzzy Hash: 6f1ebb53150700e4c007b21a5d3c9a621e14ba1ca3cbaa53b0fb73ed8ea2e80e
Instruction Fuzzy Hash: 42710D75A01A09CFD758EFAAE940ADABBF3FBC8300F04C179D01497269EB7959468B50

Function 00B98A10 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9a48a533bafdf93aad8360663ae490c29ba5af29067c27dbf11b35be22959e
Instruction ID: df24f9a59d41771245c954106fb7c6cf838acf5c930111764fa54b962b2ac039
Opcode Fuzzy Hash: 6b9a48a533bafdf93aad8360663ae490c29ba5af29067c27dbf11b35be22959e
Instruction Fuzzy Hash: CA710E75A01A09CFD708EFAAE940ADABBF3FBC8300F04C179D01497268EB7559468B50

Function 00B90870 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf35287c64a842ad15fd92ed72032e3a68a3c8fc8c09dd792b92497e902019cb
Instruction ID: 8374e5a0e7af0d81adfc094e39b358caad68f4b543d8367666f708297b4d9aa3
Opcode Fuzzy Hash: bf35287c64a842ad15fd92ed72032e3a68a3c8fc8c09dd792b92497e902019cb
Instruction Fuzzy Hash: 52317031E0070A8FDB05DFB8C8459AEBBF2FF89311F1585A9D505AB261D770A985CB90

Function 00B90B18 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec277f83730b7650548ee150a9002d25765e64a84554f094970ad52b0ab021ef
Instruction ID: 9655d62dfb53227d0c40e0f83a9360379c947e67bfad44c563514154bc6f220b
Opcode Fuzzy Hash: ec277f83730b7650548ee150a9002d25765e64a84554f094970ad52b0ab021ef
Instruction Fuzzy Hash: 6B318D71A002049FDF04EF68C8806DFFBF2EFC9750B24816AE845AB315DB30AD458B90

Function 00B98CB9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34b5f8a9296888cedeb731c58dd9218f3b95f8ce230bf92428b016e40c8fd98
Instruction ID: efdf46861eb48653850fb499ce823e56166907430bc8bcae8bc2874707f01887
Opcode Fuzzy Hash: c34b5f8a9296888cedeb731c58dd9218f3b95f8ce230bf92428b016e40c8fd98
Instruction Fuzzy Hash: 0231D3B4D016099FDB04DFA9C8446ADBBF1FF8A300F1484B9D415E7260DB759A48CF55

Function 00B90C51 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39de3ab568e4008e2f096747bf2c97e4c864a87cc516981f6782c59ccc0cee1a
Instruction ID: de1ad77662eeb07746e92cb39a14dcfc63076bedd845af66057bed2042227906
Opcode Fuzzy Hash: 39de3ab568e4008e2f096747bf2c97e4c864a87cc516981f6782c59ccc0cee1a
Instruction Fuzzy Hash: FE314070A10219CFCB14EFACD584AADBBF1FF48315F5581B6E819AB251D730A981CBA4

Function 00B98CC8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631bb52b3bc1ece9c9aafd461fa0e290a391c9130769730b00e8f8d04413e651
Instruction ID: 0250fb878a4050f83132fb5b5375eb16a14a142726516d9f710bbc912e6a6179
Opcode Fuzzy Hash: 631bb52b3bc1ece9c9aafd461fa0e290a391c9130769730b00e8f8d04413e651
Instruction Fuzzy Hash: 3931D2B4D01609DFDB04DFA9D4846ADBBF1EF8A300F1484B9D405E72A0DB759A45CF51

Function 00B988C1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224c616c3f9e79d68c25113153e2a933802f1fdb674388e577530ad93e23e1ff
Instruction ID: 2f5d6b696a18817e4d1415c8d1358d23eac1b326094bb521f2e8797d21ad3cde
Opcode Fuzzy Hash: 224c616c3f9e79d68c25113153e2a933802f1fdb674388e577530ad93e23e1ff
Instruction Fuzzy Hash: 00314AB4D09208DFDB44DFA8D5897ADBBF1EB4A305F2091F9D015A7281DBB44A88CF52

Function 00B988D0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071cc9ddfe09e942d628159560c3ea6c135f8a5393dc6ca7a231527a0478a9cd
Instruction ID: 06c9785f6f770a3e193f19e5e82361d48b8a64d573c74fc5a1fb4303d426d639
Opcode Fuzzy Hash: 071cc9ddfe09e942d628159560c3ea6c135f8a5393dc6ca7a231527a0478a9cd
Instruction Fuzzy Hash: FA315CB4D09208DFDB44DFA8D5897ADBBF1EB4A305F20D1B9D015A7241DB744A88CF52

Function 00A2D048 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562003065.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a2d000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52859a07b48abd446568f4ccc9ac32b3a3ba0218338fb21ab731f74f9d76e771
Instruction ID: a735ee63ab068d2635e1201611251b51c96e5d1ba4bfdea2f3ccc1dae0997da5
Opcode Fuzzy Hash: 52859a07b48abd446568f4ccc9ac32b3a3ba0218338fb21ab731f74f9d76e771
Instruction Fuzzy Hash: 0A21F571508244EFDB14DF18E9C0B26BB65FB84714F24C679E90A0B656C336D816CBA2

Function 00B90A20 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d631f18b87e04f6501f462bad1d0c59246989d28036c6e62ad26066cd155120
Instruction ID: 56410b862c1a67dd72301dc235bca77e71e6f57330f12607dadd928d98b8e70d
Opcode Fuzzy Hash: 7d631f18b87e04f6501f462bad1d0c59246989d28036c6e62ad26066cd155120
Instruction Fuzzy Hash: 3121CF31A007159FDF24DF79C8449DEBBF1FF88350B100A79E496AB290DB30A944CB60

Function 00B90A0F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6db6be1d0c4d42dc60ba5f2f806af6aceb32ed65a2db38e8e252b2fed836e57
Instruction ID: 609955fcd074e2b758e8ea5c41e2069f0c481d9a9b47e092a47f42fbe03f9bf0
Opcode Fuzzy Hash: a6db6be1d0c4d42dc60ba5f2f806af6aceb32ed65a2db38e8e252b2fed836e57
Instruction Fuzzy Hash: B521F231A103159FCF14DF68C84499EBBF1FF84710B1448BEE4459B2A1DB309944CBA0

Function 00B9081F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8c2ee0edc2299c6a60be4d4b373ee696de6fa82e1b7d09f0943fa512cec30c
Instruction ID: 5f26711dd18985888e2a6a3fcd0b0205bac86f0886319175dbb2101755d048dd
Opcode Fuzzy Hash: 5e8c2ee0edc2299c6a60be4d4b373ee696de6fa82e1b7d09f0943fa512cec30c
Instruction Fuzzy Hash: 5A116730A042408FDB05EBB8D899AADBFF2FF46304F1581E9E5459B262C735D842CB81

Function 00B9DC40 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e074ced704b0207ae1ddaf4ce9fba06f884d246c053cd684341192b4122a09
Instruction ID: 147c63049d058d953bf193b2f6b2ea68bc262c4211703d23e59047232bd0802f
Opcode Fuzzy Hash: e3e074ced704b0207ae1ddaf4ce9fba06f884d246c053cd684341192b4122a09
Instruction Fuzzy Hash: 7C1126B1D04209DBDF04CF9AC884AEEBBF6FB88310F10807AD515B3210D7B41A45CBA0

Function 00A2D043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562003065.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a2d000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction ID: 2b0eac5a8cd45f89e84daf12dac5f8d1a2f009071ae0f70305093b3e14d4f95b
Opcode Fuzzy Hash: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction Fuzzy Hash: D2119076504284DFCB15CF14E9C4B16BFB2FB84314F24C6A9D8494B657C33AD85ACBA2

Function 00B90861 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f05db66508d79d11d44866fabbf91a5b594a7b51acc0c4d413470f6fb44d8f
Instruction ID: a447883f9dd616d1184dd6cb298645b53b1998e181baa5958c70cf6960aae171
Opcode Fuzzy Hash: 69f05db66508d79d11d44866fabbf91a5b594a7b51acc0c4d413470f6fb44d8f
Instruction Fuzzy Hash: EB110274E002458FCB04EFA9C485AAEBFF2FF49300F2585A9E505DB362D731D9418B80

Function 00A1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1561921933.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a1d000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d83fef5ccd2b234f25ffcda1c9dd9fa69cc216d98bda0286a0b51f82008b54
Instruction ID: 4f5869f1bb639afb9938c40a01d5a33dbe91ee2a9b9e71850b63cb83d2508954
Opcode Fuzzy Hash: b2d83fef5ccd2b234f25ffcda1c9dd9fa69cc216d98bda0286a0b51f82008b54
Instruction Fuzzy Hash: F501F771404304EAE7104B25D880BA7BBD8EF49760F18C019ED4A1F282C3799981CAB2

Function 00A1D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1561921933.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a1d000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c6fe2f1a7accd317e2bbbdd42065d602420cf776402353cd73364cbeb56270
Instruction ID: f0267f465fb52f1f4fe7954b2351d96953157a5b5420fed1acdf24ae5d7bdb68
Opcode Fuzzy Hash: 23c6fe2f1a7accd317e2bbbdd42065d602420cf776402353cd73364cbeb56270
Instruction Fuzzy Hash: 90015E7140E3C09FD7128B258C94B52BFB8EF56224F1981CBE9898F1A3C2699844CB72

Function 00B90992 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e82a329b253c79b47a09ac52f738265dc7e72f094aa8c826e3c3c2d5b5d3720
Instruction ID: ca6916a3b6459e75e192a5225ce33c38738b2b783fb3904c77e90ad1a368a0cf
Opcode Fuzzy Hash: 0e82a329b253c79b47a09ac52f738265dc7e72f094aa8c826e3c3c2d5b5d3720
Instruction Fuzzy Hash: 85F0C831E10249CBEF05DB74C4659AFBFB56B85300F09C57AC442AB291DF7059068791

Function 00B9DA38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7edc460674b35b33a01c611d22ff9e86fc799ceacaab1cc0ceb249d3cb7f4fa
Instruction ID: 43de126634ebdbd4dbc277423d9a0b21416d3a4d25e5a62f1e2e1d9a097f080d
Opcode Fuzzy Hash: c7edc460674b35b33a01c611d22ff9e86fc799ceacaab1cc0ceb249d3cb7f4fa
Instruction Fuzzy Hash: 29F0A575E04208EFCB84DFA9D840AADBBF5EB49310F10C0AA9918A3350D6329A56EF40

Function 00B9CA10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a0fc303dfe16c1cacb242eeabb4ebc0ef29b3f717bca5ccfd851e9361e6378
Instruction ID: 85d1971caeca9c97c8b696fbf2f84609fd58168e456745d4408d5ea40705bd8a
Opcode Fuzzy Hash: 52a0fc303dfe16c1cacb242eeabb4ebc0ef29b3f717bca5ccfd851e9361e6378
Instruction Fuzzy Hash: F1E0EC7190120CDFDB10EFF5D408A9E7BF9DB4A201F1045F99405E3154EA725E14DBA6

Function 00B98DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aba0ccf91df811c118be42559d8b048b791a979cf257f387c89580ee4933aba
Instruction ID: d187268553998d88e4ec3c9d44d0a343944b9b5c31a428265a5fd261a034cb08
Opcode Fuzzy Hash: 1aba0ccf91df811c118be42559d8b048b791a979cf257f387c89580ee4933aba
Instruction Fuzzy Hash: 80D0A7350566088BDA441345DC4D371739CDB13301F1009B8550CC0090C6505418AA4D

Function 00B9C840 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1562386627.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b90000_ShouldExitCurrentIteration.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f9c13207968f8a3e53e46f61cd77fdcad84522ef99ae765dfea1f3cc0ee3a5
Instruction ID: 0189a7ac74d011d2795aca7e0f7300e4640d5bca452b44732c190546a7f107d6
Opcode Fuzzy Hash: d4f9c13207968f8a3e53e46f61cd77fdcad84522ef99ae765dfea1f3cc0ee3a5
Instruction Fuzzy Hash: EEC08031043308C7D71477E5B40DB3C3B58D701317F0000F4D04C500505A705855CA5F

Analysis Process: InstallUtil.exePID: 8012, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.2%
Total number of Nodes:	617
Total number of Limit Nodes:	12

Executed Functions

Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
ExitProcess.KERNEL32 ref: 004407EF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
GetProcAddress.KERNEL32(00000000), ref: 0041A912
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
GetProcAddress.KERNEL32(00000000), ref: 0041A927
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
GetProcAddress.KERNEL32(00000000), ref: 0041A940
GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
GetProcAddress.KERNEL32(00000000), ref: 0041A954
GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
GetProcAddress.KERNEL32(00000000), ref: 0041A96C
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
GetProcAddress.KERNEL32(00000000), ref: 0041A980
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
GetProcAddress.KERNEL32(00000000), ref: 0041A98F
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
GetProcAddress.KERNEL32(00000000), ref: 0041AA22
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
GetProcAddress.KERNEL32(00000000), ref: 0041AA33
LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
GetProcAddress.KERNEL32(00000000), ref: 0041AA43

Strings

SetProcessDpiAware, xrefs: 0041A95F
SetProcessDpiAwareness, xrefs: 0041A947
IsWow64Process, xrefs: 0041A991
Shell32, xrefs: 0041A9BB
user32, xrefs: 0041A964, 0041A9DF, 0041A9E9, 0041A9F4, 0041AA04
GetConsoleWindow, xrefs: 0041AA35
GetModuleFileNameExW, xrefs: 0041A919, 0041A91E, 0041A937
shcore, xrefs: 0041A94C
IsUserAnAdmin, xrefs: 0041A9B6
kernel32.dll, xrefs: 0041A987, 0041AA14, 0041AA1E, 0041AA3A
EnumDisplayMonitors, xrefs: 0041A9EF
ntdll.dll, xrefs: 0041A978
Psapi.dll, xrefs: 0041A8EA, 0041A91F
Shlwapi.dll, xrefs: 0041AA26
GetSystemTimes, xrefs: 0041AA0F
GetComputerNameExW, xrefs: 0041A9A6
SetProcessDEPPolicy, xrefs: 0041A9CA
GetModuleFileNameExA, xrefs: 0041A8E4, 0041A8E9, 0041A909
NtUnmapViewOfSection, xrefs: 0041A973
GetMonitorInfoW, xrefs: 0041A9FF
kernel32, xrefs: 0041A996, 0041A9A0, 0041A9AB, 0041A9CF
GlobalMemoryStatusEx, xrefs: 0041A982
EnumDisplayDevicesW, xrefs: 0041A9DA
Kernel32.dll, xrefs: 0041A90A, 0041A938

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
API String ID: 551388010-2474455403
Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

Function 0040D3F0 Relevance: 69.0, APIs: 16, Strings: 23, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603

Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992

Strings

(#G, xrefs: 0040D596
licence, xrefs: 0040DA22
`"G, xrefs: 0040DCA3
H"G, xrefs: 0040D9B8
exepath, xrefs: 0040D931, 0040D9DB
!G, xrefs: 0040D919
Remcos Agent initialized, xrefs: 0040DA83
Exe, xrefs: 0040D534
Software\, xrefs: 0040D4E6
Inj, xrefs: 0040D626, 0040D62C, 0040D641
Access Level: , xrefs: 0040DD3D
!G, xrefs: 0040D9F6
!G, xrefs: 0040D8AC
origmsc, xrefs: 0040D6F7
H"G, xrefs: 0040D904
0"G, xrefs: 0040D656
!G, xrefs: 0040D8F2
0"G, xrefs: 0040D586
User, xrefs: 0040DD2C
0"G, xrefs: 0040D52A
Administrator, xrefs: 0040DD08
!G, xrefs: 0040D8B6
license_code.txt, xrefs: 0040D465

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
API String ID: 1529173511-1365410817
Opcode ID: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
Opcode Fuzzy Hash: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

Function 00404E06 Relevance: 18.1, APIs: 12, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
closesocket.WS2_32(?), ref: 00404E3A
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

Function 004459F9 Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Function 00443649 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

Non-executed Functions

Function 00410B5C Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410B6B

Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
CloseHandle.KERNEL32(00000000), ref: 00410BBA
CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F

Strings

\system32\, xrefs: 00410C6E
rmclient.exe, xrefs: 00410D4F
WinDir, xrefs: 00410C80, 00410CD5
fsutil.exe, xrefs: 00410D74
\SysWOW64\, xrefs: 00410CC6
Watchdog module activated, xrefs: 00410BE9, 00410E41
Remcos restarted by watchdog!, xrefs: 00410BC5
WDH, xrefs: 00410C1A, 00410C20, 00410E85
(#G, xrefs: 00410B98
!G, xrefs: 00410C47
svchost.exe, xrefs: 00410D2A
Watchdog launch failed!, xrefs: 00410DE8

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
API String ID: 3018269243-1736093966
Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F

Function 00406D28 Relevance: 32.3, APIs: 9, Strings: 9, Instructions: 810fileCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406D4A
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
DeleteFileW.KERNEL32(00000000), ref: 00406E3A

Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
DeleteFileA.KERNEL32(?), ref: 0040768E

Strings

Unable to rename file!, xrefs: 004074A4
Downloading file: , xrefs: 0040700E
Executing file: , xrefs: 0040723E
open, xrefs: 00407222
Browsing directory: , xrefs: 004072C9
Failed to download file: , xrefs: 00407136
Unable to delete: , xrefs: 00406E98
Downloaded file: , xrefs: 004070BF
Deleted file: , xrefs: 00406E59

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 1385304114-1507758755
Opcode ID: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
Opcode Fuzzy Hash: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B

Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056C6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__Init_thread_footer.LIBCMT ref: 00405703
CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
TerminateProcess.KERNEL32(00000000), ref: 004059F7
CloseHandle.KERNEL32 ref: 00405A03
CloseHandle.KERNEL32 ref: 00405A0B
CloseHandle.KERNEL32 ref: 00405A1D
CloseHandle.KERNEL32 ref: 00405A25

Strings

cmd.exe, xrefs: 0040572D
SystemDrive, xrefs: 00405741

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E

Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
FindClose.KERNEL32(00000000), ref: 0040AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
FindClose.KERNEL32(00000000), ref: 0040AC53

Strings

\key3.db, xrefs: 0040ABB7
UserProfile, xrefs: 0040AAA1
\logins.json, xrefs: 0040AB75
[Firefox StoredLogins Cleared!], xrefs: 0040AC40
[Firefox StoredLogins not found], xrefs: 0040AB15
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AA93

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A

Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
FindClose.KERNEL32(00000000), ref: 0040AD0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
FindClose.KERNEL32(00000000), ref: 0040ADF0
FindClose.KERNEL32(00000000), ref: 0040AE11

Strings

UserProfile, xrefs: 0040ACA1
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AC93
\cookies.sqlite, xrefs: 0040AD6D
[Firefox Cookies not found], xrefs: 0040AD15, 0040ADDD
[Firefox cookies found, cleared!], xrefs: 0040AE20

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E

Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414EC2
EmptyClipboard.USER32 ref: 00414ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
GlobalLock.KERNEL32(00000000), ref: 00414EF9
GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A

Function 0041A01B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125

Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB

GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C

Strings

05Wu`Wu, xrefs: 0041A118

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID: 05Wu`Wu
API String ID: 2341273852-3643370980
Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19

Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
GetLastError.KERNEL32 ref: 00418771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A

Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
FindClose.KERNEL32(00000000), ref: 0040B3BE
FindClose.KERNEL32(00000000), ref: 0040B3E9

Strings

AppData, xrefs: 0040B299
\cookies.sqlite, xrefs: 0040B34A
\Mozilla\Firefox\Profiles\, xrefs: 0040B2AF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D

Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
GetProcAddress.KERNEL32(00000000), ref: 00412CC1

Strings

Shlwapi.dll, xrefs: 00412CB5
SHDeleteKeyW, xrefs: 00412CB0

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
Opcode Fuzzy Hash: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A

Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D

Sleep.KERNEL32(00000BB8), ref: 0040E243
ExitProcess.KERNEL32 ref: 0040E2B4

Strings

3.8.0 Pro, xrefs: 0040E21E, 0040E28D
!G, xrefs: 0040E19E
override, xrefs: 0040E1B2
pth_unenc, xrefs: 0040E1A3, 0040E1EC, 0040E25B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.8.0 Pro$override$pth_unenc$!G
API String ID: 2281282204-1386060931
Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
GetLastError.KERNEL32 ref: 0040A999

Strings

UserProfile, xrefs: 0040A95F
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
[Chrome StoredLogins not found], xrefs: 0040A9B3
[Chrome StoredLogins found, cleared!], xrefs: 0040A9BF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF

Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
GetLastError.KERNEL32 ref: 00415CDB

Strings

SeShutdownPrivilege, xrefs: 00415CB0

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5

Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408393

Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC

Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C

FindClose.KERNEL32(00000000), ref: 004086F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98

Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Strings

H"G, xrefs: 00417BA1
`'G, xrefs: 00417C7E
`'G, xrefs: 00417DE4

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: H"G$`'G$`'G
API String ID: 341183262-2774397156
Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A

Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB

ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
GetProcAddress.KERNEL32(00000000), ref: 00414E72

Strings

SetSuspendState, xrefs: 00414E61
PowrProf.dll, xrefs: 00414E66

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE

Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3

Strings

ACP, xrefs: 0044F63A
OCP, xrefs: 0044F670

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398

Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004087A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
FindNextFileW.KERNEL32(00000000,?), ref: 00408846
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98

Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0044F957
IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769

Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040784D
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
__CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99

Function 00443700 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

A%E, xrefs: 00443B68, 00443952, 004437E1
A%E, xrefs: 0044371D, 004438C8, 00443AEC, 00443A86, 00443916, 004438A4

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: A%E$A%E
API String ID: 0-137320553
Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84

Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861

Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1

Strings

TileWallpaper, xrefs: 0041A84B
Control Panel\Desktop, xrefs: 0041A7A7, 0041A7DA, 0041A82A
WallpaperStyle, xrefs: 0041A7AC, 0041A7DF, 0041A82F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF

Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
_wcschr.LIBVCRUNTIME ref: 0044F02A
_wcschr.LIBVCRUNTIME ref: 0044F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769

Function 004063C6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6

Strings

open, xrefs: 004064CC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: open
API String ID: 2825088817-2758837156
Opcode ID: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
Opcode Fuzzy Hash: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B

Function 0041642D Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 289
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
GetProcAddress.KERNEL32(00000000), ref: 004164B3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
GetThreadContext.KERNEL32(?,00000000), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
GetCurrentProcess.KERNEL32(?), ref: 00416795
TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
GetLastError.KERNEL32 ref: 004167B8

Strings

ntdll, xrefs: 0041645F, 0041647E, 00416492, 004164A6
ZwUnmapViewOfSection, xrefs: 0041648D
ZwCreateSection, xrefs: 0041645A
ZwMapViewOfSection, xrefs: 00416479
`Wu, xrefs: 00416649
ZwClose, xrefs: 004164A1

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
API String ID: 4188446516-529412701
Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A

Function 00416E7E Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
CreateCompatibleDC.GDI32(00000000), ref: 00416EA5

Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
DeleteDC.GDI32(00000000), ref: 00416F32
DeleteDC.GDI32(00000000), ref: 00416F35
DeleteObject.GDI32(00000000), ref: 00416F38
SelectObject.GDI32(00000000,00000000), ref: 00416F59
DeleteDC.GDI32(00000000), ref: 00416F6A
DeleteDC.GDI32(00000000), ref: 00416F6D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
GetIconInfo.USER32(?,?), ref: 00416FC5
DeleteObject.GDI32(?), ref: 00416FF4
DeleteObject.GDI32(?), ref: 00417001
DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
DeleteDC.GDI32(?), ref: 0041713C
DeleteDC.GDI32(00000000), ref: 0041713F
DeleteObject.GDI32(00000000), ref: 00417142
GlobalFree.KERNEL32(?), ref: 0041714D
DeleteObject.GDI32(00000000), ref: 00417201
GlobalFree.KERNEL32(?), ref: 00417208
DeleteDC.GDI32(?), ref: 00417218
DeleteDC.GDI32(00000000), ref: 00417223

Strings

DISPLAY, xrefs: 00416E91

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A

Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
ExitProcess.KERNEL32 ref: 0040C389

Strings

exepath, xrefs: 0040C0B0
open, xrefs: 0040C377
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C02A
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C07B
Temp, xrefs: 0040C139
""", 0, xrefs: 0040C2A0
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C32C
wend, xrefs: 0040C242
fso.DeleteFolder ", xrefs: 0040C264
On Error Resume Next, xrefs: 0040C172
fso.DeleteFile ", xrefs: 0040C1F3
H"G, xrefs: 0040C088
\update.vbs, xrefs: 0040C134
"), xrefs: 0040C18E
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C163
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C2BA
while fso.FileExists(", xrefs: 0040C1A5
t<F, xrefs: 0040C2F0, 0040C331

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
API String ID: 1861856835-1953526029
Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E

Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
ExitProcess.KERNEL32(00000000), ref: 00410F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
CloseHandle.KERNEL32(00000000), ref: 00410FA0
GetCurrentProcessId.KERNEL32 ref: 00410FA6
PathFileExistsW.SHLWAPI(?), ref: 00410FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
lstrcatW.KERNEL32(?,.exe), ref: 00411066

Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
Sleep.KERNEL32(000001F4), ref: 004110E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
CloseHandle.KERNEL32(00000000), ref: 0041110E
GetCurrentProcessId.KERNEL32 ref: 00411114

Strings

H"G, xrefs: 00410F0B
temp_, xrefs: 00411048
(#G, xrefs: 00410EE8
exepath, xrefs: 00410F31
WDH, xrefs: 00410FAD, 0041111B
open, xrefs: 004110A0
.exe, xrefs: 0041105A

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
API String ID: 2649220323-71629269
Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D

Function 0040BC59 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
ExitProcess.KERNEL32 ref: 0040BFD7

Strings

exepath, xrefs: 0040BD3F
open, xrefs: 0040BFCA
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BCA5
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BCF6
Temp, xrefs: 0040BE04
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BF7F
wend, xrefs: 0040BF22
fso.DeleteFolder ", xrefs: 0040BF48
On Error Resume Next, xrefs: 0040BE52
fso.DeleteFile ", xrefs: 0040BED3
H"G, xrefs: 0040BD1C
.vbs, xrefs: 0040BDBF
05Wu`Wu, xrefs: 0040BD8F
pth_unenc, xrefs: 0040BC60
"), xrefs: 0040BE6F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BE43
while fso.FileExists(", xrefs: 0040BE86

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$05Wu`Wu$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2910377041
Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E

Function 0040B871 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 296fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040B882
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
_wcslen.LIBCMT ref: 0040B968
CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
_wcslen.LIBCMT ref: 0040BA25
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
ExitProcess.KERNEL32 ref: 0040BC36

Strings

6, xrefs: 0040B95C
\install.vbs, xrefs: 0040BA3E
fso.DeleteFile , xrefs: 0040BAB6
!G, xrefs: 0040B8F8
!G, xrefs: 0040B8C6
open, xrefs: 0040BC24
Temp, xrefs: 0040BA43
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BA7B
WScript.Sleep 1000, xrefs: 0040BA6D
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040BB57
""", 0, xrefs: 0040BB47
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BBD2

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
API String ID: 2743683619-2376316431
Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

Function 00418FFD Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
SetEvent.KERNEL32 ref: 004191CF
WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
CloseHandle.KERNEL32 ref: 004191F0
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C

Strings

stopped, xrefs: 004191B8
status audio mode, xrefs: 004191AD
open ", xrefs: 00419086
" type , xrefs: 0041908B
close audio, xrefs: 00419217
play audio, xrefs: 00419101
resume audio, xrefs: 00419198
alias audio, xrefs: 0041906E
stop audio, xrefs: 0041920D
pause audio, xrefs: 00419180

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E

Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7

Strings

fmt , xrefs: 00401B0D
RIFF, xrefs: 00401ADD
WAVE, xrefs: 00401AFD
data, xrefs: 00401B91

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3

Function 004137DC Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
LoadLibraryA.KERNEL32(?), ref: 0041386D
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
FreeLibrary.KERNEL32(00000000), ref: 00413894
LoadLibraryA.KERNEL32(?), ref: 004138CC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
FreeLibrary.KERNEL32(00000000), ref: 004138E5
GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
FreeLibrary.KERNEL32(00000000), ref: 0041390B

Strings

getaddrinfo, xrefs: 004137E9, 00413887, 004138D8
`3A, xrefs: 00413933
freeaddrinfo, xrefs: 00413808
\ws2_32, xrefs: 00413855
getnameinfo, xrefs: 004137F8
\wship6, xrefs: 004138B4

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-3443138237
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE

Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C69F
_free.LIBCMT ref: 0044C6C5
_free.LIBCMT ref: 0044C6EE
_free.LIBCMT ref: 0044C726
_free.LIBCMT ref: 0044C757
_free.LIBCMT ref: 0044C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044C819
_free.LIBCMT ref: 0044C832
_wcschr.LIBVCRUNTIME ref: 0044C86F
_free.LIBCMT ref: 0044C8DB
_free.LIBCMT ref: 0044C901
_free.LIBCMT ref: 0044C92A
_free.LIBCMT ref: 0044C95F
_free.LIBCMT ref: 0044C990
_free.LIBCMT ref: 0044C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CA56
_free.LIBCMT ref: 0044CA6F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D

Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044E4EA

Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7

_free.LIBCMT ref: 0044E4DF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E501
_free.LIBCMT ref: 0044E516
_free.LIBCMT ref: 0044E521
_free.LIBCMT ref: 0044E543
_free.LIBCMT ref: 0044E556
_free.LIBCMT ref: 0044E564
_free.LIBCMT ref: 0044E56F
_free.LIBCMT ref: 0044E5A7
_free.LIBCMT ref: 0044E5AE
_free.LIBCMT ref: 0044E5CB
_free.LIBCMT ref: 0044E5E3

Strings

pF, xrefs: 0044E4BC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: pF
API String ID: 161543041-2973420481
Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18

Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
Sleep.KERNEL32(00000064), ref: 00411C63

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

@#G, xrefs: 00411D72
$.F, xrefs: 004119B6
@#G, xrefs: 00411E45
/stext ", xrefs: 0041198C, 00411A2E, 00411ACD

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$$.F$@#G$@#G
API String ID: 1223786279-2596709126
Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A

Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D828
_free.LIBCMT ref: 0044D84C
_free.LIBCMT ref: 0044D859
_free.LIBCMT ref: 0044D87E
_free.LIBCMT ref: 0044D88B
_free.LIBCMT ref: 0044D894
_free.LIBCMT ref: 0044DB72
_free.LIBCMT ref: 0044DB7A

Strings

pF, xrefs: 0044D80E, 0044DAF7

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754

Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133

Strings

0"G, xrefs: 0040E02D
!G, xrefs: 0040E061
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E0A2
ielowutil.exe, xrefs: 0040E0FA
ieinstal.exe, xrefs: 0040E0B9
Inj, xrefs: 0040E14F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
API String ID: 193334293-3226144251
Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A

Function 0041A419 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
RegCloseKey.ADVAPI32(?), ref: 0041A749

Strings

Publisher, xrefs: 0041A4DB
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041A431
InstallLocation, xrefs: 0041A506
DisplayName, xrefs: 0041A4C6
DisplayVersion, xrefs: 0041A4F2
UninstallString, xrefs: 0041A52E
InstallDate, xrefs: 0041A51A

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A

Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
GetCursorPos.USER32(?), ref: 0041B39E
SetForegroundWindow.USER32(?), ref: 0041B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
ExitProcess.KERNEL32 ref: 0041B41A
CreatePopupMenu.USER32 ref: 0041B420
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435

Strings

Close, xrefs: 0041B426

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59

Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004432D8
_free.LIBCMT ref: 004432EE
_free.LIBCMT ref: 004432FF
_free.LIBCMT ref: 00443310
_free.LIBCMT ref: 00443327
GetCPInfo.KERNEL32(?,?), ref: 0044336F

Part of subcall function 00450054: _free.LIBCMT ref: 004500BF

_free.LIBCMT ref: 0044351B
_free.LIBCMT ref: 0044352E
_free.LIBCMT ref: 0044353C
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443589
_free.LIBCMT ref: 00443591
_free.LIBCMT ref: 00443599
_free.LIBCMT ref: 004435A1
_free.LIBCMT ref: 004435AF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24

Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
__aulldiv.LIBCMT ref: 00407D89

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
CloseHandle.KERNEL32(00000000), ref: 00407FA0
CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
CloseHandle.KERNEL32(00000000), ref: 00408038

Strings

SetFilePointerEx error, xrefs: 00408010
Uploading file to Controller: , xrefs: 00407E11
ReadFile error, xrefs: 00408004

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B

Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
ExitProcess.KERNEL32 ref: 0040C57D

Strings

.vbs, xrefs: 0040C418
exepath, xrefs: 0040C3EA
open, xrefs: 0040C56B
H"G, xrefs: 0040C3C8
Temp, xrefs: 0040C453
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C520
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C4B2
""", 0, xrefs: 0040C49A

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
API String ID: 1913171305-2600661426
Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99

Function 004048A8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004048C0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
WSAGetLastError.WS2_32 ref: 00404A01

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

TLS Error 1, xrefs: 00404917
Connection Refused, xrefs: 00404A56
TLS Error 3, xrefs: 004049B8
Connection Failed: , xrefs: 00404A23
TLS Error 2, xrefs: 00404935
TLS Authentication Failed, xrefs: 00404979
TLS Handshake... | , xrefs: 004048E4

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

Function 00452DBB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
__dosmaperr.LIBCMT ref: 00452ED6
GetFileType.KERNEL32(00000000), ref: 00452EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
__dosmaperr.LIBCMT ref: 00452EF5
CloseHandle.KERNEL32(00000000), ref: 00452F15
CloseHandle.KERNEL32(00000000), ref: 0045305F
GetLastError.KERNEL32 ref: 00453091
__dosmaperr.LIBCMT ref: 00453098

Strings

H, xrefs: 0045301D

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A

Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 00413609
udp, xrefs: 004136B6, 004136BE, 004136C2

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E

Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00409C81
Sleep.KERNEL32(000001F4), ref: 00409C8C
GetForegroundWindow.USER32 ref: 00409C92
GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
Sleep.KERNEL32(000003E8), ref: 00409D9D

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A

Strings

{ User has been idle for , xrefs: 00409DCF
[, xrefs: 00409D37
minutes }, xrefs: 00409DC3
], xrefs: 00409D31

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753

Strings

AppData, xrefs: 0040C70A
WinDir, xrefs: 0040C654, 0040C676, 0040C6C8
\system32, xrefs: 0040C667
\SysWOW64, xrefs: 0040C6B9
ProgramData, xrefs: 0040C718
Temp, xrefs: 0040C61F
SystemDrive, xrefs: 0040C64A
ProgramFiles, xrefs: 0040C727
UserProfile, xrefs: 0040C711

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
__dosmaperr.LIBCMT ref: 00438646
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
__dosmaperr.LIBCMT ref: 00438683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
__dosmaperr.LIBCMT ref: 004386D7
_free.LIBCMT ref: 004386E3
_free.LIBCMT ref: 004386EA

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69

Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

4, xrefs: 00417770
6, xrefs: 004177CB
1, xrefs: 0041764D
7, xrefs: 004177E2
0, xrefs: 0041760B
2, xrefs: 004176AC
3, xrefs: 0041770C
5, xrefs: 004177C1

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6

Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DC74
_free.LIBCMT ref: 0044DC82
_free.LIBCMT ref: 0044DDB0
_free.LIBCMT ref: 0044DDBB

Strings

pF, xrefs: 0044DC30, 0044DDF5
tF, xrefs: 0044DE0C

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF$tF
API String ID: 269201875-2954683558
Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58

Function 0040971E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409738

Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
GetFileAttributesW.KERNEL32(00000000), ref: 00409785
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F

Strings

05Wu`Wu, xrefs: 0040979C, 0040991F
H"G, xrefs: 004097FA
H"G, xrefs: 004097EF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 05Wu`Wu$H"G$H"G
API String ID: 3795512280-2552467925
Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
TranslateMessage.USER32(?), ref: 0040555E
DispatchMessageA.USER32(?), ref: 00405569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

GetMessage, xrefs: 004055D8
CloseChat, xrefs: 004055E9
DisplayMessage, xrefs: 004055CC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
Opcode Fuzzy Hash: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A

Function 0041601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
CloseHandle.KERNEL32(00000000), ref: 00416123
DeleteFileA.KERNEL32(00000000), ref: 00416132
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

Temp, xrefs: 0041603E
<, xrefs: 004160C1
@%G, xrefs: 0041615F
@, xrefs: 004160C8
@%G, xrefs: 004160F3

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$@%G$@%G$Temp
API String ID: 1704390241-4139030828
Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99

Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5

Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445645

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00445651
_free.LIBCMT ref: 0044565C
_free.LIBCMT ref: 00445667
_free.LIBCMT ref: 00445672
_free.LIBCMT ref: 0044567D
_free.LIBCMT ref: 00445688
_free.LIBCMT ref: 00445693
_free.LIBCMT ref: 0044569E
_free.LIBCMT ref: 004456AC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88

Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417F6F
GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
Sleep.KERNEL32(000003E8), ref: 004180B3
GetLocalTime.KERNEL32(?), ref: 004180BB
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00418050, 00418071, 004180DF
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00418055

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799

Function 004530E4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107

Strings

log10, xrefs: 00453151, 004531A1
exp, xrefs: 004531CC, 0045322E
pow, xrefs: 004531EB, 00453297, 004532AA
sqrt, xrefs: 0045328B
acos, xrefs: 0045327F
log, xrefs: 004531AD, 004531B9
asin, xrefs: 00453273

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D

Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Sleep.KERNEL32(00000064), ref: 00415A46
DeleteFileW.KERNEL32(00000000), ref: 00415A7A

Strings

/t , xrefs: 004159F9
temp, xrefs: 004159CA
open, xrefs: 00415A14
\sysinfo.txt, xrefs: 004159C5
dxdiag, xrefs: 00415A0F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99

Function 004066A6 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
ExitProcess.KERNEL32 ref: 00406782

Strings

origmsc, xrefs: 00406710
mscfile\shell\open\command, xrefs: 004066D4
eventvwr.exe, xrefs: 0040674F
Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
open, xrefs: 0040676E
H"G, xrefs: 004066E8

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-1488154373
Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE

Function 00409340 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
GetLastError.KERNEL32 ref: 00409375

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
TranslateMessage.USER32(?), ref: 004093D2
DispatchMessageA.USER32(?), ref: 004093DD

Strings

`Wu, xrefs: 0040935B
Keylogger initialization failure: error , xrefs: 00409389

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`Wu
API String ID: 3219506041-303027793
Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

Function 0041AA4F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000001), ref: 0041AA5D
ShowWindow.USER32(00000000,00000000), ref: 0041AA76

Strings

3.8.0 Pro, xrefs: 0041AAC2
* Remcos v, xrefs: 0041AAB4
--------------------------, xrefs: 0041AAA6
* BreakingSecurity.net, xrefs: 0041AAD0
--------------------------, xrefs: 0041AADE
CONOUT$, xrefs: 0041AA89

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AllocConsoleShowWindow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
API String ID: 4118500197-4025029772
Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D

Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B

Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
TranslateMessage.USER32(?), ref: 0041B29E
DispatchMessageA.USER32(?), ref: 0041B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5

Strings

Remcos, xrefs: 0041B26D

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68

Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B

Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
__alloca_probe_16.LIBCMT ref: 004510CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
__alloca_probe_16.LIBCMT ref: 00451174
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
__freea.LIBCMT ref: 004511E3
__freea.LIBCMT ref: 004511EF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768

Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_memcmp.LIBVCRUNTIME ref: 00442935
_free.LIBCMT ref: 004429A6
_free.LIBCMT ref: 004429BF
_free.LIBCMT ref: 004429F1
_free.LIBCMT ref: 004429FA
_free.LIBCMT ref: 00442A06

Strings

C, xrefs: 004427F3

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44

Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 004134C9
udp, xrefs: 0041349C

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A

Function 00410763 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207

SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
SetLastError.KERNEL32(0000000E), ref: 0041082E

Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
HeapAlloc.KERNEL32(00000000), ref: 0041087C
SetLastError.KERNEL32(0000045A), ref: 0041098F

Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53

Strings

$.F, xrefs: 00410767

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID: $.F
API String ID: 3950776272-1421728423
Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9

Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040FF79
inet_ntoa.WS2_32(?), ref: 00410014

Strings

StopReverse, xrefs: 00410106
StartReverse, xrefs: 004100E4
StartForward, xrefs: 004100D8
GetDirectListeningPort, xrefs: 00410117
StopForward, xrefs: 004100F5

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
Opcode Fuzzy Hash: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF

Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36

Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3

Strings

.part, xrefs: 00406A1A

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A

Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
__alloca_probe_16.LIBCMT ref: 00447056
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
__alloca_probe_16.LIBCMT ref: 0044713B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
__freea.LIBCMT ref: 004471AB

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

__freea.LIBCMT ref: 004471B4
__freea.LIBCMT ref: 004471D9

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8

Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7

Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414F41
EmptyClipboard.USER32 ref: 00414F4F
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A

Function 004466BF Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00446741
_free.LIBCMT ref: 00446765
_free.LIBCMT ref: 004468EC
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
_free.LIBCMT ref: 00446AB8

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E

Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
__fassign.LIBCMT ref: 00447814
__fassign.LIBCMT ref: 0044782F
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69

Function 00453DF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00453F23

Strings

$-E, xrefs: 00453E47, 00453F38
$-E, xrefs: 00453EEA

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free
String ID: $-E$$-E
API String ID: 269201875-3140958853
Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A

Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D30

Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9

waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F

Strings

.wav, xrefs: 00401D49
%Y-%m-%d %H.%M, xrefs: 00401D21

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E

Function 0040AE2A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
PathFileExistsA.SHLWAPI(?), ref: 0040AEB9

Strings

[IE cookies cleared!], xrefs: 0040AF06, 0040AF2B
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040AE43
[IE cookies not found], xrefs: 0040AE81
Cookies, xrefs: 0040AE3E

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA

Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269

Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
InternetCloseHandle.WININET(00000000), ref: 00419407
InternetCloseHandle.WININET(00000000), ref: 0041940A

Strings

http://geoplugin.net/json.gp, xrefs: 004193A2

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9

Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A

_free.LIBCMT ref: 0044E128

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E133
_free.LIBCMT ref: 0044E13E
_free.LIBCMT ref: 0044E192
_free.LIBCMT ref: 0044E19D
_free.LIBCMT ref: 0044E1A8
_free.LIBCMT ref: 0044E1B3

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654

Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD

StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327

Strings

(64 bit), xrefs: 00419353
(32 bit), xrefs: 0041935A
CurrentBuildNumber, xrefs: 00419308
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004192C2, 004192CC, 0041930D
ProductName, xrefs: 004192BD

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C

Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
GetLastError.KERNEL32 ref: 0040AA28

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
UserProfile, xrefs: 0040A9EE
[Chrome Cookies found, cleared!], xrefs: 0040AA4E
[Chrome Cookies not found], xrefs: 0040AA42

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F

Function 00418D76 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
Sleep.KERNEL32(00002710), ref: 00418DBD
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6

Strings

`Wu, xrefs: 00418DA8
Alarm triggered, xrefs: 00418D7F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered$`Wu
API String ID: 614609389-1738255680
Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF

Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00438A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
__allrem.LIBCMT ref: 00438A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
__allrem.LIBCMT ref: 00438A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D

Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00442E37
__cftoe.LIBCMT ref: 00442E69

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C

Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444B89
__freea.LIBCMT ref: 00444C33
__freea.LIBCMT ref: 00444C51

Part of subcall function 00433BED: _free.LIBCMT ref: 00433C03

Strings

am/pm, xrefs: 00444CB4
a/p, xrefs: 00444D18

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59

Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
int.LIBCPMT ref: 0040F8D7

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040F917
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
__Init_thread_footer.LIBCMT ref: 0040F97F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9

Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9

Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
GetKeyboardLayout.USER32(00000000), ref: 004094AE
GetKeyState.USER32(00000010), ref: 004094B8
GetKeyboardState.USER32(?), ref: 004094C5
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4

Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
_free.LIBCMT ref: 0044575C
_free.LIBCMT ref: 00445784
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
_abort.LIBCMT ref: 004457A3

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D

Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9

Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9

Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9

Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9

Function 0040A0B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
wsprintfW.USER32 ref: 0040A13F

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A

Strings

Offline Keylogger Started, xrefs: 0040A0B7
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A0C7
], xrefs: 0040A0CC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9

Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

Strings

h G, xrefs: 00409698

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
GetLastError.KERNEL32 ref: 0041B335

Strings

0, xrefs: 0041B2E0
MsgWindowClass, xrefs: 0041B2DB

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4

Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043761A

Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C

_UnwindNestedFrames.LIBCMT ref: 00437631
___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
CallCatchBlock.LIBVCRUNTIME ref: 00437667

Strings

/zC, xrefs: 00437626, 00437617

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /zC
API String ID: 2633735394-4132788633
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98

Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004173AA
GetSystemMetrics.USER32(0000004D), ref: 004173B0
GetSystemMetrics.USER32(0000004E), ref: 004173B6
GetSystemMetrics.USER32(0000004F), ref: 004173BC

Strings

]tA, xrefs: 004173EB

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: ]tA
API String ID: 4116985748-3517819141
Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94

Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040E542
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5

Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890

Strings

CorExitProcess, xrefs: 00440865
mscoree.dll, xrefs: 00440853

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98

Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection KeepAlive | Disabled, xrefs: 004050D9

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive | Disabled
API String ID: 2993684571-3818284553
Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A

Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE

Strings

SETTINGS, xrefs: 00419497

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19

Function 004013F2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
GetProcAddress.KERNEL32(00000000), ref: 00401403

Strings

User32.dll, xrefs: 004013F7
`Wu, xrefs: 004013FC
GetCursorInfo, xrefs: 004013F2

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`Wu
API String ID: 1646373207-4024354691
Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E

Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9

Function 00404351 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 004044A4

Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC

Strings

CloseCamera, xrefs: 0040456E
OpenCamera, xrefs: 00404562
GetFrame, xrefs: 0040457F
FreeFrame, xrefs: 00404590

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
Opcode Fuzzy Hash: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E

Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

_free.LIBCMT ref: 00442318
_free.LIBCMT ref: 0044232F
_free.LIBCMT ref: 0044234E
_free.LIBCMT ref: 00442369
_free.LIBCMT ref: 00442380

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48

Function 00446894 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
_free.LIBCMT ref: 004468EC

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00446AB8

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E

Function 0040E2E7 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
CloseHandle.KERNEL32(00000000), ref: 0040E4EF

Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 1735047541-0
Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A

Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044136B
_free.LIBCMT ref: 0044138B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84

Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
__alloca_probe_16.LIBCMT ref: 0044E391
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
__freea.LIBCMT ref: 0044E3FD

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98

Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
waveInStart.WINMM ref: 00401CDE

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E

Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
_free.LIBCMT ref: 0044C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8

Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
int.LIBCPMT ref: 0040FBE8

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040FC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8

Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
_free.LIBCMT ref: 004457E3
_free.LIBCMT ref: 0044580A
SetLastError.KERNEL32(00000000), ref: 00445817
SetLastError.KERNEL32(00000000), ref: 00445820

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DBB4

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044DBC6
_free.LIBCMT ref: 0044DBD8
_free.LIBCMT ref: 0044DBEA
_free.LIBCMT ref: 0044DBFC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C

Function 00441548 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441566

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00441578
_free.LIBCMT ref: 0044158B
_free.LIBCMT ref: 0044159C
_free.LIBCMT ref: 004415AD

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E

Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C

Strings

[regsplt], xrefs: 00412608

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8

Function 0044B8C9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044B918
_free.LIBCMT ref: 0044BA35

Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE

Strings

*?, xrefs: 0044B90C
., xrefs: 0044BBEC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94

Function 00442B2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00442C15
__freea.LIBCMT ref: 00442C9B

Strings

H"GH"G, xrefs: 00442B5D
H"G, xrefs: 00442B40, 00442B60, 00442B89, 00442C65, 00442C83

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: H"G$H"GH"G
API String ID: 1635606685-3036711414
Opcode ID: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
Opcode Fuzzy Hash: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E

Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040189E
ExitThread.KERNEL32 ref: 004018D6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

Strings

8:G, xrefs: 00401868

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: 8:G
API String ID: 1649129571-405301104
Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E

Function 00440935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe,00000104), ref: 00440975
_free.LIBCMT ref: 00440A40
_free.LIBCMT ref: 00440A4A

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 0044096C, 00440973, 004409A2, 004409DA

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
API String ID: 2506810119-2118511638
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59

Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

_wcslen.LIBCMT ref: 00419744

Strings

program files\, xrefs: 0041972A, 00419731, 00419743
program files (x86)\, xrefs: 0041973E
.exe, xrefs: 00419696

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$program files (x86)\$program files\
API String ID: 37874593-1203593143
Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9

Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Strings

Offline Keylogger Started, xrefs: 00409228, 0040922F, 0040925C

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF

Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF

Strings

Online Keylogger Started, xrefs: 00409E4C, 00409E55, 00409E7F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE

Function 00404F31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404F61
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 2532271599-507513762
Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA

Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
GetProcAddress.KERNEL32(00000000), ref: 00406097

Strings

crypt32, xrefs: 0040608B
CryptUnprotectData, xrefs: 00406086

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794

Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
CloseHandle.KERNEL32(?), ref: 004051AA
SetEvent.KERNEL32(?), ref: 004051B9

Strings

Connection Timeout, xrefs: 00405178

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49

Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E

Strings

ios_base::failbit set, xrefs: 0040D240
ios_base::badbit set, xrefs: 0040D21A
ios_base::eofbit set, xrefs: 0040D24D

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F

Function 004120E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
RegCloseKey.ADVAPI32(00000000), ref: 00412128

Strings

origmsc, xrefs: 004120F4

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: origmsc
API String ID: 3677997916-68016026
Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4

Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B

Strings

/C , xrefs: 00414859
cmd.exe, xrefs: 00414870
open, xrefs: 00414875

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A

Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
RegCloseKey.ADVAPI32(00000000), ref: 00412054

Strings

http\shell\open\command, xrefs: 00412026

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5

Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 0041220D

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Classes\mscfile\shell\open\command
API String ID: 1818849710-505396733
Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18

Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E

Strings

bad locale name, xrefs: 0040CA28

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699

Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

Strings

P0F, xrefs: 0041226C, 0041228E, 0041226F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: P0F
API String ID: 1818849710-3540264436
Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8

Function 00401497 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
GetProcAddress.KERNEL32(00000000), ref: 004014A8

Strings

User32.dll, xrefs: 0040149C
GetLastInputInfo, xrefs: 00401497

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E

Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448C9E
__alldvrm.LIBCMT ref: 00448E9F
__alldvrm.LIBCMT ref: 00448EC1

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759

Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788

Function 00404CA3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666

Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040AF62
Sleep.KERNEL32(00001388), ref: 0040AFEA

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B025
Cleared browsers logins and cookies., xrefs: 0040B036

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F

Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

Sleep.KERNEL32(00000BB8), ref: 004111DF

Strings

H"G, xrefs: 00411163
!G, xrefs: 00411155
exepath, xrefs: 00411168, 004111A8, 00411229

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: H"G$exepath$!G
API String ID: 4119054056-2148977334
Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD

Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E

Sleep.KERNEL32(000001F4), ref: 0040955A
Sleep.KERNEL32(00000064), ref: 004095F5

Strings

], xrefs: 00409562
[ , xrefs: 00409576

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F

Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568

Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168

Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536

Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB

Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F

Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004401ED

Strings

pow, xrefs: 004401C5, 004401E2

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F

Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Sleep.KERNEL32(000000FA,00462E24), ref: 00404118

Strings

/sort "Visit Time" /stext ", xrefs: 00404092

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99

Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

__Init_thread_footer.LIBCMT ref: 0040A6E3

Strings

[End of clipboard], xrefs: 0040A725
[Text copied to clipboard], xrefs: 0040A732

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D

Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2

Strings

ACP, xrefs: 0044ED35
OCP, xrefs: 0044ED6B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C

Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
IsWindowVisible.USER32(?), ref: 00415B37

Strings

(%G, xrefs: 00415BDC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: (%G
API String ID: 1670992164-3377777310
Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A

Function 00404FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 481472006-507513762
Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F

Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
___raise_securityfailure.LIBCMT ref: 00432E76

Strings

(F, xrefs: 00432E71

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (F
API String ID: 3761405300-3109638091
Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F

Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

%02i:%02i:%02i:%03i , xrefs: 00419509
| , xrefs: 00419527

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A

Function 00418CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2

Strings

alarm.wav, xrefs: 00418CDD
x(G, xrefs: 00418CFC

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$x(G
API String ID: 1174141254-2413638199
Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF

Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CloseHandle.KERNEL32(?), ref: 00409FFD
UnhookWindowsHookEx.USER32 ref: 0040A010

Strings

Online Keylogger Stopped, xrefs: 00409FAA, 00409FB2, 00409FD9

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF

Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040B484
UserProfile, xrefs: 0040B46E

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9

Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040B421
UserProfile, xrefs: 0040B40B

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD

Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD

Strings

AppData, xrefs: 0040B4D1
\Opera Software\Opera Stable\, xrefs: 0040B4E7

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD

Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040A597

Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A

Strings

[AltL], xrefs: 0040A5D9
[AltR], xrefs: 0040A5CD

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF

Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040A5F1

Strings

[CtrlR], xrefs: 0040A60E
[CtrlL], xrefs: 0040A61F

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF

Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
RegDeleteValueW.ADVAPI32(?,?), ref: 00412436

Strings

6h@, xrefs: 00412414

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: 6h@
API String ID: 2654517830-73392143
Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664

Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
GetLastError.KERNEL32 ref: 0043B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799

Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
SetLastError.KERNEL32(0000007F), ref: 004106DF
SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6

Memory Dump Source

Source File: 00000006.00000002.1561526325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report payment receipt copy.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\json[1].json

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShouldExitCurrentIteration.vbs

C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe

C:\Users\user\AppData\Roaming\ShouldExitCurrentIteration.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
payment receipt copy.bat.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre