Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1581124
MD5:	4961c8e09bf6e5c6b6fdbc3756af7402
SHA1:	6388d514ca9737735130dc90742ef62e035239be
SHA256:	8c0161b40998ecd74d4de76d6fbc51b596cc664748087fef127e45ce1d60173d
Tags:	exeLummaStealeruser-ventoy
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

setup.exe (PID: 2408 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 4961C8E09BF6E5C6B6FDBC3756AF7402)

conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

setup.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 4961C8E09BF6E5C6B6FDBC3756AF7402)

setup.exe (PID: 5488 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 4961C8E09BF6E5C6B6FDBC3756AF7402)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["scentniej.buzz", "prisonyfork.buzz", "inherineau.buzz", "rebuildeso.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "bellflamre.click", "appliacnesot.buzz"], "Build id": "LPnhqo--gwxjvijiwcrp"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:01:56.581121+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.197.192	443	TCP
2024-12-27T03:01:58.463918+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	172.67.197.192	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:01:57.784747+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	172.67.197.192	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:01:57.784747+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	172.67.197.192	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:01:54.623158+0100	2058212	1	Domain Observed Used for C2 Detected	192.168.2.5	49156	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://prisonyfork.buzz/api

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["scentniej.buzz", "prisonyfork.buzz", "inherineau.buzz", "rebuildeso.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "bellflamre.click", "appliacnesot.buzz"], "Build id": "LPnhqo--gwxjvijiwcrp"}

Multi AV Scanner detection for submitted file

Source: setup.exe

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bellflamre.click
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--gwxjvijiwcrp

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007B2560 GetCurrentThreadId,CryptEncrypt,CryptDestroyKey,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,		0_2_007B2560
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007B2560 GetCurrentThreadId,CryptEncrypt,CryptDestroyKey,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,		3_2_007B2560

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.197.192:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007D2028 FindFirstFileExW,	0_2_007D2028
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007D20D9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_007D20D9
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007D2028 FindFirstFileExW,	3_2_007D2028
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007D20D9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_007D20D9

Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	4_2_0043D929
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	4_2_0043D357
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [eax], cl	4_2_0041C051
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then lea ebx, dword ptr [eax+eax]	4_2_0041C051
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042D05A
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	4_2_0041F0E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	4_2_0043F080
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_00435880
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042D0AE
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi]	4_2_0043B910
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov ecx, eax	4_2_0040B11D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_004221E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_004221E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov ecx, eax	4_2_004269E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then jmp eax	4_2_0043E1F4
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+0Ah]	4_2_0041C980
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-67h]	4_2_00425986
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_0041B18C
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 4B1BF3DAh	4_2_0041499B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi]	4_2_0041499B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0827F28Dh	4_2_0041499B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [ecx+esi*8], 37A3DD63h	4_2_0041499B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00429241
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], DA026237h	4_2_00423257
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_0042AAE0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh	4_2_00438AE0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+6ED1A348h]	4_2_004382F0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp byte ptr [eax+edi+09h], 00000000h	4_2_004382F0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edx], bl	4_2_004092A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov ecx, eax	4_2_004092A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov edx, ecx	4_2_0042B3C0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3A8FE122h]	4_2_00419BE0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	4_2_00419BE0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11A82DE9h	4_2_00419BE0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then jmp eax	4_2_00428BFE
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	4_2_00439459
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov eax, edx	4_2_0040C404
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000001F0h]	4_2_00415C3B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 344CE4E0h	4_2_00415C3B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00429241
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx edi, byte ptr [ebp+esi-2Ch]	4_2_0043DCE7
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then jmp eax	4_2_00424C80
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0042A4B0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00422540
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0042CD4D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [edi], ax	4_2_0040C551
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_00407500
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov edx, ecx	4_2_00438D10
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 6E87DD67h	4_2_00438D10
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], 31E2A9F4h	4_2_00438D10
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then test eax, eax	4_2_00438D10
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp edx, esi	4_2_00438D10
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov ecx, eax	4_2_0041B5DD
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [esi], ax	4_2_0041D5EC
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx ebx, bx	4_2_0042459E
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp cl, 0000002Eh	4_2_00426E50
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_00426E50
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042C62D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov word ptr [esi], ax	4_2_0041D603
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042C62F
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042DE30
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Eh]	4_2_004096A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov edi, ecx	4_2_0041BF5D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001F0h]	4_2_00415729
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000001F0h]	4_2_00415729
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 344CE4E0h	4_2_00415729

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058212 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) : 192.168.2.5:49156 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.197.192:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.197.192:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: bellflamre.click
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.197.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.197.192:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: prisonyfork.buzz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: bellflamre.click
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz

Source: unknown

Source: setup.exe, 00000004.00000003.2055556297.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057106382.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057700935.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/
Source: setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057700935.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/%XVa
Source: setup.exe, 00000004.00000003.2056191431.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/api
Source: setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/api2
Source: setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/apir

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 172.67.197.192:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\setup.exe

Code function: 4_2_00432C00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00432C00

Source: C:\Users\user\Desktop\setup.exe

Code function: 4_2_00432C00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00432C00

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007B1000	0_2_007B1000
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007C40A2	0_2_007C40A2
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007BF645	0_2_007BF645
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007D7882	0_2_007D7882
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007D5D4E	0_2_007D5D4E
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007C9DB0	0_2_007C9DB0
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007B1000	3_2_007B1000
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007C40A2	3_2_007C40A2
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007BF645	3_2_007BF645
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007D7882	3_2_007D7882
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007D5D4E	3_2_007D5D4E
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007C9DB0	3_2_007C9DB0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00408680	4_2_00408680
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041C051	4_2_0041C051
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042F856	4_2_0042F856
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00438000	4_2_00438000
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004038C0	4_2_004038C0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004058D0	4_2_004058D0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004260E0	4_2_004260E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00428882	4_2_00428882
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041E080	4_2_0041E080
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004120A0	4_2_004120A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004210B0	4_2_004210B0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042C8BC	4_2_0042C8BC
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042BF5D	4_2_0042BF5D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00418968	4_2_00418968
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043E970	4_2_0043E970
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043B910	4_2_0043B910
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0040B11D	4_2_0040B11D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004471CB	4_2_004471CB
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004269E0	4_2_004269E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0040E1FA	4_2_0040E1FA
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041C980	4_2_0041C980
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041499B	4_2_0041499B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004089A0	4_2_004089A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041D9A0	4_2_0041D9A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043F1A0	4_2_0043F1A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004219B0	4_2_004219B0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00429241	4_2_00429241
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00432A40	4_2_00432A40
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0040AA50	4_2_0040AA50
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00423257	4_2_00423257
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00404270	4_2_00404270
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00424200	4_2_00424200
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043EA20	4_2_0043EA20
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00415230	4_2_00415230
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004382F0	4_2_004382F0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00406290	4_2_00406290
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004092A0	4_2_004092A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042D2B3	4_2_0042D2B3
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043EAB0	4_2_0043EAB0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042DB4C	4_2_0042DB4C
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00402B20	4_2_00402B20
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043FB30	4_2_0043FB30
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00419BE0	4_2_00419BE0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00429BE1	4_2_00429BE1
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0040FB82	4_2_0040FB82
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00404BA0	4_2_00404BA0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041E3A0	4_2_0041E3A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00439459	4_2_00439459
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00424460	4_2_00424460
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042846C	4_2_0042846C
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043BC30	4_2_0043BC30
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00415C3B	4_2_00415C3B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00422C3F	4_2_00422C3F
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043F4C0	4_2_0043F4C0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00429241	4_2_00429241
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043B4D0	4_2_0043B4D0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00427CD5	4_2_00427CD5
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043DCE7	4_2_0043DCE7
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00411480	4_2_00411480
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041DC80	4_2_0041DC80
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00427C8F	4_2_00427C8F
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00422540	4_2_00422540
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042A550	4_2_0042A550
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00411D74	4_2_00411D74
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00423D78	4_2_00423D78
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00407500	4_2_00407500
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00438D10	4_2_00438D10
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041ADD0	4_2_0041ADD0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0041E5E0	4_2_0041E5E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00418D9F	4_2_00418D9F
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00436DBA	4_2_00436DBA
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042EE4B	4_2_0042EE4B
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00426E50	4_2_00426E50
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0040EE60	4_2_0040EE60
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043EE60	4_2_0043EE60
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00424600	4_2_00424600
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00428E34	4_2_00428E34
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00402EC0	4_2_00402EC0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004376E0	4_2_004376E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00405EF0	4_2_00405EF0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004096A0	4_2_004096A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00416745	4_2_00416745
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042CF46	4_2_0042CF46
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0042BF5D	4_2_0042BF5D
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043E700	4_2_0043E700
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00406720	4_2_00406720
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00408F20	4_2_00408F20
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00415729	4_2_00415729
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043F7C0	4_2_0043F7C0

Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 007C81E8 appears 42 times
Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 007C0820 appears 40 times
Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 007BFBD4 appears 34 times
Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 007CD0C6 appears 40 times
Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 00414510 appears 76 times
Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 007BFB50 appears 100 times
Source: C:\Users\user\Desktop\setup.exe	Code function: String function: 00408060 appears 46 times

Source: setup.exe, 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs setup.exe
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs setup.exe
Source: setup.exe, 00000003.00000000.2009487737.000000000083E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs setup.exe
Source: setup.exe, 00000004.00000000.2012851173.000000000083E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs setup.exe
Source: setup.exe, 00000004.00000003.2014347560.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs setup.exe
Source: setup.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs setup.exe

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: setup.exe

Static PE information: Section: .bss ZLIB complexity 1.0003282289933444

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/1@2/1

Source: C:\Users\user\Desktop\setup.exe

Code function: 4_2_00432000 CoCreateInstance,

4_2_00432000

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03

Source: setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe

Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior

Source: setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007BFC73 push ecx; ret	0_2_007BFC86
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007BFC73 push ecx; ret	3_2_007BFC86
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043B870 push eax; mov dword ptr [esp], 68696A6Bh	4_2_0043B87E
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00444918 push cs; iretd	4_2_0044491F
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_004471CB push ds; retf	4_2_004476AE
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00447AB0 push E0669587h; iretd	4_2_00447AB5
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00444CF4 push esp; ret	4_2_00444CF9
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_00444ED1 push edi; ret	4_2_00444ED3
Source: C:\Users\user\Desktop\setup.exe	Code function: 4_2_0043E6B0 push eax; mov dword ptr [esp], AFAEAD9Ch	4_2_0043E6B1

Source: C:\Users\user\Desktop\setup.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-20276

Source: C:\Users\user\Desktop\setup.exe TID: 1020	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\setup.exe TID: 4196	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007D2028 FindFirstFileExW,	0_2_007D2028
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007D20D9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_007D20D9
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007D2028 FindFirstFileExW,	3_2_007D2028
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007D20D9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_007D20D9

Source: setup.exe, 00000004.00000002.2057106382.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2056191431.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC6
Source: setup.exe, 00000004.00000002.2057106382.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057106382.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2056191431.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\setup.exe

Code function: 4_2_0043CFA0 LdrInitializeThunk,

4_2_0043CFA0

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_007BF9D9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007BF9D9

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007B2060 mov edi, dword ptr fs:[00000030h]	0_2_007B2060
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007EA19E mov edi, dword ptr fs:[00000030h]	0_2_007EA19E
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007B2060 mov edi, dword ptr fs:[00000030h]	3_2_007B2060

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_007CD9D0 GetProcessHeap,

0_2_007CD9D0

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007BF61D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007BF61D
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007BF9D9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007BF9D9
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007BF9CD SetUnhandledExceptionFilter,	0_2_007BF9CD
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_007C7F20 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007C7F20
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007BF61D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_007BF61D
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007BF9D9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_007BF9D9
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007BF9CD SetUnhandledExceptionFilter,	3_2_007BF9CD
Source: C:\Users\user\Desktop\setup.exe	Code function: 3_2_007C7F20 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_007C7F20

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_007EA19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_007EA19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory written: C:\Users\user\Desktop\setup.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: setup.exe, 00000000.00000002.2014609899.00000000006D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bellflamre.click

Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"			Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"			Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	0_2_007CD2AD
Source: C:\Users\user\Desktop\setup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_007D1377
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	0_2_007D15C8
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_007D1670
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	0_2_007D18C3
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	0_2_007D1930
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	0_2_007D1A50
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	0_2_007D1A05
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_007D1AF7
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	0_2_007D1BFD
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	0_2_007CCD05
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	3_2_007CD2AD
Source: C:\Users\user\Desktop\setup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_007D1377
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	3_2_007D15C8
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	3_2_007D18C3
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	3_2_007D1930
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	3_2_007D1A50
Source: C:\Users\user\Desktop\setup.exe	Code function: EnumSystemLocalesW,	3_2_007D1A05
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_007D1AF7
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	3_2_007D1BFD
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,	3_2_007CCD05

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_007C01A4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_007C01A4

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setup.exe	40%	Virustotal		Browse
setup.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://prisonyfork.buzz/%XVa	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/api2	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/apir	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
prisonyfork.buzz	172.67.197.192	true	true		unknown
bellflamre.click	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
prisonyfork.buzz	false		high
rebuildeso.buzz	false		high
hummskitnj.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
https://prisonyfork.buzz/api	true	Avira URL Cloud: malware	unknown
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
bellflamre.click	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://prisonyfork.buzz/	setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057106382.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057700935.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	setup.exe, 00000004.00000003.2055556297.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/%XVa	setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000002.2057700935.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://prisonyfork.buzz/api2	setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://prisonyfork.buzz/apir	setup.exe, 00000004.00000003.2056191431.0000000002E47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.197.192	prisonyfork.buzz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581124
Start date and time:	2024-12-27 03:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/1@2/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 37 Number of non-executed functions: 170
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target setup.exe, PID 6728 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:01:54	API Interceptor	3x Sleep call for process: setup.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.197.192	https://new.express.adobe.com/webpage/sAiKE1YBfM7xe	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
prisonyfork.buzz	b0ho5YYSdo.exe	Get hash	malicious	LummaC	Browse	104.21.74.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.218.163
	http://kxyaiaqyijjz.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://pdf-ezy.com/pdf-ez.exe	Get hash	malicious	Unknown	Browse	172.67.152.3
	b8ygJBG5cb.msi	Get hash	malicious	Unknown	Browse	172.67.194.29
	tBnELFfQoe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.49.159
	phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.214.186
	https://contractnerds.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	Z4D3XAZ2jB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.93.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	172.67.197.192
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.197.192
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	cqHMm0ykDG.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	RUUSfr6dVm.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	9idglWFv95.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	tJd3ArrDAm.exe	Get hash	malicious	LummaC	Browse	172.67.197.192

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	low
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.558131729722523
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	559'616 bytes
MD5:	4961c8e09bf6e5c6b6fdbc3756af7402
SHA1:	6388d514ca9737735130dc90742ef62e035239be
SHA256:	8c0161b40998ecd74d4de76d6fbc51b596cc664748087fef127e45ce1d60173d
SHA512:	c68258222592066225627e10802842a0c054d6b8ff237cfc30497f27c740f7705f2f9c972a12ef549f9897c8ec5d49addd0b154c6a737e83c53b8f37378c3fed
SSDEEP:	12288:miiy2LA/I0xusciua5z2NEpYBRupKm7BfHgq155ppbdGax1Ou75vunMGZa6+QDKT:miiy2LA/I0xusciua5CNEpYBRupKm7Bv
TLSH:	73C4E0423691C4B3C95315769978D779493EBC200F716AC7A3A80BBECEB06C19F31A5E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....[mg..........................................@.................................Y.....@..................................j..<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x410590
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676D5BDA [Thu Dec 26 13:36:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	35f2e35a9ab5b63b150853141ee62e01

Entrypoint Preview

Instruction
call 00007F3D608E536Ah
jmp 00007F3D608E51CDh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F3D608E5366h
test esi, ecx
jne 00007F3D608E5388h
call 00007F3D608E5391h
mov ecx, eax
cmp ecx, edi
jne 00007F3D608E5369h
mov ecx, BB40E64Fh
jmp 00007F3D608E5370h
test esi, ecx
jne 00007F3D608E536Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D0Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CC4h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CC0h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D5Ch]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D34h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F3D608EC143h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a8c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32618	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2eaa8	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c4c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b5ba	0x2b600	8e72f979a692e30591852f96987fd08f	False	0.5447136167146974	data	6.592696701047982	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc564	0xc600	d34fae497fb62cbb1bc8f3b2d6d79c25	False	0.4033696338383838	data	4.744194731846056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	f57039ea5e709bc930aadb529c6e1a9d	False	0.29794921875	data	5.024446305521937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2758	0x2800	26cb1ac5cc2461d1d4d4b059e129fd1f	False	0.751953125	data	6.531626083298937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x4b200	0x4b200	e6d0d5515789cfdc57607719a54ceac5	False	1.0003282289933444	data	7.999422397458325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8e000	0x3fc	0x400	4243bfa36d7c6187562be2edfa0b46c2	False	0.443359375	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ADVAPI32.dll

CryptDestroyKey, CryptEncrypt

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T03:01:54.623158+0100	2058212	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click)	1	192.168.2.5	49156	1.1.1.1	53	UDP
2024-12-27T03:01:56.581121+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	172.67.197.192	443	TCP
2024-12-27T03:01:57.784747+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	172.67.197.192	443	TCP
2024-12-27T03:01:57.784747+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	172.67.197.192	443	TCP
2024-12-27T03:01:58.463918+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	172.67.197.192	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 03:01:55.332803965 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:55.332897902 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:55.333004951 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:55.336116076 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:55.336149931 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:56.580977917 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:56.581120968 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:56.585341930 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:56.585371971 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:56.585685015 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:56.631052017 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:56.641194105 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:56.641231060 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:56.641302109 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:57.784760952 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:57.784854889 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:57.784981966 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:57.786902905 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:57.786947012 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:57.786976099 CET	49704	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:57.786990881 CET	443	49704	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:57.801563025 CET	49705	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:57.801615000 CET	443	49705	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:57.801703930 CET	49705	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:57.801985979 CET	49705	443	192.168.2.5	172.67.197.192
Dec 27, 2024 03:01:57.802009106 CET	443	49705	172.67.197.192	192.168.2.5
Dec 27, 2024 03:01:58.463917971 CET	49705	443	192.168.2.5	172.67.197.192

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 03:01:54.623157978 CET	49156	53	192.168.2.5	1.1.1.1
Dec 27, 2024 03:01:54.845175028 CET	53	49156	1.1.1.1	192.168.2.5
Dec 27, 2024 03:01:54.937525034 CET	50315	53	192.168.2.5	1.1.1.1
Dec 27, 2024 03:01:55.317775965 CET	53	50315	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 03:01:54.623157978 CET	192.168.2.5	1.1.1.1	0xadcf	Standard query (0)	bellflamre.click	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:01:54.937525034 CET	192.168.2.5	1.1.1.1	0xbcd3	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 03:01:54.845175028 CET	1.1.1.1	192.168.2.5	0xadcf	Name error (3)	bellflamre.click	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:01:55.317775965 CET	1.1.1.1	192.168.2.5	0xbcd3	No error (0)	prisonyfork.buzz		172.67.197.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:01:55.317775965 CET	1.1.1.1	192.168.2.5	0xbcd3	No error (0)	prisonyfork.buzz		104.21.74.40	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

prisonyfork.buzz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.197.192	443	5488	C:\Users\user\Desktop\setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:01:56 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: prisonyfork.buzz
2024-12-27 02:01:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 02:01:57 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:01:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tchu13gd7h5cttk248506hpi1r; expires=Mon, 21 Apr 2025 19:48:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hTVhDeyG5Y%2FDsn8%2B1LXTt5sQfnPOkp54BnUd8yBBohIPRcmQaooAgKxVwzAaVDX5RMSVJ8CohZym0KN9O%2BcKMTf8C5VCGP0FnuhK3sW187G5WqGd61EPTa%2B%2Byi6XtZPTn6Mr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85b9c27dc17d0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2074&min_rtt=2043&rtt_var=788&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1429270&cwnd=227&unsent_bytes=0&cid=b39965ffde84c0e1&ts=764&x=0"
2024-12-27 02:01:57 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 02:01:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:01:52
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x7b0000
File size:	559'616 bytes
MD5 hash:	4961C8E09BF6E5C6B6FDBC3756AF7402
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:01:52
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:01:53
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x7b0000
File size:	559'616 bytes
MD5 hash:	4961C8E09BF6E5C6B6FDBC3756AF7402
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:01:53
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x7b0000
File size:	559'616 bytes
MD5 hash:	4961C8E09BF6E5C6B6FDBC3756AF7402
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	5.4%
Total number of Nodes:	811
Total number of Limit Nodes:	13

Executed Functions

Function 007EA19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,007EA110,007EA100), ref: 007EA334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007EA347
Wow64GetThreadContext.KERNEL32(000000E8,00000000), ref: 007EA365
ReadProcessMemory.KERNELBASE(000000D8,?,007EA154,00000004,00000000), ref: 007EA389
VirtualAllocEx.KERNELBASE(000000D8,?,?,00003000,00000040), ref: 007EA3B4
TerminateProcess.KERNELBASE(000000D8,00000000), ref: 007EA3D3
WriteProcessMemory.KERNELBASE(000000D8,00000000,?,?,00000000,?), ref: 007EA40C
WriteProcessMemory.KERNELBASE(000000D8,00400000,?,?,00000000,?,00000028), ref: 007EA457
WriteProcessMemory.KERNELBASE(000000D8,?,?,00000004,00000000), ref: 007EA495
Wow64SetThreadContext.KERNEL32(000000E8,00760000), ref: 007EA4D1
ResumeThread.KERNELBASE(000000E8), ref: 007EA4E0

Strings

SetThreadContext, xrefs: 007EA2C2
aryA, xrefs: 007EA1E2
TerminateProcess, xrefs: 007EA3C3
GetThreadContext, xrefs: 007EA276
VirtualAlloc, xrefs: 007EA263
ress, xrefs: 007EA226
VirtualAllocEx, xrefs: 007EA29C
ReadProcessMemory, xrefs: 007EA289
ResumeThread, xrefs: 007EA2D8
GetP, xrefs: 007EA21E
CreateProcessW, xrefs: 007EA250
WriteProcessMemory, xrefs: 007EA2AF
Load, xrefs: 007EA1DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 007EA333

Memory Dump Source

Source File: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 2142d251515d50eb13be205f78db54674f724a926961d4836fe69f93aa76549c
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: E7B1F87260128AAFDB60CF69CC80BDA73A5FF8C714F158124EA08AB341D774FA51CB94

Function 007B2560 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
encryptionthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 007B25D0

Part of subcall function 007BF20D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,007B25EA,?,?,00000000), ref: 007BF219
Part of subcall function 007BF20D: GetExitCodeThread.KERNEL32(?,00000000,?,?,007B25EA,?,?,00000000), ref: 007BF232
Part of subcall function 007BF20D: CloseHandle.KERNEL32(?,?,?,007B25EA,?,?,00000000), ref: 007BF244

CryptEncrypt.ADVAPI32 ref: 007B2617
CryptDestroyKey.ADVAPI32(00000000), ref: 007B261F
std::_Throw_Cpp_error.LIBCPMT ref: 007B264B
std::_Throw_Cpp_error.LIBCPMT ref: 007B265C
std::_Throw_Cpp_error.LIBCPMT ref: 007B266D
std::_Throw_Cpp_error.LIBCPMT ref: 007B267E

Strings

`Gu, xrefs: 007B2617

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CryptThread$CloseCodeCurrentDestroyEncryptExitHandleObjectSingleWait
String ID: `Gu
API String ID: 1492798345-3040337507
Opcode ID: 3c7cfa7ee5eff0433f21a31380ada2d8e0b2bcc42e811740d70b4b6da48784c6
Instruction ID: bd6f5333676778764bfa25686b7a3a21bc8d9659310be327bcf376215347d501
Opcode Fuzzy Hash: 3c7cfa7ee5eff0433f21a31380ada2d8e0b2bcc42e811740d70b4b6da48784c6
Instruction Fuzzy Hash: DE3184F1D41349ABEB10EF94CC0ABEEBBB4BB04714F040129E91576681E3B95A44CBE7

Function 007B2060 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007B1240: _strlen.LIBCMT ref: 007B12BA

CreateFileA.KERNELBASE ref: 007B20E6
GetFileSize.KERNEL32(00000000,00000000), ref: 007B20F6
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 007B211B
CloseHandle.KERNELBASE(00000000), ref: 007B212A
_strlen.LIBCMT ref: 007B217D
CloseHandle.KERNEL32(00000000), ref: 007B22AD

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: e6d83d38f4ab90753b38290d0fcee017d46b24e25436cf12765e785e7d589fb6
Instruction ID: b5ae4ab70f0045922739233eb9036be4eb01a9eb704f227617fe38fa9b5658e7
Opcode Fuzzy Hash: e6d83d38f4ab90753b38290d0fcee017d46b24e25436cf12765e785e7d589fb6
Instruction Fuzzy Hash: 2071C6B2D01208DBCB10DFA4DC457EEBBB4FF48310F150628E814A7392E7399946CBA5

Function 007B1000 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d521f8e1291d56e71430cf8754c5b7b803721b4f61eb95a967fb7175b864246e
Instruction ID: 7475b618ef3f7539a757128737c91724a72c169a054ae55c7db1993a6b4217de
Opcode Fuzzy Hash: d521f8e1291d56e71430cf8754c5b7b803721b4f61eb95a967fb7175b864246e
Instruction Fuzzy Hash: BA215C336101650B875CAF386CB2277FB4ADB865A0785573AED129F2C1F524DD1082E4

Function 007CCFFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BF3CFDEB,?,007CD10A,?,?,00000000), ref: 007CD0BC

Strings

api-ms-, xrefs: 007CD052
ext-ms-, xrefs: 007CD066

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 0aab26ab86a24161e18fd657e55bea8e879ed064bce41010b78c3c97ba2d534b
Instruction ID: b0f4828ad1927e6a817aa76a64019befa5c093c34d5948b51be80811290696b0
Opcode Fuzzy Hash: 0aab26ab86a24161e18fd657e55bea8e879ed064bce41010b78c3c97ba2d534b
Instruction Fuzzy Hash: B521EB31B02251EBC7319B69EC85F5A3768DB957A0F25413CE905AB290E73CED41C6E0

Function 007B1800 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 007B1833

Strings

ios_base::eofbit set, xrefs: 007B1C9A
ios_base::badbit set, xrefs: 007B1CAA, 007B1CD0
ios_base::failbit set, xrefs: 007B1C9F

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: dab466342d5ee02fde74796936b1075413e321f93e0377e33907c8a4da7477bc
Instruction ID: 0d6901081f940b0654c0500fc5a33fbb859c04115e0dbe78783dc935bab6f3ba
Opcode Fuzzy Hash: dab466342d5ee02fde74796936b1075413e321f93e0377e33907c8a4da7477bc
Instruction Fuzzy Hash: BAF14E75A01654CFCB14CF68C494BADBBF2FF48324F598269E815AB391D738AD41CB90

Function 007C5439 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015560,00000000,00000000,00000000), ref: 007C5482
GetLastError.KERNEL32(?,?,?,007B25BB,00000000,00000000), ref: 007C548E
__dosmaperr.LIBCMT ref: 007C5495

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: aadc81f54092657afaa611eb1ca469e09d564c5309849601a03cfba795513811
Instruction ID: be573da10f2d4607b4bd3b4a522993c61b03dfc714974e77b926d3f9d0535d9c
Opcode Fuzzy Hash: aadc81f54092657afaa611eb1ca469e09d564c5309849601a03cfba795513811
Instruction Fuzzy Hash: D2018C72505659EBCF09DFA0DC0AFAE3B69EF04362F10405CF80196150EF3AEA90DBA0

Function 007C55DE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007CC3AB: GetLastError.KERNEL32(00000000,?,007C77D9,007CD3F6,?,?,007CC2A7,00000001,00000364,?,00000006,000000FF,?,007C5585,007E8E90,0000000C), ref: 007CC3AF
Part of subcall function 007CC3AB: SetLastError.KERNEL32(00000000), ref: 007CC451

CloseHandle.KERNEL32(?,?,?,007C54C9,?,?,007C55BE,00000000), ref: 007C560F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,007C54C9,?,?,007C55BE,00000000), ref: 007C5625
ExitThread.KERNEL32 ref: 007C562E

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: fc0ab1aa4b67b1f8c360051e8dea4d6f858e9005b446abbb1b758b9d891b380d
Instruction ID: 2fa1c8c18076b6d5637a29b368a64601a294466521b91a4081abf5038ed07841
Opcode Fuzzy Hash: fc0ab1aa4b67b1f8c360051e8dea4d6f858e9005b446abbb1b758b9d891b380d
Instruction Fuzzy Hash: CCF05E31501E416BCB212B75CD4CF2A7B99EF04B64F58861CF869E70B1DB2AFC818A65

Function 007C574F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,007C5811,007C8486,007C8486,?,00000002,BF3CFDEB,007C8486,00000002), ref: 007C5760
TerminateProcess.KERNEL32(00000000,?,007C5811,007C8486,007C8486,?,00000002,BF3CFDEB,007C8486,00000002), ref: 007C5767
ExitProcess.KERNEL32 ref: 007C5779

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b4b05de08f51351b628db57e96372df11442451bc7b4633324c26821a163f17b
Instruction ID: 8c7e2fd4fbaa206ecb97d4c2a8375bb3bfa135a6feb8fd36a55bad5b6a4e7465
Opcode Fuzzy Hash: b4b05de08f51351b628db57e96372df11442451bc7b4633324c26821a163f17b
Instruction Fuzzy Hash: 80D06C31001588EBCF112F60ED4EE593F2AEA68391B58801CB9495A131DF7AB9929A98

Function 007D3CE4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007D408E: GetConsoleOutputCP.KERNEL32(BF3CFDEB,00000000,00000000,?), ref: 007D40F1

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,007C8674,?), ref: 007D3E69
GetLastError.KERNEL32(?,?,007C8674,?,007C88B8,00000000,?,00000000,007C88B8,?,?,?,007E9040,0000002C,007C87A4,?), ref: 007D3E73

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 01c7b714727c75486133cdbad55f61ee818cf9059a07d0334c36866218140bea
Instruction ID: a143e86339e9106314743957759cd79118f94c311769cb3730c02cf5e8f78061
Opcode Fuzzy Hash: 01c7b714727c75486133cdbad55f61ee818cf9059a07d0334c36866218140bea
Instruction Fuzzy Hash: 1C61B371900159AFDF11CFA8D884EEEBFBAAF19304F14014AE904A7355D779DE01CB61

Function 007D44BD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,007D3E4F,00000000,007C88B8,?,00000000,?,00000000), ref: 007D4559
GetLastError.KERNEL32(?,007D3E4F,00000000,007C88B8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,007C8674), ref: 007D457F

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: ea2e2ce7875b008813f6a5c936c49030cf9ff7871574915dab15378bd9f78bf1
Instruction ID: 63cf14916ea8b0d288a0cdb3d646853d2a669ee556553fbe5f7fc0721cc8d646
Opcode Fuzzy Hash: ea2e2ce7875b008813f6a5c936c49030cf9ff7871574915dab15378bd9f78bf1
Instruction Fuzzy Hash: 0C216075A002599FCF16CF29EC809DDB7B9EB5C305F1440AAE946D7311EA34DE42CB64

Function 007B9290 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 007B9369
std::_Throw_Cpp_error.LIBCPMT ref: 007B9377

Part of subcall function 007BF0C2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,007B8FEA,007BA490), ref: 007BF0D7

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: e23b3f15a7a7641c316e2e47c903a9a5f8f717451882e2d872e5baf8d3e51168
Instruction ID: 56241403d0a68333883bd2a0f1c94465328790a09d82e75e1b15e5ac58f50893
Opcode Fuzzy Hash: e23b3f15a7a7641c316e2e47c903a9a5f8f717451882e2d872e5baf8d3e51168
Instruction Fuzzy Hash: C521E2B1A00645DBDB10AF648D46BEEBBF4FB04720F144228E629677C2D778A905CBD2

Function 007CDB42 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,007CDA31,007E9388,0000000C), ref: 007CDB8E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,007CDA31,007E9388,0000000C), ref: 007CDBA0

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 1d259a802e4f74d71a2664750a6087707e27247f6fab951e55b408f72cfe6f09
Instruction ID: 8f1aed61494338521d6009edefcfa47bba80af007647bc0cf2780af32f87ce75
Opcode Fuzzy Hash: 1d259a802e4f74d71a2664750a6087707e27247f6fab951e55b408f72cfe6f09
Instruction Fuzzy Hash: 271154B15047514ACB304F3E8C88F22BB95A79A334B3A072ED5B6975F1C638DC86D645

Function 007B1FA0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007B1240: _strlen.LIBCMT ref: 007B12BA

FreeConsole.KERNELBASE(?,?,?,?,?,007B17EF,?,?,?,00000000,?), ref: 007B1FD1
VirtualProtect.KERNELBASE(007EA011,00000549,00000040,?), ref: 007B2028

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: 0c39a74698850cc6c5298b2ffd87178fa209a611b2479818e4f868d152c5834a
Instruction ID: ca6d37c0aef7156b083022243da17dfc228e56b3c2607eac749bad5ea2b99456
Opcode Fuzzy Hash: 0c39a74698850cc6c5298b2ffd87178fa209a611b2479818e4f868d152c5834a
Instruction Fuzzy Hash: 5511E771A01108BBDB04BB659C06FEF7764EF48700F408439F605AB2C2FA79695147D5

Function 007C5560 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(007E8E90,0000000C), ref: 007C5573
ExitThread.KERNEL32 ref: 007C557A

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: df5c714ecbfa6607bf150a901b27c86b3b438ef6b5ca8f8a6f74c7d19fb0805a
Instruction ID: b6b7c6ca55e44736eca6aceef8fb26ad9ac2bf7e602f2274c9f8071886d2c63a
Opcode Fuzzy Hash: df5c714ecbfa6607bf150a901b27c86b3b438ef6b5ca8f8a6f74c7d19fb0805a
Instruction Fuzzy Hash: 86F0AF71A41A44DFDB11ABB0C84EF6E3B66FF04710F20414CF0059B262CB3D69818BA1

Function 007B2320 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 007B2338
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007B234C

Part of subcall function 007B2060: CreateFileA.KERNELBASE ref: 007B20E6
Part of subcall function 007B2060: GetFileSize.KERNEL32(00000000,00000000), ref: 007B20F6
Part of subcall function 007B2060: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 007B211B
Part of subcall function 007B2060: CloseHandle.KERNELBASE(00000000), ref: 007B212A
Part of subcall function 007B2060: _strlen.LIBCMT ref: 007B217D

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: b15846801759f84dd1abc2badb347533baa61e1f685749de560da7d53a40cb88
Instruction ID: a24cf09414580f5622fdb7422d456a464e29d8f8caf459f27bd6ff53fff1aa13
Opcode Fuzzy Hash: b15846801759f84dd1abc2badb347533baa61e1f685749de560da7d53a40cb88
Instruction Fuzzy Hash: 95F0E5B2A02244A7D5217724AC4FFEB7BA8EF99714F014419F58A8A182D978614587A3

Function 007CBFC7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,007D03A4,?,00000000,?,?,007D0044,?,00000007,?,?,007D098A,?,?), ref: 007CBFDD
GetLastError.KERNEL32(?,?,007D03A4,?,00000000,?,?,007D0044,?,00000007,?,?,007D098A,?,?), ref: 007CBFE8

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: ffbd99bd803019033e82623ce123f78fdcef536b809556f03eb314f15245a1f3
Instruction ID: f87f0b78e45ae88c9cd75c674b64d2a3516e9fe3faa72c2de95954908a52e916
Opcode Fuzzy Hash: ffbd99bd803019033e82623ce123f78fdcef536b809556f03eb314f15245a1f3
Instruction Fuzzy Hash: 84E08631105294ABDF116FA5EC4DF453B989B54791F10806CF6088A160CF3D9850CF94

Function 007BDFE0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ca761ffa511d8ecdba629f60dda92f2ab0d058078ad1e7b50910647d1b6709
Instruction ID: 50ab915f29874a28f07cafaf079fa36264261d7ebb439a8715fc4218e175575f
Opcode Fuzzy Hash: 89ca761ffa511d8ecdba629f60dda92f2ab0d058078ad1e7b50910647d1b6709
Instruction Fuzzy Hash: DE41A03190011AEFCB14EF68C494AEDB7F9FF08310B64412AE402E7740EB79E951DB90

Function 007BCC30 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4707653cb0fab0164c821b3f0204e9e8c5fc917dadfe37be8e31c373e2490e
Instruction ID: bbb439c31952f2df26a25cbe124e3f1bd9f97ce65f5e2de47b2857fa7b2536e8
Opcode Fuzzy Hash: 7e4707653cb0fab0164c821b3f0204e9e8c5fc917dadfe37be8e31c373e2490e
Instruction Fuzzy Hash: CA31BA32A0010AEFCF15CF68D894AEDBBB8BF19320B14426AE511E7290D735F944CBA0

Function 007BB200 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 007BB164: GetModuleHandleExW.KERNEL32(00000002,00000000,007B8BCA,?,?,007BB127,007B8BCA,?,007BB0F8,007B8BCA,?,?,?), ref: 007BB170

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,BF3CFDEB,?,?,?,Function_0002BF84,000000FF), ref: 007BB267

Part of subcall function 007BB09A: std::_Throw_Cpp_error.LIBCPMT ref: 007BB0BB

Part of subcall function 007BF0C2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,007B8FEA,007BA490), ref: 007BF0D7

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: a55cd0631abd4843521d05c106a1605a4174aeaa1d5d11212848aa3a02773d7a
Instruction ID: 2925319e939d95db4a94f72c5c4b4c6576398e17d84450fddcab4b8d4a7c7b3f
Opcode Fuzzy Hash: a55cd0631abd4843521d05c106a1605a4174aeaa1d5d11212848aa3a02773d7a
Instruction Fuzzy Hash: BA11E636600644DBCA257B289C55BAE7764FB4DB70B10841AFC129B6A1CF7DD801CA50

Function 007CD0C6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941b1127845bf82d4cb4eb0aa74129fc8b88724c6ab4a48600010f39eb88fe56
Instruction ID: ac705f4a1970fe4f06c105703e6a06b02b31437c4188b1dcb781d43ec3a9348b
Opcode Fuzzy Hash: 941b1127845bf82d4cb4eb0aa74129fc8b88724c6ab4a48600010f39eb88fe56
Instruction Fuzzy Hash: 4901D233210269DB8F228E6CEC84E5737A9EBC836072A803CF9108F094EB39DC008694

Function 007BCC22 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 242601a936cee9aa846f92f8c5221d675d0e20aeca0a139d71e42a8c445b5f44
Instruction ID: 66eb2b284ac2908c41f947fdb2fc2ea66df73318a6b2c69468ce4df08a617b31
Opcode Fuzzy Hash: 242601a936cee9aa846f92f8c5221d675d0e20aeca0a139d71e42a8c445b5f44
Instruction Fuzzy Hash: F70149776082865ECF179B78E8397E87F10FF96334B20C16FD01285581CB1B5851C760

Function 007B7910 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 007B7966

Part of subcall function 007BB104: CloseThreadpoolWork.KERNEL32(?,00000000,?,007B7A7A,00000000), ref: 007BB112

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: 7d084069d51bb10d3a02a69c761e401fce99883325e88c0ca2aaf11a9bb9c295
Instruction ID: bc2e9bd7275272eb3e48a9e0f63072cea15cf24a29fa62a0d2c4c157b216a5ea
Opcode Fuzzy Hash: 7d084069d51bb10d3a02a69c761e401fce99883325e88c0ca2aaf11a9bb9c295
Instruction Fuzzy Hash: FC0128B1C00649ABDB00EF94DC467DEBBB4FB44720F004239E81967741E379A645CAD2

Function 007CC001 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,007CE025,?,?,007CE025,00000220,?,00000000,?), ref: 007CC033

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca7238c1d2a5133d2757d2ad0f3b07fb9feff0c471a29bad057871a81305bb60
Instruction ID: 5b9085a7bb1d04b2e37502531a3d655a528880a90f923e3721e873d4fa848d47
Opcode Fuzzy Hash: ca7238c1d2a5133d2757d2ad0f3b07fb9feff0c471a29bad057871a81305bb60
Instruction Fuzzy Hash: 8CE0ED212012A0D6EA336B659C09F6A37489B11BE0F1901ACFC0D9A0C1EF2CDC8082A5

Function 007B9A90 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 007B9AAF

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 457fb479718da7c53233e4787741697dff68f310d3a7e8cbbaa30f2403520b34
Instruction ID: 0c41457eb00bf2fc4d34a7b5b524fa2488053eb70c50d22109e3e07e0fcf8371
Opcode Fuzzy Hash: 457fb479718da7c53233e4787741697dff68f310d3a7e8cbbaa30f2403520b34
Instruction Fuzzy Hash: 04D0A7397020604F87157B29A8589AE73A1FFCC7303664459ED41D7315C72CEC0286C0

Non-executed Functions

Function 007D1377 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 007D147F
IsValidCodePage.KERNEL32(00000000), ref: 007D14BD
IsValidLocale.KERNEL32(?,00000001), ref: 007D14D0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 007D1518
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 007D1533

Strings

<K~, xrefs: 007D142C

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: <K~
API String ID: 415426439-1979715347
Opcode ID: 742e284f7a1d0515f61b80a7ca9705c44f2ca19f1424e238b9bf237f62dc416c
Instruction ID: 02e6fb25f32e4edc274298c83ed156656e41331755e313200757ca630a53ce90
Opcode Fuzzy Hash: 742e284f7a1d0515f61b80a7ca9705c44f2ca19f1424e238b9bf237f62dc416c
Instruction Fuzzy Hash: 3F515271A00249BBEF11DFA4DC85ABA77B8FF48700F94446AF915EB250D7789940C7A0

Function 007D7882 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007D7A99

Strings

1#QNAN, xrefs: 007D7995
1#IND, xrefs: 007D7987
1#INF, xrefs: 007D79B8
1#SNAN, xrefs: 007D798E

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: dd45bb75272b0990f3f56ad6e46aa3beb13af23f327a514bc8253ce79c936783
Instruction ID: edb486489d0c228e37ecc845c337d4ee3da910f2f1255442212849e932f3d8f1
Opcode Fuzzy Hash: dd45bb75272b0990f3f56ad6e46aa3beb13af23f327a514bc8253ce79c936783
Instruction Fuzzy Hash: FAD21971E092298FDBA5CE28DD44BEAB7B5EB44305F1441EBD40DE7240EB78AE858F41

Function 007D1AF7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,007D14AD,00000002,00000000,?,?,?,007D14AD,?,00000000), ref: 007D1B90
GetLocaleInfoW.KERNEL32(?,20001004,007D14AD,00000002,00000000,?,?,?,007D14AD,?,00000000), ref: 007D1BB9
GetACP.KERNEL32(?,?,007D14AD,?,00000000), ref: 007D1BCE

Strings

ACP, xrefs: 007D1B15
OCP, xrefs: 007D1B4B

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 2002e89e8d9c0231947759717cb96cbd74d341884650e4ec2a477635c42db440
Instruction ID: 88218d907067f6542980d2b5f0b57cf9e754101fd91c24edbb675ea095ce618a
Opcode Fuzzy Hash: 2002e89e8d9c0231947759717cb96cbd74d341884650e4ec2a477635c42db440
Instruction Fuzzy Hash: EB2198A2B00104BADB358F55C900AA773B7EF54B64BE68467E946D7710F73ADD40C750

Function 007C9DB0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: 176f836c5507b53d5ae4299a86eb0248853f0b6913986a9bb6a5b87b660dbd60
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: BA022B71E01219ABDF14CFA9C884BAEFBB1FF48314F24826DD919E7341D735AA418B91

Function 007D20D9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D21C9

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: aca20c7e31f9d0b15d1f63937839ddc7388f7eef1299b908dbe5548ebe40b7d4
Instruction ID: 91e25b6fd80a94b82a71a4c09b45a304fbc2610c3374167413625af61a8981b5
Opcode Fuzzy Hash: aca20c7e31f9d0b15d1f63937839ddc7388f7eef1299b908dbe5548ebe40b7d4
Instruction Fuzzy Hash: 1371C47190516D9FDF21AF248C8DAAEB7B9AF25300F1481DEE049A7312DB395E878F14

Function 007BF9D9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 007BF9E5
IsDebuggerPresent.KERNEL32 ref: 007BFAB1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007BFACA
UnhandledExceptionFilter.KERNEL32(?), ref: 007BFAD4

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0868c0c7ddc21f05d84c985121b168f454032ee750c0f88c28ccff8ba66d9c99
Instruction ID: b7b7cc8f394eb5ce35d45e419474d645048db4cdbbd09ab577f64bf15a057a62
Opcode Fuzzy Hash: 0868c0c7ddc21f05d84c985121b168f454032ee750c0f88c28ccff8ba66d9c99
Instruction Fuzzy Hash: 2531F975D01218DBDF21DFA4DD897CDBBB8AF08740F1041AAE40CAB250EB759A858F45

Function 007D1670 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007D16C4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007D170E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007D17D4

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: dd3d50b00c861206bc031e85542cf1637e8edfafc45fd8750e73eaa6df0a2efa
Instruction ID: 4d1348e2e1d5fb50257ab18a2a88d23f46c8f47a74855533471e0e487a852d6a
Opcode Fuzzy Hash: dd3d50b00c861206bc031e85542cf1637e8edfafc45fd8750e73eaa6df0a2efa
Instruction Fuzzy Hash: E6617F71900207ABEB29DF24CD86BBA77B8FF04321F50416AE905C6691E73DD981DB50

Function 007C7F20 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 007C8018
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 007C8022
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 007C802F

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1952f4537cdb28119c38ba7b1b3a9044ef76e430be0224568fcc188d897d0867
Instruction ID: 88ee063c942cceb38acb703b3715575c104656afd9c19ef847c6d397070c1f57
Opcode Fuzzy Hash: 1952f4537cdb28119c38ba7b1b3a9044ef76e430be0224568fcc188d897d0867
Instruction Fuzzy Hash: B931D475901218EBCB61DF64DC89BCDBBB8BF08310F5041EAE41CA7251EB349B858F45

Function 007C01A4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 007C01DC
GetSystemTimeAsFileTime.KERNEL32(?,BF3CFDEB,007B8FD0,?,007DBF67,000000FF,?,007BFEA4,?,00000000,00000000,?,007BFEC8,?,007B8FD0,?), ref: 007C01E0

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 085c3514ff5a3a70cb2475f7557b06d6d77c52c493e54ef824ea8d63b21f7eef
Instruction ID: 0c01b25cefeafef6c73cb4a83c7ce911a6b88765d79e566d8727d8e10d53752e
Opcode Fuzzy Hash: 085c3514ff5a3a70cb2475f7557b06d6d77c52c493e54ef824ea8d63b21f7eef
Instruction Fuzzy Hash: 57F01276A05598DBCB019F44DC45F5DBBA8F708B54F05411AE8129B650D73969008AC4

Function 007D5D4E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007D5CA9,?,?,00000008,?,?,007DBD9B,00000000), ref: 007D5F7B

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2e428a136a4c467a5be60ac2c93378aa4ead4d070a3a26a5959a1518d14cfd2f
Instruction ID: bfb505349604b5a1cf31a5810c7c8df735e203a03f83f4916e1fa611969eda5b
Opcode Fuzzy Hash: 2e428a136a4c467a5be60ac2c93378aa4ead4d070a3a26a5959a1518d14cfd2f
Instruction Fuzzy Hash: D7B13A31610A08DFD715CF28C48AB657BB1FF45365F298659E899CF3A1C739EA82CB40

Function 007BF645 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007BF65B

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8b7dfbb2655780cd49efeaf41092bee0bb04edda43fb86adf44e481589ad57e7
Instruction ID: 8e25ef4886254921da2d88cd8a052fe60298fd98d5851e8536dd6cd6b5a9d355
Opcode Fuzzy Hash: 8b7dfbb2655780cd49efeaf41092bee0bb04edda43fb86adf44e481589ad57e7
Instruction Fuzzy Hash: ECA15AB29026459BEB19CF69DCC179ABBF4FB48724F24C16AD411EB360D3789980CF94

Function 007D2028 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007CD3A4: HeapAlloc.KERNEL32(00000008,?,?,?,007CC2A7,00000001,00000364,?,00000006,000000FF,?,007C5585,007E8E90,0000000C), ref: 007CD3E5

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D21C9
FindNextFileW.KERNEL32(00000000,?), ref: 007D22BD
FindClose.KERNEL32(00000000), ref: 007D22FC
FindClose.KERNEL32(00000000), ref: 007D232F

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 2f08a6769c01512012a971e6ae4e37eb5be424fd284e55ac2673ae1269d327c2
Instruction ID: 8db27a9d8f3d7fb2f1ac16686216a6bbfbf0792c1345cef9cc1f742d5702653a
Opcode Fuzzy Hash: 2f08a6769c01512012a971e6ae4e37eb5be424fd284e55ac2673ae1269d327c2
Instruction Fuzzy Hash: 4A51597190411CEFDF24AF288C89ABE77B9DFA5314F14819EF40997302EA399D439B60

Function 007D1930 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007D1984

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1f59519ed7f13ff2f46e3d453f15f372ee040fb9a5cd05b0d78d5bc9b91dc572
Instruction ID: 36b42979f791b5910475075ef2249d220a73f99f2767803caa1c7b518d21ed20
Opcode Fuzzy Hash: 1f59519ed7f13ff2f46e3d453f15f372ee040fb9a5cd05b0d78d5bc9b91dc572
Instruction Fuzzy Hash: 9821B072615246FBDB289A64CC66EBA33B8EF44311B50407FF90AC7241EB3DED409750

Function 007C40A2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 007C4226

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a6dccbf413c009105ce8cd5eea0152b4a5d44e4126a14b1a58438a63aedd045a
Instruction ID: 5df96d99a2c91bc1e26bf5ff0c9960dd7d7dc304b17df834ce657f5dff483818
Opcode Fuzzy Hash: a6dccbf413c009105ce8cd5eea0152b4a5d44e4126a14b1a58438a63aedd045a
Instruction Fuzzy Hash: D7B1B37090064ACBCB24CE68C9B5FBEBBB1AF55300F18461DE992A7681C7399E81CB51

Function 007D15C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

EnumSystemLocalesW.KERNEL32(007D1670,00000001,00000000,?,-00000050,?,007D1453,00000000,-00000002,00000000,?,00000055,?), ref: 007D163A

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2a4a2e16e693f2fea38e9d094f859ef3e590120524c6bd679fa50d98ea28b688
Instruction ID: eb7d204036bbfa2cee83a260708f2ebfd3cac81ddb40139a911d53226139f4a4
Opcode Fuzzy Hash: 2a4a2e16e693f2fea38e9d094f859ef3e590120524c6bd679fa50d98ea28b688
Instruction Fuzzy Hash: 64114C37200701AFDB189F79C8A167AB7A2FF84368B58442DE58747B40D779B842C740

Function 007D1A50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007D1AA4

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4529f4960cabf2a9edef36e034d028e4cd6f667e4b599a0c9ce94b92fb294e06
Instruction ID: 44a4c7c7908869a9731b36c611e28b9237c3631c56ca9151b198b90c5dfdedc8
Opcode Fuzzy Hash: 4529f4960cabf2a9edef36e034d028e4cd6f667e4b599a0c9ce94b92fb294e06
Instruction Fuzzy Hash: B1110632601506EBDB14AB68DC4AABB77B8EF44310B50817FF506C7241EB3CE9008790

Function 007D1BFD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,007D188C,00000000,00000000,?), ref: 007D1C29

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 307e09ff5fa122ea5c1700d7fd2364858021f6df724450ccba31ae17ed5c29c1
Instruction ID: b57e1c52242e370dd8b73f8026bea61a4ab7a7d85b05c9b6506ed56a21383993
Opcode Fuzzy Hash: 307e09ff5fa122ea5c1700d7fd2364858021f6df724450ccba31ae17ed5c29c1
Instruction Fuzzy Hash: CB01FE36760212BBDB1856648C45BBA3774EB40754F55442AEC0AE3390DA3CFE41C6B0

Function 007D18C3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

EnumSystemLocalesW.KERNEL32(007D1930,00000001,?,?,-00000050,?,007D141B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 007D190D

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6ed656b33c1ddfee0d9965c7864621e0043eb64c22294b48beb350e5c0eeb7cd
Instruction ID: 72a87be3301ba9b5a27ca43ec54b9243bdd30c4842232ff654ce23b73a9e0401
Opcode Fuzzy Hash: 6ed656b33c1ddfee0d9965c7864621e0043eb64c22294b48beb350e5c0eeb7cd
Instruction Fuzzy Hash: 00F04632200304AFDB245F79D8A5A7A7BA1EF80368B49842EFA454B780C679AC42C750

Function 007CD2AD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007C81D1: EnterCriticalSection.KERNEL32(?,?,007CC6E8,?,007E92E8,00000008,007CC5DA,?,?,?), ref: 007C81E0

EnumSystemLocalesW.KERNEL32(007CD2A0,00000001,007E9368,0000000C,007CCC01,-00000050), ref: 007CD2E5

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d0e6551c6e8e62d7b0c15618ece516ca0a9c7b28d381255d661c9ef47347c8dd
Instruction ID: f6fb5b1afe01ff2e6eba8bad3323e264c79d011b3c76eaf29992b129ca53773c
Opcode Fuzzy Hash: d0e6551c6e8e62d7b0c15618ece516ca0a9c7b28d381255d661c9ef47347c8dd
Instruction Fuzzy Hash: F2F0E772A05345DFDB10EFA8E886B9DB7F0EB49721F10812EF5109B2A1DB7D59008F55

Function 007D1A05 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

EnumSystemLocalesW.KERNEL32(007D1A50,00000001,?,?,?,007D1475,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 007D1A3C

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5e8c1fd504581b61c9ecc92cadd10a5da89152722d25323fbb784fcc7f091650
Instruction ID: 044bd2123f44e1f0b977efa7a58087db229f11b3f71e2855ae7dc655a856b002
Opcode Fuzzy Hash: 5e8c1fd504581b61c9ecc92cadd10a5da89152722d25323fbb784fcc7f091650
Instruction Fuzzy Hash: 78F05C35300204A7CB049F75D8556667F70EFC1760B47805DEA0D8B251C6399882C790

Function 007CCD05 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,007C6F23,?,20001004,00000000,00000002,?,?,007C5E2D), ref: 007CCD39

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2749278a0c004fc2a28d0ca2339cde46a6c17995030cacdd3c74a8291db57f83
Instruction ID: c07daeda2734952c2a62f57858945e25702853eb9e7498d6af12adfeaf0b5f26
Opcode Fuzzy Hash: 2749278a0c004fc2a28d0ca2339cde46a6c17995030cacdd3c74a8291db57f83
Instruction Fuzzy Hash: 82E01A3560125CBBCB122F60DC09FAE3F26EB487A0F084028FC0966121CB3A9D21AA95

Function 007BF9CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FAF0), ref: 007BF9D2

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0f9d3101231f4adfb98a155b6d8a55cd2cf5e56fc11a5cab7860906d1ee4cdc2
Instruction ID: 94259dfdee983135b3d01a211097894ed4ff705aadecb650db6d7d88a3867b92
Opcode Fuzzy Hash: 0f9d3101231f4adfb98a155b6d8a55cd2cf5e56fc11a5cab7860906d1ee4cdc2
Instruction Fuzzy Hash:

Function 007CD9D0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007CD9D0

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4e3208e81f0a617a33cb79802b303171d31469f6e04da336727d148a77bfc10c
Instruction ID: 36e383a01edfcccdc8c6a68df113e99c973746d1f39dcaff0299573fda348550
Opcode Fuzzy Hash: 4e3208e81f0a617a33cb79802b303171d31469f6e04da336727d148a77bfc10c
Instruction Fuzzy Hash: D8A012302021818B43004F32594420935D8A5191C0300C0246800CD170DA3954105F08

Function 007DABD2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(029303F0,029303F0,00000000,7FFFFFFF,?,007DABBD,029303F0,029303F0,00000000,029303F0,?,?,?,?,029303F0,00000000), ref: 007DAC78
__alloca_probe_16.LIBCMT ref: 007DAD33
__alloca_probe_16.LIBCMT ref: 007DADC2
__freea.LIBCMT ref: 007DAE0D
__freea.LIBCMT ref: 007DAE13
__freea.LIBCMT ref: 007DAE49
__freea.LIBCMT ref: 007DAE4F
__freea.LIBCMT ref: 007DAE5F

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: f1e7095a0d4751cd83e3ad4ed4d32ad2bdab9ee0fbb032e8795a6d839f114179
Instruction ID: 583ad1b51c8979a7d73a9bdfb9062ae91ed2078cc923563be427f49435253eff
Opcode Fuzzy Hash: f1e7095a0d4751cd83e3ad4ed4d32ad2bdab9ee0fbb032e8795a6d839f114179
Instruction Fuzzy Hash: FC71A372A00246BBDF219F548C46BAF7BB5BF45720F29045BE908A7382E63DDD40C762

Function 007BFF19 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 007BFF60
__alloca_probe_16.LIBCMT ref: 007BFF8C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 007BFFCB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007BFFE8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007C0027
__alloca_probe_16.LIBCMT ref: 007C0044
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 007C0086
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 007C00A9

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 0e3118e07d703946271e4ffed884ccc8a7682eab6c47b3224649b17364c798de
Instruction ID: 0774d2a2e602861c8bb4fd9bf30e1122e5c52497496a118990db0989ae3e1fe7
Opcode Fuzzy Hash: 0e3118e07d703946271e4ffed884ccc8a7682eab6c47b3224649b17364c798de
Instruction Fuzzy Hash: 47519F72601206EFEF219F60CC49FAA7BA9EF44B51F15442DF9149A190DB388D90CBE0

Function 007CEF66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007CEFEC

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: d6dd01c7ea167fd46c5c418fb3bc0a06041722042ba6b96c6c370f776286e516
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: EEB14772A00259DFDB118F68CC81FAE7BB6EF59710F18416EE904AB382D7789941C7A1

Function 007B7580 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 007B76C6
___std_exception_copy.LIBVCRUNTIME ref: 007B7701

Part of subcall function 007BB0D7: CreateThreadpoolWork.KERNEL32(007BB200,007B8BCA,00000000), ref: 007BB0E6
Part of subcall function 007BB0D7: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 007BB0F3

Strings

Fail to schedule the chore!, xrefs: 007B7700
`w{, xrefs: 007B75F5, 007B7659, 007B7628
,q{`w{, xrefs: 007B758C
W.~, xrefs: 007B76F1

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: ,q{`w{$Fail to schedule the chore!$W.~$`w{
API String ID: 3683891980-2781824576
Opcode ID: 3af28a5bf4df7cff797a07e152f0b58072af018ecfbeb79b64a1883bdf378cf4
Instruction ID: cd744c43f27f044f01e27378c5b5daedd0e9e1e45eaaa228cc5e4f8c06345a8c
Opcode Fuzzy Hash: 3af28a5bf4df7cff797a07e152f0b58072af018ecfbeb79b64a1883bdf378cf4
Instruction Fuzzy Hash: C3519EB4D01208DFCB14DF94D885BEEBBB4FF88324F144129E8196B391D779AA05CB91

Function 007C0E30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007C0E67
___except_validate_context_record.LIBVCRUNTIME ref: 007C0E6F
_ValidateLocalCookies.LIBCMT ref: 007C0EF8
__IsNonwritableInCurrentImage.LIBCMT ref: 007C0F23
_ValidateLocalCookies.LIBCMT ref: 007C0F78

Strings

csm, xrefs: 007C0F0D

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 276b1a3e720b10aded3b7751315ba7fe174017721fbacd4bcfc07ba315a969af
Instruction ID: eff4521041f910a3d8a7d73a543d1047832499cf6d3a96901c27c859099f352d
Opcode Fuzzy Hash: 276b1a3e720b10aded3b7751315ba7fe174017721fbacd4bcfc07ba315a969af
Instruction Fuzzy Hash: 8241AE34A00219DBCF20EF68C885F9EBBA5AF44324F14855DF815AB392C739EA41CBD5

Function 007B3E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007B3E45
std::_Lockit::_Lockit.LIBCPMT ref: 007B3E5F
std::_Lockit::~_Lockit.LIBCPMT ref: 007B3E80
__Getctype.LIBCPMT ref: 007B3F32
std::_Lockit::~_Lockit.LIBCPMT ref: 007B3F78

Strings

u.~, xrefs: 007B3F07

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID: u.~
API String ID: 3087743877-297871038
Opcode ID: 5c6a9ee36f3fe89af150fdbed5265f7066a84dea8dbcd0f6b0ac2f7ecd0debac
Instruction ID: 187081ebbdfac474779326030352f72573e0f5709433de0e893a66c1b4a5fd02
Opcode Fuzzy Hash: 5c6a9ee36f3fe89af150fdbed5265f7066a84dea8dbcd0f6b0ac2f7ecd0debac
Instruction Fuzzy Hash: 4A4148B5D01258DFCB15EF94C845BEEBBB1FB48720F048119E8256B391DB38A941CB91

Function 007C0170 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007C0176
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 007C0184
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 007C0195

Strings

GetSystemTimePreciseAsFileTime, xrefs: 007C017E
kernel32.dll, xrefs: 007C0171
GetTempPath2W, xrefs: 007C018A

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 1449a70b8dff04b9fc552fd4babd62e7f8786f54d6e2c7694dac79657a5a18e1
Instruction ID: 13fadb767708d58e47a35cf9c895dbebb34ca7a2dc69c748737d1211eddfc398
Opcode Fuzzy Hash: 1449a70b8dff04b9fc552fd4babd62e7f8786f54d6e2c7694dac79657a5a18e1
Instruction Fuzzy Hash: 4DD05EB65132E06B87105F797C5C8853AA5FA1C66031280A1F841DB234DB7C241186AC

Function 007D5071 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a8d0e2a272fe61be0356a76f7fa395b76eb1c889c84680939d921a102c0619
Instruction ID: 4e00994454ba5742cc4d0e248bf7bfef6f7c1e7a0a6c11f7dba983b713fa1dba
Opcode Fuzzy Hash: 70a8d0e2a272fe61be0356a76f7fa395b76eb1c889c84680939d921a102c0619
Instruction Fuzzy Hash: 48B1E474A08A49EFDB15CFA8C885BAD7BB1BF59344F14415AE4019B392CBB89D41CFA0

Function 007B9CD0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 007B9E37
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E48
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E5C
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E7D
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E8E
std::_Throw_Cpp_error.LIBCPMT ref: 007B9EA6

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: e262b26a8daa59cfeedd56af1aa3edcc8e77f7a22b840d9d8c5bb5ca74096dea
Instruction ID: 9e1fb9fc28b9db8d4ed19dd98a52959a779d51c8663ceb5b41e17bc771521bc5
Opcode Fuzzy Hash: e262b26a8daa59cfeedd56af1aa3edcc8e77f7a22b840d9d8c5bb5ca74096dea
Instruction Fuzzy Hash: 7D41C7B1A00744DBDB30DF65894A7EBB7B8BF45720F14062DE77A262D2D778A500CB52

Function 007CADD7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007CADCE,007C0850,007BB86F,BF3CFDEB,?,?,?,?,007DC0BA,000000FF), ref: 007CADE5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007CADF3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007CAE0C
SetLastError.KERNEL32(00000000,?,007CADCE,007C0850,007BB86F,BF3CFDEB,?,?,?,?,007DC0BA,000000FF), ref: 007CAE5E

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7e21e138475157b7c7a4367613ac74248fa98a1262c0dca35857f7a0a1027c5b
Instruction ID: be8c80cea46e1837d778f9af77f040d9f026680790820c84d441ec56fb6a8154
Opcode Fuzzy Hash: 7e21e138475157b7c7a4367613ac74248fa98a1262c0dca35857f7a0a1027c5b
Instruction Fuzzy Hash: 7901DD3220776AED9A1427757CCAE172BA4D715F79720432EF210491E2EF1D6C025185

Function 007CB65E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 007CB77D
CallUnexpected.LIBVCRUNTIME ref: 007CB9F6

Strings

csm, xrefs: 007CB69B
csm, xrefs: 007CB7B4
csm, xrefs: 007CB708

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 321f1a512e5d41bc05dfe390566bbd1aa0b26f405c23dfce1699959ee02622f2
Instruction ID: 85909ce820f404e088b5f5215780ce881f216b7dfeda67938dd97e488f14b6f9
Opcode Fuzzy Hash: 321f1a512e5d41bc05dfe390566bbd1aa0b26f405c23dfce1699959ee02622f2
Instruction Fuzzy Hash: 2FB18771800209EFCF19DFA4C886EAEBBB8BF44315F10455EF9056B216D739EA51CB92

Function 007BBF85 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 007BC034
std::_Ref_count_base::_Decref.LIBCPMT ref: 007BC118

Strings

MOC, xrefs: 007BBF8F
csm, xrefs: 007BBFA7
RCC, xrefs: 007BBF9B

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: ed2bef31a6f8c4ea35f5588551722969283748e5c29d31ae35c778f6b3e757d1
Instruction ID: f26924683f6a369250d483c30be04ac6d3e89e51926ac9f1e079baae85b0d4d9
Opcode Fuzzy Hash: ed2bef31a6f8c4ea35f5588551722969283748e5c29d31ae35c778f6b3e757d1
Instruction Fuzzy Hash: 0A419C74901209DFCF25EF68C949BEEB7B5FF48300B58816DE845AB252C77CAA44CB51

Function 007C56B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BF3CFDEB,?,?,00000000,007DBF84,000000FF,?,007C5775,00000002,?,007C5811,007C8486), ref: 007C56E9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007C56FB
FreeLibrary.KERNEL32(00000000,?,?,00000000,007DBF84,000000FF,?,007C5775,00000002,?,007C5811,007C8486), ref: 007C571D

Strings

CorExitProcess, xrefs: 007C56F3
mscoree.dll, xrefs: 007C56E2

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b83a3aea42cf8c9350db9fa0aab90ec49b5d0cdd0445d9f1504376d2cd84411f
Instruction ID: 725c0508ac8f064476c394a750aae53dc08ddf555f0ba26001eed99c96da8d39
Opcode Fuzzy Hash: b83a3aea42cf8c9350db9fa0aab90ec49b5d0cdd0445d9f1504376d2cd84411f
Instruction Fuzzy Hash: FE01DB71941659EFDB018F54CC45FAEB7B8FB08B65F00452DF811E62A0DB7DA940CAA0

Function 007CD7DA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 007CD85F
__alloca_probe_16.LIBCMT ref: 007CD928
__freea.LIBCMT ref: 007CD98F

Part of subcall function 007CC001: RtlAllocateHeap.NTDLL(00000000,007CE025,?,?,007CE025,00000220,?,00000000,?), ref: 007CC033

__freea.LIBCMT ref: 007CD9A2
__freea.LIBCMT ref: 007CD9AF

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 6bec33e9d9fd7d81c3a26aa1245c4bb229f2c06f6afcb0d8e838d9ce2c0e160e
Instruction ID: cf0aec47cfccd52de29d1d1c6bfcbc7f4b6c95ed062270876564f67316498e0d
Opcode Fuzzy Hash: 6bec33e9d9fd7d81c3a26aa1245c4bb229f2c06f6afcb0d8e838d9ce2c0e160e
Instruction Fuzzy Hash: 6851B176600206AFEB31AF64CC85FBB7BA9DF84710B25043DFD48DA111EB79EC5096A1

Function 007BF0E1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007BF0F5
AcquireSRWLockExclusive.KERNEL32(007B8FD8), ref: 007BF114
AcquireSRWLockExclusive.KERNEL32(007B8FD8,007BA490,?), ref: 007BF142
TryAcquireSRWLockExclusive.KERNEL32(007B8FD8,007BA490,?), ref: 007BF19D
TryAcquireSRWLockExclusive.KERNEL32(007B8FD8,007BA490,?), ref: 007BF1B4

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 093ba42a1b8f021bb380f2c553bd7b8aff73f668484f98457ae83236d27d61d5
Instruction ID: 4a3d333910a1512927cd54c5e1315977bed91085710d31cac8e4a49177f4ea9c
Opcode Fuzzy Hash: 093ba42a1b8f021bb380f2c553bd7b8aff73f668484f98457ae83236d27d61d5
Instruction Fuzzy Hash: 9341383560060EDBCB24CF68CC84AEAB3B5FF08B50B60893AE456D7A50D738E985CB51

Function 007BD5B2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BD5B9
std::_Lockit::_Lockit.LIBCPMT ref: 007BD5C3
int.LIBCPMT ref: 007BD5DA

Part of subcall function 007BC2D5: std::_Lockit::_Lockit.LIBCPMT ref: 007BC2E6
Part of subcall function 007BC2D5: std::_Lockit::~_Lockit.LIBCPMT ref: 007BC300

codecvt.LIBCPMT ref: 007BD5FD
std::_Lockit::~_Lockit.LIBCPMT ref: 007BD634

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: ac39996b398e287b2367e4ad96f65ae6669c3897167ff1900e05b5232b573677
Instruction ID: 050e2093fb3a44676b141f968bfe31cf9bff249979ea74ee5ed4bec5fe02e1ed
Opcode Fuzzy Hash: ac39996b398e287b2367e4ad96f65ae6669c3897167ff1900e05b5232b573677
Instruction Fuzzy Hash: F201D275900115DFCB16EBA8C94ABEE77B1BF94324F144419F810AB381EF7C9E018B91

Function 007BAF77 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BAF7E
std::_Lockit::_Lockit.LIBCPMT ref: 007BAF89
std::_Lockit::~_Lockit.LIBCPMT ref: 007BAFF7

Part of subcall function 007BAE4A: std::locale::_Locimp::_Locimp.LIBCPMT ref: 007BAE62

std::locale::_Setgloballocale.LIBCPMT ref: 007BAFA4
_Yarn.LIBCPMT ref: 007BAFBA

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: c706e648eaac73f80a0597deae2af81d19c1f88a651c0d28dd28002909d4124c
Instruction ID: 7fdfe7a4e9363e430d6382797656011033807d236fc11c1f0d528f9e3271d403
Opcode Fuzzy Hash: c706e648eaac73f80a0597deae2af81d19c1f88a651c0d28dd28002909d4124c
Instruction Fuzzy Hash: 240184B9602251EFCB06FB20C89AABD7765FF88750B144049E8115B381DF7CAE42CF86

Function 007D0A66 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(?,?,007C5585,007E8E90,0000000C), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000), ref: 007CC300

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,007C5CC5,?,?,?,00000055,?,-00000050,?,?,?), ref: 007D0B25
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,007C5CC5,?,?,?,00000055,?,-00000050,?,?), ref: 007D0B5C

Strings

utf8, xrefs: 007D0C2E
<K~, xrefs: 007D0AD9

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: <K~$utf8
API String ID: 943130320-3768170800
Opcode ID: 92150207089b727fb15ef938c773a6afc43c25687a9273df31a63e1d820538ce
Instruction ID: fbee43acba49900d6029ed24c976495f43bbffcdb8c2e3652553c89c0b6ffaa9
Opcode Fuzzy Hash: 92150207089b727fb15ef938c773a6afc43c25687a9273df31a63e1d820538ce
Instruction Fuzzy Hash: A1512671614305EADB25AB708C4AFB673B8EF48700F14562BF6499B381E67CE980C6F5

Function 007BB845 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 007BB8F9

Strings

MOC, xrefs: 007BB879
RCC, xrefs: 007BB885
csm, xrefs: 007BB891

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 3824898c44c35f3997538246ab89a3b4341ca2c0619ec36588ac5e3e6618bcc6
Instruction ID: bf78df29322a5f13f4883d2039a8c172945ec9c727af2d5212a88048f5adbe8c
Opcode Fuzzy Hash: 3824898c44c35f3997538246ab89a3b4341ca2c0619ec36588ac5e3e6618bcc6
Instruction Fuzzy Hash: 1121B375904609EFDF349F64C445BEEB7A8EF40310F144A1EEC0197291DBBCAA41CB91

Function 007BF20D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,007B25EA,?,?,00000000), ref: 007BF219
GetExitCodeThread.KERNEL32(?,00000000,?,?,007B25EA,?,?,00000000), ref: 007BF232
CloseHandle.KERNEL32(?,?,?,007B25EA,?,?,00000000), ref: 007BF244

Strings

%{, xrefs: 007BF224

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: %{
API String ID: 2551024706-3407211727
Opcode ID: b1eb76a8b68f4239d988f297864ec96414cf55a340aa0d7443acf7afd9c8aa0b
Instruction ID: fef6d03afea22c85fdbcc0e922d2f528a2a2e17b56f04e89a514daa8c41a46ac
Opcode Fuzzy Hash: b1eb76a8b68f4239d988f297864ec96414cf55a340aa0d7443acf7afd9c8aa0b
Instruction Fuzzy Hash: 2BF05E35655115AFDF108F64DD06BED3B64FB05B70F244320F925EA2E0E739ED408694

Function 007D6A30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007D6ACC,00000000,?,007ED2B0,?,?,?,007D6A03,00000004,InitializeCriticalSectionEx,007E0D44,007E0D4C), ref: 007D6A3D
GetLastError.KERNEL32(?,007D6ACC,00000000,?,007ED2B0,?,?,?,007D6A03,00000004,InitializeCriticalSectionEx,007E0D44,007E0D4C,00000000,?,007CBCAC), ref: 007D6A47
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007D6A6F

Strings

api-ms-, xrefs: 007D6A54

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: cd86f67648c6c78155d358e64c4effbfeee8ae70a31b20131acb729899516352
Instruction ID: 8e1440b8c65adb3b38a4a8b112ff823a16a572b090a0a20b5826afd5da548ef9
Opcode Fuzzy Hash: cd86f67648c6c78155d358e64c4effbfeee8ae70a31b20131acb729899516352
Instruction Fuzzy Hash: 48E04870380244FBDF215B61DC46B293B789B64B91F50C021F9CCB85F0D7ADD8148555

Function 007D408E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BF3CFDEB,00000000,00000000,?), ref: 007D40F1

Part of subcall function 007CC111: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007CD985,?,00000000,-00000008), ref: 007CC172

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007D4343
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007D4389
GetLastError.KERNEL32 ref: 007D442C

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: b4c9a23cb983038724bf96d5de2375a9f761f5280dbf4195ad1d236e72a87989
Instruction ID: 11f04dd4051328df14eb4c12ad0f2395895aa0e24b81a9e4d8c0b958f76c464f
Opcode Fuzzy Hash: b4c9a23cb983038724bf96d5de2375a9f761f5280dbf4195ad1d236e72a87989
Instruction Fuzzy Hash: 7BD16A75D012989FCF15CFE8C884AEDBBB5FF09314F24812AE856EB352D634A942CB50

Function 007CB385 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 007CB44C
___AdjustPointer.LIBCMT ref: 007CB46F
___AdjustPointer.LIBCMT ref: 007CB50B

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 77d664a51141263506135266058da47d38d25787a208a17b601212ad3aa9bd26
Instruction ID: 62f76c7501159f61b4ce3bbfeaf8d9453da60486fa42c6b8bcc6ecc20d1bb8c7
Opcode Fuzzy Hash: 77d664a51141263506135266058da47d38d25787a208a17b601212ad3aa9bd26
Instruction Fuzzy Hash: 5D51E272A09A82DFDB288F54E856FAA77A4EF44310F14456DFD0687292D73DEE40CB90

Function 007B73C0 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007B7465
std::_Throw_Cpp_error.LIBCPMT ref: 007B7535
std::_Throw_Cpp_error.LIBCPMT ref: 007B7543
std::_Throw_Cpp_error.LIBCPMT ref: 007B7551

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 823eec816b9abd583dbb4c74d15e2a1d607ba4ce4c326eabeafb252919b01226
Instruction ID: beb981891790f5c723c116a085ede9b5c568519eff8608f2ff26dabf82fafb79
Opcode Fuzzy Hash: 823eec816b9abd583dbb4c74d15e2a1d607ba4ce4c326eabeafb252919b01226
Instruction Fuzzy Hash: 284109B1904345DBCB24EF64C8457DAB7B5FF84320F144639E45A57BA2EB38E811CB91

Function 007B4600 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007B4635
std::_Lockit::_Lockit.LIBCPMT ref: 007B4652
std::_Lockit::~_Lockit.LIBCPMT ref: 007B4673
std::_Lockit::~_Lockit.LIBCPMT ref: 007B4720

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 33e803c735801c26ce442b8f5cd8f43fa072f23c2c921291b37ba1c624b3a715
Instruction ID: 9edf45ee35f69b8d8fe3acafe9757c4dbdfd2252e9f9b41d4479033d91455b41
Opcode Fuzzy Hash: 33e803c735801c26ce442b8f5cd8f43fa072f23c2c921291b37ba1c624b3a715
Instruction Fuzzy Hash: E54159B5D00258DFCB15EF94D885BEEBBB1FB49324F048219D8156B392DB38A941CFA1

Function 007D1EB6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 007CC111: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007CD985,?,00000000,-00000008), ref: 007CC172

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 007D1F1A
__dosmaperr.LIBCMT ref: 007D1F21
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 007D1F5B
__dosmaperr.LIBCMT ref: 007D1F62

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: e2f4ffe517d494d210bca7effbadb10c42fec3f45542a0f8b5efaea310dc7e46
Instruction ID: 40ee349d5552a5f501b807919b7bbf6d97168e574f3ef893affa1bdaef413497
Opcode Fuzzy Hash: e2f4ffe517d494d210bca7effbadb10c42fec3f45542a0f8b5efaea310dc7e46
Instruction Fuzzy Hash: 14218371605219FF9B20AF65C885D6BB7B9FF04364790851EF89997251EB39EC00CBA0

Function 007C2C92 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5a864e8f08d57d55d061f8bcab54937568f3236cfe82176687bf29d9ee86ff
Instruction ID: 639507dc930bd6a69ad3ee78ee7267858540f36de327bba417e7fce5b3b228ea
Opcode Fuzzy Hash: fc5a864e8f08d57d55d061f8bcab54937568f3236cfe82176687bf29d9ee86ff
Instruction Fuzzy Hash: 3B21A171304209EFCB20AF75CC85F6A77A8EF64364710452DF91AD7162EB38EC028B60

Function 007D32AE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007D32B6

Part of subcall function 007CC111: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007CD985,?,00000000,-00000008), ref: 007CC172

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007D32EE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007D330E

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 124bc09543b8df9f1eec9234406024ad45a23eb79137f64ca9270e318eb8ca75
Instruction ID: 9f0ab662ba895cde7a220411cfeb5e01d38391e3d8ccd379285b818266a4f707
Opcode Fuzzy Hash: 124bc09543b8df9f1eec9234406024ad45a23eb79137f64ca9270e318eb8ca75
Instruction Fuzzy Hash: EE11C4B1501155BFB71127765D8EDBF6A6CDEA83E4720442DF405D5201FF2CEE4086B6

Function 007BE982 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BE989
std::_Lockit::_Lockit.LIBCPMT ref: 007BE993
int.LIBCPMT ref: 007BE9AA

Part of subcall function 007BC2D5: std::_Lockit::_Lockit.LIBCPMT ref: 007BC2E6
Part of subcall function 007BC2D5: std::_Lockit::~_Lockit.LIBCPMT ref: 007BC300

std::_Lockit::~_Lockit.LIBCPMT ref: 007BEA04

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 47faae1335e305a82c9dd4012d075f05c746a89bea4b42ddba6af40b4445b8f0
Instruction ID: ad59b6c36033800c0cbef70f85b9be15bb9b2ab6e36c9c3274d42d0f55a924f6
Opcode Fuzzy Hash: 47faae1335e305a82c9dd4012d075f05c746a89bea4b42ddba6af40b4445b8f0
Instruction Fuzzy Hash: A211E175900215DBCB06EBA4C889BFD7B72BF54720F254419E4116B382DF7CAE41CB81

Function 007DAE90 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000), ref: 007DAEA7
GetLastError.KERNEL32(?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000,?,?,?,007D3DC6,00000000), ref: 007DAEB3

Part of subcall function 007DAF10: CloseHandle.KERNEL32(FFFFFFFE,007DAEC3,?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000,?,?), ref: 007DAF20

___initconout.LIBCMT ref: 007DAEC3

Part of subcall function 007DAEE5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007DAE81,007DA3CC,?,?,007D4480,?,00000000,00000000,?), ref: 007DAEF8

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000,?), ref: 007DAED8

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8dc6b649676f32b4f98a0edf740108d9d86c5a5697f7747170e7b53eb1c6410c
Instruction ID: 422bd34e025edbfe62506c18b1b69d649a81d2f664194903ee4ed0a2585f6fe3
Opcode Fuzzy Hash: 8dc6b649676f32b4f98a0edf740108d9d86c5a5697f7747170e7b53eb1c6410c
Instruction Fuzzy Hash: 4CF01C36101158BBCF225FD1DC4999A3F26FF587B0B008011FA1889230C6368920EBA5

Function 007C05E5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 007C05F7
GetCurrentThreadId.KERNEL32 ref: 007C0606
GetCurrentProcessId.KERNEL32 ref: 007C060F
QueryPerformanceCounter.KERNEL32(?), ref: 007C061C

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: afdbd6503e3270154f43a41b0eff15be56ed0faafb22c658cf6d65a09da7ead2
Instruction ID: 6af5e4b25f484593751117c483177df9d1f9df847be84c1db50336e1d53a0d0b
Opcode Fuzzy Hash: afdbd6503e3270154f43a41b0eff15be56ed0faafb22c658cf6d65a09da7ead2
Instruction Fuzzy Hash: 78F06774D1120DEBCF00DBB4D98999EB7F4FF2C244BA18596A412EB150E734A744DB54

Function 007B35D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007B36CB

Strings

M5{, xrefs: 007B35DD
M5{, xrefs: 007B366F

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID: M5{$M5{
API String ID: 2659868963-1358020863
Opcode ID: e27dd29b68acbbca234b95a1206dd84991626d4dfef24ce647401dfc8a3397d4
Instruction ID: c3ca533521e1f98f2ac31693493ddafc2a95e33f95bebfe18755fa64c11ee5c8
Opcode Fuzzy Hash: e27dd29b68acbbca234b95a1206dd84991626d4dfef24ce647401dfc8a3397d4
Instruction Fuzzy Hash: 0841C2B1D00204DFCB14DF64D884AEEBBB5EF89304F14852DE8159B342E739EA85CB91

Function 007CBA82 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,007CB983,?,?,00000000,00000000,00000000,?), ref: 007CBAA7

Strings

RCC, xrefs: 007CBAC1
MOC, xrefs: 007CBAB9

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9d50a820f7fe7d1c6a382dff79f05544e55aa8c8b3762755812ce7f1d88022ed
Instruction ID: 8631f445f28f216bfc12539e1934017f6b2b33f7489a716606808808f9e21130
Opcode Fuzzy Hash: 9d50a820f7fe7d1c6a382dff79f05544e55aa8c8b3762755812ce7f1d88022ed
Instruction Fuzzy Hash: B4412571900209EFCF16DFA8CC82EAEBBB5AF48304F14815DF905A6265D339AD60DB91

Function 007B3460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 007B34A2

Strings

ios_base::badbit set, xrefs: 007B3465
c={, xrefs: 007B346B, 007B34A1, 007B34CA

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: _strlen
String ID: c={$ios_base::badbit set
API String ID: 4218353326-3175735026
Opcode ID: 64b9084948d3bc2d038a9c444d097e62241504e2d9472a9ffcc66c4eaa483f46
Instruction ID: ca47d93752396ebd7566d381fd1056836c8cfe3ff0d496960f99310d00635724
Opcode Fuzzy Hash: 64b9084948d3bc2d038a9c444d097e62241504e2d9472a9ffcc66c4eaa483f46
Instruction Fuzzy Hash: 8641C8B2D00258DBCB10EF64DC85BDEBBB5EF58310F150629F805A7241E7399A94C7A1

Function 007B4030 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007B4066
std::_Lockit::~_Lockit.LIBCPMT ref: 007B41A2

Part of subcall function 007BAD65: _Yarn.LIBCPMT ref: 007BAD85
Part of subcall function 007BAD65: _Yarn.LIBCPMT ref: 007BADA9

Strings

bad locale name, xrefs: 007B40E6

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 194659fcae5d2e69ed08ad83f6803284d6f1f69d1c2fd2886e110c1845f6bb37
Instruction ID: 1b78a2a3b6906c94312acdc9616417e74a5301d10fb56d64d4de657b200f954e
Opcode Fuzzy Hash: 194659fcae5d2e69ed08ad83f6803284d6f1f69d1c2fd2886e110c1845f6bb37
Instruction Fuzzy Hash: 38416EF0A007499BDB10DF69D909B57BBE8BF14704F04462CE80997781E37AE518CBE2

Function 007CB2EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 007CB565

Strings

csm, xrefs: 007CB587
csm, xrefs: 007CB5F8

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d151c3a56505a7b15f597e6afd917df563bdd4eadb142599f16681cacc18c0cd
Instruction ID: ab604bf1968eef2adb391a50c74646453adc636e40b7cb34e9f30c2f924a9206
Opcode Fuzzy Hash: d151c3a56505a7b15f597e6afd917df563bdd4eadb142599f16681cacc18c0cd
Instruction Fuzzy Hash: 9F31E472400219EBCF224F50D886E6A7B66FF09315F18415EF85459111D33ADC75DB81

Function 007BB921 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 007BB9A9
RaiseException.KERNEL32(?,?,?,?,?), ref: 007BB9CE

Part of subcall function 007C06FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,007BF444,0292F2F8,?,?,?,007BF444,007B3EEA,007E75AC,007B3EEA), ref: 007C075D

Part of subcall function 007C8443: IsProcessorFeaturePresent.KERNEL32(00000017,007CC314), ref: 007C845F

Strings

csm, xrefs: 007BB95D

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: c52d9c29a312b92de24d04ec67b5906f294f176ce6c80baf2d1c5a506179eb32
Instruction ID: 0ced1c29c4744beaa41ad048a71055ca60051cb9647a9166d54ad127a4d0d053
Opcode Fuzzy Hash: c52d9c29a312b92de24d04ec67b5906f294f176ce6c80baf2d1c5a506179eb32
Instruction Fuzzy Hash: 7D216A31D00218EBCF24DF95C94ABEEB7B9AF44710F580419EA05AB250CBB8BD45CB81

Function 007BB555 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007B2853

Strings

ios_base::badbit set, xrefs: 007B2830
bad array new length, xrefs: 007B2806

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 21e305c281de7d14e84839546adf9885f13a118daea0299ba1123ba297ac52fb
Instruction ID: 921085d330ac7377a2452fc87d88d6b9dd499ab5c5b2f9030be83d58706f8bb4
Opcode Fuzzy Hash: 21e305c281de7d14e84839546adf9885f13a118daea0299ba1123ba297ac52fb
Instruction Fuzzy Hash: 5001B1F26093019BD7149F18D816B5B7BE8AF48318F01882DF5598B301D779E8058BC2

Function 007B27F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007C06FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,007BF444,0292F2F8,?,?,?,007BF444,007B3EEA,007E75AC,007B3EEA), ref: 007C075D

___std_exception_copy.LIBVCRUNTIME ref: 007B2853

Strings

ios_base::badbit set, xrefs: 007B2830
bad array new length, xrefs: 007B2806

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: 72d6dc5f3a63853cf8f6d860f8f63c2e7ab48a32fc4ab18100fec339d14965bc
Instruction ID: 78d07f85c3b42af48b81ce4e66727dd7a9a1280e961ee5f90100fb5b7fb048c4
Opcode Fuzzy Hash: 72d6dc5f3a63853cf8f6d860f8f63c2e7ab48a32fc4ab18100fec339d14965bc
Instruction Fuzzy Hash: 78F0FEF15193009BD3149F18DC19B4B7FE4EB49358F01882DF5989B301D3B9D8558BD2

Function 007BAD65 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 007BAD85
_Yarn.LIBCPMT ref: 007BADA9

Strings

u.~, xrefs: 007BAD79

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: Yarn
String ID: u.~
API String ID: 1767336200-297871038
Opcode ID: a4cad4368db887458e3ca6103585abb4fd1c5977e310d39e24a982c60c42a7fe
Instruction ID: d76154e3ad7b09fe86cdecc33447d267991cc6e229f7e2e7e87e5d4cf7b7065d
Opcode Fuzzy Hash: a4cad4368db887458e3ca6103585abb4fd1c5977e310d39e24a982c60c42a7fe
Instruction Fuzzy Hash: 68E03922308200BAEB08B666AC1AFB633D8DB04761F10013DFA0A8B9C1EE14EC448691

Function 007BA88F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(007EC690,H={,?,?,007B30E0,007EC668,ios_base::badbit set,?,007B3D48,?,00000001), ref: 007BA89A
ReleaseSRWLockExclusive.KERNEL32(007EC690,?,007B30E0,007EC668,ios_base::badbit set,?,007B3D48,?,00000001), ref: 007BA8D4

Strings

H={, xrefs: 007BA893

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: H={
API String ID: 17069307-754443616
Opcode ID: a978861ff708e516d7e70aa29b2fdcad68595c729a7fbfb1cab6076fb7f20dd5
Instruction ID: a42c485c2c468fce0842454c7a4a4132d3b39e99b84798d20ba8877d119a4cfa
Opcode Fuzzy Hash: a978861ff708e516d7e70aa29b2fdcad68595c729a7fbfb1cab6076fb7f20dd5
Instruction Fuzzy Hash: 13F0EC34501140EFC721AF59DC44BB5B7B4EB8D370F10426EE859476A0C73D2843CB56

Function 007BA5C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BA5C7

Strings

$}, xrefs: 007BA5CC, 007BA5F5
X}, xrefs: 007BA5D1

Memory Dump Source

Source File: 00000000.00000002.2015474634.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2015302812.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015499678.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015639430.00000000007EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015655875.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015678625.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015700410.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015759944.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: $}$X}
API String ID: 431132790-1730515081
Opcode ID: 0819a5e7e9b12ffc275598b2cad033cc2ec4fecd086cfe0bee394e833a813b71
Instruction ID: 181818e8529a7568752a45f1fdfedc3f2258b1b3de110c5d3ca9a0ca500dc77b
Opcode Fuzzy Hash: 0819a5e7e9b12ffc275598b2cad033cc2ec4fecd086cfe0bee394e833a813b71
Instruction Fuzzy Hash: 64E092F4A12345E6CB11EB90890A7EE3D70AB44718F508166E0106A2A1CBBC07408722

Analysis Process: setup.exePID: 6728, Parent PID: 2408COMMON

Non-executed Functions

Function 007D1377 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(00000000,?,007CE67D), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000,?,?,00000028,007C8453), ref: 007CC300

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 007D147F
IsValidCodePage.KERNEL32(00000000), ref: 007D14BD
IsValidLocale.KERNEL32(?,00000001), ref: 007D14D0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 007D1518
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 007D1533

Strings

<K~, xrefs: 007D142C

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: <K~
API String ID: 415426439-1979715347
Opcode ID: 96174edf92905f832e1815028070bdce4554de857c19943b94a3f28931423abe
Instruction ID: 02e6fb25f32e4edc274298c83ed156656e41331755e313200757ca630a53ce90
Opcode Fuzzy Hash: 96174edf92905f832e1815028070bdce4554de857c19943b94a3f28931423abe
Instruction Fuzzy Hash: 3F515271A00249BBEF11DFA4DC85ABA77B8FF48700F94446AF915EB250D7789940C7A0

Function 007B2560 Relevance: 10.6, APIs: 7, Instructions: 82encryptionthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007B25D0

Part of subcall function 007BF20D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,007B25EA,?,?,00000000), ref: 007BF219
Part of subcall function 007BF20D: GetExitCodeThread.KERNEL32(?,00000000,?,?,007B25EA,?,?,00000000), ref: 007BF232
Part of subcall function 007BF20D: CloseHandle.KERNEL32(?,?,?,007B25EA,?,?,00000000), ref: 007BF244

CryptEncrypt.ADVAPI32 ref: 007B2617
CryptDestroyKey.ADVAPI32(00000000), ref: 007B261F
std::_Throw_Cpp_error.LIBCPMT ref: 007B264B
std::_Throw_Cpp_error.LIBCPMT ref: 007B265C
std::_Throw_Cpp_error.LIBCPMT ref: 007B266D
std::_Throw_Cpp_error.LIBCPMT ref: 007B267E

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CryptThread$CloseCodeCurrentDestroyEncryptExitHandleObjectSingleWait
String ID:
API String ID: 1492798345-0
Opcode ID: 579443c5e224bef86a9899a17f6d296b20e775d8d493e0fb044da2bcd301a376
Instruction ID: bd6f5333676778764bfa25686b7a3a21bc8d9659310be327bcf376215347d501
Opcode Fuzzy Hash: 579443c5e224bef86a9899a17f6d296b20e775d8d493e0fb044da2bcd301a376
Instruction Fuzzy Hash: DE3184F1D41349ABEB10EF94CC0ABEEBBB4BB04714F040129E91576681E3B95A44CBE7

Function 007D1AF7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,007D14AD,00000002,00000000,?,?,?,007D14AD,?,00000000), ref: 007D1B90
GetLocaleInfoW.KERNEL32(?,20001004,007D14AD,00000002,00000000,?,?,?,007D14AD,?,00000000), ref: 007D1BB9
GetACP.KERNEL32(?,?,007D14AD,?,00000000), ref: 007D1BCE

Strings

ACP, xrefs: 007D1B15
OCP, xrefs: 007D1B4B

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 2002e89e8d9c0231947759717cb96cbd74d341884650e4ec2a477635c42db440
Instruction ID: 88218d907067f6542980d2b5f0b57cf9e754101fd91c24edbb675ea095ce618a
Opcode Fuzzy Hash: 2002e89e8d9c0231947759717cb96cbd74d341884650e4ec2a477635c42db440
Instruction Fuzzy Hash: EB2198A2B00104BADB358F55C900AA773B7EF54B64BE68467E946D7710F73ADD40C750

Function 007B2060 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007B1240: _strlen.LIBCMT ref: 007B12BA

GetFileSize.KERNEL32(00000000,00000000), ref: 007B20F6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007B211B
CloseHandle.KERNEL32(00000000), ref: 007B212A
_strlen.LIBCMT ref: 007B217D
CloseHandle.KERNEL32(00000000), ref: 007B22AD

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: c292f19e640c265847b9bc7ae5b6f00f4de6cdd55249060783ec699457f48c24
Instruction ID: b5ae4ab70f0045922739233eb9036be4eb01a9eb704f227617fe38fa9b5658e7
Opcode Fuzzy Hash: c292f19e640c265847b9bc7ae5b6f00f4de6cdd55249060783ec699457f48c24
Instruction Fuzzy Hash: 2071C6B2D01208DBCB10DFA4DC457EEBBB4FF48310F150628E814A7392E7399946CBA5

Function 007C9DB0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: 176f836c5507b53d5ae4299a86eb0248853f0b6913986a9bb6a5b87b660dbd60
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: BA022B71E01219ABDF14CFA9C884BAEFBB1FF48314F24826DD919E7341D735AA418B91

Function 007D20D9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D21C9

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9dc0ddff331548f49506772871ef5f604dc4a8e856e533ac1494f426ea0047ef
Instruction ID: 91e25b6fd80a94b82a71a4c09b45a304fbc2610c3374167413625af61a8981b5
Opcode Fuzzy Hash: 9dc0ddff331548f49506772871ef5f604dc4a8e856e533ac1494f426ea0047ef
Instruction Fuzzy Hash: 1371C47190516D9FDF21AF248C8DAAEB7B9AF25300F1481DEE049A7312DB395E878F14

Function 007BF9D9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 007BF9E5
IsDebuggerPresent.KERNEL32 ref: 007BFAB1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007BFACA
UnhandledExceptionFilter.KERNEL32(?), ref: 007BFAD4

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0868c0c7ddc21f05d84c985121b168f454032ee750c0f88c28ccff8ba66d9c99
Instruction ID: b7b7cc8f394eb5ce35d45e419474d645048db4cdbbd09ab577f64bf15a057a62
Opcode Fuzzy Hash: 0868c0c7ddc21f05d84c985121b168f454032ee750c0f88c28ccff8ba66d9c99
Instruction Fuzzy Hash: 2531F975D01218DBDF21DFA4DD897CDBBB8AF08740F1041AAE40CAB250EB759A858F45

Function 007CCFFB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,007CD10A,007B1170,007BABA8,?,?), ref: 007CD0BC

Strings

api-ms-, xrefs: 007CD052
ext-ms-, xrefs: 007CD066
J>{, xrefs: 007CD004

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: FreeLibrary
String ID: J>{$api-ms-$ext-ms-
API String ID: 3664257935-1697914146
Opcode ID: 0aab26ab86a24161e18fd657e55bea8e879ed064bce41010b78c3c97ba2d534b
Instruction ID: b0f4828ad1927e6a817aa76a64019befa5c093c34d5948b51be80811290696b0
Opcode Fuzzy Hash: 0aab26ab86a24161e18fd657e55bea8e879ed064bce41010b78c3c97ba2d534b
Instruction Fuzzy Hash: B521EB31B02251EBC7319B69EC85F5A3768DB957A0F25413CE905AB290E73CED41C6E0

Function 007DABD2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,007DABBD,?,?,?,?,?,?,?,?,?,?), ref: 007DAC78
__alloca_probe_16.LIBCMT ref: 007DAD33
__alloca_probe_16.LIBCMT ref: 007DADC2
__freea.LIBCMT ref: 007DAE0D
__freea.LIBCMT ref: 007DAE13
__freea.LIBCMT ref: 007DAE49
__freea.LIBCMT ref: 007DAE4F
__freea.LIBCMT ref: 007DAE5F

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: a4a1cfe87018aa9ed87ef238dee5708c1c0bde5c7207b1a637bc1993864b32ee
Instruction ID: 583ad1b51c8979a7d73a9bdfb9062ae91ed2078cc923563be427f49435253eff
Opcode Fuzzy Hash: a4a1cfe87018aa9ed87ef238dee5708c1c0bde5c7207b1a637bc1993864b32ee
Instruction Fuzzy Hash: FC71A372A00246BBDF219F548C46BAF7BB5BF45720F29045BE908A7382E63DDD40C762

Function 007BFF19 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 007BFF60
__alloca_probe_16.LIBCMT ref: 007BFF8C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 007BFFCB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007BFFE8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007C0027
__alloca_probe_16.LIBCMT ref: 007C0044
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 007C0086
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 007C00A9

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 0e3118e07d703946271e4ffed884ccc8a7682eab6c47b3224649b17364c798de
Instruction ID: 0774d2a2e602861c8bb4fd9bf30e1122e5c52497496a118990db0989ae3e1fe7
Opcode Fuzzy Hash: 0e3118e07d703946271e4ffed884ccc8a7682eab6c47b3224649b17364c798de
Instruction Fuzzy Hash: 47519F72601206EFEF219F60CC49FAA7BA9EF44B51F15442DF9149A190DB388D90CBE0

Function 007CEF66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007CEFEC

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: d6dd01c7ea167fd46c5c418fb3bc0a06041722042ba6b96c6c370f776286e516
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: EEB14772A00259DFDB118F68CC81FAE7BB6EF59710F18416EE904AB382D7789941C7A1

Function 007B7580 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 007B76C6
___std_exception_copy.LIBVCRUNTIME ref: 007B7701

Part of subcall function 007BB0D7: CreateThreadpoolWork.KERNEL32(007BB200,007B8BCA,00000000,00000000,?,007B8BCA,?,?,?,?), ref: 007BB0E6
Part of subcall function 007BB0D7: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 007BB0F3

Strings

Fail to schedule the chore!, xrefs: 007B7700
W.~, xrefs: 007B76F1
,q{`w{, xrefs: 007B758C
`w{, xrefs: 007B75F5, 007B7659, 007B7628

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: ,q{`w{$Fail to schedule the chore!$W.~$`w{
API String ID: 3683891980-2781824576
Opcode ID: ab854a49b0adf9436048daa67034abb1525d21a2f24970684d19b6a12c2551a4
Instruction ID: cd744c43f27f044f01e27378c5b5daedd0e9e1e45eaaa228cc5e4f8c06345a8c
Opcode Fuzzy Hash: ab854a49b0adf9436048daa67034abb1525d21a2f24970684d19b6a12c2551a4
Instruction Fuzzy Hash: C3519EB4D01208DFCB14DF94D885BEEBBB4FF88324F144129E8196B391D779AA05CB91

Function 007C0E30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007C0E67
___except_validate_context_record.LIBVCRUNTIME ref: 007C0E6F
_ValidateLocalCookies.LIBCMT ref: 007C0EF8
__IsNonwritableInCurrentImage.LIBCMT ref: 007C0F23
_ValidateLocalCookies.LIBCMT ref: 007C0F78

Strings

csm, xrefs: 007C0F0D

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 48fb1389e54ea49643bf30a3fb481d8a1382638eafe79d71cb9f94d86eba3264
Instruction ID: eff4521041f910a3d8a7d73a543d1047832499cf6d3a96901c27c859099f352d
Opcode Fuzzy Hash: 48fb1389e54ea49643bf30a3fb481d8a1382638eafe79d71cb9f94d86eba3264
Instruction Fuzzy Hash: 8241AE34A00219DBCF20EF68C885F9EBBA5AF44324F14855DF815AB392C739EA41CBD5

Function 007B3E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007B3E45
std::_Lockit::_Lockit.LIBCPMT ref: 007B3E5F
std::_Lockit::~_Lockit.LIBCPMT ref: 007B3E80
__Getctype.LIBCPMT ref: 007B3F32
std::_Lockit::~_Lockit.LIBCPMT ref: 007B3F78

Strings

u.~, xrefs: 007B3F07

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID: u.~
API String ID: 3087743877-297871038
Opcode ID: 281fc76243c4186e87641dd26096bcc5bc26d7da22715071585964d0e4377e4d
Instruction ID: 187081ebbdfac474779326030352f72573e0f5709433de0e893a66c1b4a5fd02
Opcode Fuzzy Hash: 281fc76243c4186e87641dd26096bcc5bc26d7da22715071585964d0e4377e4d
Instruction Fuzzy Hash: 4A4148B5D01258DFCB15EF94C845BEEBBB1FB48720F048119E8256B391DB38A941CB91

Function 007C0170 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007C0176
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 007C0184
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 007C0195

Strings

GetSystemTimePreciseAsFileTime, xrefs: 007C017E
GetTempPath2W, xrefs: 007C018A
kernel32.dll, xrefs: 007C0171

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 1449a70b8dff04b9fc552fd4babd62e7f8786f54d6e2c7694dac79657a5a18e1
Instruction ID: 13fadb767708d58e47a35cf9c895dbebb34ca7a2dc69c748737d1211eddfc398
Opcode Fuzzy Hash: 1449a70b8dff04b9fc552fd4babd62e7f8786f54d6e2c7694dac79657a5a18e1
Instruction Fuzzy Hash: 4DD05EB65132E06B87105F797C5C8853AA5FA1C66031280A1F841DB234DB7C241186AC

Function 007D5071 Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1994b52b04f6fb71545f9e4b7737b412fff46e497d18db9bbad7fceea80deeba
Instruction ID: 4e00994454ba5742cc4d0e248bf7bfef6f7c1e7a0a6c11f7dba983b713fa1dba
Opcode Fuzzy Hash: 1994b52b04f6fb71545f9e4b7737b412fff46e497d18db9bbad7fceea80deeba
Instruction Fuzzy Hash: 48B1E474A08A49EFDB15CFA8C885BAD7BB1BF59344F14415AE4019B392CBB89D41CFA0

Function 007B9CD0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 007B9E37
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E48
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E5C
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E7D
std::_Throw_Cpp_error.LIBCPMT ref: 007B9E8E
std::_Throw_Cpp_error.LIBCPMT ref: 007B9EA6

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: e262b26a8daa59cfeedd56af1aa3edcc8e77f7a22b840d9d8c5bb5ca74096dea
Instruction ID: 9e1fb9fc28b9db8d4ed19dd98a52959a779d51c8663ceb5b41e17bc771521bc5
Opcode Fuzzy Hash: e262b26a8daa59cfeedd56af1aa3edcc8e77f7a22b840d9d8c5bb5ca74096dea
Instruction Fuzzy Hash: 7D41C7B1A00744DBDB30DF65894A7EBB7B8BF45720F14062DE77A262D2D778A500CB52

Function 007CADD7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007CADCE,007C0850,007BB86F,BB40E64E,?,?,?,?,007DC0BA,000000FF), ref: 007CADE5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007CADF3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007CAE0C
SetLastError.KERNEL32(00000000,?,007CADCE,007C0850,007BB86F,BB40E64E,?,?,?,?,007DC0BA,000000FF), ref: 007CAE5E

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f026659fe70ec3c8231ca1fcc731505e0538dfbbdff2656176abf7c151ad032
Instruction ID: be8c80cea46e1837d778f9af77f040d9f026680790820c84d441ec56fb6a8154
Opcode Fuzzy Hash: 0f026659fe70ec3c8231ca1fcc731505e0538dfbbdff2656176abf7c151ad032
Instruction Fuzzy Hash: 7901DD3220776AED9A1427757CCAE172BA4D715F79720432EF210491E2EF1D6C025185

Function 007CB65E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 007CB77D
CallUnexpected.LIBVCRUNTIME ref: 007CB9F6

Strings

csm, xrefs: 007CB69B
csm, xrefs: 007CB7B4
csm, xrefs: 007CB708

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: da0b2b08e3f00aea3257173ee669fd4190d2c48dadbc3e885b7e1b62d83eeaec
Instruction ID: 85909ce820f404e088b5f5215780ce881f216b7dfeda67938dd97e488f14b6f9
Opcode Fuzzy Hash: da0b2b08e3f00aea3257173ee669fd4190d2c48dadbc3e885b7e1b62d83eeaec
Instruction Fuzzy Hash: 2FB18771800209EFCF19DFA4C886EAEBBB8BF44315F10455EF9056B216D739EA51CB92

Function 007BBF85 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 007BC034
std::_Ref_count_base::_Decref.LIBCPMT ref: 007BC118

Strings

csm, xrefs: 007BBFA7
RCC, xrefs: 007BBF9B
MOC, xrefs: 007BBF8F

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 9917c5a5d2ce1aa4724e706e2c676ce35817b1de56981c6a475b836109e3a520
Instruction ID: f26924683f6a369250d483c30be04ac6d3e89e51926ac9f1e079baae85b0d4d9
Opcode Fuzzy Hash: 9917c5a5d2ce1aa4724e706e2c676ce35817b1de56981c6a475b836109e3a520
Instruction Fuzzy Hash: 0A419C74901209DFCF25EF68C949BEEB7B5FF48300B58816DE845AB252C77CAA44CB51

Function 007C56B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,007DBF84,000000FF,?,007C5775,?,?,007C5811,00000000), ref: 007C56E9
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,007DBF84,000000FF,?,007C5775,?,?,007C5811,00000000), ref: 007C56FB
FreeLibrary.KERNEL32(00000000,?,?,00000000,007DBF84,000000FF,?,007C5775,?,?,007C5811,00000000), ref: 007C571D

Strings

mscoree.dll, xrefs: 007C56E2
CorExitProcess, xrefs: 007C56F3

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b83a3aea42cf8c9350db9fa0aab90ec49b5d0cdd0445d9f1504376d2cd84411f
Instruction ID: 725c0508ac8f064476c394a750aae53dc08ddf555f0ba26001eed99c96da8d39
Opcode Fuzzy Hash: b83a3aea42cf8c9350db9fa0aab90ec49b5d0cdd0445d9f1504376d2cd84411f
Instruction Fuzzy Hash: FE01DB71941659EFDB018F54CC45FAEB7B8FB08B65F00452DF811E62A0DB7DA940CAA0

Function 007CD7DA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 007CD85F
__alloca_probe_16.LIBCMT ref: 007CD928
__freea.LIBCMT ref: 007CD98F

Part of subcall function 007CC001: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,007BA81D,00000018,?,007B3EEA,00000018,00000000), ref: 007CC033

__freea.LIBCMT ref: 007CD9A2
__freea.LIBCMT ref: 007CD9AF

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: ecefecd61cf6936c037c86726d3e1cb98b2690daf73fe2142e9fd32b22a71cce
Instruction ID: cf0aec47cfccd52de29d1d1c6bfcbc7f4b6c95ed062270876564f67316498e0d
Opcode Fuzzy Hash: ecefecd61cf6936c037c86726d3e1cb98b2690daf73fe2142e9fd32b22a71cce
Instruction Fuzzy Hash: 6851B176600206AFEB31AF64CC85FBB7BA9DF84710B25043DFD48DA111EB79EC5096A1

Function 007BF0E1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,007BF0BE,007B8FD0,00000000,?,007B8FD0,007BA490), ref: 007BF0F5
AcquireSRWLockExclusive.KERNEL32(007B8FD8), ref: 007BF114
AcquireSRWLockExclusive.KERNEL32(007B8FD8,007BA490,?), ref: 007BF142
TryAcquireSRWLockExclusive.KERNEL32(007B8FD8,007BA490,?), ref: 007BF19D
TryAcquireSRWLockExclusive.KERNEL32(007B8FD8,007BA490,?), ref: 007BF1B4

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 093ba42a1b8f021bb380f2c553bd7b8aff73f668484f98457ae83236d27d61d5
Instruction ID: 4a3d333910a1512927cd54c5e1315977bed91085710d31cac8e4a49177f4ea9c
Opcode Fuzzy Hash: 093ba42a1b8f021bb380f2c553bd7b8aff73f668484f98457ae83236d27d61d5
Instruction Fuzzy Hash: 9341383560060EDBCB24CF68CC84AEAB3B5FF08B50B60893AE456D7A50D738E985CB51

Function 007BD5B2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BD5B9
std::_Lockit::_Lockit.LIBCPMT ref: 007BD5C3
int.LIBCPMT ref: 007BD5DA

Part of subcall function 007BC2D5: std::_Lockit::_Lockit.LIBCPMT ref: 007BC2E6
Part of subcall function 007BC2D5: std::_Lockit::~_Lockit.LIBCPMT ref: 007BC300

codecvt.LIBCPMT ref: 007BD5FD
std::_Lockit::~_Lockit.LIBCPMT ref: 007BD634

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: ac39996b398e287b2367e4ad96f65ae6669c3897167ff1900e05b5232b573677
Instruction ID: 050e2093fb3a44676b141f968bfe31cf9bff249979ea74ee5ed4bec5fe02e1ed
Opcode Fuzzy Hash: ac39996b398e287b2367e4ad96f65ae6669c3897167ff1900e05b5232b573677
Instruction Fuzzy Hash: F201D275900115DFCB16EBA8C94ABEE77B1BF94324F144419F810AB381EF7C9E018B91

Function 007BAF77 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BAF7E
std::_Lockit::_Lockit.LIBCPMT ref: 007BAF89
std::_Lockit::~_Lockit.LIBCPMT ref: 007BAFF7

Part of subcall function 007BAE4A: std::locale::_Locimp::_Locimp.LIBCPMT ref: 007BAE62

std::locale::_Setgloballocale.LIBCPMT ref: 007BAFA4
_Yarn.LIBCPMT ref: 007BAFBA

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: c706e648eaac73f80a0597deae2af81d19c1f88a651c0d28dd28002909d4124c
Instruction ID: 7fdfe7a4e9363e430d6382797656011033807d236fc11c1f0d528f9e3271d403
Opcode Fuzzy Hash: c706e648eaac73f80a0597deae2af81d19c1f88a651c0d28dd28002909d4124c
Instruction Fuzzy Hash: 240184B9602251EFCB06FB20C89AABD7765FF88750B144049E8115B381DF7CAE42CF86

Function 007B1800 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 007B1833

Strings

ios_base::badbit set, xrefs: 007B1CAA, 007B1CD0
ios_base::failbit set, xrefs: 007B1C9F
ios_base::eofbit set, xrefs: 007B1C9A

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: dab466342d5ee02fde74796936b1075413e321f93e0377e33907c8a4da7477bc
Instruction ID: 0d6901081f940b0654c0500fc5a33fbb859c04115e0dbe78783dc935bab6f3ba
Opcode Fuzzy Hash: dab466342d5ee02fde74796936b1075413e321f93e0377e33907c8a4da7477bc
Instruction Fuzzy Hash: BAF14E75A01654CFCB14CF68C494BADBBF2FF48324F598269E815AB391D738AD41CB90

Function 007D0A66 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 007CC25A: GetLastError.KERNEL32(00000000,?,007CE67D), ref: 007CC25E
Part of subcall function 007CC25A: SetLastError.KERNEL32(00000000,?,?,00000028,007C8453), ref: 007CC300

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,007C5CC5,?,?,?,00000055,?,-00000050,?,?,?), ref: 007D0B25
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,007C5CC5,?,?,?,00000055,?,-00000050,?,?), ref: 007D0B5C

Strings

<K~, xrefs: 007D0AD9
utf8, xrefs: 007D0C2E

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: <K~$utf8
API String ID: 943130320-3768170800
Opcode ID: 82c25351c73521fc7de0d80bc253161141bd00ec1f8e2fa0d800af240accb9dc
Instruction ID: fbee43acba49900d6029ed24c976495f43bbffcdb8c2e3652553c89c0b6ffaa9
Opcode Fuzzy Hash: 82c25351c73521fc7de0d80bc253161141bd00ec1f8e2fa0d800af240accb9dc
Instruction Fuzzy Hash: A1512671614305EADB25AB708C4AFB673B8EF48700F14562BF6499B381E67CE980C6F5

Function 007BB845 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 007BB8F9

Strings

csm, xrefs: 007BB891
MOC, xrefs: 007BB879
RCC, xrefs: 007BB885

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 3824898c44c35f3997538246ab89a3b4341ca2c0619ec36588ac5e3e6618bcc6
Instruction ID: bf78df29322a5f13f4883d2039a8c172945ec9c727af2d5212a88048f5adbe8c
Opcode Fuzzy Hash: 3824898c44c35f3997538246ab89a3b4341ca2c0619ec36588ac5e3e6618bcc6
Instruction Fuzzy Hash: 1121B375904609EFDF349F64C445BEEB7A8EF40310F144A1EEC0197291DBBCAA41CB91

Function 007BF20D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,007B25EA,?,?,00000000), ref: 007BF219
GetExitCodeThread.KERNEL32(?,00000000,?,?,007B25EA,?,?,00000000), ref: 007BF232
CloseHandle.KERNEL32(?,?,?,007B25EA,?,?,00000000), ref: 007BF244

Strings

%{, xrefs: 007BF224

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: %{
API String ID: 2551024706-3407211727
Opcode ID: b1eb76a8b68f4239d988f297864ec96414cf55a340aa0d7443acf7afd9c8aa0b
Instruction ID: fef6d03afea22c85fdbcc0e922d2f528a2a2e17b56f04e89a514daa8c41a46ac
Opcode Fuzzy Hash: b1eb76a8b68f4239d988f297864ec96414cf55a340aa0d7443acf7afd9c8aa0b
Instruction Fuzzy Hash: 2BF05E35655115AFDF108F64DD06BED3B64FB05B70F244320F925EA2E0E739ED408694

Function 007D6A30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007D6ACC,00000000,?,007ED2B0,?,?,?,007D6A03,00000004,InitializeCriticalSectionEx,007E0D44,007E0D4C), ref: 007D6A3D
GetLastError.KERNEL32(?,007D6ACC,00000000,?,007ED2B0,?,?,?,007D6A03,00000004,InitializeCriticalSectionEx,007E0D44,007E0D4C,00000000,?,007CBCAC), ref: 007D6A47
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007D6A6F

Strings

api-ms-, xrefs: 007D6A54

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: cd86f67648c6c78155d358e64c4effbfeee8ae70a31b20131acb729899516352
Instruction ID: 8e1440b8c65adb3b38a4a8b112ff823a16a572b090a0a20b5826afd5da548ef9
Opcode Fuzzy Hash: cd86f67648c6c78155d358e64c4effbfeee8ae70a31b20131acb729899516352
Instruction Fuzzy Hash: 48E04870380244FBDF215B61DC46B293B789B64B91F50C021F9CCB85F0D7ADD8148555

Function 007D408E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 007D40F1

Part of subcall function 007CC111: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007CD985,?,00000000,-00000008), ref: 007CC172

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007D4343
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007D4389
GetLastError.KERNEL32 ref: 007D442C

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: b4c9a23cb983038724bf96d5de2375a9f761f5280dbf4195ad1d236e72a87989
Instruction ID: 11f04dd4051328df14eb4c12ad0f2395895aa0e24b81a9e4d8c0b958f76c464f
Opcode Fuzzy Hash: b4c9a23cb983038724bf96d5de2375a9f761f5280dbf4195ad1d236e72a87989
Instruction Fuzzy Hash: 7BD16A75D012989FCF15CFE8C884AEDBBB5FF09314F24812AE856EB352D634A942CB50

Function 007CB385 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 007CB44C
___AdjustPointer.LIBCMT ref: 007CB46F
___AdjustPointer.LIBCMT ref: 007CB50B

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0d9c43e181de3de89f69d697fecc18cba3f30af176aaf044e5671a8cfbda0ac2
Instruction ID: 62f76c7501159f61b4ce3bbfeaf8d9453da60486fa42c6b8bcc6ecc20d1bb8c7
Opcode Fuzzy Hash: 0d9c43e181de3de89f69d697fecc18cba3f30af176aaf044e5671a8cfbda0ac2
Instruction Fuzzy Hash: 5D51E272A09A82DFDB288F54E856FAA77A4EF44310F14456DFD0687292D73DEE40CB90

Function 007B73C0 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007B7465
std::_Throw_Cpp_error.LIBCPMT ref: 007B7535
std::_Throw_Cpp_error.LIBCPMT ref: 007B7543
std::_Throw_Cpp_error.LIBCPMT ref: 007B7551

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 823eec816b9abd583dbb4c74d15e2a1d607ba4ce4c326eabeafb252919b01226
Instruction ID: beb981891790f5c723c116a085ede9b5c568519eff8608f2ff26dabf82fafb79
Opcode Fuzzy Hash: 823eec816b9abd583dbb4c74d15e2a1d607ba4ce4c326eabeafb252919b01226
Instruction Fuzzy Hash: 284109B1904345DBCB24EF64C8457DAB7B5FF84320F144639E45A57BA2EB38E811CB91

Function 007B4600 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007B4635
std::_Lockit::_Lockit.LIBCPMT ref: 007B4652
std::_Lockit::~_Lockit.LIBCPMT ref: 007B4673
std::_Lockit::~_Lockit.LIBCPMT ref: 007B4720

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 33e803c735801c26ce442b8f5cd8f43fa072f23c2c921291b37ba1c624b3a715
Instruction ID: 9edf45ee35f69b8d8fe3acafe9757c4dbdfd2252e9f9b41d4479033d91455b41
Opcode Fuzzy Hash: 33e803c735801c26ce442b8f5cd8f43fa072f23c2c921291b37ba1c624b3a715
Instruction Fuzzy Hash: E54159B5D00258DFCB15EF94D885BEEBBB1FB49324F048219D8156B392DB38A941CFA1

Function 007D1EB6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 007CC111: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007CD985,?,00000000,-00000008), ref: 007CC172

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 007D1F1A
__dosmaperr.LIBCMT ref: 007D1F21
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 007D1F5B
__dosmaperr.LIBCMT ref: 007D1F62

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 62be81f85f6b4d76f23f18d9b6f89706086c3425842efe1c019d92bcd841e306
Instruction ID: 40ee349d5552a5f501b807919b7bbf6d97168e574f3ef893affa1bdaef413497
Opcode Fuzzy Hash: 62be81f85f6b4d76f23f18d9b6f89706086c3425842efe1c019d92bcd841e306
Instruction Fuzzy Hash: 14218371605219FF9B20AF65C885D6BB7B9FF04364790851EF89997251EB39EC00CBA0

Function 007C2C92 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6026257e7eedeb3157f1d4673d14a15357a5bb3637eec90ebc33762165b2a7c
Instruction ID: 639507dc930bd6a69ad3ee78ee7267858540f36de327bba417e7fce5b3b228ea
Opcode Fuzzy Hash: d6026257e7eedeb3157f1d4673d14a15357a5bb3637eec90ebc33762165b2a7c
Instruction Fuzzy Hash: 3B21A171304209EFCB20AF75CC85F6A77A8EF64364710452DF91AD7162EB38EC028B60

Function 007D32AE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007D32B6

Part of subcall function 007CC111: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007CD985,?,00000000,-00000008), ref: 007CC172

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007D32EE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007D330E

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 2997143dee033ae21f737d249eaebf6155a36f9c867c2ebedce4f99dd5633864
Instruction ID: 9f0ab662ba895cde7a220411cfeb5e01d38391e3d8ccd379285b818266a4f707
Opcode Fuzzy Hash: 2997143dee033ae21f737d249eaebf6155a36f9c867c2ebedce4f99dd5633864
Instruction Fuzzy Hash: EE11C4B1501155BFB71127765D8EDBF6A6CDEA83E4720442DF405D5201FF2CEE4086B6

Function 007BE982 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007BE989
std::_Lockit::_Lockit.LIBCPMT ref: 007BE993
int.LIBCPMT ref: 007BE9AA

Part of subcall function 007BC2D5: std::_Lockit::_Lockit.LIBCPMT ref: 007BC2E6
Part of subcall function 007BC2D5: std::_Lockit::~_Lockit.LIBCPMT ref: 007BC300

std::_Lockit::~_Lockit.LIBCPMT ref: 007BEA04

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 47faae1335e305a82c9dd4012d075f05c746a89bea4b42ddba6af40b4445b8f0
Instruction ID: ad59b6c36033800c0cbef70f85b9be15bb9b2ab6e36c9c3274d42d0f55a924f6
Opcode Fuzzy Hash: 47faae1335e305a82c9dd4012d075f05c746a89bea4b42ddba6af40b4445b8f0
Instruction Fuzzy Hash: A211E175900215DBCB06EBA4C889BFD7B72BF54720F254419E4116B382DF7CAE41CB81

Function 007DAE90 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000), ref: 007DAEA7
GetLastError.KERNEL32(?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000,?,?,?,007D3DC6,00000000), ref: 007DAEB3

Part of subcall function 007DAF10: CloseHandle.KERNEL32(FFFFFFFE,007DAEC3,?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000,?,?), ref: 007DAF20

___initconout.LIBCMT ref: 007DAEC3

Part of subcall function 007DAEE5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007DAE81,007DA3CC,?,?,007D4480,?,00000000,00000000,?), ref: 007DAEF8

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,007DA3DF,00000000,00000001,00000000,?,?,007D4480,?,00000000,00000000,?), ref: 007DAED8

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8dc6b649676f32b4f98a0edf740108d9d86c5a5697f7747170e7b53eb1c6410c
Instruction ID: 422bd34e025edbfe62506c18b1b69d649a81d2f664194903ee4ed0a2585f6fe3
Opcode Fuzzy Hash: 8dc6b649676f32b4f98a0edf740108d9d86c5a5697f7747170e7b53eb1c6410c
Instruction Fuzzy Hash: 4CF01C36101158BBCF225FD1DC4999A3F26FF587B0B008011FA1889230C6368920EBA5

Function 007C05E5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 007C05F7
GetCurrentThreadId.KERNEL32 ref: 007C0606
GetCurrentProcessId.KERNEL32 ref: 007C060F
QueryPerformanceCounter.KERNEL32(?), ref: 007C061C

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: afdbd6503e3270154f43a41b0eff15be56ed0faafb22c658cf6d65a09da7ead2
Instruction ID: 6af5e4b25f484593751117c483177df9d1f9df847be84c1db50336e1d53a0d0b
Opcode Fuzzy Hash: afdbd6503e3270154f43a41b0eff15be56ed0faafb22c658cf6d65a09da7ead2
Instruction Fuzzy Hash: 78F06774D1120DEBCF00DBB4D98999EB7F4FF2C244BA18596A412EB150E734A744DB54

Function 007B35D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007B36CB

Strings

M5{, xrefs: 007B35DD
M5{, xrefs: 007B366F

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID: M5{$M5{
API String ID: 2659868963-1358020863
Opcode ID: 62f2f051956c90a9d73ab40f566a2d10bb08133610ee4ff5f82dd1a5a7d8708d
Instruction ID: c3ca533521e1f98f2ac31693493ddafc2a95e33f95bebfe18755fa64c11ee5c8
Opcode Fuzzy Hash: 62f2f051956c90a9d73ab40f566a2d10bb08133610ee4ff5f82dd1a5a7d8708d
Instruction Fuzzy Hash: 0841C2B1D00204DFCB14DF64D884AEEBBB5EF89304F14852DE8159B342E739EA85CB91

Function 007CBA82 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,007CB983,?,?,00000000,00000000,00000000,?), ref: 007CBAA7

Strings

MOC, xrefs: 007CBAB9
RCC, xrefs: 007CBAC1

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 6e15c510b95098a31b02f71c4a805d0fa2ce200c794a31919cc5f33158f12113
Instruction ID: 8631f445f28f216bfc12539e1934017f6b2b33f7489a716606808808f9e21130
Opcode Fuzzy Hash: 6e15c510b95098a31b02f71c4a805d0fa2ce200c794a31919cc5f33158f12113
Instruction Fuzzy Hash: B4412571900209EFCF16DFA8CC82EAEBBB5AF48304F14815DF905A6265D339AD60DB91

Function 007B3460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 007B34A2

Strings

c={, xrefs: 007B346B, 007B34A1, 007B34CA
ios_base::badbit set, xrefs: 007B3465

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: _strlen
String ID: c={$ios_base::badbit set
API String ID: 4218353326-3175735026
Opcode ID: f58c73a79c4012cef611e74f6bce00daeb4232e1d84ca51a135033efd232a351
Instruction ID: ca47d93752396ebd7566d381fd1056836c8cfe3ff0d496960f99310d00635724
Opcode Fuzzy Hash: f58c73a79c4012cef611e74f6bce00daeb4232e1d84ca51a135033efd232a351
Instruction Fuzzy Hash: 8641C8B2D00258DBCB10EF64DC85BDEBBB5EF58310F150629F805A7241E7399A94C7A1

Function 007B4030 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007B4066
std::_Lockit::~_Lockit.LIBCPMT ref: 007B41A2

Part of subcall function 007BAD65: _Yarn.LIBCPMT ref: 007BAD85
Part of subcall function 007BAD65: _Yarn.LIBCPMT ref: 007BADA9

Strings

bad locale name, xrefs: 007B40E6

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: fecd24290c7ca18ec7f77f50d0ce24b3349a9f7c0a1022ccffd9162cb3fb1b37
Instruction ID: 1b78a2a3b6906c94312acdc9616417e74a5301d10fb56d64d4de657b200f954e
Opcode Fuzzy Hash: fecd24290c7ca18ec7f77f50d0ce24b3349a9f7c0a1022ccffd9162cb3fb1b37
Instruction Fuzzy Hash: 38416EF0A007499BDB10DF69D909B57BBE8BF14704F04462CE80997781E37AE518CBE2

Function 007CB2EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 007CB565

Strings

csm, xrefs: 007CB5F8
csm, xrefs: 007CB587

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 5c88b61318cbfec2c982357edeb4296e7b28649983df71162919af4f6387438f
Instruction ID: ab604bf1968eef2adb391a50c74646453adc636e40b7cb34e9f30c2f924a9206
Opcode Fuzzy Hash: 5c88b61318cbfec2c982357edeb4296e7b28649983df71162919af4f6387438f
Instruction Fuzzy Hash: 9F31E472400219EBCF224F50D886E6A7B66FF09315F18415EF85459111D33ADC75DB81

Function 007BB921 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 007BB9A9
RaiseException.KERNEL32(?,?,?,?,?), ref: 007BB9CE

Part of subcall function 007C06FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,007BF444,00000000,?,?,?,007BF444,007B3EEA,007E75AC,007B3EEA), ref: 007C075D

Part of subcall function 007C8443: IsProcessorFeaturePresent.KERNEL32(00000017,007C387B,?,?,?,?,00000000,?,?,?,007BB69C,007BB5C9,00000000,?,?,007BB5C9), ref: 007C845F

Strings

csm, xrefs: 007BB95D

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: c21fb794196bebb015e5335294ba2d3a7b94a6627c0af58203b5b8a0bd72c4b4
Instruction ID: 0ced1c29c4744beaa41ad048a71055ca60051cb9647a9166d54ad127a4d0d053
Opcode Fuzzy Hash: c21fb794196bebb015e5335294ba2d3a7b94a6627c0af58203b5b8a0bd72c4b4
Instruction Fuzzy Hash: 7D216A31D00218EBCF24DF95C94ABEEB7B9AF44710F580419EA05AB250CBB8BD45CB81

Function 007BB555 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007B2853

Strings

ios_base::badbit set, xrefs: 007B2830
bad array new length, xrefs: 007B2806

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: f1ede2d10603bcbe483ab675a65dcbc32591190b22d810c782a19bdb110099f0
Instruction ID: 921085d330ac7377a2452fc87d88d6b9dd499ab5c5b2f9030be83d58706f8bb4
Opcode Fuzzy Hash: f1ede2d10603bcbe483ab675a65dcbc32591190b22d810c782a19bdb110099f0
Instruction Fuzzy Hash: 5001B1F26093019BD7149F18D816B5B7BE8AF48318F01882DF5598B301D779E8058BC2

Function 007B27F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 007C06FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,007BF444,00000000,?,?,?,007BF444,007B3EEA,007E75AC,007B3EEA), ref: 007C075D

___std_exception_copy.LIBVCRUNTIME ref: 007B2853

Strings

ios_base::badbit set, xrefs: 007B2830
bad array new length, xrefs: 007B2806

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: 72d6dc5f3a63853cf8f6d860f8f63c2e7ab48a32fc4ab18100fec339d14965bc
Instruction ID: 78d07f85c3b42af48b81ce4e66727dd7a9a1280e961ee5f90100fb5b7fb048c4
Opcode Fuzzy Hash: 72d6dc5f3a63853cf8f6d860f8f63c2e7ab48a32fc4ab18100fec339d14965bc
Instruction Fuzzy Hash: 78F0FEF15193009BD3149F18DC19B4B7FE4EB49358F01882DF5989B301D3B9D8558BD2

Function 007BAD65 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 007BAD85
_Yarn.LIBCPMT ref: 007BADA9

Strings

u.~, xrefs: 007BAD79

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: Yarn
String ID: u.~
API String ID: 1767336200-297871038
Opcode ID: a4cad4368db887458e3ca6103585abb4fd1c5977e310d39e24a982c60c42a7fe
Instruction ID: d76154e3ad7b09fe86cdecc33447d267991cc6e229f7e2e7e87e5d4cf7b7065d
Opcode Fuzzy Hash: a4cad4368db887458e3ca6103585abb4fd1c5977e310d39e24a982c60c42a7fe
Instruction Fuzzy Hash: 68E03922308200BAEB08B666AC1AFB633D8DB04761F10013DFA0A8B9C1EE14EC448691

Function 007BA88F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(007EC690,H={,?,?,007B30E0,007EC668,ios_base::badbit set,?,007B3D48,?,00000001), ref: 007BA89A
ReleaseSRWLockExclusive.KERNEL32(007EC690,?,007B30E0,007EC668,ios_base::badbit set,?,007B3D48,?,00000001), ref: 007BA8D4

Strings

H={, xrefs: 007BA893

Memory Dump Source

Source File: 00000003.00000002.2010641585.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000003.00000002.2010622866.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010674769.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010699161.00000000007EA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010739837.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010758329.00000000007F2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2010808748.000000000083E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: H={
API String ID: 17069307-754443616
Opcode ID: a978861ff708e516d7e70aa29b2fdcad68595c729a7fbfb1cab6076fb7f20dd5
Instruction ID: a42c485c2c468fce0842454c7a4a4132d3b39e99b84798d20ba8877d119a4cfa
Opcode Fuzzy Hash: a978861ff708e516d7e70aa29b2fdcad68595c729a7fbfb1cab6076fb7f20dd5
Instruction Fuzzy Hash: 13F0EC34501140EFC721AF59DC44BB5B7B4EB8D370F10426EE859476A0C73D2843CB56

Analysis Process: setup.exePID: 5488, Parent PID: 2408COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 00408680 Relevance: 7.7, APIs: 5, Instructions: 249
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004086A4
GetCurrentThreadId.KERNEL32 ref: 004086AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000,?), ref: 004087DD
GetForegroundWindow.USER32 ref: 004088A1

Part of subcall function 0040C830: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C843

Part of subcall function 0040B720: FreeLibrary.KERNEL32(00408978), ref: 0040B726
Part of subcall function 0040B720: FreeLibrary.KERNEL32 ref: 0040B747

ExitProcess.KERNEL32 ref: 00408991

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: e843ce397e95a7a4f9e2afb866568efc9843b9a29ca9dad48084fef23a3395c2
Instruction ID: 719c045ee3bb05490b25d200acc1df5498f9a5c5afb4084d0d06abb797ad2041
Opcode Fuzzy Hash: e843ce397e95a7a4f9e2afb866568efc9843b9a29ca9dad48084fef23a3395c2
Instruction Fuzzy Hash: 57713B77A047144FD318EF69CD5632BB6D6ABC8310F09C53EA8C5EB391EA789C018789

Function 0043CFA0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(004401FA,?,00000018,?,?,00000018,?,?,?), ref: 0043CFCE

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043D929 Relevance: 1.4, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D]+\, xrefs: 0043D990

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID: D]+\
API String ID: 2994545307-1174097187
Opcode ID: 2cfa3c311a0e9c01cd225743fa52a5313a8d1775c02606c88f75f1f7f84942d4
Instruction ID: 7572c7809211613d87147b95baac5cf25656afb3abccc1c11bb3482e60d05e20
Opcode Fuzzy Hash: 2cfa3c311a0e9c01cd225743fa52a5313a8d1775c02606c88f75f1f7f84942d4
Instruction Fuzzy Hash: 0321F579B0C3458FD754AF55E88013F77A3ABCA310F28A52ED9C243356C6745C069A1A

Function 0043D357 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e537460dccc4a7b7ef12968f72ed291eab62e9864d205944ff9e0a6744b74f2
Instruction ID: 40e1c0e03dd7cb4f9cd5c8cc5c1a6d528c3109dc285a0f6b12963c487ef0f2fc
Opcode Fuzzy Hash: 1e537460dccc4a7b7ef12968f72ed291eab62e9864d205944ff9e0a6744b74f2
Instruction Fuzzy Hash: FE110479A092448FD7089F14E89053F77A2EB8A314F28A43EDA83C3351CB709C159A0A

Function 00409BEC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00409CC8

Strings

@4C, xrefs: 00409C91

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: LibraryLoad
String ID: @4C
API String ID: 1029625771-2729656245
Opcode ID: be34798907d0c0e48b961aaf20c694c46cc9c752a02d3d3cd553411d0cde06da
Instruction ID: ed32fe20f9c2acc6b9e53cce2f2001b642a3f1e2c48bd5ab92002aa4c3cc17ee
Opcode Fuzzy Hash: be34798907d0c0e48b961aaf20c694c46cc9c752a02d3d3cd553411d0cde06da
Instruction Fuzzy Hash: 3C31DFB5E043148FDB04CFA9C98169EBBF1BF5A300F0A81AAD4407B366C7745909CBD5

Function 0043D1AA Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043D1AA
GetForegroundWindow.USER32 ref: 0043D1C0

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c4e5699213e8c8392b4d3a6b569e32cded55f0697a2c8afc432cfcaf34d365f3
Instruction ID: 3dbaf8c9d4b4cdac177c22d0d0fe4f5d6608661041d7d8772ec8f984dcac4e78
Opcode Fuzzy Hash: c4e5699213e8c8392b4d3a6b569e32cded55f0697a2c8afc432cfcaf34d365f3
Instruction Fuzzy Hash: ADD027FDD5310057C94C5B31ED1E41F36119B9B355714443DF40342372CD594807C54A

Function 0040C865 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C877

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 28478618b8bf013e95b7138ec7a52dc306bad92f05b26cb4ec7a7e52e234d450
Instruction ID: 1e3e2e598fd455d471313fdc32214382811b636f90739155dff12dd62cbeea8f
Opcode Fuzzy Hash: 28478618b8bf013e95b7138ec7a52dc306bad92f05b26cb4ec7a7e52e234d450
Instruction Fuzzy Hash: 97E05E79BC52047BF6284B18DD43F84220243C6B21F3D8224B310EE7D8CDF8A012420D

Function 0040C830 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C843

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9db20bcde595f6b808fc88834a66c7a984b9a00e406f242fa5d17b3b7a9d0ad7
Instruction ID: e5954fe18ae31227c9ebc57c7171ed4deaa3088f77e6c40460de058f9c649bee
Opcode Fuzzy Hash: 9db20bcde595f6b808fc88834a66c7a984b9a00e406f242fa5d17b3b7a9d0ad7
Instruction Fuzzy Hash: F2D05E256A41446BD348A76DAC46F2236989B87716F840239F252966D2E9506810C26A

Function 0043B4A0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0040AF96,?), ref: 0043B4BE

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 429c131509c383a8080d6349d90cad9e8071549669016c5803abf4d1718e22ef
Instruction ID: 58de357fc96c06f87596776b9ae076427f094bf4a21e5fbafae531d5480062ca
Opcode Fuzzy Hash: 429c131509c383a8080d6349d90cad9e8071549669016c5803abf4d1718e22ef
Instruction Fuzzy Hash: 1AD0127140A922EBC7101F15FC07B9A3A64EF09761F070865F4406B0B1C634DC51DAD8

Function 0043B47F Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043B489

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e101f999de7608f65741e262228b5bb0f7081bf9408d8d083b24d78faad8d434
Instruction ID: 74af769b7eed74eb0bbf98d3c0715bab597ac674c92011b1c0092895a3fe5e5d
Opcode Fuzzy Hash: e101f999de7608f65741e262228b5bb0f7081bf9408d8d083b24d78faad8d434
Instruction Fuzzy Hash: 4CB00274156515B9E17127115CD5F7F1D6CDF47ED5F100058B204140D04E545401D57E

Function 0043B485 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043B489

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e673e6dd3fec5261cced75f808d9bb89ecabcd96bcb259183d1e251c2252e486
Instruction ID: 1c973efff51b4848ffeff69cb2d809a45373ecc0414c0770032ce1ef959c8293
Opcode Fuzzy Hash: e673e6dd3fec5261cced75f808d9bb89ecabcd96bcb259183d1e251c2252e486
Instruction Fuzzy Hash: 0DA00274156511F9D16127115C95F7F2968AB47A95F100068A204140A04E645001D56E

Function 0040CCC9 Relevance: 1.3, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040CCC9

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 7ef87e3f99d376d0b233b459e1f60fbcd1255d821fe2209a420b43ccc18a0f2c
Instruction ID: 853da53b18f05102e5726faca6362375872020f509225c61f3991e00308ec8ed
Opcode Fuzzy Hash: 7ef87e3f99d376d0b233b459e1f60fbcd1255d821fe2209a420b43ccc18a0f2c
Instruction Fuzzy Hash: 8BC08C3C30C000CBC20CC720EC6826A336AB7CE3053514438D4034A225E2705802860C

Non-executed Functions

Function 004382F0 Relevance: 21.7, APIs: 10, Strings: 2, Instructions: 675memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C), ref: 004385B2
SysAllocString.OLEAUT32(0000AA09), ref: 00438617
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438654
SysAllocString.OLEAUT32(0000AA09), ref: 00438697
SysAllocString.OLEAUT32(0000AA09), ref: 00438744
VariantInit.OLEAUT32( )*+), ref: 004387AF
VariantClear.OLEAUT32(?), ref: 00438919
SysFreeString.OLEAUT32(?), ref: 0043893D
SysFreeString.OLEAUT32(?), ref: 00438943
SysFreeString.OLEAUT32(00000000), ref: 00438954

Strings

\]^_, xrefs: 00438A1F
)*+, xrefs: 0043833E

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: )*+$\]^_
API String ID: 2485776651-2322973909
Opcode ID: ad9a5df13a79529466875a2391a2d9c4f178ea59c0f8a74a64ccf3bd56a8d54e
Instruction ID: 2e71509d261cad856181e072583a0b97192b489e60390a5bbc3d405ab7213408
Opcode Fuzzy Hash: ad9a5df13a79529466875a2391a2d9c4f178ea59c0f8a74a64ccf3bd56a8d54e
Instruction Fuzzy Hash: 0712FEB6A083009BE314DF25C88176BBBE1EFC9314F14592EF5D49B391DB78D8068B96

Function 00415729 Relevance: 17.4, Strings: 13, Instructions: 1182COMMON

Download Yara Rule

Strings

kjih, xrefs: 004157AC
7\A, xrefs: 00415C31
MfA, xrefs: 00416646
kjih, xrefs: 004160D6
'+5>, xrefs: 00415C64
41##, xrefs: 00415C85
nVA, xrefs: 00415D9D
L4, xrefs: 00416020
>"0, xrefs: 00415C7A
$aA, xrefs: 0041611E
~t~{, xrefs: 004159DC
L4, xrefs: 004163F0
2)!*, xrefs: 00415C6F

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: $aA$'+5>$2)!*$41##$7\A$>"0$MfA$kjih$kjih$~t~{$nVA$L4$L4
API String ID: 0-705411989
Opcode ID: a038ddd7a4fba88be4bd41d0b89a0969865ad0c869122aac13da161970b1766d
Instruction ID: 51b238df478912f03407f53bcd861463622d7a63e5711f880fdd80badda0364d
Opcode Fuzzy Hash: a038ddd7a4fba88be4bd41d0b89a0969865ad0c869122aac13da161970b1766d
Instruction Fuzzy Hash: 32823475609242CFD724CF24D8817AFB7E2EBC5314F19893EE48987392D7389845CB8A

Function 00419BE0 Relevance: 15.3, APIs: 2, Strings: 6, Instructions: 1330COMMON

Download Yara Rule

APIs

Part of subcall function 0043CFA0: LdrInitializeThunk.NTDLL(004401FA,?,00000018,?,?,00000018,?,?,?), ref: 0043CFCE

FreeLibrary.KERNEL32(?), ref: 0041A22A
FreeLibrary.KERNEL32(?), ref: 0041A2AB

Strings

kjih, xrefs: 00419C33
pq, xrefs: 00419F80
kjih, xrefs: 0041AA66
fI.K, xrefs: 00419F70
kjih, xrefs: 0041A14D
M"O, xrefs: 00419F78

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: M"O$fI.K$kjih$kjih$kjih$pq
API String ID: 764372645-57064758
Opcode ID: ca8ec4aa3c6a2665215101971d6ba1bdbaeb8bf3706cfe3159db190018bb5402
Instruction ID: fd54df58326f29ab5dcbf35c0345235bb947318f3f37ecb71676f87aa7f67674
Opcode Fuzzy Hash: ca8ec4aa3c6a2665215101971d6ba1bdbaeb8bf3706cfe3159db190018bb5402
Instruction Fuzzy Hash: 469269756093405FE7108F54D8807BBBBE2EBD5720F28C82EE5C497391D6799C82CB9A

Function 00424200 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 231COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 004242DA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,-71D32B14), ref: 00424355

Strings

@AF, xrefs: 00424399
RDB, xrefs: 00424448
WQ, xrefs: 00424252
_Y, xrefs: 00424242
7KE, xrefs: 0042422A
.sM, xrefs: 0042421A

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: .sM$7KE$RDB$@AF$WQ$_Y
API String ID: 237503144-2889437315
Opcode ID: fd78b8c373c58d299f0efd85543560d449a9ccfd47c3bf4ca4055bad2ee08b59
Instruction ID: 85809d692e9afabcf63d0d0bcf8913d9c1483266ef3a87abd0c9896b8c6eff8a
Opcode Fuzzy Hash: fd78b8c373c58d299f0efd85543560d449a9ccfd47c3bf4ca4055bad2ee08b59
Instruction Fuzzy Hash: D58102B52083509FE710CF28E84175FBBE0FB86718F11883DF5959B281D775890A8B9B

Function 00415C3B Relevance: 11.9, Strings: 9, Instructions: 665COMMON

Download Yara Rule

Strings

nVA, xrefs: 00415D9D
L4, xrefs: 00416020
>"0, xrefs: 00415C7A
MfA, xrefs: 00416646
kjih, xrefs: 00416003
'+5>, xrefs: 00415C64
L4, xrefs: 004163F0
2)!*, xrefs: 00415C6F
41##, xrefs: 00415C85

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: '+5>$2)!*$41##$>"0$MfA$kjih$nVA$L4$L4
API String ID: 0-3043129773
Opcode ID: ea301c221e4f7209e4005bd83a573e57ebd9b891a4b9fdff834431d860e3db60
Instruction ID: fcf332fa4094b6d4c8e6d19021d207cb0fce23afcc655588a84ff703f5482b79
Opcode Fuzzy Hash: ea301c221e4f7209e4005bd83a573e57ebd9b891a4b9fdff834431d860e3db60
Instruction Fuzzy Hash: CE224676A09252CFD724CF28C8507AFB7E2ABC5304F1A893ED49997351DA38DC45CB86

Function 004092A0 Relevance: 10.4, Strings: 8, Instructions: 369COMMON

Download Yara Rule

Strings

SZVm, xrefs: 004092DD
\EEZ, xrefs: 004092ED
I3_1, xrefs: 004093DE
KJ, xrefs: 00409460
v, xrefs: 004092F5
S_SY, xrefs: 004093F6
fJG], xrefs: 004092D5
Xjbn, xrefs: 00409406

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: I3_1$KJ$SZVm$S_SY$Xjbn$\EEZ$fJG]$v
API String ID: 0-857426366
Opcode ID: 83eb09dffcbbdc965478d9f71f007973de22261fc9de05b1123d5afc216dca86
Instruction ID: f42e5032e00e911cfcbd82df24bde4ae6fb01620b43778d51bef518939847aa5
Opcode Fuzzy Hash: 83eb09dffcbbdc965478d9f71f007973de22261fc9de05b1123d5afc216dca86
Instruction Fuzzy Hash: 72B1D47160C3914AD726CF2988503ABBFE19F97344F0899ADE4D5AB383C23DC906C756

Function 00432C00 Relevance: 9.2, APIs: 6, Instructions: 157clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00432C22
GetClipboardData.USER32 ref: 00432C43
GlobalLock.KERNEL32 ref: 00432C60
CloseClipboard.USER32 ref: 00432DE1

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 38ddb1ce13d4ad96419e6f72ad5d578662d1422aa4eeb45f494bb9f640afa450
Instruction ID: 4b4268758659fb9edbbb30050a8655cc6678ffe48e55207d2636374afee827fe
Opcode Fuzzy Hash: 38ddb1ce13d4ad96419e6f72ad5d578662d1422aa4eeb45f494bb9f640afa450
Instruction Fuzzy Hash: 505127B1904B518FD700AF78C94939EBFE0AF09314F04863AD49597281D3BC9959C797

Function 0042B3C0 Relevance: 7.7, Strings: 6, Instructions: 234COMMON

Download Yara Rule

Strings

t, xrefs: 0042B5B2
CJMx, xrefs: 0042B4C1
', xrefs: 0042B452
LL[R, xrefs: 0042B4CC
Pk, xrefs: 0042B5A8
UgRQ, xrefs: 0042B587

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: '$CJMx$LL[R$Pk$UgRQ$t
API String ID: 0-841269659
Opcode ID: ad6ac4a83ce9c7b2206c5238d969d6c841d12ab1a149e2618a8805dbebfd9730
Instruction ID: a27ab65c82591e32e6bf893d3bde866ba41d28cee15bcb772b57012cf8e8fd86
Opcode Fuzzy Hash: ad6ac4a83ce9c7b2206c5238d969d6c841d12ab1a149e2618a8805dbebfd9730
Instruction Fuzzy Hash: 7B81CEB460D3918BD3358F29A5A13EBBFE1EF96300F18495DD4D94B392C739840A8B97

Function 00426E50 Relevance: 6.8, Strings: 5, Instructions: 600COMMON

Download Yara Rule

Strings

?ohm, xrefs: 00427400
0pB, xrefs: 00427372
:8!v, xrefs: 00426F4D
}, xrefs: 004274B0
r?, xrefs: 00426E6A

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: 0pB$:8!v$?ohm$r?$}
API String ID: 0-2715177541
Opcode ID: 749cc9b2b166e2aefd78e54216929a7a1d54e2de09e8ea6fbb84eebd505d5f3a
Instruction ID: 27fefe2fbb4672028c34b568132a3d04d557551c2bb752c391d38c84f1a92060
Opcode Fuzzy Hash: 749cc9b2b166e2aefd78e54216929a7a1d54e2de09e8ea6fbb84eebd505d5f3a
Instruction Fuzzy Hash: 621266B2A183918BD714CF29D85126BB7E1EFD6304F09896EE8D5C7382D739D805CB86

Function 0041C051 Relevance: 6.7, Strings: 5, Instructions: 455COMMON

Download Yara Rule

Strings

.L!r, xrefs: 0041C39A
%xy~, xrefs: 0041C3AF
E], xrefs: 0041C3F2
tz, xrefs: 0041C3A8
E], xrefs: 0041C152

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: %xy~$.L!r$E]$E]$tz
API String ID: 0-4134713695
Opcode ID: 85b03c56ca638a50f462700512feba379dcf4b2fb18c995238469c107829e80a
Instruction ID: 893324274ff4417acd688581e0214f6c4df399dd6a88d7d17f1ef9b959fda1b6
Opcode Fuzzy Hash: 85b03c56ca638a50f462700512feba379dcf4b2fb18c995238469c107829e80a
Instruction Fuzzy Hash: E2D1DFB0940B019FC320DF39C992663BFB1FF16300B54866DD4D68B755E338A459CBA6

Function 0041C980 Relevance: 5.7, Strings: 4, Instructions: 683COMMON

Download Yara Rule

Strings

A~, xrefs: 0041CA76
5F&D, xrefs: 0041CA66
Q3O-, xrefs: 0041CCDC
&', xrefs: 0041CCF4

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: &'$5F&D$A~$Q3O-
API String ID: 0-675504753
Opcode ID: 812f62e87a523b56efcce59179e77158da321b0c9cf250dad7521a95bb97face
Instruction ID: 633e36ed10f3989885d87796e4429ae6f20bcc81ed0b5666aa2646e33d91a16f
Opcode Fuzzy Hash: 812f62e87a523b56efcce59179e77158da321b0c9cf250dad7521a95bb97face
Instruction Fuzzy Hash: 702211B2A4C3108FD714DF69CC916AFB7E2EFD5314F09892DE4C59B341E63889458B8A

Function 00423D78 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 321COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00423F0C

Strings

74, xrefs: 0042411C
t@, xrefs: 00423FDB

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: DrivesLogical
String ID: 74$t@
API String ID: 999431828-3855452393
Opcode ID: e6493996eb5fd517559c0d72a5a97f6fc41877c730dd7ed30f2c307e77615d90
Instruction ID: d8fda7944a744acaf0d178b2b36fa13dc41ebd5ea8d3209462f2d5dd7201e77a
Opcode Fuzzy Hash: e6493996eb5fd517559c0d72a5a97f6fc41877c730dd7ed30f2c307e77615d90
Instruction Fuzzy Hash: 12B197B5608380CFD310CF58D98122BBBE1EBC6704F55892DEAC59B321D7799946CB8B

Function 00424460 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

@AF, xrefs: 00424399
RDB, xrefs: 00424448

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: RDB$@AF
API String ID: 0-293929955
Opcode ID: f15f5163eaab6831977543f007d43be88b34e39f7c2b7db232dd98a3b66f87d2
Instruction ID: 8e72b51382bd84331a0b3652428f3f841449d97c4acde29aa1b9e14835349b3b
Opcode Fuzzy Hash: f15f5163eaab6831977543f007d43be88b34e39f7c2b7db232dd98a3b66f87d2
Instruction Fuzzy Hash: 876111B16083409FE724CF29EC41BDBB7E4EB86308F01883DF6899B281D77595058B9B

Function 004096A0 Relevance: 5.4, Strings: 4, Instructions: 391COMMON

Download Yara Rule

Strings

y{, xrefs: 0040991F
_[G], xrefs: 004098F5
,-, xrefs: 004099C7
_[G], xrefs: 00409768, 00409840

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: ,-$_[G]$_[G]$y{
API String ID: 0-1845238737
Opcode ID: 9edd87a1e525675c0c32356b88bb5c69c29a2f3fa61c5e596b79bb2793044053
Instruction ID: 6c32fc5b9f6112090130227e0787eee7bd849e3471c3c2ea16adaf94930d4e34
Opcode Fuzzy Hash: 9edd87a1e525675c0c32356b88bb5c69c29a2f3fa61c5e596b79bb2793044053
Instruction Fuzzy Hash: 4DC1177261C3808BD718DF26D89166BBBE6EBD1314F18883DE0D19B382DA3CD509CB16

Function 0041499B Relevance: 4.5, Strings: 3, Instructions: 755COMMON

Download Yara Rule

Strings

kjih, xrefs: 00415130
BPA, xrefs: 00415033
D]+\, xrefs: 00414D70

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: BPA$D]+\$kjih
API String ID: 0-779469481
Opcode ID: 3b795639909c093783c68fb88a88c2082f21191ea6d78dddba18fb4a727ae03a
Instruction ID: c86518ecb6a2af19fc35f5361c14f0002270ccc2ac66e0080cc6d1c57852e329
Opcode Fuzzy Hash: 3b795639909c093783c68fb88a88c2082f21191ea6d78dddba18fb4a727ae03a
Instruction Fuzzy Hash: 77224479608301DFEB14DF24E84176BB7E2EBCA314F54843EE485573A2DB349D008B9A

Function 00422540 Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

SP, xrefs: 00422570
kjih, xrefs: 00422930
(l"R, xrefs: 00422568

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: (l"R$SP$kjih
API String ID: 0-567659598
Opcode ID: 3785ca1b37f9add546c1038ec4aba19b713aab3aa18d44877dd8aa41cb3b2193
Instruction ID: a3900cc6fc55148a6c8e14d85553ca1c9869342b247b30b550114912dbf9fceb
Opcode Fuzzy Hash: 3785ca1b37f9add546c1038ec4aba19b713aab3aa18d44877dd8aa41cb3b2193
Instruction Fuzzy Hash: ABB14972604310ABD714AF24E99277BB3E1EF91324F59852EF88597381E37CD905C36A

Function 00438D10 Relevance: 4.2, Strings: 3, Instructions: 424COMMON

Download Yara Rule

Strings

kjih, xrefs: 00438D55
kjih, xrefs: 00438EB5
kjih, xrefs: 0043913B, 00438E98

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID: kjih$kjih$kjih
API String ID: 2994545307-810310282
Opcode ID: 712fac94ba7437c9b3dbec18473d263afff0cd89d38fa19ec11d9b71cf0c5c0e
Instruction ID: 767e002e25c183fdeed3407a3d66f84cc4350f69500a9d1ea3b218917b86b708
Opcode Fuzzy Hash: 712fac94ba7437c9b3dbec18473d263afff0cd89d38fa19ec11d9b71cf0c5c0e
Instruction Fuzzy Hash: E1B16B71A083014FD7249F24988163FF7B6EBDA324F15A52EF58567391DB39EC028B89

Function 0040B11D Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

#\, xrefs: 0040B1CC
^\, xrefs: 0040B1D3
_Y, xrefs: 0040B147

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: #\$^\$_Y
API String ID: 0-1775706250
Opcode ID: 1c254cbc2ea113dba85d633fbd872cadb1710f13e14ff148a90661bb3d6fd125
Instruction ID: 64828c1c663671413410b9e3e71a9c3a4536903c3cbe0315ba33c507ed14c13b
Opcode Fuzzy Hash: 1c254cbc2ea113dba85d633fbd872cadb1710f13e14ff148a90661bb3d6fd125
Instruction Fuzzy Hash: 36F170B9204B02DFD3248F25D891B56FBB1FF8A314F11862DD45A9B7A0D734A862CF94

Function 00439459 Relevance: 4.2, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

., xrefs: 004395AE
\, xrefs: 00439900
^_, xrefs: 00439739

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: .$\$^_
API String ID: 0-3646303928
Opcode ID: 297d3f3141377644b6f0c33220492bdc5aba9e444d2ed4812824903fec6dcd11
Instruction ID: 062b75e545c243369e7d1007839102a71fa034d595c1669f30e3ba6f234e4085
Opcode Fuzzy Hash: 297d3f3141377644b6f0c33220492bdc5aba9e444d2ed4812824903fec6dcd11
Instruction Fuzzy Hash: 37D1E43A628252CBCB18AF28DC6127E73F1FF4A751F1A887DD4814B6A0EB798D50C715

Function 00423257 Relevance: 3.0, Strings: 2, Instructions: 477COMMON

Download Yara Rule

Strings

kjih, xrefs: 004234E2
kjih, xrefs: 00423707

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: kjih$kjih
API String ID: 0-3924671761
Opcode ID: d2e0f1181bacb05ca1da8367e0b89aa2228c71b326f4e83b93677016c63df9da
Instruction ID: a487c086f2bff6f57182d60980e0fcb6fe8e22d5ef2e364a4cc1ffc52942c78a
Opcode Fuzzy Hash: d2e0f1181bacb05ca1da8367e0b89aa2228c71b326f4e83b93677016c63df9da
Instruction Fuzzy Hash: 78F1E27A618202CFE718CF24EC5176A73E6FF8A315F4A893CE54597291EB38E910CB45

Function 004269E0 Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

$b%., xrefs: 00426D93
-,#", xrefs: 00426A05

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID: $b%.$-,#"
API String ID: 2994545307-931030428
Opcode ID: 6a3802928c5f5a87aac56f19ec11622fc088211d542d43d856bad98c04f61c22
Instruction ID: eb0a7813bc495cb2fd809d80ca2ae1eeb419bef85b2bda93f64a55ce56aa5a2f
Opcode Fuzzy Hash: 6a3802928c5f5a87aac56f19ec11622fc088211d542d43d856bad98c04f61c22
Instruction Fuzzy Hash: 57B18A717083644BDB14DF24E8927BBB7A1EB91314F86853EE8858B381D63DDD05C39A

Function 00425986 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

kjih, xrefs: 00425951
kjih, xrefs: 004259D5

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: kjih$kjih
API String ID: 0-3924671761
Opcode ID: 9c4abc055bfff55d6b9c6c044379669858391a61c272c9d70dbe5eab9bb1bf85
Instruction ID: 435e266f2ad6e6eef63f3cb7faf8b725e12e8754059b896fb3d6e380001f75d0
Opcode Fuzzy Hash: 9c4abc055bfff55d6b9c6c044379669858391a61c272c9d70dbe5eab9bb1bf85
Instruction Fuzzy Hash: 5C11D676346B60CBC3148B54E49027FB7D1EBD6721FA9952EC9D123B50C17C9C428B9A

Function 0042AAE0 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

", xrefs: 0042ADB8

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: e628c99f02590b6f0d4c943b71b77343dd47da835aa70e3396d5bfee97e0f26e
Instruction ID: 7155dd8fcac62196877c4163cf259fe4e5bc86aa3de5309139ff4223dd971825
Opcode Fuzzy Hash: e628c99f02590b6f0d4c943b71b77343dd47da835aa70e3396d5bfee97e0f26e
Instruction Fuzzy Hash: BEC146B1B083245FC7149E25A88076BBBE6AB80314F49892FEC958B381D73CDD19C787

Function 0041B18C Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

PLR3, xrefs: 0041B367

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: PLR3
API String ID: 0-2761226970
Opcode ID: 55f0f2b169892d99dcd16b4c9832ed68bdf8ab973c645c435139344f562a5964
Instruction ID: 032294ec5626711b583989303ca1e9da9d1a30cf5e4cc2b543d20f08b9a82161
Opcode Fuzzy Hash: 55f0f2b169892d99dcd16b4c9832ed68bdf8ab973c645c435139344f562a5964
Instruction Fuzzy Hash: B7811675601B008FC725CF28C8917A3B7F1FF96314B0895ADD4968B7A2D738E885CB94

Function 0043B910 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

kjih, xrefs: 0043BA55

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID: kjih
API String ID: 2994545307-2138429548
Opcode ID: a33593026fd8eb9ec5c79d2faeb1b809e771c45f5c9a28dba86a33fca7da4d5a
Instruction ID: 4357d8f11cacceb57ec802c14660e1cd95a9d51a826ff5a575db21d457add18a
Opcode Fuzzy Hash: a33593026fd8eb9ec5c79d2faeb1b809e771c45f5c9a28dba86a33fca7da4d5a
Instruction Fuzzy Hash: 4C613B326057118BCB609F28C8C076BF792EFCA324F19A52ED68497365D735AC45C7C5

Function 00438AE0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

kjih, xrefs: 00438B45

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: kjih
API String ID: 0-2138429548
Opcode ID: a1d68a4cb3e2e4bf4865ca5e0cd9f0b9f8ab046a7825ff6a50d9a1042725e3fa
Instruction ID: 91fe87c1877ca5f05fcaee7cce7fcb8ec47d91bc591b00911bc4e7c23d8210a4
Opcode Fuzzy Hash: a1d68a4cb3e2e4bf4865ca5e0cd9f0b9f8ab046a7825ff6a50d9a1042725e3fa
Instruction Fuzzy Hash: 635107B46083019FE7009F29DC81B2FB7E5EB89314F10982DF68597292DB39EC15C79A

Function 0042459E Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

! %, xrefs: 00425C6C

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: ! %
API String ID: 0-2174870612
Opcode ID: 2e64160a11173ddfd979c0ea3d0d2b814565963c2ce7f953d5e5f862b9a3bbaa
Instruction ID: 8f1612b3a262938f3178b7bf199caa3967da8d02cacb31485a6ba24c03ffaef1
Opcode Fuzzy Hash: 2e64160a11173ddfd979c0ea3d0d2b814565963c2ce7f953d5e5f862b9a3bbaa
Instruction Fuzzy Hash: AB515731649B658BD720CF6494912BBBBE1DF65310F948A2FC4D687381E238A805D35A

Function 0042CD4D Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

kjih, xrefs: 0042CE00

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID: kjih
API String ID: 2994545307-2138429548
Opcode ID: f523621342962c52b4740b321783b526dc97598ad58fbbfbbcbe4c7a2d8bfb81
Instruction ID: 0fb10d53722430d4b77c1d80d6dbef02a9e55c0cd5a1f5aea47d3c4abb22a9cd
Opcode Fuzzy Hash: f523621342962c52b4740b321783b526dc97598ad58fbbfbbcbe4c7a2d8bfb81
Instruction Fuzzy Hash: 083169756087914BD3688F35A8A073FBBD2EF92300FA8496DE1D2873A1D7249C05CB99

Function 0042D05A Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

eB, xrefs: 0042D0CB

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: eB
API String ID: 0-3246501281
Opcode ID: e457f3081f52afee7ef6ccade78faed1e2b4b572523890a29aca42b2418bd9a1
Instruction ID: c9e8a37eecd0f3d021b10de5c2d54c9a99e51523f08571bc8dc744a8d9646f72
Opcode Fuzzy Hash: e457f3081f52afee7ef6ccade78faed1e2b4b572523890a29aca42b2418bd9a1
Instruction Fuzzy Hash: 0631C03060C3D18BD7398F3484657EBBBA1AF96304F94499DC0CA9B282DB39550ACB56

Function 0043F080 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

@, xrefs: 0043F0E9

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a472d10b5f9a7e5390908e9f8f6212d90e40df790a0c6070693bbc59db7dec30
Instruction ID: 46bd95ab95da14b092a617a80e557a72b18f969592b6fa2af1023528b8fd012f
Opcode Fuzzy Hash: a472d10b5f9a7e5390908e9f8f6212d90e40df790a0c6070693bbc59db7dec30
Instruction Fuzzy Hash: 593132725083048BCB14DF18E8816ABBBF5FB96320F10693DE5858B390E7359C08CB96

Function 0042C62F Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

s, xrefs: 0042C676

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: e45a1f2e2537c3aa27091e076b28e989616aa4a1697a312ccc4ccaba39526ba3
Instruction ID: 29f20c3b0e98ad2f0a32b60c155a5575d60e561524289968dcee3ba061b6bae2
Opcode Fuzzy Hash: e45a1f2e2537c3aa27091e076b28e989616aa4a1697a312ccc4ccaba39526ba3
Instruction Fuzzy Hash: AF31F63170C7928BC71D8F34C8643BBBBD1ABD2340F18496EE1D687391D73888068B56

Function 0042D0AE Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

eB, xrefs: 0042D0CB

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: eB
API String ID: 0-3246501281
Opcode ID: d234fc643cf34f131e990788b67370748e9a2949fcd5bacb75e7d281b2b4cb11
Instruction ID: 90c3ea06982c064a0e3bffddaa11293396c71f55d8fe445c898e383a11b9c4a0
Opcode Fuzzy Hash: d234fc643cf34f131e990788b67370748e9a2949fcd5bacb75e7d281b2b4cb11
Instruction Fuzzy Hash: 9231DF7060C3908BD7398F34C8657EBBBB1AF96300F94896DC1CA5B381DB395506CB96

Function 0042C62D Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

s, xrefs: 0042C676

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: a17dc4b0f29f5f9b404bef73946c92c1ddcd8b9df2cdf66f2056694c3c23ac44
Instruction ID: 15acc6a3c80bf2e33e426aada9df871cc9eb11dbc7320abd226b1ce3a4d8280f
Opcode Fuzzy Hash: a17dc4b0f29f5f9b404bef73946c92c1ddcd8b9df2cdf66f2056694c3c23ac44
Instruction Fuzzy Hash: 7121E57170C7928BC71CCF34C86526FBBD1ABD6300F28896EE5D687391D638C8068B4A

Function 00407500 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26be0585b5863154a1ada3a28109cfd6482920505ec00f8f0cdb4773e3318629
Instruction ID: 61abf759c9cadcf257a693f3ee14b799edd8696e77a16ce848846ba68cf6fefd
Opcode Fuzzy Hash: 26be0585b5863154a1ada3a28109cfd6482920505ec00f8f0cdb4773e3318629
Instruction Fuzzy Hash: 2A22A132A0C7118BD725DF18D8806ABB3E1BFC4319F19893ED586A7385D738B8558B87

Function 00429241 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c81599bf1fc021bcf0fc65e73ee2db50555a858067dd38631d90d1653f08eb
Instruction ID: 68e5704013bb15557501bf91ff2a082cc52ba5735bc95d065c9548d78084a955
Opcode Fuzzy Hash: a6c81599bf1fc021bcf0fc65e73ee2db50555a858067dd38631d90d1653f08eb
Instruction Fuzzy Hash: 53E15671E10226CBCB24CF64D8916ABB7B1FF5A314F19465ED8427B354E738AC02CB94

Function 004221E0 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b107d9bb1a2d9e1941e1462cd52ab4669c909d1b4daa805a2e9a076f479614
Instruction ID: e9311dae094bf1733b1d0aea7d2779e411c23cfc233bdfe60b8c7cd348ef5974
Opcode Fuzzy Hash: 81b107d9bb1a2d9e1941e1462cd52ab4669c909d1b4daa805a2e9a076f479614
Instruction Fuzzy Hash: BA9143B1604311ABC710DF24D892B6B73B0FF91328F14891DF8859B391E7B9D905C76A

Function 0041D5EC Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20164083485a976f9987a595a4cf69ff1c1b16a8df36ebfeef1c5dc0fa762dc
Instruction ID: 5c7151967bff9507dd7797c5c2d42f530f5128f49545d25f922d80f8fb09922b
Opcode Fuzzy Hash: e20164083485a976f9987a595a4cf69ff1c1b16a8df36ebfeef1c5dc0fa762dc
Instruction Fuzzy Hash: E55113B4A0C3508BD7109F28D85266BB7F2EFD2308F18492DE4D99B391E739D905C75A

Function 0041D603 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a87800b8fe64a1213682ffcd7b3cd920df7af8cf0b63194adf3f10e9c6102a
Instruction ID: ac4aaf9ef2867e45983ff7a9ae25f09b9656f6f0dd0720ade2da784ad1356d6e
Opcode Fuzzy Hash: 05a87800b8fe64a1213682ffcd7b3cd920df7af8cf0b63194adf3f10e9c6102a
Instruction Fuzzy Hash: C95101B4A0C3508BD7109F28C85266BB7F2EFD2308F18892DE4D89B391E739C541C75A

Function 0041F0E0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437213943a5d6f7bba8ab58dfeae2c69ad63b4cb29ace8fcc03a326a6a244e04
Instruction ID: 4f692c9c50cbc654eae74ccc9224dc58b5a9b046cdd264a5c32c37c2572de626
Opcode Fuzzy Hash: 437213943a5d6f7bba8ab58dfeae2c69ad63b4cb29ace8fcc03a326a6a244e04
Instruction Fuzzy Hash: 0A615A3560C3919FC7258F39C88096B7BE0AF96314F0882BEE8D447392D635DC4AD796

Function 0043DCE7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477dd9c6162770bc73e5b88d5049b7ad5744b8a8486b04fcbe3a7d2182c8346d
Instruction ID: 56fb3b66251f4f27547c2b9d23238da8952789ee290974d3697a2f11aacd2a15
Opcode Fuzzy Hash: 477dd9c6162770bc73e5b88d5049b7ad5744b8a8486b04fcbe3a7d2182c8346d
Instruction Fuzzy Hash: 7741C232E145254BDB19CFB8D8911BFFBF2AB9D310F1A512EC446E7341DA38AD018B98

Function 0041B5DD Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aefbff8f267baa07500557e8c01890b3537268b37c2e49d1637d7f1157a591
Instruction ID: 07ff840f00c89fee05c80b5a58555568be596aadf3cf6fbd15384ce02e8096e0
Opcode Fuzzy Hash: b6aefbff8f267baa07500557e8c01890b3537268b37c2e49d1637d7f1157a591
Instruction Fuzzy Hash: E65149763507014FE7248F29C9C1B52BBE2EFE6304F1985ACD0959B762C7B8D802CB54

Function 0040C551 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63813f41dbe511761db8f20762812b93e7ab948a97c621a9b6d96b75e500041
Instruction ID: 9be73a98b056c2d0c7dacf170e0cd6e8e4dd5e5827fd6e65ad473f576408e71a
Opcode Fuzzy Hash: f63813f41dbe511761db8f20762812b93e7ab948a97c621a9b6d96b75e500041
Instruction Fuzzy Hash: 0E41347965C3018BC7188F64CC4567BB7F2EFC6304F189A3CE48593381DA388A06870E

Function 0041BF5D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83626cacc7732c68ab18a552209682d8902d6c7a8a32954126ad0522ddbd671
Instruction ID: 6761710f77d38817d46bc0a1b71ee177f124221904cd2e9cb6d64fccfdedefae
Opcode Fuzzy Hash: f83626cacc7732c68ab18a552209682d8902d6c7a8a32954126ad0522ddbd671
Instruction Fuzzy Hash: C12123757447418FC719CF66C8A0263BBA3AFCA25432EC04EC4968B36AC774F8868B44

Function 00432000 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62b68f1efe2ca59d36d82e6a055fe48e925e50c8864e3853668cf8a2d06942e
Instruction ID: c8573963d71175ab879c5f59e786e450b1420257dcd06735500d0dc1f647cab2
Opcode Fuzzy Hash: c62b68f1efe2ca59d36d82e6a055fe48e925e50c8864e3853668cf8a2d06942e
Instruction Fuzzy Hash: AF21B5F0900B00AFD360EF3AC946607BEF8EB49354F508A1DF4AA87691D371A5458BD6

Function 00435880 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5b2b74ac1a3ba5c45c454e7f1da22ae82971d98106045a86a0c66dac7f734a9c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1311E533A055D44EC3168D3C8400566BFE30EA7235F69939AF4F89B2D6D6268D8E8359

Function 0040C404 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e78fea8a38b24ded5d16d5c4de34fcb1592ffda36adc458e5286e25c154e54
Instruction ID: 8ded2d301ed04a995954a13864b114fad71100f10da4f8fc48165d4e31c5a971
Opcode Fuzzy Hash: f3e78fea8a38b24ded5d16d5c4de34fcb1592ffda36adc458e5286e25c154e54
Instruction Fuzzy Hash: 6E11B83464D3419BD329CF24A8D1B6BBBE2EBD2204F14E82CE08192351C5B8D8068B1E

Function 0042A4B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e09823d0e02ffd6712e61936e7254897359c543f25d11d694a2a38905cc569
Instruction ID: 67478a81853eec2dea72d16e4687bce84520cd468960b50aea60f26b09377acc
Opcode Fuzzy Hash: f3e09823d0e02ffd6712e61936e7254897359c543f25d11d694a2a38905cc569
Instruction Fuzzy Hash: 840192F170071197D620AE25A5C4727A2A86F9070CF48443EEC4967342DBBDFC2886AA

Function 0042DE30 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54a11bb87efbfbf342d2a2c3f144219fdb4e62799be38ffa775fb600503eca8
Instruction ID: be3d4ae164ca6086263ea6c394f1b56c4cacc59ffcacf56fb8c71461d48c70a6
Opcode Fuzzy Hash: b54a11bb87efbfbf342d2a2c3f144219fdb4e62799be38ffa775fb600503eca8
Instruction Fuzzy Hash: C501F435D086A247CB254F388411373BB625FA7308B5D54EDC4C1AF383C61EDC068798

Function 0043E1F4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902304f499d5a184e8a82fb08a67af2d628892b930146d8a0c022a126982db98
Instruction ID: 1fd46abd00d7749c6900e513f53550d416a0f2a30bea42f7423d10527cabea00
Opcode Fuzzy Hash: 902304f499d5a184e8a82fb08a67af2d628892b930146d8a0c022a126982db98
Instruction Fuzzy Hash: F0C04C38A581418B9B08CF04E9954BAB776979F214B18B13ED506F3750C734DC01990C

Function 00428BFE Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e004b511eee906e3079cfc60d91f8bd874a58f69aba1e39e5ab1c21b77e04
Instruction ID: 8ddfabdbd47d42b1c93bf9e1ab641da2c5150ae9938c0d7cb83ab9f96b1d894d
Opcode Fuzzy Hash: 680e004b511eee906e3079cfc60d91f8bd874a58f69aba1e39e5ab1c21b77e04
Instruction Fuzzy Hash: 72B00274E441548BE614CF14DD50B74F375A747105F153454D10EB7152C631E955CA0D

Function 00424C80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a90507de928d43dc4e33b8172c8b4ebbfc2960a3ccf639557fe3167fb9d420
Instruction ID: 8ee52886bdf383e29db227205d642dcaefe645a769550572070308d17a5c2958
Opcode Fuzzy Hash: f5a90507de928d43dc4e33b8172c8b4ebbfc2960a3ccf639557fe3167fb9d420
Instruction Fuzzy Hash: 4FB002349891008BD604CF58D550575F3759747618F157818D547B3251D655F858C91D

Function 00432367 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004323A9

Strings

_, xrefs: 004323CB
x, xrefs: 004323F3
^, xrefs: 004323D3
c, xrefs: 004323C3
-, xrefs: 004323EB

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: InitVariant
String ID: -$^$_$c$x
API String ID: 1927566239-2011743646
Opcode ID: 5e0d3c51ad46ec2c06616873faac0f117c26524ed99fea09ff2c6b131de0c4e1
Instruction ID: e4baa1acc4d029566cdfd59e8f7d3bb8e186af098319ae9321de840ef7b9e312
Opcode Fuzzy Hash: 5e0d3c51ad46ec2c06616873faac0f117c26524ed99fea09ff2c6b131de0c4e1
Instruction Fuzzy Hash: C1415D71108B81CED7158F38C598356BFE16B66324F48869CC5E90F7EAC3759505C7A2

Function 004298F0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 004299CD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 00429A3F

Strings

Wuv7, xrefs: 00429980, 0042999E
Wuv7, xrefs: 00429A0A

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Wuv7$Wuv7
API String ID: 237503144-1932794618
Opcode ID: e25d58ab24c04b765f1a7a92fece9777d65b5727fe9848fec3fb11f69464d559
Instruction ID: 1d21664b7f25e21536eec30c841bdffe79b404d1da9bba8fb3677da827e04efc
Opcode Fuzzy Hash: e25d58ab24c04b765f1a7a92fece9777d65b5727fe9848fec3fb11f69464d559
Instruction Fuzzy Hash: 0151DEB52483149FE3109F21EC81B5BBBF8FB8A704F10492DF6989B282D7759509CB96

Function 0041973F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

@, xrefs: 00419763
V0/., xrefs: 004197DB

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: @$V0/.
API String ID: 0-2384241223
Opcode ID: 00119c81bcb70a326370affddf1987019324e2da4765eb631dd7385480b59cf8
Instruction ID: fd479f24e7454a86608881c10ac1fb51ac8f6e5b5ecef8113ba61f705af730f2
Opcode Fuzzy Hash: 00119c81bcb70a326370affddf1987019324e2da4765eb631dd7385480b59cf8
Instruction Fuzzy Hash: 37411876608341DBD3109F25DC91BAB77E9AFD6311F098A3EE5D8C7281DA388D448726

Function 004245C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

@AF, xrefs: 00424399
RDB, xrefs: 00424448

Memory Dump Source

Source File: 00000004.00000002.2056678218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID: RDB$@AF
API String ID: 0-293929955
Opcode ID: bb3f07d3bb2fcabe52b39a1d35e15f1a9833749b2156f1220bab2b88511df349
Instruction ID: 09827799f60907410c32fcdc6003198550ce2609f474eab8529e9ba8762932c7
Opcode Fuzzy Hash: bb3f07d3bb2fcabe52b39a1d35e15f1a9833749b2156f1220bab2b88511df349
Instruction Fuzzy Hash: 2251CDB56082009FD710CF28EC4275BBBE0AB86318F11483DF5899B281E67699098B9B

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
setup.exe

Function 007EA19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 007B2560 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
encryptionthreadCOMMON

Function 007B2060 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 007CCFFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 007B1800 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 007C5439 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 007C55DE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 007C574F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 007D3CE4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 007D44BD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 007B9290 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 007CDB42 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 007B1FA0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON