Edit tour

Windows Analysis Report
Installer.exe

Overview

General Information

Sample name:	Installer.exe
Analysis ID:	1581507
MD5:	0cebf27d0066d6ea5653547254e236e4
SHA1:	badfc5a68c17d2d1112e50ccd8ececeb4f8ba8a9
SHA256:	21d9bba7ae0dfb0892e5345ee42d73e241e0d9841a17ff340f6278e86d8f54f4
Tags:	exeLummaStealersigneduser-ventoy
Infos:

Detection

LummaC

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Installer.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 0CEBF27D0066D6EA5653547254E236E4)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Installer.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 0CEBF27D0066D6EA5653547254E236E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["inherineau.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "scentniej.buzz", "cashfuzysao.buzz", "hummskitnj.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "mindhandru.buzz"], "Build id": "yau6Na--5223198671"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:09:59.943412+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.121.10.34	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:10:00.850151+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.121.10.34	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["inherineau.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "scentniej.buzz", "cashfuzysao.buzz", "hummskitnj.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "mindhandru.buzz"], "Build id": "yau6Na--5223198671"}

Machine Learning detection for sample

Source: Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mindhandru.buzz
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String decryptor: yau6Na--5223198671

Source: Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.121.10.34:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0043F39E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	2_2_0041D050
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041780D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h	2_2_004410D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Ch]	2_2_0042788F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edi, dword ptr [ebp-10h]	2_2_0041C900
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042B100
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_00427917
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then test eax, eax	2_2_0043A120
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+338E7E12h]	2_2_0043A120
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, eax	2_2_00405930
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebp, eax	2_2_00405930
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	2_2_0043A9D6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then sub edx, 01h	2_2_004409E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx]	2_2_00426190
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	2_2_0043E9B3
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0000026Dh]	2_2_00415200
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Ch]	2_2_00427A3F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	2_2_0041F2C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004292E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-535229ACh]	2_2_004402B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then sub edx, 01h	2_2_004402B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h]	2_2_00409370
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	2_2_00409370
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402B70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00436370
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov eax, ecx	2_2_00408B00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042D306
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then jmp dword ptr [00448B7Ch]	2_2_00428307
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-6Fh]	2_2_004393C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-535229ACh]	2_2_004403D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then sub edx, 01h	2_2_004403D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h]	2_2_0042BBE3
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h]	2_2_0042BC53
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000258h]	2_2_0043EC60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	2_2_00416C77
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042D4D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00440CE0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-53h]	2_2_00419C90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	2_2_00419C90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 798ECF08h	2_2_00439490
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	2_2_00439490
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042D49A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_004074A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_004074A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000274h]	2_2_0042BB19
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then sub edx, 01h	2_2_00440550
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+26h]	2_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	2_2_00426513
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	2_2_00425DEA
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00425DEA
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+446E8726h]	2_2_00441DA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	2_2_0043A640
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042D64C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-38h]	2_2_0043EE50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042A660
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, eax	2_2_0041966B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00425E70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then sub edx, 01h	2_2_00440600
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	2_2_00440E00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], EABBD981h	2_2_0040DE13
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00417E1A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, eax	2_2_00417E1A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2DC31920h]	2_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	2_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+74842D10h]	2_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then sub edx, 01h	2_2_00440690
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5B5F0E69h]	2_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov eax, ecx	2_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch]	2_2_004396A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_00426EB0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	2_2_0040A770
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then push eax	2_2_00415F19
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-4835D6BBh]	2_2_0040D7CF
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, edx	2_2_004227E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_00416790
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_00416790
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ebx	2_2_0040B79B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx]	2_2_0041E7A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx ecx, byte ptr [edi+eax]	2_2_0043F7B2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49733 -> 104.121.10.34:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: mindhandru.buzz

Source: Joe Sandbox View

IP Address: 104.121.10.34 104.121.10.34

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.121.10.34:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=8c34e95747c8d54639031398; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 27 Dec 2024 22:10:00 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlyC* equals www.youtube.com (Youtube)
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: mindhandru.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic	DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic	DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic	DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic	DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic	DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic	DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic	DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Installer.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Installer.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Installer.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Installer.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Installer.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Installer.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Installer.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Installer.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Installer.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Installer.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Installer.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Installer.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Installer.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Installer.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Installer.exe, 00000002.00000002.1712496822.0000000003162000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Installer.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 104.121.10.34:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_00433600 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00433600

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_00433600 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00433600

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_0043403E GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_0043403E

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00681000	0_2_00681000
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_0068F555	0_2_0068F555
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_006A7792	0_2_006A7792
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_006BB820	0_2_006BB820
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_006A5C5E	0_2_006A5C5E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00699CC0	0_2_00699CC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00693FB2	0_2_00693FB2
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040ADEC	2_2_0040ADEC
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004085F0	2_2_004085F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00408800	2_2_00408800
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041780D	2_2_0041780D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004410D0	2_2_004410D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042788F	2_2_0042788F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00403900	2_2_00403900
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041C900	2_2_0041C900
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00412100	2_2_00412100
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043A120	2_2_0043A120
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00405930	2_2_00405930
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043D1C0	2_2_0043D1C0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004081D0	2_2_004081D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043A9D6	2_2_0043A9D6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042C9D4	2_2_0042C9D4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004259E4	2_2_004259E4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00433180	2_2_00433180
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00424990	2_2_00424990
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00406240	2_2_00406240
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00410A57	2_2_00410A57
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00415200	2_2_00415200
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00431210	2_2_00431210
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041E220	2_2_0041E220
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00427A3F	2_2_00427A3F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004042B0	2_2_004042B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004402B0	2_2_004402B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041DB40	2_2_0041DB40
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00409370	2_2_00409370
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00426B70	2_2_00426B70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00422370	2_2_00422370
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00408B00	2_2_00408B00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00424B00	2_2_00424B00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00428307	2_2_00428307
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00421B10	2_2_00421B10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043CB20	2_2_0043CB20
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004403D0	2_2_004403D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004413E0	2_2_004413E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00404BF0	2_2_00404BF0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041AB80	2_2_0041AB80
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00438C5D	2_2_00438C5D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00416C77	2_2_00416C77
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00437C78	2_2_00437C78
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042AC30	2_2_0042AC30
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042F4F6	2_2_0042F4F6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00419C90	2_2_00419C90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00416492	2_2_00416492
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042CCA2	2_2_0042CCA2
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004074A0	2_2_004074A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004264B0	2_2_004264B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00438CB0	2_2_00438CB0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041E540	2_2_0041E540
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00423D40	2_2_00423D40
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040CD4E	2_2_0040CD4E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00440550	2_2_00440550
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041C561	2_2_0041C561
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042D57F	2_2_0042D57F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004385C7	2_2_004385C7
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00411DC9	2_2_00411DC9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00418DE6	2_2_00418DE6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004115F1	2_2_004115F1
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00420583	2_2_00420583
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0042E64D	2_2_0042E64D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041966B	2_2_0041966B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00440600	2_2_00440600
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00440E00	2_2_00440E00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041DE10	2_2_0041DE10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00417E1A	2_2_00417E1A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00422E3F	2_2_00422E3F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00402EC0	2_2_00402EC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004066D0	2_2_004066D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00426ED0	2_2_00426ED0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00440690	2_2_00440690
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004146A0	2_2_004146A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004396A0	2_2_004396A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00426EB0	2_2_00426EB0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00429740	2_2_00429740
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040A770	2_2_0040A770
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00428770	2_2_00428770
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00441700	2_2_00441700
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00438F10	2_2_00438F10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043D710	2_2_0043D710
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00415F19	2_2_00415F19
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00436F2C	2_2_00436F2C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040D7CF	2_2_0040D7CF
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043A7D0	2_2_0043A7D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004227E0	2_2_004227E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00416FF0	2_2_00416FF0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0040C782	2_2_0040C782
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043AF80	2_2_0043AF80
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00408F90	2_2_00408F90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00416790	2_2_00416790
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00430797	2_2_00430797
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0041E7A0	2_2_0041E7A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0043F7B2	2_2_0043F7B2
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00681000	2_2_00681000
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0068F555	2_2_0068F555
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_006A7792	2_2_006A7792
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_006A5C5E	2_2_006A5C5E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00699CC0	2_2_00699CC0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00693FB2	2_2_00693FB2

Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 00690730 appears 38 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 006980F8 appears 42 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 0069CFD6 appears 40 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 0068FA60 appears 100 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 00407FE0 appears 41 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 0068FAE4 appears 34 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 00414690 appears 95 times

Source: Installer.exe

Static PE information: invalid certificate

Source: Installer.exe, 00000000.00000000.1653264158.000000000070F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
Source: Installer.exe, 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
Source: Installer.exe, 00000002.00000003.1661324522.0000000003308000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe
Source: Installer.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Installer.exe

Source: Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Installer.exe

Static PE information: Section: .bss ZLIB complexity 1.0003360896915585

Source: classification engine

Classification label: mal88.troj.evad.winEXE@4/1@10/1

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_004318D2 CoCreateInstance,

2_2_004318D2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03

Source: Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

File read: C:\Users\user\Desktop\Installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: profapi.dll	Jump to behavior

Source: Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Installer.exe

Static PE information: real checksum: 0x97cc3 should be: 0x933b3

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_006BD6B8 push esi; retf	0_2_006BD6BA
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_0068FB83 push ecx; ret	0_2_0068FB96
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00440240 push eax; mov dword ptr [esp], DED9D88Bh	2_2_00440245
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_004464FA push edx; ret	2_2_00446500
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0044666E push cs; ret	2_2_00446682
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00446627 push cs; ret	2_2_00446682
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00430797 push 89240489h; mov dword ptr [esp], eax	2_2_004307CB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0068FB83 push ecx; ret	2_2_0068FB96

Source: C:\Users\user\Desktop\Installer.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-19906

Source: C:\Users\user\Desktop\Installer.exe

API coverage: 2.5 %

Source: C:\Users\user\Desktop\Installer.exe TID: 7576	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe TID: 7584	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Installer.exe, 00000002.00000002.1712496822.0000000003162000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712589668.00000000031AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$K

Source: C:\Users\user\Desktop\Installer.exe

Code function: 2_2_0043EBA0 LdrInitializeThunk,

2_2_0043EBA0

Source: C:\Users\user\Desktop\Installer.exe

Code function: 0_2_0068F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0068F8E9

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_006BA19E mov edi, dword ptr fs:[00000030h]	0_2_006BA19E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00681FB0 mov edi, dword ptr fs:[00000030h]	0_2_00681FB0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00681FB0 mov edi, dword ptr fs:[00000030h]	2_2_00681FB0

Source: C:\Users\user\Desktop\Installer.exe

Code function: 0_2_0069D8E0 GetProcessHeap,

0_2_0069D8E0

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_0068F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0068F52D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_0068F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0068F8E9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_0068F8DD SetUnhandledExceptionFilter,	0_2_0068F8DD
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00697E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00697E30
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0068F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0068F52D
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0068F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0068F8E9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_0068F8DD SetUnhandledExceptionFilter,	2_2_0068F8DD
Source: C:\Users\user\Desktop\Installer.exe	Code function: 2_2_00697E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00697E30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Installer.exe

Code function: 0_2_006BA19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_006BA19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Installer.exe

Memory written: C:\Users\user\Desktop\Installer.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Installer.exe, 00000000.00000002.1661403272.00000000047D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: mindhandru.buzz

Source: C:\Users\user\Desktop\Installer.exe

Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	0_2_0069D1BD
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_006A1287
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	0_2_006A14D8
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_006A1580
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	0_2_006A17D3
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	0_2_006A1840
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	0_2_006A1960
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	0_2_006A1915
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_006A1A07
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	0_2_006A1B0D
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	0_2_0069CC15
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	2_2_0069D1BD
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_006A1287
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	2_2_006A14D8
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_006A1580
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	2_2_006A17D3
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	2_2_006A1840
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	2_2_006A1960
Source: C:\Users\user\Desktop\Installer.exe	Code function: EnumSystemLocalesW,	2_2_006A1915
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_006A1A07
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	2_2_006A1B0D
Source: C:\Users\user\Desktop\Installer.exe	Code function: GetLocaleInfoW,	2_2_0069CC15

Source: C:\Users\user\Desktop\Installer.exe

Code function: 0_2_006900B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_006900B4

Source: C:\Users\user\Desktop\Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.121.10.34	true	false	high
cashfuzysao.buzz	unknown	unknown	true	unknown
scentniej.buzz	unknown	unknown	true	unknown
inherineau.buzz	unknown	unknown	true	unknown
prisonyfork.buzz	unknown	unknown	true	unknown
rebuildeso.buzz	unknown	unknown	true	unknown
appliacnesot.buzz	unknown	unknown	true	unknown
hummskitnj.buzz	unknown	unknown	true	unknown
mindhandru.buzz	unknown	unknown	false	high
screwamusresz.buzz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
scentniej.buzz	false	high
hummskitnj.buzz	false	high
mindhandru.buzz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
rebuildeso.buzz	false	high
appliacnesot.buzz	false	high
screwamusresz.buzz	false	high
cashfuzysao.buzz	false	high
inherineau.buzz	false	high
prisonyfork.buzz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.entrust.net03	Installer.exe	false	high
https://steamcommunity.com/?subsection=broadcasts	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.entrust.net02	Installer.exe	false	high
https://help.steampowered.com/en/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.entrust.net/ts1ca.crl0	Installer.exe	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.entrust.net/rpa03	Installer.exe	false	high
http://store.steampowered.com/privacy_agreement/	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://aia.entrust.net/ts1-chain256.cer01	Installer.exe	false	high
https://store.steampowered.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.entrust.net/2048ca.crl0	Installer.exe	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	Installer.exe, 00000002.00000003.1711991278.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711893472.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1712017253.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.1712666133.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.entrust.net/rpa0	Installer.exe	false	high
https://store.steampowered.com/about/	Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Installer.exe, 00000002.00000003.1711858773.00000000031EE000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.1711858773.00000000031F3000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.121.10.34	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581507
Start date and time:	2024-12-27 23:09:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Installer.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@4/1@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 32 Number of non-executed functions: 181
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
17:09:55	API Interceptor	6x Sleep call for process: Installer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.121.10.34	Setup.exe	Get hash	malicious	Unknown	Browse
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Leside-.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Setup.exe	Get hash	malicious	Unknown	Browse	104.121.10.34
	Setup.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml	Get hash	malicious	Unknown	Browse	2.19.198.40
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Leside-.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Setup.exe	Get hash	malicious	Unknown	Browse	104.121.10.34
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	23.57.90.162
	grand-theft-auto-5-theme-1-installer_qb8W-j1.exe	Get hash	malicious	Unknown	Browse	95.100.135.104
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	104.73.204.126

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	NewSetup.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.121.10.34
	launcher.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	search.hta	Get hash	malicious	Unknown	Browse	104.121.10.34
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.121.10.34
	@Setup.exe	Get hash	malicious	LummaC	Browse	104.121.10.34

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Installer.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	low
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.576095801286095
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Installer.exe
File size:	577'064 bytes
MD5:	0cebf27d0066d6ea5653547254e236e4
SHA1:	badfc5a68c17d2d1112e50ccd8ececeb4f8ba8a9
SHA256:	21d9bba7ae0dfb0892e5345ee42d73e241e0d9841a17ff340f6278e86d8f54f4
SHA512:	5590c096ba88b0e4b5dcb246930853a619216bc8135e799c92c194525299bc8fb6b941dec480d1b293eee6f5e7adc2d663ae483d86c8708d3f9be04fa4180a46
SSDEEP:	12288:+YO6Dqzihouxpa+yWz2qRPmZqaKS6gfb3e82ffYDXCOEO:nO6DThou2+y02TZqa97b3effIXXt
TLSH:	77C4E1123680C0B3D963153759B9C7794A3EF8201F616AC793984BBEDEB06D15F30A6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@..................................\|....@.................................\|j..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4104a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	96d90e8808da099bc17e050394f447e7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007FDB0D0D497Ah
jmp 00007FDB0D0D47DDh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FDB0D0D4976h
test esi, ecx
jne 00007FDB0D0D4998h
call 00007FDB0D0D49A1h
mov ecx, eax
cmp ecx, edi
jne 00007FDB0D0D4979h
mov ecx, BB40E64Fh
jmp 00007FDB0D0D4980h
test esi, ecx
jne 00007FDB0D0D497Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FDB0D0DB753h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a7c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8f000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8a800	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c3c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b4ca	0x2b600	ebf84c6b836020b1a66433a898baeab7	False	0.5443702719740634	data	6.596404756541432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc50c	0xc600	96e76e7ef084461591b1dcd4c2131f05	False	0.40260022095959597	data	4.741850626178578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	d87fd4546a2b39263a028b496b33108f	False	0.29814453125	data	5.024681407682101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2744	0x2800	c7508b57e36483307c47b7dd73fc0c85	False	0.75166015625	data	6.531416896423856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x4d000	0x4d000	a20e827dffb35f9fff89825936fba1a1	False	1.0003360896915585	data	7.999398974295207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8f000	0x3fc	0x400	6d588082959117d83b5b94b45915208a	False	0.4423828125	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8f058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

ShowWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T23:09:59.943412+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.121.10.34	443	TCP
2024-12-27T23:10:00.850151+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49733	104.121.10.34	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:09:58.436301947 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:09:58.436336040 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:09:58.436425924 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:09:58.439455032 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:09:58.439467907 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:09:59.943345070 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:09:59.943412066 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:09:59.952409029 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:09:59.952415943 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:09:59.952631950 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.001405954 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:00.203231096 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:00.247330904 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850176096 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850194931 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850275993 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:00.850291014 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850341082 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850368023 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850380898 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:00.850389957 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:00.850389957 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:00.850419998 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:01.041306973 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:01.041373968 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:01.041387081 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:01.041434050 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:01.042593956 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:01.042599916 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:01.042736053 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:01.042768002 CET	443	49733	104.121.10.34	192.168.2.4
Dec 27, 2024 23:10:01.042818069 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:01.043004990 CET	49733	443	192.168.2.4	104.121.10.34
Dec 27, 2024 23:10:01.043015957 CET	443	49733	104.121.10.34	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:09:56.072268009 CET	63679	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:56.303467989 CET	53	63679	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:56.306731939 CET	64733	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:56.540052891 CET	53	64733	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:56.543705940 CET	51198	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:56.771437883 CET	53	51198	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:56.775042057 CET	64636	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:56.990441084 CET	53	64636	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:56.992244005 CET	55084	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:57.220199108 CET	53	55084	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:57.224014997 CET	57378	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:57.445698977 CET	53	57378	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:57.548049927 CET	49829	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:57.847930908 CET	53	49829	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:57.852117062 CET	54619	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:58.068125010 CET	53	54619	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:58.071548939 CET	51278	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:58.288876057 CET	53	51278	1.1.1.1	192.168.2.4
Dec 27, 2024 23:09:58.292800903 CET	61180	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:09:58.430284977 CET	53	61180	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 23:09:56.072268009 CET	192.168.2.4	1.1.1.1	0xa342	Standard query (0)	mindhandru.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.306731939 CET	192.168.2.4	1.1.1.1	0x8dc	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.543705940 CET	192.168.2.4	1.1.1.1	0xbe59	Standard query (0)	rebuildeso.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.775042057 CET	192.168.2.4	1.1.1.1	0x2997	Standard query (0)	scentniej.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.992244005 CET	192.168.2.4	1.1.1.1	0x1b97	Standard query (0)	inherineau.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:57.224014997 CET	192.168.2.4	1.1.1.1	0xf44a	Standard query (0)	screwamusresz.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:57.548049927 CET	192.168.2.4	1.1.1.1	0xb714	Standard query (0)	appliacnesot.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:57.852117062 CET	192.168.2.4	1.1.1.1	0x323b	Standard query (0)	cashfuzysao.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:58.071548939 CET	192.168.2.4	1.1.1.1	0x4a0e	Standard query (0)	hummskitnj.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:58.292800903 CET	192.168.2.4	1.1.1.1	0x41a8	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 23:09:56.303467989 CET	1.1.1.1	192.168.2.4	0xa342	Name error (3)	mindhandru.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.540052891 CET	1.1.1.1	192.168.2.4	0x8dc	Name error (3)	prisonyfork.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.771437883 CET	1.1.1.1	192.168.2.4	0xbe59	Name error (3)	rebuildeso.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:56.990441084 CET	1.1.1.1	192.168.2.4	0x2997	Name error (3)	scentniej.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:57.220199108 CET	1.1.1.1	192.168.2.4	0x1b97	Name error (3)	inherineau.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:57.445698977 CET	1.1.1.1	192.168.2.4	0xf44a	Name error (3)	screwamusresz.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:57.847930908 CET	1.1.1.1	192.168.2.4	0xb714	Name error (3)	appliacnesot.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:58.068125010 CET	1.1.1.1	192.168.2.4	0x323b	Name error (3)	cashfuzysao.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:58.288876057 CET	1.1.1.1	192.168.2.4	0x4a0e	Name error (3)	hummskitnj.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:09:58.430284977 CET	1.1.1.1	192.168.2.4	0x41a8	No error (0)	steamcommunity.com		104.121.10.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.121.10.34	443	7552	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:10:00 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-27 22:10:00 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 27 Dec 2024 22:10:00 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=8c34e95747c8d54639031398; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-27 22:10:00 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-27 22:10:01 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	17:09:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer.exe"
Imagebase:	0x680000
File size:	577'064 bytes
MD5 hash:	0CEBF27D0066D6EA5653547254E236E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:09:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:09:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer.exe"
Imagebase:	0x680000
File size:	577'064 bytes
MD5 hash:	0CEBF27D0066D6EA5653547254E236E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	16

Executed Functions

Function 006BA19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,006BA110,006BA100), ref: 006BA334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 006BA347
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 006BA365
ReadProcessMemory.KERNELBASE(00000098,?,006BA154,00000004,00000000), ref: 006BA389
VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 006BA3B4
WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 006BA40C
WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 006BA457
WriteProcessMemory.KERNELBASE(00000098,?,?,00000004,00000000), ref: 006BA495
Wow64SetThreadContext.KERNEL32(0000009C,02B30000), ref: 006BA4D1
ResumeThread.KERNELBASE(0000009C), ref: 006BA4E0

Strings

aryA, xrefs: 006BA1E2
CreateProcessW, xrefs: 006BA250
ReadProcessMemory, xrefs: 006BA289
VirtualAlloc, xrefs: 006BA263
TerminateProcess, xrefs: 006BA3C3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 006BA333
VirtualAllocEx, xrefs: 006BA29C
ResumeThread, xrefs: 006BA2D8
SetThreadContext, xrefs: 006BA2C2
GetThreadContext, xrefs: 006BA276
ress, xrefs: 006BA226
Load, xrefs: 006BA1DA
WriteProcessMemory, xrefs: 006BA2AF
GetP, xrefs: 006BA21E

Memory Dump Source

Source File: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 272f8378ed748f0690bdd7b07863ef9d4aafd60f48ad02028ecb9260dfe38f36
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 43B1F77664064AAFDB60CFA8CC80BDA73A5FF88714F158125EA0CAB341D774FA51CB94

Function 00681FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00681240: _strlen.LIBCMT ref: 006812BA

CreateFileA.KERNELBASE ref: 00682036
GetFileSize.KERNEL32(00000000,00000000), ref: 00682046
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0068206B
CloseHandle.KERNELBASE(00000000), ref: 0068207A
_strlen.LIBCMT ref: 006820CD
CloseHandle.KERNEL32(00000000), ref: 006821FD

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: 88564227ad06227e4b391912e26ecca4f46ca557a36f4ebfb7db89525be7274d
Instruction ID: 3b4ba0da322380e88c802fcc832952c0d5818572c50e72d252ae4eede823c2e1
Opcode Fuzzy Hash: 88564227ad06227e4b391912e26ecca4f46ca557a36f4ebfb7db89525be7274d
Instruction Fuzzy Hash: C671E5B2C002059BDB10EFA4DC547AEBBB6FF48310F240729E914B7391E7359A45CBA1

Function 00681000 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

pj, xrefs: 0068101E

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID: pj
API String ID: 0-2212669218
Opcode ID: f17dec3cc8d7d35ecf96663eb9ca660cfab46e306e620cbb87ff61a199d442c1
Instruction ID: 55dde0ddb0452b4cb715629c2a27e66aa871023d43c5cf42cfd82254c1e2ff7d
Opcode Fuzzy Hash: f17dec3cc8d7d35ecf96663eb9ca660cfab46e306e620cbb87ff61a199d442c1
Instruction Fuzzy Hash: 4C212832A101650B879CAF386D62077FB4FDB876A0715573AED129F3D1E920DE5183E8

Function 006824B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 006824DD
ShowWindow.USER32(00000000,00000000), ref: 006824E6
GetCurrentThreadId.KERNEL32 ref: 00682524

Part of subcall function 0068F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0068253A,?,?,00000000), ref: 0068F129
Part of subcall function 0068F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,0068253A,?,?,00000000), ref: 0068F142
Part of subcall function 0068F11D: CloseHandle.KERNEL32(?,?,?,0068253A,?,?,00000000), ref: 0068F154

std::_Throw_Cpp_error.LIBCPMT ref: 00682567
std::_Throw_Cpp_error.LIBCPMT ref: 00682578
std::_Throw_Cpp_error.LIBCPMT ref: 00682589
std::_Throw_Cpp_error.LIBCPMT ref: 0068259A

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: b059bad98f99345378a9c57ea2bfc4e16475521aa6208871a4a8970e71dfc428
Instruction ID: 348d9edeff62fd1a8c45b85e4033a9eb80fb209426dc99aee138c89bcfee9fe3
Opcode Fuzzy Hash: b059bad98f99345378a9c57ea2bfc4e16475521aa6208871a4a8970e71dfc428
Instruction Fuzzy Hash: E22176F2D402159BDF50BFE4DC06BDE7BB5AF04710F080269F90476281E7B6A554C7A6

Function 0069CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,779D02F1,?,0069D01A,?,?,00000000), ref: 0069CFCC

Strings

ext-ms-, xrefs: 0069CF76
api-ms-, xrefs: 0069CF62

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: d275dafce217a2e4ca52090e08ed6433dabe253597d83a82cc97febfb33a4088
Instruction ID: 4749bac5fb547de3f0cac267f3e634ad6a605379ecc87c4a42922e632887d4b0
Opcode Fuzzy Hash: d275dafce217a2e4ca52090e08ed6433dabe253597d83a82cc97febfb33a4088
Instruction Fuzzy Hash: 65210671B41311ABDF219B69DC40AAA7B6FDF817B0F250211F909A7790E730EE40CAD0

Function 00681750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00681783

Strings

ios_base::failbit set, xrefs: 00681BEF
ios_base::badbit set, xrefs: 00681BFA, 00681C20
ios_base::eofbit set, xrefs: 00681BEA

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: a959a010956462db0a0a7a10acb9d3028c15297ae420c78081eff7c130c495ec
Instruction ID: 4cef089ed46c4e4887fecfcd01f3eedc3987babfd7d8a6aa6aeafa8c97f91156
Opcode Fuzzy Hash: a959a010956462db0a0a7a10acb9d3028c15297ae420c78081eff7c130c495ec
Instruction Fuzzy Hash: 3AF16E75A002188FCB14DF68C494BADBBF6FF89324F194269E815AB391D734AD46CB90

Function 00695349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00695392
GetLastError.KERNEL32(?,?,?,00682513,00000000,00000000), ref: 0069539E
__dosmaperr.LIBCMT ref: 006953A5

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 15b9c5df8644b2f06b145d2b602acccb0624f93d46dd0421df34beec391f17e3
Instruction ID: 34cf9e81dc919229ac42a8fc07a9851617df79ef0ec3bfd401bd4baae6c83e95
Opcode Fuzzy Hash: 15b9c5df8644b2f06b145d2b602acccb0624f93d46dd0421df34beec391f17e3
Instruction Fuzzy Hash: 8201B172511619EFCF169FA0DC06AEE3BAEFF003A1F004058F80296650EBB0DE50DB50

Function 006954EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0069C2BB: GetLastError.KERNEL32(00000000,?,006976E9,0069D306,?,?,0069C1B7,00000001,00000364,?,00000006,000000FF,?,00695495,006B8E38,0000000C), ref: 0069C2BF
Part of subcall function 0069C2BB: SetLastError.KERNEL32(00000000), ref: 0069C361

CloseHandle.KERNEL32(?,?,?,006953D9,?,?,006954CE,00000000), ref: 0069551F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,006953D9,?,?,006954CE,00000000), ref: 00695535
ExitThread.KERNEL32 ref: 0069553E

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 8ce8f0c45d2d9ea50a98f3cf4faf126d77eff99069c14599fd6f85c2267d1df0
Instruction ID: 6c04e23cc49319fb75b4191ba828a795dbd9089230380a4c110cf65f863a3ddb
Opcode Fuzzy Hash: 8ce8f0c45d2d9ea50a98f3cf4faf126d77eff99069c14599fd6f85c2267d1df0
Instruction Fuzzy Hash: EFF0FEB1500A01ABCF265B75D848A9A3A9FAF01370B1A4714F86BC7AE2DB34DD528750

Function 0069565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00695721,00698396,00698396,?,00000002,779D02F1,00698396,00000002), ref: 00695670
TerminateProcess.KERNEL32(00000000,?,00695721,00698396,00698396,?,00000002,779D02F1,00698396,00000002), ref: 00695677
ExitProcess.KERNEL32 ref: 00695689

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 37cf91eb8bfe115b0fac9a593b6c273266e129897cc77d3da11a952580c85941
Instruction ID: 4b763c0a78ac2367576becebfdb1ded93fb05ab36533a4dd2ed9af18f501b1d0
Opcode Fuzzy Hash: 37cf91eb8bfe115b0fac9a593b6c273266e129897cc77d3da11a952580c85941
Instruction Fuzzy Hash: 49D09272000608BBCF422F61EC4D8993F2FEF40381B485114B94A4A572DF3A9992DB88

Function 006A3BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006A3F9E: GetConsoleOutputCP.KERNEL32(779D02F1,00000000,00000000,?), ref: 006A4001

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00698584,?), ref: 006A3D79
GetLastError.KERNEL32(?,?,00698584,?,006987C8,00000000,?,00000000,006987C8,?,?,?,006B8FE8,0000002C,006986B4,?), ref: 006A3D83

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: deb184c3a4d4e3f97fb41b95e547c33e7fd361d205c3fce13afad87b9ff5c1cd
Instruction ID: fc2ac6a222fda0320147e3d8298d655cf47b2a97fda48c28cfd17e681e2d8141
Opcode Fuzzy Hash: deb184c3a4d4e3f97fb41b95e547c33e7fd361d205c3fce13afad87b9ff5c1cd
Instruction Fuzzy Hash: EA6192B5904129AFDF11EFA8CD45AEEBBBAAF4A314F140159F801A7352D735DE018F60

Function 006A43CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,006A3D5F,00000000,006987C8,?,00000000,?,00000000), ref: 006A4469
GetLastError.KERNEL32(?,006A3D5F,00000000,006987C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00698584), ref: 006A448F

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b840a12dd2b5378697b35474d05ec84651d769c7cebaaa16e6b10cb824391342
Instruction ID: 195b3172db0b511d36aa63a2503248fa061ef72de2516896878230943da10ba4
Opcode Fuzzy Hash: b840a12dd2b5378697b35474d05ec84651d769c7cebaaa16e6b10cb824391342
Instruction Fuzzy Hash: 8521A034A002189FCB19DF19DC80AE9B7FAEB8D305F1441A9E906D7211DA709D82CF64

Function 006890F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 006891C9
std::_Throw_Cpp_error.LIBCPMT ref: 006891D7

Part of subcall function 0068EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00688E4A,0068A2F0), ref: 0068EFE7

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: 269205ac3498141c5fe0f87a74e5f10961246f99fac174e4c417571e38cf8c98
Instruction ID: 4d6bcfd7f966df0909995c980b40d96ffdfe6bc8ebc4ee1c9328b26e3219ec18
Opcode Fuzzy Hash: 269205ac3498141c5fe0f87a74e5f10961246f99fac174e4c417571e38cf8c98
Instruction Fuzzy Hash: 9721F3B0A006469BDB10AFA4C945BAEBBB6FB04320F184328E51557381D734A905CBE6

Function 0069DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,0069D941,006B9330,0000000C), ref: 0069DA9E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,0069D941,006B9330,0000000C), ref: 0069DAB0

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 40f7c030740fa40220aaa776cc91e3a319e94a3b14baa94eb21f773dcbee39e8
Instruction ID: f02b8309df34de036553ce628931aa1e7c2a7ce2a6268afd6eb81b8ae380e014
Opcode Fuzzy Hash: 40f7c030740fa40220aaa776cc91e3a319e94a3b14baa94eb21f773dcbee39e8
Instruction Fuzzy Hash: 851184715087424ACF308E3FCC886627E9FAB56370B38077AD4B687AF1C675D9A6D241

Function 00681EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00681240: _strlen.LIBCMT ref: 006812BA

FreeConsole.KERNELBASE(?,?,?,?,?,0068173F,?,?,?,00000000,?), ref: 00681F21
VirtualProtect.KERNELBASE(006BA011,00000549,00000040,?), ref: 00681F78

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: 589e48b3b2958f9d70b4da68d6e7e968dc98f4f0c96eddd04c128957141b25f7
Instruction ID: e762caca3825878e71c2d02e41a3ef1806fd02b77a8c6bb5118157dbad7aa9d0
Opcode Fuzzy Hash: 589e48b3b2958f9d70b4da68d6e7e968dc98f4f0c96eddd04c128957141b25f7
Instruction Fuzzy Hash: 0811E3B1A001186BDB40BFA49C02EFE77AAEB45714F004529FA04BB282E6755A9147D5

Function 00695470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(006B8E38,0000000C), ref: 00695483
ExitThread.KERNEL32 ref: 0069548A

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: da7eb5b8a76f38cfd66e31b28e4b232521475c19b65aa72571aab840383d27fb
Instruction ID: 05d91a2416508ac86d12e00396aaf70c974b3b0061f90d1558574acdc87e4b8b
Opcode Fuzzy Hash: da7eb5b8a76f38cfd66e31b28e4b232521475c19b65aa72571aab840383d27fb
Instruction Fuzzy Hash: 6FF0AFB1A40605AFDF51BFB0C80AA6E7B7AEF00B10F10415DF40297692DF789982CB95

Function 00682270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00682288
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0068229C

Part of subcall function 00681FB0: CreateFileA.KERNELBASE ref: 00682036
Part of subcall function 00681FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 00682046
Part of subcall function 00681FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0068206B
Part of subcall function 00681FB0: CloseHandle.KERNELBASE(00000000), ref: 0068207A
Part of subcall function 00681FB0: _strlen.LIBCMT ref: 006820CD

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: d35b58f8fcdc111f4bcc8eb7fcfad798882c17a3aefcf46eaafdad1780561ffe
Instruction ID: 838cec191bb80275a5bc4091a264a7aadcdf7e41551561c83353f4883745fd11
Opcode Fuzzy Hash: d35b58f8fcdc111f4bcc8eb7fcfad798882c17a3aefcf46eaafdad1780561ffe
Instruction Fuzzy Hash: E9F0E5F19402102BD6617724EC0BEAB7BADDF85710F000618F5894A181EA74159587D3

Function 0069BED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,006A02B4,?,00000000,?,?,0069FF54,?,00000007,?,?,006A089A,?,?), ref: 0069BEED
GetLastError.KERNEL32(?,?,006A02B4,?,00000000,?,?,0069FF54,?,00000007,?,?,006A089A,?,?), ref: 0069BEF8

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1588ffa703e457cd442c678ffc249796f687722d36faae4f95c189bb037dcbd4
Instruction ID: a6270e2e58ed8f2a21da3465e4a1e654692f402bf4b9c1c9630a02268776474f
Opcode Fuzzy Hash: 1588ffa703e457cd442c678ffc249796f687722d36faae4f95c189bb037dcbd4
Instruction Fuzzy Hash: C1E0ECB2244618ABCF112FA5FC09B993BAEEF40791F146165F6089A670DB359890CB98

Function 0068DEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428dc563c4238c455813a261feae17b7eee404f359449601037d7437743111f1
Instruction ID: 4a15d0c143f23f5bda5e7898c69dfae47c934a40cd9d83d03db2e9d31f72c8f7
Opcode Fuzzy Hash: 428dc563c4238c455813a261feae17b7eee404f359449601037d7437743111f1
Instruction Fuzzy Hash: EB41A271A0411AAFCF14EF68C8948EDB7BAFF18310B54026AE542E7780E731E955DBA0

Function 0068CB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a479f002e160805427cdd52228da7cdccd206d60187e76f1948b36317c14c8d1
Instruction ID: 27e8c3047c97e174d6a642b9225738b348a81c0fd362ac064637d1ca81914ce5
Opcode Fuzzy Hash: a479f002e160805427cdd52228da7cdccd206d60187e76f1948b36317c14c8d1
Instruction Fuzzy Hash: C331757290051AAFCB14EF78D8909EDB7BABF09330B14036AE515E3790E731E955CBA0

Function 0068B060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0068AFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,00688A2A,?,?,0068AF87,00688A2A,?,0068AF58,00688A2A,?,?,?), ref: 0068AFD0

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,779D02F1,?,?,?,Function_0002BE94,000000FF), ref: 0068B0C7

Part of subcall function 0068AEFA: std::_Throw_Cpp_error.LIBCPMT ref: 0068AF1B

Part of subcall function 0068EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00688E4A,0068A2F0), ref: 0068EFE7

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: dba7a710097d21c2939b61a5ea8752e787e988b189cee39fff48bc26c4713e2c
Instruction ID: a71967c3f44c5846aff46a03957757a0d51722b81c961d75640a4dad617bd74a
Opcode Fuzzy Hash: dba7a710097d21c2939b61a5ea8752e787e988b189cee39fff48bc26c4713e2c
Instruction Fuzzy Hash: AE1122726006109BDB217B64EC15A6E7BA7EB41B20F10572FF901977D1CF399840CB95

Function 0069CFD6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd62d48fcb78b01c1acb05a495f63d04009543abda37bea10c1ff374386ddc5e
Instruction ID: beb80e25d1186e5fbe6f185189a9376042e92ffd681caae42ffc131ca5c7de37
Opcode Fuzzy Hash: cd62d48fcb78b01c1acb05a495f63d04009543abda37bea10c1ff374386ddc5e
Instruction Fuzzy Hash: 8301F173610224AF9F168F68EC41D6633AFBBC1760B255235F904CB694EB31DC42D790

Function 0068CB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 3239d0a77e6514c7a1483f6236b41875fd4acf5a3ceb5b362da1210f4451179f
Instruction ID: 16bdec68280f6880df0052225696de21586c7a884e64c01220f815511873acdf
Opcode Fuzzy Hash: 3239d0a77e6514c7a1483f6236b41875fd4acf5a3ceb5b362da1210f4451179f
Instruction Fuzzy Hash: B90144B66486865ECB95BB78F9256A8BB12FF95334B20436FD111846C1DB335861C320

Function 00687770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 006877C6

Part of subcall function 0068AF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,006878DA,00000000), ref: 0068AF72

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: 8430ad030f0430c8e2ebe65ca8bbc94802aff1d0e8465d46341024956cb31cd5
Instruction ID: da2566b631778f46b2bd8fa6364b61a6c84eef44e0b3b7ae3292ccfcb5cf4f14
Opcode Fuzzy Hash: 8430ad030f0430c8e2ebe65ca8bbc94802aff1d0e8465d46341024956cb31cd5
Instruction Fuzzy Hash: 3C0128B1C0065A9BDB00EF94D84579EBBB5FB44720F04423AE91967340E379AA85CBD2

Function 0069BF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0069DF35,?,?,0069DF35,00000220,?,00000000,?), ref: 0069BF43

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6735fccd809a7898e94c0a2d82315fb32ac36a204abb975e3a371d765e74a62c
Instruction ID: 06bffc7f12577f78964bf0061dae5e591132c86f0264d167b4e3f8c4af11885f
Opcode Fuzzy Hash: 6735fccd809a7898e94c0a2d82315fb32ac36a204abb975e3a371d765e74a62c
Instruction Fuzzy Hash: 05E0E53120552566DF212A65BF04BAA368F9F427E0F1421A0FC1D97A90DB20DC00CAE5

Function 006898F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0068990F

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b668df0eacfe3f98a3208e838c01a256c91334995d4c1cf9ab38f1a10b8c9408
Instruction ID: 03a2a83bf650831760c8954f289d837be75d73d609bc40acb83602883b051d7c
Opcode Fuzzy Hash: b668df0eacfe3f98a3208e838c01a256c91334995d4c1cf9ab38f1a10b8c9408
Instruction Fuzzy Hash: 2FD0A7797010248F4B147F2CE81486E73A3FFC872035A066DE940D7349CB64DC4287C4

Non-executed Functions

Function 006A1287 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 006A138F
IsValidCodePage.KERNEL32(00000000), ref: 006A13CD
IsValidLocale.KERNEL32(?,00000001), ref: 006A13E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006A1428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006A1443

Strings

,Kk, xrefs: 006A133C

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: ,Kk
API String ID: 415426439-133908616
Opcode ID: 2aef0a4bc6e4f36cbcd9506140c0bf7c902c3fec707d540b49bdc1579386e194
Instruction ID: b5d9d9f13b28e89c502f88a838b540a2de91b25e6c6b3c99740a63f46dedcb28
Opcode Fuzzy Hash: 2aef0a4bc6e4f36cbcd9506140c0bf7c902c3fec707d540b49bdc1579386e194
Instruction Fuzzy Hash: 46513E71A00219ABEF10EFA5CC45ABA77BAEF0B700F144569F911EB250E7709E448F65

Function 006A7792 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006A79A9

Strings

1#SNAN, xrefs: 006A789E
1#QNAN, xrefs: 006A78A5
1#IND, xrefs: 006A7897
1#INF, xrefs: 006A78C8

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d0231799eebb1027eda399ae85c40297a3b2fb63f71ae3a60cc0dd2b685158a5
Instruction ID: 65765b4ffdf088057fee99e3a14c69da27ec78d5a456f1e5489128610447176e
Opcode Fuzzy Hash: d0231799eebb1027eda399ae85c40297a3b2fb63f71ae3a60cc0dd2b685158a5
Instruction Fuzzy Hash: 3ED22871E082298FDF65DE28DD407EAB7B6EB46305F1441EAD40DE7240EB78AE858F41

Function 006A1A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,006A13BD,00000002,00000000,?,?,?,006A13BD,?,00000000), ref: 006A1AA0
GetLocaleInfoW.KERNEL32(?,20001004,006A13BD,00000002,00000000,?,?,?,006A13BD,?,00000000), ref: 006A1AC9
GetACP.KERNEL32(?,?,006A13BD,?,00000000), ref: 006A1ADE

Strings

ACP, xrefs: 006A1A25
OCP, xrefs: 006A1A5B

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5cc4116f23f66cda306ec74209552e918f9bdb50d0fd494a033955b3d9f8837a
Instruction ID: 36bd7836d3d238f0b994b0efb3560ff5914b4577f291a80ebe18b8cce01b4dc5
Opcode Fuzzy Hash: 5cc4116f23f66cda306ec74209552e918f9bdb50d0fd494a033955b3d9f8837a
Instruction Fuzzy Hash: 8F21B662B02114ABD734AF54C900BD776ABEB57B54F568564EB0ADF300E732DE41CB50

Function 00699CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: cbbe919eb0c367bdc483d65fcf0d0a128b857ca7c283783a43555bcd83b8c4b0
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 15022971E012199BDF14CFA9C8806EEBBF6EF48314F248269E919E7740D731AA458B94

Function 0068F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0068F8F5
IsDebuggerPresent.KERNEL32 ref: 0068F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0068F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 0068F9E4

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 05860439d1e9c28e5763ea959c751f16f857fd3afb3cb58bddbf5a1e4af8aa23
Instruction ID: fd133abb9b122f69284168f456542910f36a809a10d5cd9fac98a567c28f552f
Opcode Fuzzy Hash: 05860439d1e9c28e5763ea959c751f16f857fd3afb3cb58bddbf5a1e4af8aa23
Instruction Fuzzy Hash: E2310CB5D012199BDF61EFA4DD497CDBBB8AF08300F1042AAE40CA7250E7759A85CF45

Function 006A1580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006A15D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006A161E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006A16E4

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 1563bb9f14609dda63e5d631482a1040627d321143416d7c02516359ff524c34
Instruction ID: 2aeefc9c8437b59c37a911813fc801080f29080f458da4dff7db0b349c305d3a
Opcode Fuzzy Hash: 1563bb9f14609dda63e5d631482a1040627d321143416d7c02516359ff524c34
Instruction Fuzzy Hash: B861BE719542079FDB28AF28CD82BBA77AAEF07710F14417AE905CA682E734DD81CF50

Function 00697E30 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00697F28
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00697F32
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00697F3F

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 806e7b43b841590b8fe10f7083c6dd4b7d59eb1b8f616f60842292c41b128cbf
Instruction ID: 86708475c5cf6b2101984ae30d5fcd9a9be1975fe1f330c19e12558f440dd3c8
Opcode Fuzzy Hash: 806e7b43b841590b8fe10f7083c6dd4b7d59eb1b8f616f60842292c41b128cbf
Instruction Fuzzy Hash: 5531C1B4911229ABCB61DF64DD8879DBBB9AF08310F5042EAE40CA7251E7709F858F45

Function 006900B4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 006900EC
GetSystemTimeAsFileTime.KERNEL32(?,779D02F1,00688E30,?,006ABE77,000000FF,?,0068FDB4,?,00000000,00000000,?,0068FDD8,?,00688E30,?), ref: 006900F0

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 5d3a339f9a2e32619d93da1cfdb7f897453112b9f1abd9eff8daa80e05875471
Instruction ID: eb0522d5d3cbc879cf840800ddf4a2637a698248385701dfe8ed7f0d0abedb9c
Opcode Fuzzy Hash: 5d3a339f9a2e32619d93da1cfdb7f897453112b9f1abd9eff8daa80e05875471
Instruction Fuzzy Hash: 29F06572A44654EFCB019F48DC00BAEB7AEFB09B60F01166AF91293791DB756D40DB84

Function 00693FB2 Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

(=i, xrefs: 006942D6, 00694278, 0069421A, 0069419B
0, xrefs: 00694136

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID: (=i$0
API String ID: 0-2783285761
Opcode ID: 4d6549fe846bd6749c9663af797e032c62899cb53e194197f430beba0e675b62
Instruction ID: 8f2ceae0004776067b88bf2693f1d1fbe7cbae98c01c9d037ac5d9a3a9955161
Opcode Fuzzy Hash: 4d6549fe846bd6749c9663af797e032c62899cb53e194197f430beba0e675b62
Instruction Fuzzy Hash: 8FB1AD3090060A8BCF28CF68C995EFEBBBBAF51314F14461DE65297F81DE219A43CB55

Function 006A5C5E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006A5BB9,?,?,00000008,?,?,006ABCAB,00000000), ref: 006A5E8B

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fb8161179a8defaa0d63080872037012ce791edf12fd6dec4ac3502d6d472b74
Instruction ID: 1b37951f369f218abcae2dd8d77ddf0d90fdcc53944c4c89f5d3be4959a95f9a
Opcode Fuzzy Hash: fb8161179a8defaa0d63080872037012ce791edf12fd6dec4ac3502d6d472b74
Instruction Fuzzy Hash: BBB14D31110A089FD715DF28C48ABA57BE1FF46364F298658E99ACF2A1C335ED82CF40

Function 0068F555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0068F56B

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6d2f180506327df31bbe053509067ad3f214d801e617da58c00ca66527d3718d
Instruction ID: 839ffa195ad216fe9972b773009b5ef1d4201efbda82f7e96bda9e113dbb669f
Opcode Fuzzy Hash: 6d2f180506327df31bbe053509067ad3f214d801e617da58c00ca66527d3718d
Instruction Fuzzy Hash: 44A14DF2A016158FDB18DF54E8816A9BBF6FB48364F24A72AD411EB364D3B499C0CF50

Function 006A1840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006A1894

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5e1270eadd0317bf4b259e39a269d7fd76afac9187d9916c420a00a87b572ff4
Instruction ID: 8c989f9811d76ce655ec15e3f76f42e95199c9c4fd6f115a82455e4e8cc679fd
Opcode Fuzzy Hash: 5e1270eadd0317bf4b259e39a269d7fd76afac9187d9916c420a00a87b572ff4
Instruction Fuzzy Hash: 0021C572610206ABDF18AB25CD41ABA37AEEF07721F14407EFD02CA241EB38ED40DB54

Function 006A14D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

EnumSystemLocalesW.KERNEL32(006A1580,00000001,00000000,?,-00000050,?,006A1363,00000000,-00000002,00000000,?,00000055,?), ref: 006A154A

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f7f4f1509f24be0f0e9f9d020eede408beaefe262434d5d0bc8c4226ebc7df3a
Instruction ID: 6dd1b2718ceeccafe37e102e1620cf22a72e8251c07c5d9152fb37601d222a63
Opcode Fuzzy Hash: f7f4f1509f24be0f0e9f9d020eede408beaefe262434d5d0bc8c4226ebc7df3a
Instruction Fuzzy Hash: 6911067A6007015FDB18AF39C8915BAB792FF82768F14442CE5474BB40E371AD42CB40

Function 006A1960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006A19B4

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: edd67083857cdc965973dbf7adc3fa100d363df6570ee62e679c49673cbe2a51
Instruction ID: 1be00c191f207fb6e32f3a416a4a810d549b09748da20a40d23c2574b27067ea
Opcode Fuzzy Hash: edd67083857cdc965973dbf7adc3fa100d363df6570ee62e679c49673cbe2a51
Instruction Fuzzy Hash: 8B11E072610216ABDB14AB68CD129AB77ADEF06720F10417AF502CB281EB38EE41CB54

Function 006A1B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006A179C,00000000,00000000,?), ref: 006A1B39

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 90b6c783a16e7ca4490da6c236195e97dfe6c87948ff239101c90d51f6be7a4c
Instruction ID: 97a6bf6580596964a19edc183addfbcaa57e7458f49311bb710fd6e376a20b2b
Opcode Fuzzy Hash: 90b6c783a16e7ca4490da6c236195e97dfe6c87948ff239101c90d51f6be7a4c
Instruction Fuzzy Hash: AC01D632610112ABDB286B64CC05AFA376AEB42754F154429ED46AB280FA74EE41CAA4

Function 006A17D3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

EnumSystemLocalesW.KERNEL32(006A1840,00000001,?,?,-00000050,?,006A132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 006A181D

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a0ba1aaae102d2b360030467146b4e849e57b0d3602f87754fba11157e60e7a4
Instruction ID: 608d98f75d46a32952d1ef3b0f3f1a4d130ed3d899ca9e188e9853ac1d1241e1
Opcode Fuzzy Hash: a0ba1aaae102d2b360030467146b4e849e57b0d3602f87754fba11157e60e7a4
Instruction Fuzzy Hash: E0F0F6362003045FDB246F79DC81ABA7B96EF83768F05842CF9454F690D6B59D42CA54

Function 0069D1BD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006980E1: EnterCriticalSection.KERNEL32(?,?,0069C5F8,?,006B9290,00000008,0069C4EA,?,?,?), ref: 006980F0

EnumSystemLocalesW.KERNEL32(0069D1B0,00000001,006B9310,0000000C,0069CB11,-00000050), ref: 0069D1F5

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: a2ff091c834e02019c4ed7d9d24f2ff6107ae52a9eb1c44f788ddfaecc7a531d
Instruction ID: aacea9b5e62adeb8dd0d9e3d1349b26b556f424f2357cad14b68463d1e13b957
Opcode Fuzzy Hash: a2ff091c834e02019c4ed7d9d24f2ff6107ae52a9eb1c44f788ddfaecc7a531d
Instruction Fuzzy Hash: BEF03CB6A00214DFDB10DF98E842B9977E2EB06721F00812AF5109B2E1DB754980CF54

Function 006A1915 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

EnumSystemLocalesW.KERNEL32(006A1960,00000001,?,?,?,006A1385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 006A194C

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ce0ed2218c0d1a5e339b3a4219c0e9ca44de9a5abc78c80b77d8db8f868117f0
Instruction ID: 02a3f8770b942580a7e2bc467110b55f870797b48b52fba535866ea0a84b0ffe
Opcode Fuzzy Hash: ce0ed2218c0d1a5e339b3a4219c0e9ca44de9a5abc78c80b77d8db8f868117f0
Instruction Fuzzy Hash: C5F0EC3930020557CB04AF35DC656777FA5EFC3B61F064058EA058F651C6759D42CB94

Function 0069CC15 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00696E33,?,20001004,00000000,00000002,?,?,00695D3D), ref: 0069CC49

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6c71bc67cf34c0c01aaf9a3a47e7420660aa221780de41f75129572d7f383de3
Instruction ID: c0cc668953c13ca0520ab4b7d9baca085d15c0ac6f80f3a928b8525e5b2d9eeb
Opcode Fuzzy Hash: 6c71bc67cf34c0c01aaf9a3a47e7420660aa221780de41f75129572d7f383de3
Instruction Fuzzy Hash: BDE04F3254022CBBCF122F60ED05E9E3E1BEF44760F044025FD0566621CB358961ABA4

Function 0068F8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 0068F8E2

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d5a706c8f7b7b4c61104b7fc1c9dab8f35e025c3fb406e0c3ca4b1fe904fa58e
Instruction ID: 3dcd4680b9d9a4b4b86516f6cb029c645c63a24d143be261f6426a5bacc8bdd1
Opcode Fuzzy Hash: d5a706c8f7b7b4c61104b7fc1c9dab8f35e025c3fb406e0c3ca4b1fe904fa58e
Instruction Fuzzy Hash:

Function 0069D8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0069D8E0

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 66c1b10f42be7d0ef4f5bac2b0f9a18c88e14fcac257ad040d92d483c9dde0f9
Instruction ID: bff5f04c3fb18d9d059400bf45f1faac51a0d79f3ff61915e961550ef7f96e4c
Opcode Fuzzy Hash: 66c1b10f42be7d0ef4f5bac2b0f9a18c88e14fcac257ad040d92d483c9dde0f9
Instruction Fuzzy Hash: 2EA002B46011018B57404F35991520939DAA5455D170591656445C6164EB3554945F45

Function 006BB820 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4cd8ee573cde39fab3153396043706790469eeb12fcc74cfb6b980def17824
Instruction ID: e7c70894cd5126f47286a29e20bedd981865d0c7a27bf8a7329de25ec2c43847
Opcode Fuzzy Hash: bb4cd8ee573cde39fab3153396043706790469eeb12fcc74cfb6b980def17824
Instruction Fuzzy Hash: 41417E9100EBC54FE70B877499656807FB2AF93224B0E86DBC8C4DF1E7D298495AD372

Function 006AAAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,006AAACD,?,?,?,?,?,?,?,?,?), ref: 006AAB88
__alloca_probe_16.LIBCMT ref: 006AAC43
__alloca_probe_16.LIBCMT ref: 006AACD2
__freea.LIBCMT ref: 006AAD1D
__freea.LIBCMT ref: 006AAD23
__freea.LIBCMT ref: 006AAD59
__freea.LIBCMT ref: 006AAD5F
__freea.LIBCMT ref: 006AAD6F

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 5983281072e21cab30ed3f9235e74d07734ab086b7a4e524a855a8705df3558a
Instruction ID: 408d29b051b5e79d6691e1e0749fd3e22868d30be866b69668f64b08f290451f
Opcode Fuzzy Hash: 5983281072e21cab30ed3f9235e74d07734ab086b7a4e524a855a8705df3558a
Instruction Fuzzy Hash: E171B3729002096BDF21BEE48C41BEE77ABAF4B310F19015BE845AB391E7759C41CF66

Function 0068FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 0068FE70
__alloca_probe_16.LIBCMT ref: 0068FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 0068FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0068FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0068FF37
__alloca_probe_16.LIBCMT ref: 0068FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0068FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0068FFB9

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 579a716a666eab1a0691e07a3c6b573703afe01541ec180bcc71257b62689e83
Instruction ID: b9492f5af3166ac1092e1cc4079300180a1bb45d9e58e8901ebfbdba6e81df83
Opcode Fuzzy Hash: 579a716a666eab1a0691e07a3c6b573703afe01541ec180bcc71257b62689e83
Instruction Fuzzy Hash: 6C51AF7260021AAFEF206F60CC45FEB7BBAEF45750F144639FA10DA290DB748C508B60

Function 0069EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0069EEFC

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: a517f2a426a733c665d203a7fd68d4d9aa38e5f838c3e6618760ce21e92bd0cd
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 41B14472A00255AFDF15CF24CC81BEEBBAEEF15310F19416AE844EB782D6759D41CBA0

Function 00690D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00690D77
___except_validate_context_record.LIBVCRUNTIME ref: 00690D7F
_ValidateLocalCookies.LIBCMT ref: 00690E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00690E33
_ValidateLocalCookies.LIBCMT ref: 00690E88

Strings

csm, xrefs: 00690E1D

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 51a428428a976529f66a59a337b38d720e471fcf3793c10c808edce68c291328
Instruction ID: b8ca1bbdd5bb781dd72af33af11dff3ed4b17ba5cd93dbffed167ec8836df5f4
Opcode Fuzzy Hash: 51a428428a976529f66a59a337b38d720e471fcf3793c10c808edce68c291328
Instruction Fuzzy Hash: 53410434A002189FDF10EF68CC84ADEBBBBAF45320F148559E8189B752DB31AE45CB94

Function 00683C70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00683CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00683CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00683CE0
__Getctype.LIBCPMT ref: 00683D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00683DD8

Strings

e.k, xrefs: 00683D67

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID: e.k
API String ID: 3087743877-1614438693
Opcode ID: cb5074b6f8534ba13c3d0038797a26097bae84a97c85ae34528a76142f6fc019
Instruction ID: c8bb62b27a094860075c462633c4ad4fe97ad7d1b75909bee5d766a7fb3c9e71
Opcode Fuzzy Hash: cb5074b6f8534ba13c3d0038797a26097bae84a97c85ae34528a76142f6fc019
Instruction Fuzzy Hash: C7415CB1D002258FDB14EF94D845BAEB7B2FF84B20F148229D8556B391EB35AE41CF91

Function 00690080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00690086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00690094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006900A5

Strings

kernel32.dll, xrefs: 00690081
GetTempPath2W, xrefs: 0069009A
GetSystemTimePreciseAsFileTime, xrefs: 0069008E

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 7557b04b6e8bcd6876c1e5841ad720cc05a555b30ed85c18a750777a9c88a888
Instruction ID: 4e40c9e555a1fe216bd4f82eb3c24365ad7cc27ccdb00075e5e84edcdcb14ca9
Opcode Fuzzy Hash: 7557b04b6e8bcd6876c1e5841ad720cc05a555b30ed85c18a750777a9c88a888
Instruction Fuzzy Hash: 64D09EF1A51220AB93106F74BD0A8E93EABFA097113025292F441D2351EF7456C08794

Function 006A4F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33a08d2ecbb660b7e295a8820534ada4eed37d6940c462a638978efd178757a
Instruction ID: a42f8a8660a1ab8a00b21fc69917cac617557c2097d842fdbf6643441a39cb90
Opcode Fuzzy Hash: a33a08d2ecbb660b7e295a8820534ada4eed37d6940c462a638978efd178757a
Instruction Fuzzy Hash: 28B1E2B0A04A49AFDF11EFA8D840BBEBBB7AF46304F144159E5029B392D7719D41CFA4

Function 00689B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00689C97
std::_Throw_Cpp_error.LIBCPMT ref: 00689CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00689CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00689CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00689CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00689D06

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 1e5e82aecafe0c3c3b17317bdab2654985b0d83c30a374e468959692946bb1a1
Instruction ID: 9d4b8bdacc6dd01b95fbb7498d044e4272bf8d9a5086c7bd2578c928122e4fe1
Opcode Fuzzy Hash: 1e5e82aecafe0c3c3b17317bdab2654985b0d83c30a374e468959692946bb1a1
Instruction Fuzzy Hash: A641B1B1900740CBDB30BB6489067ABBBF6AF45324F1C072DE56A262D1D7766904CB66

Function 0069ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0069ACDE,00690760,0068B77F,779D02F1,?,?,?,?,006ABFCA,000000FF), ref: 0069ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0069AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0069AD1C
SetLastError.KERNEL32(00000000,?,0069ACDE,00690760,0068B77F,779D02F1,?,?,?,?,006ABFCA,000000FF), ref: 0069AD6E

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9c95e1c1d7810f74d426c54e6dba958b6f7b12401fad837f43097081c3a9a1fe
Instruction ID: b250b099bcd87c4241c23d51b9e9bd098d3ccdef978c6049976ab8eceef1416b
Opcode Fuzzy Hash: 9c95e1c1d7810f74d426c54e6dba958b6f7b12401fad837f43097081c3a9a1fe
Instruction Fuzzy Hash: 1A01F5B22096159EFB643BB5AC4986A3ACFEF02B71720132EF61045AF1EF914C465195

Function 0069B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0069B68D
CallUnexpected.LIBVCRUNTIME ref: 0069B906

Strings

csm, xrefs: 0069B618
csm, xrefs: 0069B6C4
csm, xrefs: 0069B5AB

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: f277ef0aa1d4ea063ff3db84a4922d3f1a9684c94283298777ce507db2e381eb
Instruction ID: 8f2bdd56160255d05367f3a52762d1f64a30c643ad996c83ee192fd3b3a8c682
Opcode Fuzzy Hash: f277ef0aa1d4ea063ff3db84a4922d3f1a9684c94283298777ce507db2e381eb
Instruction Fuzzy Hash: F3B15871800209EFCF14DFA4EA819AEBBBEFF08310F14555AE8116BA12D731EA51DF95

Function 0068BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 0068BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 0068C028

Strings

MOC, xrefs: 0068BE9F
csm, xrefs: 0068BEB7
RCC, xrefs: 0068BEAB

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: a6050fde3006244026635b9985f61b9ec048816d008487989f46aba74fd6ed41
Instruction ID: d255bba718ef958684c6fa4ec647f45a99dacd2bdf2cb00316fbdc4d968f5292
Opcode Fuzzy Hash: a6050fde3006244026635b9985f61b9ec048816d008487989f46aba74fd6ed41
Instruction Fuzzy Hash: 8841BF74900209DFCF28EF68D9459AEBBB6BF48300B58929DE445A7742CB74AA04CF65

Function 006955C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,779D02F1,?,?,00000000,006ABE94,000000FF,?,00695685,00000002,?,00695721,00698396), ref: 006955F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0069560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,006ABE94,000000FF,?,00695685,00000002,?,00695721,00698396), ref: 0069562D

Strings

CorExitProcess, xrefs: 00695603
mscoree.dll, xrefs: 006955F2

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ef9553a1bf3202f346edf175def32f2316b01c44172fd710d811b3ab2ffe21d8
Instruction ID: 893d9e24c88b9651c42a4ed997038b147426f3619d819333bee7f121c628b929
Opcode Fuzzy Hash: ef9553a1bf3202f346edf175def32f2316b01c44172fd710d811b3ab2ffe21d8
Instruction Fuzzy Hash: 91018B71A50615AFDF119F54DC05BEEBBBEFB04B15F010625F811E26A0DB789D40CB94

Function 0069D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0069D76F
__alloca_probe_16.LIBCMT ref: 0069D838
__freea.LIBCMT ref: 0069D89F

Part of subcall function 0069BF11: RtlAllocateHeap.NTDLL(00000000,0069DF35,?,?,0069DF35,00000220,?,00000000,?), ref: 0069BF43

__freea.LIBCMT ref: 0069D8B2
__freea.LIBCMT ref: 0069D8BF

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: e80d744e813e5e5f755a79d54122b1ac450856e6ac1385378a1f386a2f41ae61
Instruction ID: cd6817b57e6385430ba091bdcb1ae17a2ad9c19310d416e588b7711475889a44
Opcode Fuzzy Hash: e80d744e813e5e5f755a79d54122b1ac450856e6ac1385378a1f386a2f41ae61
Instruction Fuzzy Hash: AC51BF72600206AFEF215FA08D85EFB7AAFEF44750B15013DFD04DAA92EB74CC1196A4

Function 0068EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0068F005
AcquireSRWLockExclusive.KERNEL32(00688E38), ref: 0068F024
AcquireSRWLockExclusive.KERNEL32(00688E38,0068A2F0,?), ref: 0068F052
TryAcquireSRWLockExclusive.KERNEL32(00688E38,0068A2F0,?), ref: 0068F0AD
TryAcquireSRWLockExclusive.KERNEL32(00688E38,0068A2F0,?), ref: 0068F0C4

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e91211cc64f288a2a573489483894ae927580a061d58b01ba5f45979be472cbd
Instruction ID: c90ec96501293f0e258801fbe056c30327470f2b66a32be18d3b95a18ade9ae5
Opcode Fuzzy Hash: e91211cc64f288a2a573489483894ae927580a061d58b01ba5f45979be472cbd
Instruction Fuzzy Hash: EF417C7160060ADFCB20EF65C8A49AAB3F6FF44311B204B3AE496D7642D770F995CB61

Function 0068D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0068D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 0068D4D3
int.LIBCPMT ref: 0068D4EA

Part of subcall function 0068C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0068C1F6
Part of subcall function 0068C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0068C210

codecvt.LIBCPMT ref: 0068D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 0068D544

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 3d178fb356a5fa048f5f8c612e5b264d4de47e6e477a590bdc0c353bbd4ebc0b
Instruction ID: b96a5a59ba7ba163057bcf8e0942007dca43f708c51e9937047d273ef00549ac
Opcode Fuzzy Hash: 3d178fb356a5fa048f5f8c612e5b264d4de47e6e477a590bdc0c353bbd4ebc0b
Instruction Fuzzy Hash: 8F01C0719001158BCB05FBA8C845AAE7B73AF84724F14030EF811AB3D2CF749E40CBA6

Function 0068ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0068ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 0068ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 0068AE57

Part of subcall function 0068ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0068ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 0068AE04
_Yarn.LIBCPMT ref: 0068AE1A

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 2e4ea5b016fe7f95b2ce9d3a24107a39da95dce96af48b24e0b570c08f33ffaf
Instruction ID: 321c54229529fbc3224606776cfdbaad3af27fb87f7ae40927da0213732e3aa1
Opcode Fuzzy Hash: 2e4ea5b016fe7f95b2ce9d3a24107a39da95dce96af48b24e0b570c08f33ffaf
Instruction Fuzzy Hash: 0201B1B56002219BDB05FF60D85557D3B63FF88760B04121EE80157381CF386E82CB8A

Function 006A0976 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(?,?,00695495,006B8E38,0000000C), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000), ref: 0069C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00695BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 006A0A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00695BD5,?,?,?,00000055,?,-00000050,?,?), ref: 006A0A6C

Strings

utf8, xrefs: 006A0B3E
,Kk, xrefs: 006A09E9

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: ,Kk$utf8
API String ID: 943130320-3476626227
Opcode ID: 160214b27b65915ba7ad2cf357576c724865133f31ad99b53a24e380c35b1b71
Instruction ID: 124996c98489b698f32b1f730dc71cd8ecdbfa7468f947af41766248d2c37bba
Opcode Fuzzy Hash: 160214b27b65915ba7ad2cf357576c724865133f31ad99b53a24e380c35b1b71
Instruction Fuzzy Hash: 2A51B671600705AAFB25BB35CD82FE672ABEF0B704F140429F64597282E671ED808F75

Function 006873E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00687526
___std_exception_copy.LIBVCRUNTIME ref: 00687561

Part of subcall function 0068AF37: CreateThreadpoolWork.KERNEL32(0068B060,00688A2A,00000000), ref: 0068AF46
Part of subcall function 0068AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 0068AF53

Strings

Fail to schedule the chore!, xrefs: 00687560
G.k, xrefs: 00687551

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!$G.k
API String ID: 3683891980-46482813
Opcode ID: 609638cc1b4374d818b459360593f3a399a9e92746d4e86814f039d599454802
Instruction ID: 77b8fe53e463edac1b6497c39ff1ddffed357821e2b2ff618a016c0e0487ac10
Opcode Fuzzy Hash: 609638cc1b4374d818b459360593f3a399a9e92746d4e86814f039d599454802
Instruction Fuzzy Hash: A9519DB09012099FDF00EF94D844BEEBBB6FF08324F144229E8156B391E775AA45CF91

Function 00683E90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00683EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00684002

Part of subcall function 0068ABC5: _Yarn.LIBCPMT ref: 0068ABE5
Part of subcall function 0068ABC5: _Yarn.LIBCPMT ref: 0068AC09

Strings

|=he.k, xrefs: 00683E9B, 00683F1F
bad locale name, xrefs: 00683F46

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name$|=he.k
API String ID: 2070049627-16793672
Opcode ID: 8d470620e4d320e9bc940b188cc6e0528c355ae221f40e513a84698481732ced
Instruction ID: 06ffdb7653d89f8e0b6382fe79e62e33e3392ffa367647090a181f93ad30a390
Opcode Fuzzy Hash: 8d470620e4d320e9bc940b188cc6e0528c355ae221f40e513a84698481732ced
Instruction Fuzzy Hash: B2417EF0A007559BEB10EF69C805B57BAF9BF04714F04422DE40997B80E77AE518CBE5

Function 0068B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 0068B809

Strings

MOC, xrefs: 0068B789
csm, xrefs: 0068B7A1
RCC, xrefs: 0068B795

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: b48fba0421a574752c9ca8fcc82772a960f46d966d536019475a62370d415065
Instruction ID: a53bafe7f90543395467c8bb048b88bae8d2e248406e6474175c27bfef79a9a9
Opcode Fuzzy Hash: b48fba0421a574752c9ca8fcc82772a960f46d966d536019475a62370d415065
Instruction Fuzzy Hash: 2F21F275800705DFCF28BF94D855AA9B7AEEF44720F18671EE4118BB90DB34AA41CB80

Function 0068F11D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0068253A,?,?,00000000), ref: 0068F129
GetExitCodeThread.KERNEL32(?,00000000,?,?,0068253A,?,?,00000000), ref: 0068F142
CloseHandle.KERNEL32(?,?,?,0068253A,?,?,00000000), ref: 0068F154

Strings

:%h, xrefs: 0068F134

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: :%h
API String ID: 2551024706-2099740889
Opcode ID: a71c8f3fc668cab8eaaca4a9c03955a97e97a77c0603fbf147af09de836b119e
Instruction ID: 04839873da09fb3c2df341c1de517da61c4fbf7add39f44a0512808b09658d76
Opcode Fuzzy Hash: a71c8f3fc668cab8eaaca4a9c03955a97e97a77c0603fbf147af09de836b119e
Instruction Fuzzy Hash: 77F08271644114EFDF109F24DC09A9A3B66EF01770F240320F962EA2E0E734DE418780

Function 0068ABC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 0068ABE5
_Yarn.LIBCPMT ref: 0068AC09

Strings

|=he.k, xrefs: 0068ABC8
e.k, xrefs: 0068ABD9

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Yarn
String ID: e.k$|=he.k
API String ID: 1767336200-1824295239
Opcode ID: d4d72012ef84ef28d0ae3580cc70d5f105b7c53834d4c8a114f7b4e45461b3fc
Instruction ID: c03f3193ad58e415d0c81014faa00c1ef0bc1b4a689aad58552ee2ff7187d1b9
Opcode Fuzzy Hash: d4d72012ef84ef28d0ae3580cc70d5f105b7c53834d4c8a114f7b4e45461b3fc
Instruction Fuzzy Hash: 64E030323082006BFB487AA5AC52BA677DECB04760F10052EFD0A8B5C1ED10AC404669

Function 006A6940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006A69DC,00000000,?,006BD2B0,?,?,?,006A6913,00000004,InitializeCriticalSectionEx,006B0D34,006B0D3C), ref: 006A694D
GetLastError.KERNEL32(?,006A69DC,00000000,?,006BD2B0,?,?,?,006A6913,00000004,InitializeCriticalSectionEx,006B0D34,006B0D3C,00000000,?,0069BBBC), ref: 006A6957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006A697F

Strings

api-ms-, xrefs: 006A6964

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fcd425d64250035cc939e1a86b6702a787bc4a9577496e223476e4000e84c7c4
Instruction ID: e87478f77716c67da214a560fd2044c156118c1ce40aad6a97f8e1a985f02429
Opcode Fuzzy Hash: fcd425d64250035cc939e1a86b6702a787bc4a9577496e223476e4000e84c7c4
Instruction Fuzzy Hash: 5DE01AB0780209BAEF212B65EC06BAD3A57AF41B95F180520F94CA85E1DBB5EC909E44

Function 006A3F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(779D02F1,00000000,00000000,?), ref: 006A4001

Part of subcall function 0069C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0069D895,?,00000000,-00000008), ref: 0069C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006A4253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006A4299
GetLastError.KERNEL32 ref: 006A433C

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 42251e8c1cc85592199778781441d23d15d8f930156a01f8b95aeab0660d7925
Instruction ID: 98720b08ca6f45e99159b726bfe4c3648a409e30e4cb0862363582c60da2ad52
Opcode Fuzzy Hash: 42251e8c1cc85592199778781441d23d15d8f930156a01f8b95aeab0660d7925
Instruction Fuzzy Hash: C1D159B5D002589FCF14DFA9C880AEDBBB6EF49314F24416AE516EB351DA70AD41CF50

Function 0069B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0069B35C
___AdjustPointer.LIBCMT ref: 0069B37F
___AdjustPointer.LIBCMT ref: 0069B41B

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5564bec677bbe38542a3b4d66f8d5c1b3599fc4013b9cb67d384cfbc3aa6c40b
Instruction ID: 2f261c7b72bf5ef8b31c1a0cc7e6c1daab688e86324748494c29dbe75385cc0a
Opcode Fuzzy Hash: 5564bec677bbe38542a3b4d66f8d5c1b3599fc4013b9cb67d384cfbc3aa6c40b
Instruction Fuzzy Hash: AD51D271A04612AFEF29DF54EA91BBA73AAEF00710F14512DED0647A91D731ED81CB90

Function 00687220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006872C5
std::_Throw_Cpp_error.LIBCPMT ref: 00687395
std::_Throw_Cpp_error.LIBCPMT ref: 006873A3
std::_Throw_Cpp_error.LIBCPMT ref: 006873B1

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 6ec4cf4c567456c875c67ebe15083b3b6dfffac9e60faedf29222013d11e1579
Instruction ID: 16816499fc1a60850bdac0ac79829974ecb21186fa6288ffcad4455d28fc287e
Opcode Fuzzy Hash: 6ec4cf4c567456c875c67ebe15083b3b6dfffac9e60faedf29222013d11e1579
Instruction Fuzzy Hash: 2B41E4B1A00705CBDB20FB64C8417AAB7A6FF44320F28473DE81657791EB35E811CB92

Function 00684460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00684495
std::_Lockit::_Lockit.LIBCPMT ref: 006844B2
std::_Lockit::~_Lockit.LIBCPMT ref: 006844D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00684580

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: a69152343dc298f4f573bb43cbec33c43de825c8a4ecde94d600b79b62d7102e
Instruction ID: c65d552f5b6df4c4965a9e84872dd96d2dae74d71d7aeb09a0cf24cda026ee94
Opcode Fuzzy Hash: a69152343dc298f4f573bb43cbec33c43de825c8a4ecde94d600b79b62d7102e
Instruction Fuzzy Hash: 164118B1D002198FCB14EF94D844BADBBB2FB48724F14432AE81567391DB74AA84CF91

Function 006A1DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0069C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0069D895,?,00000000,-00000008), ref: 0069C082

GetLastError.KERNEL32 ref: 006A1E2A
__dosmaperr.LIBCMT ref: 006A1E31
GetLastError.KERNEL32 ref: 006A1E6B
__dosmaperr.LIBCMT ref: 006A1E72

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f4dde71b37705112df4bc54e9521889fc83f3c5432d0a36ba9c7da9f98f16542
Instruction ID: 7b9e40f85e822c387f813fc38be561abf8099514f76f81929d3ce24ce7e7e7c6
Opcode Fuzzy Hash: f4dde71b37705112df4bc54e9521889fc83f3c5432d0a36ba9c7da9f98f16542
Instruction Fuzzy Hash: D7219D72604215AF9B20BFA588819ABB7AFFF03364B10851DFC199B651D731EC418BA0

Function 00692BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11d4e6cd7d5e80a3596e9576a83129844dad5cc6dee895265ae829d3c76cfb5
Instruction ID: 88627a5d1f6e2680ea14a206f80beb107942a6607dbeca4e7b065db771f1f5db
Opcode Fuzzy Hash: e11d4e6cd7d5e80a3596e9576a83129844dad5cc6dee895265ae829d3c76cfb5
Instruction Fuzzy Hash: C9218B7220420BBF9FA0AF658CA19AA77AFFF40364B104519F85997A51EB31EC5187A0

Function 006A31BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006A31C6

Part of subcall function 0069C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0069D895,?,00000000,-00000008), ref: 0069C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006A31FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006A321E

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: d6693ab81ab8bfcb6058a4c77c00d1e19dd2e5f63fa6123c21aaf20f75e9c14e
Instruction ID: 2bbac7a3adb8a0600897b38164167ddaac4f4fa4ebe04c6a278b7ee7e0b02cd4
Opcode Fuzzy Hash: d6693ab81ab8bfcb6058a4c77c00d1e19dd2e5f63fa6123c21aaf20f75e9c14e
Instruction Fuzzy Hash: 3D11C0F25011297EAB2137B5AD8ADBF6E5EDEC63947100129FA0191201FF68DF418AB9

Function 0068E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0068E899
std::_Lockit::_Lockit.LIBCPMT ref: 0068E8A3
int.LIBCPMT ref: 0068E8BA

Part of subcall function 0068C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0068C1F6
Part of subcall function 0068C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0068C210

std::_Lockit::~_Lockit.LIBCPMT ref: 0068E914

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 9f7c74277dececdd53b74c43a91184890337ea7dba3b48ed791236f7e0cbaa91
Instruction ID: 7129b04f6de3bfa383471251f58021d647761c7193d0b9b2b8dc3f5646f75154
Opcode Fuzzy Hash: 9f7c74277dececdd53b74c43a91184890337ea7dba3b48ed791236f7e0cbaa91
Instruction Fuzzy Hash: EF11CB759001199BCF45FBA4C945AADBB63AF84720F24032EF811AB282DFB59E40CB95

Function 006AADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000), ref: 006AADB7
GetLastError.KERNEL32(?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000,?,?,?,006A3CD6,00000000), ref: 006AADC3

Part of subcall function 006AAE20: CloseHandle.KERNEL32(FFFFFFFE,006AADD3,?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000,?,?), ref: 006AAE30

___initconout.LIBCMT ref: 006AADD3

Part of subcall function 006AADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006AAD91,006AA2DC,?,?,006A4390,?,00000000,00000000,?), ref: 006AAE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000,?), ref: 006AADE8

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 438fc015b7c7b8a14ddeb1fb181d49f8cf9da16ed6c40f1ea6d69b3e45751be4
Instruction ID: 63848fcf46b41b83aa06ffbaadd6d587723887e28e5957eb264db37a4c8617ce
Opcode Fuzzy Hash: 438fc015b7c7b8a14ddeb1fb181d49f8cf9da16ed6c40f1ea6d69b3e45751be4
Instruction Fuzzy Hash: 92F0F836500119BBCFA22FD5DC0899A3E27FF097A1B004116FA0886130DB328DA0EB95

Function 006904F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00690507
GetCurrentThreadId.KERNEL32 ref: 00690516
GetCurrentProcessId.KERNEL32 ref: 0069051F
QueryPerformanceCounter.KERNEL32(?), ref: 0069052C

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 04aed90e344db90d6ce28913c236bfe7d0cf3c5a8e4692429a1e64a16cf915a5
Instruction ID: 41c111f34bd3c85b248df350fec01da2bb5853a232a5eade05da7b96b41a095d
Opcode Fuzzy Hash: 04aed90e344db90d6ce28913c236bfe7d0cf3c5a8e4692429a1e64a16cf915a5
Instruction Fuzzy Hash: EAF062B5D1020DEBCB00DFB4DA4999EBBF5FF1C200B915A95E412E7110EB34AB849B50

Function 0069B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0069B893,?,?,00000000,00000000,00000000,?), ref: 0069B9B7

Strings

MOC, xrefs: 0069B9C9
RCC, xrefs: 0069B9D1

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 259bd43e2dc0449d24dbf3d8e2c7b41749140afac7ada91f11b6506e66b5aa59
Instruction ID: 50a9343364eb25a4da60ac6fc0f7ee29a58fb0cccf97499fadd6164a00a174da
Opcode Fuzzy Hash: 259bd43e2dc0449d24dbf3d8e2c7b41749140afac7ada91f11b6506e66b5aa59
Instruction Fuzzy Hash: 7A418732900209AFCF15DF98DE81AEEBBBAFF48310F189199FA14A7611D3359950DB90

Function 0069B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0069B475

Strings

csm, xrefs: 0069B497
csm, xrefs: 0069B508

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d3efb7babfb71ea4cfbbd36545cb0be480d2582b73e2f9055a94790afca2787a
Instruction ID: fef3d03be9db50e4387c985fee6b57531054053ff89a8c2588acf5355d3fa079
Opcode Fuzzy Hash: d3efb7babfb71ea4cfbbd36545cb0be480d2582b73e2f9055a94790afca2787a
Instruction Fuzzy Hash: 2231FB71400219EBCF269F50EE448FE7BAFFF08715B19565AF8444A622C336DD61EB81

Function 0068B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0068B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 0068B8DE

Part of subcall function 0069060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0068F354,02CA4018,?,?,?,0068F354,00683D4A,006B759C,00683D4A), ref: 0069066D

Part of subcall function 00698353: IsProcessorFeaturePresent.KERNEL32(00000017,0069C224), ref: 0069836F

Strings

csm, xrefs: 0068B86D

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 1b26455879f525d35bf7fae03e6b2d6b92363ae163510cb3e5173c9da12eaa54
Instruction ID: 1cf114474667a9606720464f53d54703578ff2c0a8c7bc5200ecd74e7996c5e2
Opcode Fuzzy Hash: 1b26455879f525d35bf7fae03e6b2d6b92363ae163510cb3e5173c9da12eaa54
Instruction Fuzzy Hash: E7218E71D00218EBCF24EF99D845AEEB7BEEF45710F18161AE505AB350DB70AD45CB81

Function 0068B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00682673

Strings

ios_base::badbit set, xrefs: 00682650
bad array new length, xrefs: 00682626

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 52f8cf7ce31329a5cfd510edf16a4be1292ed6c7c5020c6db76d050e02af6e8c
Instruction ID: e9692b06271d0248eeb455a1d42bfc02e94b95b44157e000ccba95dcf4f9a755
Opcode Fuzzy Hash: 52f8cf7ce31329a5cfd510edf16a4be1292ed6c7c5020c6db76d050e02af6e8c
Instruction Fuzzy Hash: C101DFF2608301AFDB04EF28D856A5A7BEAEF04318F01891DF4598B741E375EC88CB85

Function 00682610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0068F354,02CA4018,?,?,?,0068F354,00683D4A,006B759C,00683D4A), ref: 0069066D

___std_exception_copy.LIBVCRUNTIME ref: 00682673

Strings

ios_base::badbit set, xrefs: 00682650
bad array new length, xrefs: 00682626

Memory Dump Source

Source File: 00000000.00000002.1661007805.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1660992304.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661033476.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661049270.00000000006BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661064909.00000000006BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661079141.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661095863.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661132968.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_Installer.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: b9b17e0d463381ca0204d4cef0e9354cad33a582faab9046f1da8418370556c7
Instruction ID: 01191e621ed7806173ffd132fb04fc269abd6ca53d18be470bcfdcc832bd70b3
Opcode Fuzzy Hash: b9b17e0d463381ca0204d4cef0e9354cad33a582faab9046f1da8418370556c7
Instruction Fuzzy Hash: EDF0D4F1A14300ABE700AF18D845747BFE9EB55718F01881DF5999B701D3B5D844CB92

Analysis Process: Installer.exePID: 7552, Parent PID: 7492COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.8%
Total number of Nodes:	47
Total number of Limit Nodes:	5

Executed Functions

Function 004085F0 Relevance: 7.7, APIs: 5, Instructions: 170
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408614
GetCurrentThreadId.KERNEL32 ref: 0040861E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408696
GetForegroundWindow.USER32 ref: 00408761

Part of subcall function 0040B470: FreeLibrary.KERNEL32(004087D9), ref: 0040B476
Part of subcall function 0040B470: FreeLibrary.KERNEL32 ref: 0040B497

ExitProcess.KERNEL32 ref: 004087F2

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: 21594b46850de91b9d7f1fcd097cf3db95484819d6bbf04f7650915a64ff1750
Instruction ID: e8cd0a5b1b6602d458645168f9022d0593551acc0d95c8fd4e55ee87bae5c504
Opcode Fuzzy Hash: 21594b46850de91b9d7f1fcd097cf3db95484819d6bbf04f7650915a64ff1750
Instruction Fuzzy Hash: 82418DB3B003004BD3186F798D15766B6C79BD5320F1E863EA895EB3DAEE789C054245

Function 0043EBA0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00441BF8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043EBCE

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043F39E Relevance: 1.4, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0043F4EA

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d029721911ace6ae7146d635cd2610f792fc7e2dd43cd493b89f1baae024793e
Instruction ID: ac99ad69f4e146c84b4f67b549d234f9fa435a805a225365c348144745e62db1
Opcode Fuzzy Hash: d029721911ace6ae7146d635cd2610f792fc7e2dd43cd493b89f1baae024793e
Instruction Fuzzy Hash: 9C51BEB4D112159BEB14CF54C8907BFB7B2FFA9315F04612DD4416B3A0EB785C0A8B98

Function 0043ECE8 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043ED37

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a5036223926f76e7a30bb82d8b41372fba638fb8ce1a419d4bb5bda1a50e89be
Instruction ID: c78e23977c3e2a35fed25d62a8fd294347c45f883251edd20cfe32e08262873d
Opcode Fuzzy Hash: a5036223926f76e7a30bb82d8b41372fba638fb8ce1a419d4bb5bda1a50e89be
Instruction Fuzzy Hash: AFF0E2B09445D48BDB00CF7AAC593AA37A0EB56305F241975E112D72A1EB3898528B0D

Function 0043ED29 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043ED37

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a9ffe737249dc3e0122e0f7b10e8a54413ea6789124a50639fd91797d931d788
Instruction ID: e9d83bbf03ffa0495804572a0f9332504b97f5da304552063f637eff08c1ad84
Opcode Fuzzy Hash: a9ffe737249dc3e0122e0f7b10e8a54413ea6789124a50639fd91797d931d788
Instruction Fuzzy Hash: 06E012F9D401548FCB04DF64FC955243374FB562057144439E112C3271D735E522CB59

Function 0043CAF2 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043CB0B

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5a61d3da357a9b9377e023cb1afacc8d5594f4b24d9fa0354fd77178c021c893
Instruction ID: 1226c4ec29f38b57e24691680627c35296be4bb29b2a26d95288c068be923f2f
Opcode Fuzzy Hash: 5a61d3da357a9b9377e023cb1afacc8d5594f4b24d9fa0354fd77178c021c893
Instruction Fuzzy Hash: BAC08C70141122EBD3102F15BC0BB963A10AF01312F0208B2B0006D0B2CA78ECB0C6C8

Function 0043CAC0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,B19801D9,004086F7,B4B7D921), ref: 0043CAD0

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fc5eda2e49f68f0e30b130f1320f09b628e5b9bd0ed49f4e6fdc7f947bd58373
Instruction ID: 562293d3e3569241bb9a478438e2c4c3206b523b80c2934943ed8cc9fbbd0605
Opcode Fuzzy Hash: fc5eda2e49f68f0e30b130f1320f09b628e5b9bd0ed49f4e6fdc7f947bd58373
Instruction Fuzzy Hash: 76C04C71445121AAD6102B15EC09B867F54AF45751F014095B104660B286B0EC928AD8

Non-executed Functions

Function 004396A0 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 644memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044468C,00000000,00000001,0044467C,00000000), ref: 004399AB
SysAllocString.OLEAUT32(C197C794), ref: 00439A18
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439A56
SysAllocString.OLEAUT32(B2ECBC14), ref: 00439AD9
SysAllocString.OLEAUT32(77B37587), ref: 00439B6B
VariantInit.OLEAUT32(BFBEBDA4), ref: 00439BDB
VariantClear.OLEAUT32(BFBEBDA4), ref: 00439D18
SysFreeString.OLEAUT32(?), ref: 00439D3C
SysFreeString.OLEAUT32(?), ref: 00439D42
SysFreeString.OLEAUT32(00000000), ref: 00439D4F

Strings

&v, xrefs: 00439851

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: &v
API String ID: 2485776651-996230610
Opcode ID: c76a795488dcaea1087b38c4a21f4ec032b56208ede1dfedf05bb0fa22a11b63
Instruction ID: 2eae229d14a92933328e5725d2ae13478f160aa11d56bd9171fe0ff53e23d803
Opcode Fuzzy Hash: c76a795488dcaea1087b38c4a21f4ec032b56208ede1dfedf05bb0fa22a11b63
Instruction Fuzzy Hash: 4E22F072A083409FD714CF29C845B5BBBE6EFC9324F18992DE5958B381DB78D805CB86

Function 00419C90 Relevance: 18.8, APIs: 2, Strings: 8, Instructions: 1349COMMON

Download Yara Rule

APIs

Part of subcall function 0043EBA0: LdrInitializeThunk.NTDLL(00441BF8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043EBCE

FreeLibrary.KERNEL32(?), ref: 0041A269
FreeLibrary.KERNEL32(?), ref: 0041A2DE

Strings

8U:W, xrefs: 00419FEE
54+*, xrefs: 00419CC5
54+*, xrefs: 0041AA2B
8I#K, xrefs: 00419FD6
XY, xrefs: 00419FF6
54+*, xrefs: 0041A185
~Q6S, xrefs: 00419FE6
2E'G, xrefs: 00419FCE

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 2E'G$54+*$54+*$54+*$8I#K$8U:W$XY$~Q6S
API String ID: 764372645-2390782495
Opcode ID: 0f80e1662aea17d897eb7f5cc82f5f76a7864b0803524b2c06bda07c8fcedbb3
Instruction ID: 2c3f929d4cabc55a225c70deac7f21d0ad3b9eba4449c3fe9de0e78d4448d8f9
Opcode Fuzzy Hash: 0f80e1662aea17d897eb7f5cc82f5f76a7864b0803524b2c06bda07c8fcedbb3
Instruction Fuzzy Hash: 3982067460A3409FD714CB24D990BABBBE2EBC6314F18882DE58587352D779DC92CB4B

Function 00415200 Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

iiat, xrefs: 00415947
8"D-, xrefs: 00415D41
54+*, xrefs: 00415595
BxBG, xrefs: 00415926
("D-, xrefs: 00415CF1
^123, xrefs: 004152B1
U, xrefs: 00415C0F
eH, xrefs: 00415952

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ("D-$54+*$8"D-$BxBG$U$^123$eH$iiat
API String ID: 0-2540653402
Opcode ID: ece7e7512deb2f3d0905023b68c116b96d26401af29463b746300dd7e0310da3
Instruction ID: 07982f48521f8885066ce7338b4bbbb716ab1cb9c22f471718dbf28f94ce43d7
Opcode Fuzzy Hash: ece7e7512deb2f3d0905023b68c116b96d26401af29463b746300dd7e0310da3
Instruction Fuzzy Hash: 5A5213B5909340CBD7249F24D895BEF77E2FFC5314F08492EE48A8B291E7389841CB96

Function 006A1287 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 0069C16A: GetLastError.KERNEL32(00000000,?,0069E58D), ref: 0069C16E
Part of subcall function 0069C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00698363), ref: 0069C210

GetUserDefaultLCID.KERNEL32 ref: 006A138F
IsValidCodePage.KERNEL32(00000000), ref: 006A13CD
IsValidLocale.KERNEL32(?,00000001), ref: 006A13E0
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 006A1428
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 006A1443

Strings

,Kk, xrefs: 006A133C

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: ,Kk
API String ID: 415426439-133908616
Opcode ID: 7a2d8caeed39fca7918204e782147ec75b869a16f76ccad946ec0f7bf12fe81d
Instruction ID: b5d9d9f13b28e89c502f88a838b540a2de91b25e6c6b3c99740a63f46dedcb28
Opcode Fuzzy Hash: 7a2d8caeed39fca7918204e782147ec75b869a16f76ccad946ec0f7bf12fe81d
Instruction Fuzzy Hash: 46513E71A00219ABEF10EFA5CC45ABA77BAEF0B700F144569F911EB250E7709E448F65

Function 00422E3F Relevance: 10.0, Strings: 7, Instructions: 1220COMMON

Download Yara Rule

Strings

%: !, xrefs: 00422F7F
%! 0, xrefs: 00422F87
x}}s, xrefs: 00422F17
de, xrefs: 00423253
H, xrefs: 00422FF4
"=B, xrefs: 00423D12
4, xrefs: 00423032

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "=B$%! 0$%: !$4$H$de$x}}s
API String ID: 0-695511230
Opcode ID: 19c0ccc2f21457345f6c989c8bd1b427ac2a30c96d4d5a23cba524a46654f40a
Instruction ID: 2d009fd93e7b9374216b3497db79d8202485ae03d753f23917b742f1bf9f436d
Opcode Fuzzy Hash: 19c0ccc2f21457345f6c989c8bd1b427ac2a30c96d4d5a23cba524a46654f40a
Instruction Fuzzy Hash: 41821F75708311CFD324CF28E89176BB7E2EB8A311F59897CE59187391D738A906CB86

Function 00417E1A Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 937COMMON

Download Yara Rule

Strings

A, xrefs: 00417BBC
\xy>, xrefs: 00418912
54+*, xrefs: 00417FC5
S<.+, xrefs: 00417C0D, 00417C3A

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 54+*$A$S<.+$\xy>
API String ID: 0-3685461857
Opcode ID: 38d5dddfc1d7d73f8303f266aa0984ee0180c9c2ce3074419444b47f20e9dfdf
Instruction ID: b9dae982806908fc93e9902a33def771db61ac40b6c91c0664327fad2570cd92
Opcode Fuzzy Hash: 38d5dddfc1d7d73f8303f266aa0984ee0180c9c2ce3074419444b47f20e9dfdf
Instruction Fuzzy Hash: 115212726183418BC725CF28C8A17ABB7E2FFD6314F18496EE4C58B391DB399846C746

Function 00433600 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433622
GetClipboardData.USER32 ref: 00433643
CloseClipboard.USER32 ref: 00433788

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 9ace8d3d66c656d27122584beaa275d741043033d7610bd44cbfd8939ce7624b
Instruction ID: 5078fe84b0e2f8b0d482d572d4820ca8f51d2eda85a3955b293059345ad65239
Opcode Fuzzy Hash: 9ace8d3d66c656d27122584beaa275d741043033d7610bd44cbfd8939ce7624b
Instruction Fuzzy Hash: 9B41D4F480C7819FD700AF78D14A36ABFE0AB16345F04853ED48587641D37DA659C797

Function 00428770 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00428850
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004288B5

Strings

efg, xrefs: 004289AF
_\efg, xrefs: 00428A38
A%g', xrefs: 004287AE

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: A%g'$_\efg$efg
API String ID: 237503144-2372333709
Opcode ID: a7a1f39499a5e99c848ff68f033dae6045633c5ac20e702f25ecc2a0062ac25d
Instruction ID: ccad30b6dcc476866ed8e691afcd1205d7334b7ec1782e1d821448a32adf35b5
Opcode Fuzzy Hash: a7a1f39499a5e99c848ff68f033dae6045633c5ac20e702f25ecc2a0062ac25d
Instruction Fuzzy Hash: 41A1ACB2E002688FEB148FA8DC917DEBBB1FB45304F5145B9D91AAB281DB3059468F94

Function 006A1A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,006A13BD,?,00000000), ref: 006A1AA0
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,006A13BD,?,00000000), ref: 006A1AC9
GetACP.KERNEL32(?,?,006A13BD,?,00000000), ref: 006A1ADE

Strings

ACP, xrefs: 006A1A25
OCP, xrefs: 006A1A5B

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5cc4116f23f66cda306ec74209552e918f9bdb50d0fd494a033955b3d9f8837a
Instruction ID: 36bd7836d3d238f0b994b0efb3560ff5914b4577f291a80ebe18b8cce01b4dc5
Opcode Fuzzy Hash: 5cc4116f23f66cda306ec74209552e918f9bdb50d0fd494a033955b3d9f8837a
Instruction Fuzzy Hash: 8F21B662B02114ABD734AF54C900BD776ABEB57B54F568564EB0ADF300E732DE41CB50

Function 0041780D Relevance: 7.9, Strings: 6, Instructions: 427COMMON

Download Yara Rule

Strings

$w=q, xrefs: 004178AF
A, xrefs: 00417BBC
1c;m, xrefs: 0041788E
S<.+, xrefs: 00417C0D, 00417C3A
5k5u, xrefs: 004178A4
o4i, xrefs: 00417899

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: o4i$$w=q$1c;m$5k5u$A$S<.+
API String ID: 0-1763114429
Opcode ID: da2264087117273adc8f8cbb7abf3b3369941c733713fa4ddd61a4a78f3232fe
Instruction ID: afb31bd0c27c82544a17a6576629b60a2b4a96c899e5dad63360a4cbb890e339
Opcode Fuzzy Hash: da2264087117273adc8f8cbb7abf3b3369941c733713fa4ddd61a4a78f3232fe
Instruction Fuzzy Hash: D4D1ADB55093808BD7348F29C4A17EBB7E1EFD6314F05896ED4CA8B351EB785901CB86

Function 0040A770 Relevance: 7.9, Strings: 6, Instructions: 400COMMON

Download Yara Rule

Strings

./, xrefs: 0040A93D
4=/U, xrefs: 0040A7DA
E]Qw, xrefs: 0040AB35
j^h, xrefs: 0040A890
%751, xrefs: 0040A789
wNoL, xrefs: 0040A848

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: %751$./$4=/U$E]Qw$wNoL$j^h
API String ID: 0-997366216
Opcode ID: 9ad3b405c217e9d1e4c0f6edf70f746ac05b5820c8d0e78aa04361182b97f1d7
Instruction ID: 7a5dc0394ecbf34ac9b8307d7efc7bae40aec903ea1c7f0c69f60aa070f276f3
Opcode Fuzzy Hash: 9ad3b405c217e9d1e4c0f6edf70f746ac05b5820c8d0e78aa04361182b97f1d7
Instruction Fuzzy Hash: 12C19B7564C3444BD324EF6488502ABFBE39FC1304F19883DE4D5AB382D6B9C9168B8B

Function 00681FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00681240: _strlen.LIBCMT ref: 006812BA

GetFileSize.KERNEL32(00000000,00000000), ref: 00682046
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0068206B
CloseHandle.KERNEL32(00000000), ref: 0068207A
_strlen.LIBCMT ref: 006820CD
CloseHandle.KERNEL32(00000000), ref: 006821FD

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: d4c9614d6013408d28aa7d90d1c7fb0136e39b33c4d574a9f6243cbf2d832126
Instruction ID: 3b4ba0da322380e88c802fcc832952c0d5818572c50e72d252ae4eede823c2e1
Opcode Fuzzy Hash: d4c9614d6013408d28aa7d90d1c7fb0136e39b33c4d574a9f6243cbf2d832126
Instruction Fuzzy Hash: C671E5B2C002059BDB10EFA4DC547AEBBB6FF48310F240729E914B7391E7359A45CBA1

Function 00426190 Relevance: 6.5, Strings: 5, Instructions: 244COMMON

Download Yara Rule

Strings

)L, xrefs: 0042629C
HR, xrefs: 004262B4
pO, xrefs: 004262AC
*+, xrefs: 00426411
@C, xrefs: 004262A4

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: )L$*+$@C$HR$pO
API String ID: 0-3083683625
Opcode ID: 0aaee39fcba311e15bc1f38c0aae4a491dfa01ec6e052e56f652e43bf11aa76a
Instruction ID: 5fe24d867cb9075332fe1ade04ad22fabc6e99e6679ddeed31bd91dff5edfe56
Opcode Fuzzy Hash: 0aaee39fcba311e15bc1f38c0aae4a491dfa01ec6e052e56f652e43bf11aa76a
Instruction Fuzzy Hash: 637134B06493518BD310DF25E89166BBBF1EFD2360F58891DE4C18B391E7789505CB8B

Function 00699CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: cbbe919eb0c367bdc483d65fcf0d0a128b857ca7c283783a43555bcd83b8c4b0
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 15022971E012199BDF14CFA9C8806EEBBF6EF48314F248269E919E7740D731AA458B94

Function 0068F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0068F8F5
IsDebuggerPresent.KERNEL32 ref: 0068F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0068F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 0068F9E4

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 05860439d1e9c28e5763ea959c751f16f857fd3afb3cb58bddbf5a1e4af8aa23
Instruction ID: fd133abb9b122f69284168f456542910f36a809a10d5cd9fac98a567c28f552f
Opcode Fuzzy Hash: 05860439d1e9c28e5763ea959c751f16f857fd3afb3cb58bddbf5a1e4af8aa23
Instruction Fuzzy Hash: E2310CB5D012199BDF61EFA4DD497CDBBB8AF08300F1042AAE40CA7250E7759A85CF45

Function 00418DE6 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

-, xrefs: 00418E0A

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 26e56592e961bea5087d3fbf0724cf14b3badda5f92198c10e7eec8343564e6d
Instruction ID: 2db9ac68f453c0b2d94bf9f393f819a8b1a8f76bd3cef0c41518664d486a93b6
Opcode Fuzzy Hash: 26e56592e961bea5087d3fbf0724cf14b3badda5f92198c10e7eec8343564e6d
Instruction Fuzzy Hash: B0F114766183529BD714CF29C8906ABB7E2EFC9310F08896DE8C587391EB38DD45C752

Function 00415F19 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

54+*, xrefs: 004162E5
:_A, xrefs: 00415F34
7, xrefs: 00416177
gfff, xrefs: 0041621C

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 54+*$7$:_A$gfff
API String ID: 0-323440868
Opcode ID: ef99c69aae7ebca8759eae803294edf467de6f070c2877fa02e645cc48d7660a
Instruction ID: 974855a4ab02da3001828df224cdb3c791939bff7d675949acd43d199703548e
Opcode Fuzzy Hash: ef99c69aae7ebca8759eae803294edf467de6f070c2877fa02e645cc48d7660a
Instruction Fuzzy Hash: 5EB13972A142118BD328CF38CC527EBBAD6EBC5314F0A867DD885DB395DB78980687C5

Function 0043403E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043406C
GetSystemMetrics.USER32 ref: 0043407B

Strings

, xrefs: 00434129

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 9263576a989dd9e8dd5ba1139270ca0a2cd30e8eaf9ab1227e7a8ea63402d5a7
Instruction ID: e93982ecca13eb1c7eb5bd9c416ca4066cf6d94eca1d44aa69bf2b87bfcca62b
Opcode Fuzzy Hash: 9263576a989dd9e8dd5ba1139270ca0a2cd30e8eaf9ab1227e7a8ea63402d5a7
Instruction Fuzzy Hash: 3931A3B49143548FDB00EFA8E98565DBBF0BB89704F11852EE498DB360D774A948CF86

Function 00426EB0 Relevance: 5.3, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

*+, xrefs: 00427798
1>, xrefs: 00427687
bxB, xrefs: 00427855
OI, xrefs: 004277B0

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: *+$1>$bxB$OI
API String ID: 0-1035774624
Opcode ID: b638a3a3900de88040439206c35891a4249c7e51ff3c4424b8b62b3d3637280b
Instruction ID: 2bcf0024169a31bcf5d17f9542290146e57be21ae5465408edeec82165f3d5e6
Opcode Fuzzy Hash: b638a3a3900de88040439206c35891a4249c7e51ff3c4424b8b62b3d3637280b
Instruction Fuzzy Hash: 3791ECB46083808FD734DF24E852BAFB7A1FB82314F44492DE5898B241DB789946CB5B

Function 00416790 Relevance: 5.2, Strings: 4, Instructions: 248COMMON

Download Yara Rule

Strings

54+*, xrefs: 004167B5
54+*, xrefs: 004169AF, 00416A2F
MnA, xrefs: 00416A4D
54+*, xrefs: 004168C5

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: 54+*$54+*$54+*$MnA
API String ID: 2994545307-957495038
Opcode ID: 8f06322f8e6d6c7ea759cd23599a080b87f48ffbe2650b3fb3614bfedb925110
Instruction ID: dd597300f9b4ef6573e6ef65d23cc5c487566c46e2a7da0a635b7d7db396d5cc
Opcode Fuzzy Hash: 8f06322f8e6d6c7ea759cd23599a080b87f48ffbe2650b3fb3614bfedb925110
Instruction Fuzzy Hash: E261E97461D3808FD315CB3888907EBBBE5EB8A350F25896ED1D1C72A1D738D885CB5A

Function 0041E7A0 Relevance: 4.7, Strings: 3, Instructions: 938COMMON

Download Yara Rule

Strings

2"\\, xrefs: 0041EE22
!&& , xrefs: 0041EE1A
v, xrefs: 0041E98E

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: !&& $2"\\$v
API String ID: 0-66690623
Opcode ID: 4dfb5fb78e8a455e5ad835274cf3511fda185d48fb834496ef83a700337ad192
Instruction ID: e9b17d7d6cb25fd7e8af81ca0dca0c33645f5d3503e302bb4264f03f34b07c3b
Opcode Fuzzy Hash: 4dfb5fb78e8a455e5ad835274cf3511fda185d48fb834496ef83a700337ad192
Instruction Fuzzy Hash: 62527B7450C3818FC725CF25C8506AFBFE1AF96314F088A6EE8D54B392D7398946CB56

Function 0043A120 Relevance: 4.2, Strings: 3, Instructions: 478COMMON

Download Yara Rule

Strings

54+*, xrefs: 0043A347
54+*, xrefs: 0043A600, 0043A308
54+*, xrefs: 0043A188

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: 54+*$54+*$54+*
API String ID: 2994545307-26850336
Opcode ID: a67e97fda4feb9dd47d5dd4a0776e3bc287d4b57f4707a9353eb73cb6bf7ee0f
Instruction ID: d7f07654b581cdb91e5346d4e79727cc379c0b8875721e9d15300a6a5d61dc92
Opcode Fuzzy Hash: a67e97fda4feb9dd47d5dd4a0776e3bc287d4b57f4707a9353eb73cb6bf7ee0f
Instruction Fuzzy Hash: 0FD177357883009FDB14CB25C882A7BB7A2EBC9354F18A52EE5C557391C778EC06878B

Function 00409370 Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

,-, xrefs: 00409763
g*V9, xrefs: 00409500
T, xrefs: 004095C1

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ,-$T$g*V9
API String ID: 0-1490858594
Opcode ID: 86bf961c395ed7b7e07ea05ad14cc24c126058a6d268732374085c02ea76dcbd
Instruction ID: a0ce2b4ea5d82b238d504246632dfdecb4304a147a1c54da40f31a80d191d4bf
Opcode Fuzzy Hash: 86bf961c395ed7b7e07ea05ad14cc24c126058a6d268732374085c02ea76dcbd
Instruction Fuzzy Hash: ADC135B16083408BD718CF35C891A6BBBE5EFC2304F14496DE5D29B392DB38D90ACB56

Function 0042D306 Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762
Uo#_, xrefs: 0042D752

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: d3126adfd973d3248ca04cd93e27acaf3fc7bc708df34f2fc2eacb6372e1e1a0
Instruction ID: b3be92acc381a827a91cc0f17c6e37e2be9106d66737dd4d561d2fb3aa3361bd
Opcode Fuzzy Hash: d3126adfd973d3248ca04cd93e27acaf3fc7bc708df34f2fc2eacb6372e1e1a0
Instruction Fuzzy Hash: 3C7158B4A083A19BD3198B3994A033BBBE09F97305F58856EF4D68B381D67D8C04C756

Function 0042D4D0 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762
Uo#_, xrefs: 0042D752

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: 36fd720ed8d6823c32771bfe1625822d316a9a8a9853b2f702ca3dab545584eb
Instruction ID: 2ffdbc668ff94129819068ea1ed793c8dcaee62cf96c99cff00229467904dbcf
Opcode Fuzzy Hash: 36fd720ed8d6823c32771bfe1625822d316a9a8a9853b2f702ca3dab545584eb
Instruction Fuzzy Hash: BF5168A4A093A18BD3188F2994A0337FFE09FE3305F58956EF4D68B381D67D8804C756

Function 0042D49A Relevance: 4.0, Strings: 3, Instructions: 218COMMON

Download Yara Rule

Strings

F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762
Uo#_, xrefs: 0042D752

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: 4ffe94aedec0ee075d16d5ca1e3e2f6a888b7093a5e75b5c49b8c05ae89e53b4
Instruction ID: 0de7b66c928a3350a22ba3e9d9bb6f9889ec970dbe198820fd9a8fcea16b9496
Opcode Fuzzy Hash: 4ffe94aedec0ee075d16d5ca1e3e2f6a888b7093a5e75b5c49b8c05ae89e53b4
Instruction Fuzzy Hash: 785179B4A093A18BD3098B2994A033BFFE09FD3305F58955EF4D68B381D67D8804C756

Function 0042D64C Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

F]EH, xrefs: 0042D67F
[:, xrefs: 0042D762
Uo#_, xrefs: 0042D752

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: F]EH$Uo#_$[:
API String ID: 0-1241761701
Opcode ID: 75d27e60beb243e9c3408e842da1e13c30d6f828246f723bff5a19cc79804c01
Instruction ID: 61dd48889cf855c270f3eeb86a6ea88740ffcb6d6eea17eed08dc00024456671
Opcode Fuzzy Hash: 75d27e60beb243e9c3408e842da1e13c30d6f828246f723bff5a19cc79804c01
Instruction Fuzzy Hash: 355166B0A093A18BD3088B2894A033BFFE09FD3305F58956EE4D68B381D67D8804C756

Function 0042BBE3 Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

g, xrefs: 0042BCC4
0' :, xrefs: 0042BCB9
(, xrefs: 0042BD9A

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ($0' :$g
API String ID: 0-2894493355
Opcode ID: 127e783f08fa03dc1526e31b0ee453c704f7bbf9130a5869e8a9e0373e6e0c28
Instruction ID: 82fddf1245ea9785951fab6b19b0e18f29a6b2d5cfba79b1b40d0bceeec468ca
Opcode Fuzzy Hash: 127e783f08fa03dc1526e31b0ee453c704f7bbf9130a5869e8a9e0373e6e0c28
Instruction Fuzzy Hash: F651F26531D3D24BDB298F3598653FBBBE2DB93304F5C496DC0CA87282DB3984068796

Function 0042BC53 Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

g, xrefs: 0042BCC4
0' :, xrefs: 0042BCB9
(, xrefs: 0042BD9A

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ($0' :$g
API String ID: 0-2894493355
Opcode ID: 60e313afede76628c7910cabc6e2c24f69d92bdb4d83de5ca37a98b6c8095f76
Instruction ID: ab1398b02a8a7281b2a45260371c8ad29eb33f1a8b52771f88fa1d3f98cb6ccb
Opcode Fuzzy Hash: 60e313afede76628c7910cabc6e2c24f69d92bdb4d83de5ca37a98b6c8095f76
Instruction Fuzzy Hash: 7341D37061C3D28ADB394F3494293FBBBE1DB93304F5849ADC0C987282DB394106879A

Function 0042BB19 Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

g, xrefs: 0042BCC4
0' :, xrefs: 0042BCB9
(, xrefs: 0042BD9A

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ($0' :$g
API String ID: 0-2894493355
Opcode ID: b96d02e88c0a58c109baa3d55930f9ba5c7ef7b50bcf42591470675d5c739625
Instruction ID: be085471faecc0e2517363bcce5a64cf4fe5eb468f05be4f0a344c56f6f7ae45
Opcode Fuzzy Hash: b96d02e88c0a58c109baa3d55930f9ba5c7ef7b50bcf42591470675d5c739625
Instruction Fuzzy Hash: 9031F46021C3D28ADB394F3494593FBBBE1DB93304F98496EC0C987292CB394106CB5A

Function 00427917 Relevance: 3.8, Strings: 3, Instructions: 30COMMON

Download Yara Rule

Strings

KNCI, xrefs: 00427943
AL7, xrefs: 0042793B
X, xrefs: 00427953

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: AL7$KNCI$X
API String ID: 0-2162001628
Opcode ID: 2d3aa0b5dc2908d3afa6b89691fa5862a8d4e30f209e389472789df3b9353774
Instruction ID: c1efb55ec262374922805156c2cb0b218ab5fdccaf3554e53de449f270c0e8b1
Opcode Fuzzy Hash: 2d3aa0b5dc2908d3afa6b89691fa5862a8d4e30f209e389472789df3b9353774
Instruction Fuzzy Hash: 27F0A9B011D3909BE350AF69969065FFBF8EF96320F502A2CFAD49B242C334C0018F46

Function 0042788F Relevance: 3.7, APIs: 2, Instructions: 692COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427B68
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C72

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 5a29734b277b2e9b8358fa5ecbf45429ecc3aeb30d586a3974802221ebf8515b
Instruction ID: 247fa94026213c22a70afdfae02ba9db67c982c8a71b05e85d253056af3d2863
Opcode Fuzzy Hash: 5a29734b277b2e9b8358fa5ecbf45429ecc3aeb30d586a3974802221ebf8515b
Instruction Fuzzy Hash: FE324376A0C350CFD3108F29E88072EB7E1EF86314F19867DE99597391DB74E9018B8A

Function 00427A3F Relevance: 3.7, APIs: 2, Instructions: 668COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427B68
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C72

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 5f34821947dbddbcf30ce221ada36af6612115f31c02cf9bf287c06683c0a9f8
Instruction ID: 345d3084dec7a3450128b1aec3c018c2bdda3eb4c1cf0a9ab4d6be0b7558935f
Opcode Fuzzy Hash: 5f34821947dbddbcf30ce221ada36af6612115f31c02cf9bf287c06683c0a9f8
Instruction Fuzzy Hash: 3B324476A0C350CFD3248F29E88071EB7E1EF86314F19867DE99597391DB34E9018B8A

Function 004146A0 Relevance: 3.5, Strings: 2, Instructions: 1049COMMON

Download Yara Rule

Strings

C=, xrefs: 004148BE
D]+\, xrefs: 00414D50

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: C=$D]+\
API String ID: 0-9813778
Opcode ID: b6a84abd2839b95c80c6a07005a96518be76de580fe6589eb625db292694bc81
Instruction ID: cd0c9bfdefc84b350a232778b7e2c0df60d2e4748fd71e5e92d8149e0538340d
Opcode Fuzzy Hash: b6a84abd2839b95c80c6a07005a96518be76de580fe6589eb625db292694bc81
Instruction Fuzzy Hash: 7F5223746093009BD7149F24EC81BABB7A1FFCA314F14492DE581973A1E738E946CB9A

Function 0040D7CF Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 338COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040D7DF

Strings

x~, xrefs: 0040DA4A

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Uninitialize
String ID: x~
API String ID: 3861434553-550574277
Opcode ID: e28907237b4d3a91ec5e118e2f9312d913e820380ba1de72427fa36cd9a4d49b
Instruction ID: 6343ddfc659097a6b1acf70417bf2a81d4440c70e9b0de2d3dfcc7ed75506984
Opcode Fuzzy Hash: e28907237b4d3a91ec5e118e2f9312d913e820380ba1de72427fa36cd9a4d49b
Instruction Fuzzy Hash: 32B146B1A047808FD319CF2AC4E0663BFA2EF9730571981ADC8D65F79AC7399806CB55

Function 0041C900 Relevance: 3.1, Strings: 2, Instructions: 645COMMON

Download Yara Rule

Strings

3;P, xrefs: 0041CA28
!;P, xrefs: 0041C9DB

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: !;P$3;P
API String ID: 0-2962031992
Opcode ID: d5e4f07c2787d845fb65e5a98866e9f50cd63d594b10ba433d030bc227476e3b
Instruction ID: 40303969f341cab0190b7ffaf639a3eee83e9144fdcd8cc0720d9d15948ab37b
Opcode Fuzzy Hash: d5e4f07c2787d845fb65e5a98866e9f50cd63d594b10ba433d030bc227476e3b
Instruction Fuzzy Hash: 211275B2A50616CFCB048F68CC812EBBBB2FF55314F19856DD445AB391D338A892CBC4

Function 004227E0 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

10, xrefs: 00422874
.8, xrefs: 00422802

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: .8$10
API String ID: 0-814249144
Opcode ID: 32d5e060f1d652f2465254695c79ef22fd30b916abb47e7b2ed794c844420618
Instruction ID: 6ecdc93fcc257772eba09db5fa8149ff251927af64ff6b659e51a55be0f97946
Opcode Fuzzy Hash: 32d5e060f1d652f2465254695c79ef22fd30b916abb47e7b2ed794c844420618
Instruction Fuzzy Hash: 23C15B717083209BD724DF28D95163BF3E1EF91324F49892EE89697391E7B8E801C35A

Function 0041966B Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

54+*, xrefs: 004195C5
L4, xrefs: 00419600

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 54+*$L4
API String ID: 0-1428210418
Opcode ID: b8bc600fa4d70428250f3d62d1b0c4869235ddbcb5ebdaa6d2aff065ca03eef8
Instruction ID: b6df84392dfbbf32e231f27527d6559e31459186b39928bbcdb8bfc668edbfbe
Opcode Fuzzy Hash: b8bc600fa4d70428250f3d62d1b0c4869235ddbcb5ebdaa6d2aff065ca03eef8
Instruction Fuzzy Hash: 6691D1B56083419FD714CF29D8A1BABB7E2BFD5304F14492DE48A83251D738EC46CB5A

Function 00416C77 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

54+*, xrefs: 00416A75
MnA, xrefs: 00416A4D, 00416CBD

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 54+*$MnA
API String ID: 0-3213807796
Opcode ID: f66647ee9ab0e35559181c8ae5c5de11cfb4496e1a8266f8898e9403b5961e50
Instruction ID: 6e584b5c880dee98a52d54ab6d2185dce934cf6ba25eebf79510f41c98d88442
Opcode Fuzzy Hash: f66647ee9ab0e35559181c8ae5c5de11cfb4496e1a8266f8898e9403b5961e50
Instruction Fuzzy Hash: 0051F67420D3508BD7288B14D9D0BABB7A2EFCA318F25967DD58697291C335E843C78E

Function 0043EE50 Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

'}, xrefs: 0043EE65
yz, xrefs: 0043EE57

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: '}$yz
API String ID: 0-4283282396
Opcode ID: f79d7379e376645b73c42350e5ee51e8a145ed93f69b725fee394d330310c919
Instruction ID: 6c98babec1c2cee739f789cf685c2ea4349774288cd61dce89ebb6089c752d52
Opcode Fuzzy Hash: f79d7379e376645b73c42350e5ee51e8a145ed93f69b725fee394d330310c919
Instruction Fuzzy Hash: A91132759002298FCB00CF54D8D06EE77B2FF41344F151569D851BB2A0CB389946CB99

Function 004402B0 Relevance: 2.0, Strings: 1, Instructions: 703COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 9ac8e299f1cf1d63ed86c6bd82d1a592ff0dcb59a841c00e2249b3a717890619
Instruction ID: cc1519bfc60c4b12a942df2b806186209cadf443f4b6312827fcc7d0bb8de627
Opcode Fuzzy Hash: 9ac8e299f1cf1d63ed86c6bd82d1a592ff0dcb59a841c00e2249b3a717890619
Instruction Fuzzy Hash: CB22363A608251DFC704CF28D8A126AF7F2FB8A314F09857ED98987351D734E955CB89

Function 004403D0 Relevance: 1.8, Strings: 1, Instructions: 594COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 0068fcea1fcce90b3d7b75575ae24fd46d4f308cccbdaad663dec9647c00860c
Instruction ID: ab146c73076e2240b060154e7353531ea1e8eb1c5403ea302177df520b4c5a47
Opcode Fuzzy Hash: 0068fcea1fcce90b3d7b75575ae24fd46d4f308cccbdaad663dec9647c00860c
Instruction Fuzzy Hash: 8D120339608250DFC708CF28E8A166AF7F2FB8A314F09857EE98987351D734D955CB89

Function 00440550 Relevance: 1.7, Strings: 1, Instructions: 478COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: a8b42d00aa42b6c5f4fdbec2012c9a4f829a243eac6bcdfeac6ada73ec91b821
Instruction ID: b47343fc74fa199a2dd3296f085def7190a0f10b9a04de121b961ff035c16150
Opcode Fuzzy Hash: a8b42d00aa42b6c5f4fdbec2012c9a4f829a243eac6bcdfeac6ada73ec91b821
Instruction Fuzzy Hash: A6F10136608251DFC704CF28D8A066AF7F2FB8A318F09897EE58987351C735E955CB89

Function 00440690 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 2fdcadc8431d5e275e97618014f6d9204e5a36a54ec6d05914a11fb32c429fef
Instruction ID: a8adab88cd6467e8744eccda8f8671d0fd7897d1ea11a103ef712ebcb60b2b94
Opcode Fuzzy Hash: 2fdcadc8431d5e275e97618014f6d9204e5a36a54ec6d05914a11fb32c429fef
Instruction Fuzzy Hash: 3CE100366082508FD304CF38D89066BFBE2EB8A314F09897EE99987351D735D905CB89

Function 00440600 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

cu16, xrefs: 00440725

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: cu16
API String ID: 0-1393213281
Opcode ID: 7970cd6754f9a29d7eb6efe6f2f2c38251dbb01199b4c91cf1d898bcd2063352
Instruction ID: a6b8655c2d4fe843f733019638999d7a326d799a2e10267b81ba0de51ceb402d
Opcode Fuzzy Hash: 7970cd6754f9a29d7eb6efe6f2f2c38251dbb01199b4c91cf1d898bcd2063352
Instruction Fuzzy Hash: 41E10136608250DFD704CF28D8A066AFBE2FB8A314F09897EE59987351C735E915CB89

Function 0041C561 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

-.-2, xrefs: 0041C7E9

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: -.-2
API String ID: 0-2838677626
Opcode ID: 84298f2c1df00ac477d8c9eb7f651bf770509cc0667fa7c23a1cbe41850e76cc
Instruction ID: c65bc0e0fd9ab2b407f4ec274a243cae03b52599eb44c3ec4b920f3608bc9bdb
Opcode Fuzzy Hash: 84298f2c1df00ac477d8c9eb7f651bf770509cc0667fa7c23a1cbe41850e76cc
Instruction Fuzzy Hash: 08912770694B804FE335CF768880763BBE3AB96314F18896DD0D28BB95DB79E446CB14

Function 0042B100 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B2FE

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 981523987b1e43f0f2fbc980dbd505f4044b7fe8cc5f065e6a15477f38c1429d
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4071C632B083258BD714CE28E49032FB7E2EBC5750FA9856EE89497395D338DD4587CA

Function 00441DA0 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

@, xrefs: 00441E51

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 00ccdfaef0cf493359b405ba2665aa19c664aa536cebf78614738aaa438344e7
Instruction ID: 65ca1ec6d4672f8839795e63c8614bf8e8fa17c57707b6a32643269015e7e6e9
Opcode Fuzzy Hash: 00ccdfaef0cf493359b405ba2665aa19c664aa536cebf78614738aaa438344e7
Instruction Fuzzy Hash: 9A4158B49083109BEB10CF24D88072BB7E1FF99368F24852DEA88573A1E7389D44C7C6

Function 0043E9B3 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

v4vE, xrefs: 0043E9C0

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: v4vE
API String ID: 0-866190975
Opcode ID: 7b64acfa24e2befdd8ac35dee43b38dc2d497a1a5a96ae3d147eba01d7514725
Instruction ID: 34cdfc8a34f78da73259cccf7ab61d51709751dea84dcafbc9ea7b9c9e951e0c
Opcode Fuzzy Hash: 7b64acfa24e2befdd8ac35dee43b38dc2d497a1a5a96ae3d147eba01d7514725
Instruction Fuzzy Hash: D631F4B6A183005BF708DF76AC8255BBAF3EBD5304F19C43DD185D7215EA38C1068B4A

Function 00440CE0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 00440D49

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: b277768eaef66f0637a864381fd791a7c7a7d3d97be0c2acc1eb4938501a7204
Instruction ID: 9fac65509ee92f571f5b79e95c1ad94962471f478490a82abc777c74c6c74bd9
Opcode Fuzzy Hash: b277768eaef66f0637a864381fd791a7c7a7d3d97be0c2acc1eb4938501a7204
Instruction Fuzzy Hash: 9A31EEB18083049BD314DF98D8C066BBBF5EB99314F14892DE79987280E335A818CB9A

Function 00426513 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

/kB, xrefs: 00426B29

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID: /kB
API String ID: 0-3532343839
Opcode ID: b4b5b7e280f642f85b3dfe5987f8b3969132ef151dffa41fcba20c5fda879f96
Instruction ID: 30b78e98d0376e77b4dedd947e5e84c4a76dc6197d8d4778f9e0425fae07882d
Opcode Fuzzy Hash: b4b5b7e280f642f85b3dfe5987f8b3969132ef151dffa41fcba20c5fda879f96
Instruction Fuzzy Hash: EA1159B4E093649FC320AB25A8D017B76A5DF97314F85852FF9C367361EA3C9C02C65A

Function 004074A0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa9a842e54d6f6908c7b800668eb5eb2d5e9b27e34123646e38c57c34ffb93e
Instruction ID: 53bedda06ccc27c303568f9e7e6bd49d427b81707e73c2342d6127383662a74f
Opcode Fuzzy Hash: cfa9a842e54d6f6908c7b800668eb5eb2d5e9b27e34123646e38c57c34ffb93e
Instruction Fuzzy Hash: 4F12B472A087118BC725DF18D8806ABB3E1BFC4315F19893ED9C6A7385D738B8558B87

Function 0041D050 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2a651c7b4397c0272f4726fbccc838470ac406de1116525d09835cc8aaf273
Instruction ID: 06ba914754fda528d7acfc96047ccc351decbac5893a7f6043ce80427adf6e18
Opcode Fuzzy Hash: ba2a651c7b4397c0272f4726fbccc838470ac406de1116525d09835cc8aaf273
Instruction Fuzzy Hash: 02C123B5A183118BD728DF28CC526ABB7F1EFD5314F08862DE8958B384E73C9944C795

Function 0043A9D6 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2c410d40d8a7215a23457b42f4989fe7a875ffa95cad037c50274c93334019
Instruction ID: 6ff10e554b56e7d98c0354463b113c8fe134109c80e7cf3690ca443259b71b45
Opcode Fuzzy Hash: fb2c410d40d8a7215a23457b42f4989fe7a875ffa95cad037c50274c93334019
Instruction Fuzzy Hash: 91E1397AA68226CBCB189F24D85116B73F2FF4A751F0BC97DD881472A0E7398960C746

Function 00405930 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8469296e2ad6377bca0d66c7fdbce60c96d239fa905cce4d846bf08553cb04b8
Instruction ID: 5dc1153c2cae88f14e706d6766014c5310a85aff0076e014daa1ca1314a98a54
Opcode Fuzzy Hash: 8469296e2ad6377bca0d66c7fdbce60c96d239fa905cce4d846bf08553cb04b8
Instruction Fuzzy Hash: 5DF1BD756087418FD724CF29C88076BBBE2EFD9304F08882DE5D597391E639E944CB96

Function 00428307 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e71ddd8efcb11a8d109418157ab47fde1022d2a01cbd6712a0ad8640d730c20
Instruction ID: a954b38a6bb1ce87cf69874cc4df31a0facd51f51a0102f5d1bcd2fc66b16d63
Opcode Fuzzy Hash: 0e71ddd8efcb11a8d109418157ab47fde1022d2a01cbd6712a0ad8640d730c20
Instruction Fuzzy Hash: CFA1F476B096114FD71CCF2AD81132FB6D3ABD4310F5A853EE88AC7395DE74E8128685

Function 00440E00 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b8b0fe984b0c526368686a946928a16b95041f210f520b4daf9bb1128f79edd
Instruction ID: c62094c7f2aec0b4591fe89b4ffec96fa28a786c068cd393fffb3f8dac1334b7
Opcode Fuzzy Hash: 9b8b0fe984b0c526368686a946928a16b95041f210f520b4daf9bb1128f79edd
Instruction Fuzzy Hash: 0D7127756082419BEB24DF28C890A3FB3E2EFD9750F19C42EE68587365E73498609786

Function 004410D0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d4ee9170cb315f71c8184b5a82f458173e5dc386eddf8c79e1ec2de4589c0f9
Instruction ID: 48af3df080d7374f24d22ba405b18466128ca7b67be3218363250a1880df35ed
Opcode Fuzzy Hash: 1d4ee9170cb315f71c8184b5a82f458173e5dc386eddf8c79e1ec2de4589c0f9
Instruction Fuzzy Hash: 8D91DF756083019BE718DF18C490A2BB3E2FF89750F15846EEA85DB361EB34DC41DB8A

Function 004409E0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2081274b20256b51a48b52e86fac1d0e917b6bc8052939e7a96106f21d596131
Instruction ID: 396e9f4d8292420b39720d4ebe7e3b2ba50298b7ad3af056df74e370846adae9
Opcode Fuzzy Hash: 2081274b20256b51a48b52e86fac1d0e917b6bc8052939e7a96106f21d596131
Instruction Fuzzy Hash: 4F71353560C2A59FC7048F39D8512AABBE3EBCA314F49896DE8D887350D739DD11CB89

Function 0041F2C0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ef3ed592ffea8117d6535c71c633ebd8baee3f6d97b41eb70e06c6ff45de06
Instruction ID: 7de542bc9115ef73e19b3091658d28cf0780ac80647d3c93e3c636ac7a511b7b
Opcode Fuzzy Hash: e2ef3ed592ffea8117d6535c71c633ebd8baee3f6d97b41eb70e06c6ff45de06
Instruction Fuzzy Hash: 99614A355083914FD7258F29C84096B7BE0ABA6314F4882BEE8E84B392D635DC4AC796

Function 00439490 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76f77a49fba37e77a617a0d652d585f641a783687e7745c1783b0e6500cdef52
Instruction ID: 6b3e4b7f11ac291a21e261308eef6cd7443abca3de393b842f6f559da3e6bac2
Opcode Fuzzy Hash: 76f77a49fba37e77a617a0d652d585f641a783687e7745c1783b0e6500cdef52
Instruction Fuzzy Hash: 8051CE263492116BD7018B25CC81A7BB7EAE7DE360F14952EE5C083342C2BCDC82D79E

Function 0043A640 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1fab72e9f5b1cdff51703c3b7269aa68bcba2dda9f3549e373aaeca11e4806
Instruction ID: 66fd862550092496dbaeb2d3bb1543f7b4ae7d39c68e2cc44db9a05b1b136551
Opcode Fuzzy Hash: 6d1fab72e9f5b1cdff51703c3b7269aa68bcba2dda9f3549e373aaeca11e4806
Instruction Fuzzy Hash: 8C3123B5A04300AFE7109E119CC1B3BB7B5EB89758F10182EF9C5A3201D339EC26879B

Function 00408B00 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a46eb97a1ede892c521cd0a1cf27060ef79bfacc0411b261445066a2a95deb
Instruction ID: 37f3efdb486df1b50b7503efc8676e0e0480c9f1302ca175b3bd99bebac416ea
Opcode Fuzzy Hash: 83a46eb97a1ede892c521cd0a1cf27060ef79bfacc0411b261445066a2a95deb
Instruction Fuzzy Hash: DF4190216493494BEB14CD2889815E77B61DBA2350F08C63EECC55B3C1EA3CDA0AD3A9

Function 0043F7B2 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bd4d7e9bd20bf13d05e542f28e56da8f4d605b247b1b6829d47043411abe16
Instruction ID: 65860a534bcdc61a69b891c8f4b112b5ccb7c4aa6a6d252a23f247d29c97b397
Opcode Fuzzy Hash: b8bd4d7e9bd20bf13d05e542f28e56da8f4d605b247b1b6829d47043411abe16
Instruction Fuzzy Hash: F8410436F245554BDB0CCF6888A157FBAB2AB8E310F19E13EC556E7354CB3899058788

Function 0040DE13 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7429881085838c9e2ea473406c0e777441f7560d71a7cb9971c1e3e1e517dda0
Instruction ID: 8192ad4da6690d975133d58e89ccec5cc32f62d7e28f0f863b58bcb031853df0
Opcode Fuzzy Hash: 7429881085838c9e2ea473406c0e777441f7560d71a7cb9971c1e3e1e517dda0
Instruction Fuzzy Hash: 64313938B556018FC725CB68CCC0B3673A3EBD6315B589639E092673D6DB38E8068788

Function 004292E0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8820827ab3717a503f23ee1f329a572c2ac425d8331617b1f9b573c8837ef006
Instruction ID: 6483a22a6f500d058f9f4f03b7d1e0b0debdf2b506a58ba5144e8a59cc6fe5a8
Opcode Fuzzy Hash: 8820827ab3717a503f23ee1f329a572c2ac425d8331617b1f9b573c8837ef006
Instruction Fuzzy Hash: DF31C432E00125CFCB14CF64C8516AFB7B2FF46310F19959AD842AB3A1DB385D01CB94

Function 004393C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311bccfb7c94d63f981d42372d52fcc226d8c5098601f3624a1e21d790acd581
Instruction ID: daeb1bb460313cd135989d5d7c02351c17a175b5b9fd5c5575e707a8a0bfda13
Opcode Fuzzy Hash: 311bccfb7c94d63f981d42372d52fcc226d8c5098601f3624a1e21d790acd581
Instruction Fuzzy Hash: 3C1178217082110AC3249BA9C8C1177F399DBDE724F19967BD9C08F292E2B8CC42C3D5

Function 00436370 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 91ac4c5b143b02c7d32e682e2a6aab4e0f1bc94368da354689b67666a2c00c8c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6311EC336451D50EC3168D3C84005A67FA30B97234F1AD39EF8B49B2D3D7278D8A8359

Function 0042A660 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee26b68ca80d359eea836c05570f0252371bc8a0c72456eea12c8fb01481f6b
Instruction ID: 9eb9525df2382ca65ffc71ea0fe4effccc3bbe68bdeaf4085e84a9653100f2a1
Opcode Fuzzy Hash: 2ee26b68ca80d359eea836c05570f0252371bc8a0c72456eea12c8fb01481f6b
Instruction Fuzzy Hash: A8019EF5B0031247D6209E11A4C4B2BB2A9AF90748F5D443EEC8457342DB7DFC2482AF

Function 00402B70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d295e9ed382b796e59e78ecd7c3973d9fbade591b377e9c3dd8d664adeac99
Instruction ID: fe22f187d6262aa03d792ec1030457158b6d731bbaaa7045d526425db3de230e
Opcode Fuzzy Hash: d5d295e9ed382b796e59e78ecd7c3973d9fbade591b377e9c3dd8d664adeac99
Instruction Fuzzy Hash: 1D01F46B7A831A0BD700DDBDECD56AAB7A696D5108B1E4139EA80D7781E0B8F8058294

Function 00425E70 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4230b21a2fd02e58cc7b406f354e8a131570180303f77ccb7a9505112db3ad99
Instruction ID: 18454f57bc8bd7713fef9fb37d3191b327954915f6893786146af46e59a98f16
Opcode Fuzzy Hash: 4230b21a2fd02e58cc7b406f354e8a131570180303f77ccb7a9505112db3ad99
Instruction Fuzzy Hash: AA01B53560E710DFC7188B24948093FB3B2FB9A324FA5556CD59123261D330ED028BCE

Function 00425DEA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cdd2821561e72d22e9e4a155e993369658370f557c2a38552048b2028693a2
Instruction ID: 6fca0e276dc41d176f9258a46a62d3d95cdd6612b9affbec5bcc6b9929d5356f
Opcode Fuzzy Hash: 75cdd2821561e72d22e9e4a155e993369658370f557c2a38552048b2028693a2
Instruction Fuzzy Hash: 3001DF30A096209BC7088B14A48053FF3B2EF8B720FD5552DE68667251C335ED028B8E

Function 0043EC60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa1d9da91f22f173d497c8b9dff6cb2ad0c54e4f2a9c7da531a3c1cc58556e0
Instruction ID: 79179b24096eac5e6ac07bd72d819e76adb0a4e00d37c96423816886d630571d
Opcode Fuzzy Hash: bfa1d9da91f22f173d497c8b9dff6cb2ad0c54e4f2a9c7da531a3c1cc58556e0
Instruction Fuzzy Hash: E7012B3AA519904BC718CF39DC91AE573A1F797305F19A6BCC406E7274EE3499058B48

Function 0040B79B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f67c24f99cd3bc66bd5b873502f9be22687b740bcac6bb5ea83f9132e44f2e
Instruction ID: 006929160d69d297b0fade613808cb138237ee9c33cbc0bff183a40fe4272359
Opcode Fuzzy Hash: a5f67c24f99cd3bc66bd5b873502f9be22687b740bcac6bb5ea83f9132e44f2e
Instruction Fuzzy Hash: 48F024796093805BD348CF34DCE1A6BBBA6E792608F05653CE58293290CA21DC598A4D

Function 004318D2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4524fc0a338ad57f963c04a2a1849163223f2dae8872ce465ca5c5a18a3cbdac
Instruction ID: a73563fd83c1a5f1fe8eb3a12ecc0343a21fa8b04a7e32c0d6862619b683f324
Opcode Fuzzy Hash: 4524fc0a338ad57f963c04a2a1849163223f2dae8872ce465ca5c5a18a3cbdac
Instruction Fuzzy Hash: 670148B44047029FD320EF28C445B57BBF4EB48344F408A2DE8AAC7791E770A404CF82

Function 00431D48 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 102COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431D54
VariantInit.OLEAUT32 ref: 00431D60

Strings

f, xrefs: 00431DAA
%, xrefs: 00431DA6
, xrefs: 00431D96
-, xrefs: 00431D7E
m, xrefs: 00431DD6
3, xrefs: 00431D8E
n, xrefs: 00431DCA
d, xrefs: 00431DB2
b, xrefs: 00431DBA
l, xrefs: 00431DD2
j, xrefs: 00431DDA
", xrefs: 00431D86
`, xrefs: 00431DC2
4, xrefs: 00431D9E

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $"$%$-$3$4$`$b$d$f$j$l$m$n
API String ID: 2610073882-388534048
Opcode ID: 0d47e0fe30014c20ce2d32c7426541ef57348e46fc9c568ff5466d38f1117a37
Instruction ID: 0ed16d0090aa2853db3fa94cf8c83c94d7f5a066e2027e59c45352e3d5823b27
Opcode Fuzzy Hash: 0d47e0fe30014c20ce2d32c7426541ef57348e46fc9c568ff5466d38f1117a37
Instruction Fuzzy Hash: 5C415C612087C1CED725CF38C889346BFA2AB62314F08C69DD8E54F39BD279D516C762

Function 0043285B Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 96COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432867
VariantInit.OLEAUT32 ref: 00432873

Strings

n, xrefs: 004328E3
j, xrefs: 004328F3
b, xrefs: 004328D3
%, xrefs: 004328BF
d, xrefs: 004328CB
3, xrefs: 004328A7
-, xrefs: 00432897
", xrefs: 0043289F
m, xrefs: 004328EF
l, xrefs: 004328EB
f, xrefs: 004328C3
`, xrefs: 004328DB
4, xrefs: 004328B7
, xrefs: 004328AF

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $"$%$-$3$4$`$b$d$f$j$l$m$n
API String ID: 2610073882-388534048
Opcode ID: ae5400dcd5d302ef961202c0a16dd426301db3ee827d1cb557e1cc8c01814538
Instruction ID: cf5d184b347ae60a31a8e7b64644b3d0961cef50304e460fca956dadef895e24
Opcode Fuzzy Hash: ae5400dcd5d302ef961202c0a16dd426301db3ee827d1cb557e1cc8c01814538
Instruction Fuzzy Hash: 2F413C612087C08ED726CF3CC885346BFE1AB66314F08869DD8E58F39BD275D516C766

Function 006AAAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,006AAACD,?,?,?,?,?,?,?,?,?), ref: 006AAB88
__alloca_probe_16.LIBCMT ref: 006AAC43
__alloca_probe_16.LIBCMT ref: 006AACD2
__freea.LIBCMT ref: 006AAD1D
__freea.LIBCMT ref: 006AAD23
__freea.LIBCMT ref: 006AAD59
__freea.LIBCMT ref: 006AAD5F
__freea.LIBCMT ref: 006AAD6F

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 90cf10d9d0b8ae71cd365f226f6d485ade340bf275fdcc8b155a2256be37e26d
Instruction ID: 408d29b051b5e79d6691e1e0749fd3e22868d30be866b69668f64b08f290451f
Opcode Fuzzy Hash: 90cf10d9d0b8ae71cd365f226f6d485ade340bf275fdcc8b155a2256be37e26d
Instruction Fuzzy Hash: E171B3729002096BDF21BEE48C41BEE77ABAF4B310F19015BE845AB391E7759C41CF66

Function 0068FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 0068FE70
__alloca_probe_16.LIBCMT ref: 0068FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 0068FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0068FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0068FF37
__alloca_probe_16.LIBCMT ref: 0068FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0068FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0068FFB9

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 579a716a666eab1a0691e07a3c6b573703afe01541ec180bcc71257b62689e83
Instruction ID: b9492f5af3166ac1092e1cc4079300180a1bb45d9e58e8901ebfbdba6e81df83
Opcode Fuzzy Hash: 579a716a666eab1a0691e07a3c6b573703afe01541ec180bcc71257b62689e83
Instruction Fuzzy Hash: 6C51AF7260021AAFEF206F60CC45FEB7BBAEF45750F144639FA10DA290DB748C508B60

Function 0069EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0069EEFC

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: a517f2a426a733c665d203a7fd68d4d9aa38e5f838c3e6618760ce21e92bd0cd
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 41B14472A00255AFDF15CF24CC81BEEBBAEEF15310F19416AE844EB782D6759D41CBA0

Function 00690D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00690D77
___except_validate_context_record.LIBVCRUNTIME ref: 00690D7F
_ValidateLocalCookies.LIBCMT ref: 00690E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00690E33
_ValidateLocalCookies.LIBCMT ref: 00690E88

Strings

csm, xrefs: 00690E1D

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 30560e36b3b890a8dcdd2f7e6219fa2202743424aee359948dff3920f8ebd3cf
Instruction ID: b8ca1bbdd5bb781dd72af33af11dff3ed4b17ba5cd93dbffed167ec8836df5f4
Opcode Fuzzy Hash: 30560e36b3b890a8dcdd2f7e6219fa2202743424aee359948dff3920f8ebd3cf
Instruction Fuzzy Hash: 53410434A002189FDF10EF68CC84ADEBBBBAF45320F148559E8189B752DB31AE45CB94

Function 00683C70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00683CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00683CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00683CE0
__Getctype.LIBCPMT ref: 00683D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00683DD8

Strings

e.k, xrefs: 00683D67

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID: e.k
API String ID: 3087743877-1614438693
Opcode ID: 777ce653577e82525a92e75f09ff3f01509284d7786e850fc1e6e824ce9799df
Instruction ID: c8bb62b27a094860075c462633c4ad4fe97ad7d1b75909bee5d766a7fb3c9e71
Opcode Fuzzy Hash: 777ce653577e82525a92e75f09ff3f01509284d7786e850fc1e6e824ce9799df
Instruction Fuzzy Hash: C7415CB1D002258FDB14EF94D845BAEB7B2FF84B20F148229D8556B391EB35AE41CF91

Function 006824B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 006824DD
ShowWindow.USER32(00000000,00000000), ref: 006824E6
GetCurrentThreadId.KERNEL32 ref: 00682524

Part of subcall function 0068F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0068253A,?,?,00000000), ref: 0068F129
Part of subcall function 0068F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,0068253A,?,?,00000000), ref: 0068F142
Part of subcall function 0068F11D: CloseHandle.KERNEL32(?,?,?,0068253A,?,?,00000000), ref: 0068F154

std::_Throw_Cpp_error.LIBCPMT ref: 00682567
std::_Throw_Cpp_error.LIBCPMT ref: 00682578
std::_Throw_Cpp_error.LIBCPMT ref: 00682589
std::_Throw_Cpp_error.LIBCPMT ref: 0068259A

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 9a69261c3f93644caae04902737936aaf3857c9043167ebac0be7bcaa9f87ffa
Instruction ID: 348d9edeff62fd1a8c45b85e4033a9eb80fb209426dc99aee138c89bcfee9fe3
Opcode Fuzzy Hash: 9a69261c3f93644caae04902737936aaf3857c9043167ebac0be7bcaa9f87ffa
Instruction Fuzzy Hash: E22176F2D402159BDF50BFE4DC06BDE7BB5AF04710F080269F90476281E7B6A554C7A6

Function 0069CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,0069D01A,00681170,0068AA08,?,?), ref: 0069CFCC

Strings

ext-ms-, xrefs: 0069CF76
api-ms-, xrefs: 0069CF62

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: d275dafce217a2e4ca52090e08ed6433dabe253597d83a82cc97febfb33a4088
Instruction ID: 4749bac5fb547de3f0cac267f3e634ad6a605379ecc87c4a42922e632887d4b0
Opcode Fuzzy Hash: d275dafce217a2e4ca52090e08ed6433dabe253597d83a82cc97febfb33a4088
Instruction Fuzzy Hash: 65210671B41311ABDF219B69DC40AAA7B6FDF817B0F250211F909A7790E730EE40CAD0

Function 00690080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00690086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00690094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006900A5

Strings

GetTempPath2W, xrefs: 0069009A
GetSystemTimePreciseAsFileTime, xrefs: 0069008E
kernel32.dll, xrefs: 00690081

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 7557b04b6e8bcd6876c1e5841ad720cc05a555b30ed85c18a750777a9c88a888
Instruction ID: 4e40c9e555a1fe216bd4f82eb3c24365ad7cc27ccdb00075e5e84edcdcb14ca9
Opcode Fuzzy Hash: 7557b04b6e8bcd6876c1e5841ad720cc05a555b30ed85c18a750777a9c88a888
Instruction Fuzzy Hash: 64D09EF1A51220AB93106F74BD0A8E93EABFA097113025292F441D2351EF7456C08794

Function 006A4F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd443638e376fbeefe4d3fe4d835a6c0ff9bb6f929eb80be3be9e7f372de5e2
Instruction ID: a42f8a8660a1ab8a00b21fc69917cac617557c2097d842fdbf6643441a39cb90
Opcode Fuzzy Hash: 8dd443638e376fbeefe4d3fe4d835a6c0ff9bb6f929eb80be3be9e7f372de5e2
Instruction Fuzzy Hash: 28B1E2B0A04A49AFDF11EFA8D840BBEBBB7AF46304F144159E5029B392D7719D41CFA4

Function 00689B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00689C97
std::_Throw_Cpp_error.LIBCPMT ref: 00689CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00689CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00689CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00689CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00689D06

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 1e5e82aecafe0c3c3b17317bdab2654985b0d83c30a374e468959692946bb1a1
Instruction ID: 9d4b8bdacc6dd01b95fbb7498d044e4272bf8d9a5086c7bd2578c928122e4fe1
Opcode Fuzzy Hash: 1e5e82aecafe0c3c3b17317bdab2654985b0d83c30a374e468959692946bb1a1
Instruction Fuzzy Hash: A641B1B1900740CBDB30BB6489067ABBBF6AF45324F1C072DE56A262D1D7766904CB66

Function 0069ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0069ACDE,00690760,0068B77F,BB40E64E,?,?,?,?,006ABFCA,000000FF), ref: 0069ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0069AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0069AD1C
SetLastError.KERNEL32(00000000,?,0069ACDE,00690760,0068B77F,BB40E64E,?,?,?,?,006ABFCA,000000FF), ref: 0069AD6E

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5747f85d3aedc303d90277bc17e6b04e69e542e0cbd0ef58c69ddf7227d58b3b
Instruction ID: b250b099bcd87c4241c23d51b9e9bd098d3ccdef978c6049976ab8eceef1416b
Opcode Fuzzy Hash: 5747f85d3aedc303d90277bc17e6b04e69e542e0cbd0ef58c69ddf7227d58b3b
Instruction Fuzzy Hash: 1A01F5B22096159EFB643BB5AC4986A3ACFEF02B71720132EF61045AF1EF914C465195

Function 0069B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0069B68D
CallUnexpected.LIBVCRUNTIME ref: 0069B906

Strings

csm, xrefs: 0069B618
csm, xrefs: 0069B5AB
csm, xrefs: 0069B6C4

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: ae93eceb7fe756ce81d9dd40057ff873466daae2f6a6c2223de9cab63b46b623
Instruction ID: 8f2bdd56160255d05367f3a52762d1f64a30c643ad996c83ee192fd3b3a8c682
Opcode Fuzzy Hash: ae93eceb7fe756ce81d9dd40057ff873466daae2f6a6c2223de9cab63b46b623
Instruction Fuzzy Hash: F3B15871800209EFCF14DFA4EA819AEBBBEFF08310F14555AE8116BA12D731EA51DF95

Function 0068BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 0068BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 0068C028

Strings

RCC, xrefs: 0068BEAB
csm, xrefs: 0068BEB7
MOC, xrefs: 0068BE9F

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 7c75968d182e2de551aa1064d9fc04c0666457c90ff326bcf741f0974bd4e3c1
Instruction ID: d255bba718ef958684c6fa4ec647f45a99dacd2bdf2cb00316fbdc4d968f5292
Opcode Fuzzy Hash: 7c75968d182e2de551aa1064d9fc04c0666457c90ff326bcf741f0974bd4e3c1
Instruction Fuzzy Hash: 8841BF74900209DFCF28EF68D9459AEBBB6BF48300B58929DE445A7742CB74AA04CF65

Function 006955C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,006ABE94,000000FF,?,00695685,?,?,00695721,00000000), ref: 006955F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0069560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,006ABE94,000000FF,?,00695685,?,?,00695721,00000000), ref: 0069562D

Strings

mscoree.dll, xrefs: 006955F2
CorExitProcess, xrefs: 00695603

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ef9553a1bf3202f346edf175def32f2316b01c44172fd710d811b3ab2ffe21d8
Instruction ID: 893d9e24c88b9651c42a4ed997038b147426f3619d819333bee7f121c628b929
Opcode Fuzzy Hash: ef9553a1bf3202f346edf175def32f2316b01c44172fd710d811b3ab2ffe21d8
Instruction Fuzzy Hash: 91018B71A50615AFDF119F54DC05BEEBBBEFB04B15F010625F811E26A0DB789D40CB94

Function 0069D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0069D76F
__alloca_probe_16.LIBCMT ref: 0069D838
__freea.LIBCMT ref: 0069D89F

Part of subcall function 0069BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,0068A67D,00000018,?,00683D4A,00000018,00000000), ref: 0069BF43

__freea.LIBCMT ref: 0069D8B2
__freea.LIBCMT ref: 0069D8BF

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: f865d31ddad83605a397c96cac053b492ebfeca63d4a1f3be39b1a9d029e5c78
Instruction ID: cd6817b57e6385430ba091bdcb1ae17a2ad9c19310d416e588b7711475889a44
Opcode Fuzzy Hash: f865d31ddad83605a397c96cac053b492ebfeca63d4a1f3be39b1a9d029e5c78
Instruction Fuzzy Hash: AC51BF72600206AFEF215FA08D85EFB7AAFEF44750B15013DFD04DAA92EB74CC1196A4

Function 0068EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0068F005
AcquireSRWLockExclusive.KERNEL32(00688E38), ref: 0068F024
AcquireSRWLockExclusive.KERNEL32(00688E38,0068A2F0,?), ref: 0068F052
TryAcquireSRWLockExclusive.KERNEL32(00688E38,0068A2F0,?), ref: 0068F0AD
TryAcquireSRWLockExclusive.KERNEL32(00688E38,0068A2F0,?), ref: 0068F0C4

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e91211cc64f288a2a573489483894ae927580a061d58b01ba5f45979be472cbd
Instruction ID: c90ec96501293f0e258801fbe056c30327470f2b66a32be18d3b95a18ade9ae5
Opcode Fuzzy Hash: e91211cc64f288a2a573489483894ae927580a061d58b01ba5f45979be472cbd
Instruction Fuzzy Hash: EF417C7160060ADFCB20EF65C8A49AAB3F6FF44311B204B3AE496D7642D770F995CB61

Function 0068D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0068D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 0068D4D3
int.LIBCPMT ref: 0068D4EA

Part of subcall function 0068C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 0068C1F6
Part of subcall function 0068C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 0068C210

codecvt.LIBCPMT ref: 0068D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 0068D544

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 3d178fb356a5fa048f5f8c612e5b264d4de47e6e477a590bdc0c353bbd4ebc0b
Instruction ID: b96a5a59ba7ba163057bcf8e0942007dca43f708c51e9937047d273ef00549ac
Opcode Fuzzy Hash: 3d178fb356a5fa048f5f8c612e5b264d4de47e6e477a590bdc0c353bbd4ebc0b
Instruction Fuzzy Hash: 8F01C0719001158BCB05FBA8C845AAE7B73AF84724F14030EF811AB3D2CF749E40CBA6

Function 0068ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0068ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 0068ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 0068AE57

Part of subcall function 0068ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0068ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 0068AE04
_Yarn.LIBCPMT ref: 0068AE1A

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 2e4ea5b016fe7f95b2ce9d3a24107a39da95dce96af48b24e0b570c08f33ffaf
Instruction ID: 321c54229529fbc3224606776cfdbaad3af27fb87f7ae40927da0213732e3aa1
Opcode Fuzzy Hash: 2e4ea5b016fe7f95b2ce9d3a24107a39da95dce96af48b24e0b570c08f33ffaf
Instruction Fuzzy Hash: 0201B1B56002219BDB05FF60D85557D3B63FF88760B04121EE80157381CF386E82CB8A

Function 00681750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00681783

Strings

ios_base::failbit set, xrefs: 00681BEF
ios_base::eofbit set, xrefs: 00681BEA
ios_base::badbit set, xrefs: 00681BFA, 00681C20

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: a959a010956462db0a0a7a10acb9d3028c15297ae420c78081eff7c130c495ec
Instruction ID: 4cef089ed46c4e4887fecfcd01f3eedc3987babfd7d8a6aa6aeafa8c97f91156
Opcode Fuzzy Hash: a959a010956462db0a0a7a10acb9d3028c15297ae420c78081eff7c130c495ec
Instruction Fuzzy Hash: 3AF16E75A002188FCB14DF68C494BADBBF6FF89324F194269E815AB391D734AD46CB90

Function 0042DAFD Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042DC5F

Strings

glhm, xrefs: 0042DB59
kdge, xrefs: 0042DB69
G, xrefs: 0042DC87

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: G$glhm$kdge
API String ID: 3664257935-3790318392
Opcode ID: efda84222cddbdac5fe667d835128501f3c90b1fd491eb25eb067e342f112da9
Instruction ID: bfd15d46e1ac39dd06e1a04889429419f0e65eafd70abaf615cf56b171db5900
Opcode Fuzzy Hash: efda84222cddbdac5fe667d835128501f3c90b1fd491eb25eb067e342f112da9
Instruction Fuzzy Hash: C451267060C3919FE311CB25D850B6BBFD0EFA6300F14486DF5C5AB392D2B98805CB56

Function 006873E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00687526
___std_exception_copy.LIBVCRUNTIME ref: 00687561

Part of subcall function 0068AF37: CreateThreadpoolWork.KERNEL32(0068B060,00688A2A,00000000), ref: 0068AF46
Part of subcall function 0068AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 0068AF53

Strings

G.k, xrefs: 00687551
Fail to schedule the chore!, xrefs: 00687560

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!$G.k
API String ID: 3683891980-46482813
Opcode ID: 5d5b22349ca31442e0c72373fc85e2dc4ad8be217d40b496b56b7403a3e87618
Instruction ID: 77b8fe53e463edac1b6497c39ff1ddffed357821e2b2ff618a016c0e0487ac10
Opcode Fuzzy Hash: 5d5b22349ca31442e0c72373fc85e2dc4ad8be217d40b496b56b7403a3e87618
Instruction Fuzzy Hash: A9519DB09012099FDF00EF94D844BEEBBB6FF08324F144229E8156B391E775AA45CF91

Function 00683E90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00683EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00684002

Part of subcall function 0068ABC5: _Yarn.LIBCPMT ref: 0068ABE5
Part of subcall function 0068ABC5: _Yarn.LIBCPMT ref: 0068AC09

Strings

bad locale name, xrefs: 00683F46
|=he.k, xrefs: 00683E9B, 00683F1F

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name$|=he.k
API String ID: 2070049627-16793672
Opcode ID: ea887715050961610347b342675bb3e872492225aa900599b9d4300562bb569a
Instruction ID: 06ffdb7653d89f8e0b6382fe79e62e33e3392ffa367647090a181f93ad30a390
Opcode Fuzzy Hash: ea887715050961610347b342675bb3e872492225aa900599b9d4300562bb569a
Instruction Fuzzy Hash: B2417EF0A007559BEB10EF69C805B57BAF9BF04714F04422DE40997B80E77AE518CBE5

Function 00424883 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004248C1

Strings

q, xrefs: 00424900
ha, xrefs: 004248F9
ha, xrefs: 00424960, 00424519

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ha$ha$q
API String ID: 237503144-2525095540
Opcode ID: 2afdf2c7a496911d1016a4b7ad03343ecd8edc0553639cf8e445061b07e4d96e
Instruction ID: c658e200b3172b2c4a4d6f089079a709458a382cdb7082564cb6dc42ecfb3a23
Opcode Fuzzy Hash: 2afdf2c7a496911d1016a4b7ad03343ecd8edc0553639cf8e445061b07e4d96e
Instruction Fuzzy Hash: B731D575A00211CFDB10CF98D881BAE7BB1FF49714F158079E914AF396DB75D8028B95

Function 0068B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 0068B809

Strings

RCC, xrefs: 0068B795
MOC, xrefs: 0068B789
csm, xrefs: 0068B7A1

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: b48fba0421a574752c9ca8fcc82772a960f46d966d536019475a62370d415065
Instruction ID: a53bafe7f90543395467c8bb048b88bae8d2e248406e6474175c27bfef79a9a9
Opcode Fuzzy Hash: b48fba0421a574752c9ca8fcc82772a960f46d966d536019475a62370d415065
Instruction Fuzzy Hash: 2F21F275800705DFCF28BF94D855AA9B7AEEF44720F18671EE4118BB90DB34AA41CB80

Function 0068F11D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,0068253A,?,?,00000000), ref: 0068F129
GetExitCodeThread.KERNEL32(?,00000000,?,?,0068253A,?,?,00000000), ref: 0068F142
CloseHandle.KERNEL32(?,?,?,0068253A,?,?,00000000), ref: 0068F154

Strings

:%h, xrefs: 0068F134

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: :%h
API String ID: 2551024706-2099740889
Opcode ID: a71c8f3fc668cab8eaaca4a9c03955a97e97a77c0603fbf147af09de836b119e
Instruction ID: 04839873da09fb3c2df341c1de517da61c4fbf7add39f44a0512808b09658d76
Opcode Fuzzy Hash: a71c8f3fc668cab8eaaca4a9c03955a97e97a77c0603fbf147af09de836b119e
Instruction Fuzzy Hash: 77F08271644114EFDF109F24DC09A9A3B66EF01770F240320F962EA2E0E734DE418780

Function 0068ABC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 0068ABE5
_Yarn.LIBCPMT ref: 0068AC09

Strings

e.k, xrefs: 0068ABD9
|=he.k, xrefs: 0068ABC8

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Yarn
String ID: e.k$|=he.k
API String ID: 1767336200-1824295239
Opcode ID: d4d72012ef84ef28d0ae3580cc70d5f105b7c53834d4c8a114f7b4e45461b3fc
Instruction ID: c03f3193ad58e415d0c81014faa00c1ef0bc1b4a689aad58552ee2ff7187d1b9
Opcode Fuzzy Hash: d4d72012ef84ef28d0ae3580cc70d5f105b7c53834d4c8a114f7b4e45461b3fc
Instruction Fuzzy Hash: 64E030323082006BFB487AA5AC52BA677DECB04760F10052EFD0A8B5C1ED10AC404669

Function 006A6940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006A69DC,00000000,?,006BD2B0,?,?,?,006A6913,00000004,InitializeCriticalSectionEx,006B0D34,006B0D3C), ref: 006A694D
GetLastError.KERNEL32(?,006A69DC,00000000,?,006BD2B0,?,?,?,006A6913,00000004,InitializeCriticalSectionEx,006B0D34,006B0D3C,00000000,?,0069BBBC), ref: 006A6957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006A697F

Strings

api-ms-, xrefs: 006A6964

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fcd425d64250035cc939e1a86b6702a787bc4a9577496e223476e4000e84c7c4
Instruction ID: e87478f77716c67da214a560fd2044c156118c1ce40aad6a97f8e1a985f02429
Opcode Fuzzy Hash: fcd425d64250035cc939e1a86b6702a787bc4a9577496e223476e4000e84c7c4
Instruction Fuzzy Hash: 5DE01AB0780209BAEF212B65EC06BAD3A57AF41B95F180520F94CA85E1DBB5EC909E44

Function 006A3F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 006A4001

Part of subcall function 0069C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0069D895,?,00000000,-00000008), ref: 0069C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006A4253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006A4299
GetLastError.KERNEL32 ref: 006A433C

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 42251e8c1cc85592199778781441d23d15d8f930156a01f8b95aeab0660d7925
Instruction ID: 98720b08ca6f45e99159b726bfe4c3648a409e30e4cb0862363582c60da2ad52
Opcode Fuzzy Hash: 42251e8c1cc85592199778781441d23d15d8f930156a01f8b95aeab0660d7925
Instruction Fuzzy Hash: C1D159B5D002589FCF14DFA9C880AEDBBB6EF49314F24416AE516EB351DA70AD41CF50

Function 0069B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0069B35C
___AdjustPointer.LIBCMT ref: 0069B37F
___AdjustPointer.LIBCMT ref: 0069B41B

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 34868931edc41cf8f9c81f34572da9490c91f5a3cada2aee1edda016c23d6d3b
Instruction ID: 2f261c7b72bf5ef8b31c1a0cc7e6c1daab688e86324748494c29dbe75385cc0a
Opcode Fuzzy Hash: 34868931edc41cf8f9c81f34572da9490c91f5a3cada2aee1edda016c23d6d3b
Instruction Fuzzy Hash: AD51D271A04612AFEF29DF54EA91BBA73AAEF00710F14512DED0647A91D731ED81CB90

Function 00687220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006872C5
std::_Throw_Cpp_error.LIBCPMT ref: 00687395
std::_Throw_Cpp_error.LIBCPMT ref: 006873A3
std::_Throw_Cpp_error.LIBCPMT ref: 006873B1

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 6ec4cf4c567456c875c67ebe15083b3b6dfffac9e60faedf29222013d11e1579
Instruction ID: 16816499fc1a60850bdac0ac79829974ecb21186fa6288ffcad4455d28fc287e
Opcode Fuzzy Hash: 6ec4cf4c567456c875c67ebe15083b3b6dfffac9e60faedf29222013d11e1579
Instruction Fuzzy Hash: 2B41E4B1A00705CBDB20FB64C8417AAB7A6FF44320F28473DE81657791EB35E811CB92

Function 006A1DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0069C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0069D895,?,00000000,-00000008), ref: 0069C082

GetLastError.KERNEL32 ref: 006A1E2A
__dosmaperr.LIBCMT ref: 006A1E31
GetLastError.KERNEL32 ref: 006A1E6B
__dosmaperr.LIBCMT ref: 006A1E72

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 670a365a451a4562b430942a3a6f27038f32d0986e8d635ac6d87f81756038fa
Instruction ID: 7b9e40f85e822c387f813fc38be561abf8099514f76f81929d3ce24ce7e7e7c6
Opcode Fuzzy Hash: 670a365a451a4562b430942a3a6f27038f32d0986e8d635ac6d87f81756038fa
Instruction Fuzzy Hash: D7219D72604215AF9B20BFA588819ABB7AFFF03364B10851DFC199B651D731EC418BA0

Function 00692BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f246b1a6daa18f2edcf346e74f283d5192968450e549977084df34df4c3bdbc
Instruction ID: 88627a5d1f6e2680ea14a206f80beb107942a6607dbeca4e7b065db771f1f5db
Opcode Fuzzy Hash: 1f246b1a6daa18f2edcf346e74f283d5192968450e549977084df34df4c3bdbc
Instruction Fuzzy Hash: C9218B7220420BBF9FA0AF658CA19AA77AFFF40364B104519F85997A51EB31EC5187A0

Function 006A31BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006A31C6

Part of subcall function 0069C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0069D895,?,00000000,-00000008), ref: 0069C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006A31FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006A321E

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a7c22747ab1caa1acb84631e8b6b9c73abc41611557f6886422ad4627d62439d
Instruction ID: 2bbac7a3adb8a0600897b38164167ddaac4f4fa4ebe04c6a278b7ee7e0b02cd4
Opcode Fuzzy Hash: a7c22747ab1caa1acb84631e8b6b9c73abc41611557f6886422ad4627d62439d
Instruction Fuzzy Hash: 3D11C0F25011297EAB2137B5AD8ADBF6E5EDEC63947100129FA0191201FF68DF418AB9

Function 006AADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000), ref: 006AADB7
GetLastError.KERNEL32(?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000,?,?,?,006A3CD6,00000000), ref: 006AADC3

Part of subcall function 006AAE20: CloseHandle.KERNEL32(FFFFFFFE,006AADD3,?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000,?,?), ref: 006AAE30

___initconout.LIBCMT ref: 006AADD3

Part of subcall function 006AADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006AAD91,006AA2DC,?,?,006A4390,?,00000000,00000000,?), ref: 006AAE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,006AA2EF,00000000,00000001,00000000,?,?,006A4390,?,00000000,00000000,?), ref: 006AADE8

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 438fc015b7c7b8a14ddeb1fb181d49f8cf9da16ed6c40f1ea6d69b3e45751be4
Instruction ID: 63848fcf46b41b83aa06ffbaadd6d587723887e28e5957eb264db37a4c8617ce
Opcode Fuzzy Hash: 438fc015b7c7b8a14ddeb1fb181d49f8cf9da16ed6c40f1ea6d69b3e45751be4
Instruction Fuzzy Hash: 92F0F836500119BBCFA22FD5DC0899A3E27FF097A1B004116FA0886130DB328DA0EB95

Function 006904F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00690507
GetCurrentThreadId.KERNEL32 ref: 00690516
GetCurrentProcessId.KERNEL32 ref: 0069051F
QueryPerformanceCounter.KERNEL32(?), ref: 0069052C

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 04aed90e344db90d6ce28913c236bfe7d0cf3c5a8e4692429a1e64a16cf915a5
Instruction ID: 41c111f34bd3c85b248df350fec01da2bb5853a232a5eade05da7b96b41a095d
Opcode Fuzzy Hash: 04aed90e344db90d6ce28913c236bfe7d0cf3c5a8e4692429a1e64a16cf915a5
Instruction Fuzzy Hash: EAF062B5D1020DEBCB00DFB4DA4999EBBF5FF1C200B915A95E412E7110EB34AB849B50

Function 0069B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0069B893,?,?,00000000,00000000,00000000,?), ref: 0069B9B7

Strings

MOC, xrefs: 0069B9C9
RCC, xrefs: 0069B9D1

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dd30e4f3f3088ff775d361c1829997e4293b264614a016e8c3be4769a711a93a
Instruction ID: 50a9343364eb25a4da60ac6fc0f7ee29a58fb0cccf97499fadd6164a00a174da
Opcode Fuzzy Hash: dd30e4f3f3088ff775d361c1829997e4293b264614a016e8c3be4769a711a93a
Instruction Fuzzy Hash: 7A418732900209AFCF15DF98DE81AEEBBBAFF48310F189199FA14A7611D3359950DB90

Function 0040C5B6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C5BA
CoInitializeEx.OLE32(00000000,00000002), ref: 0040C6FF

Strings

E)ov, xrefs: 0040C70B

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: Initialize
String ID: E)ov
API String ID: 2538663250-3776031005
Opcode ID: e7a95b8e5ff17603cc907fcbc2df53191815e2a062ed42e83665db1e0f35c6a2
Instruction ID: 7eb1427ce90a185cc1fa67b5dec7511066f0963e0e52bfde8587bb9a189e8e04
Opcode Fuzzy Hash: e7a95b8e5ff17603cc907fcbc2df53191815e2a062ed42e83665db1e0f35c6a2
Instruction Fuzzy Hash: 6941C8B4C10B40AFD370EF39990B7137EB4AB06250F504B1DF9EA866D4E631A4198BD7

Function 00433B7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433BC8
GetSystemMetrics.USER32 ref: 00433BD7

Strings

, xrefs: 00433CAB

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 66b7d6ddbbaea78e25287b155da9d8360f6552616883599e2b0a62f41b2dcca0
Instruction ID: 01f348f677623f89764fea340cc94f5095fd4e31d5590f1ad9612ee75e4100da
Opcode Fuzzy Hash: 66b7d6ddbbaea78e25287b155da9d8360f6552616883599e2b0a62f41b2dcca0
Instruction Fuzzy Hash: E05172B4D142089FCB40EFACD98569DBBF0BB88300F11852AE498E7310D774A984CF96

Function 0069B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0069B475

Strings

csm, xrefs: 0069B508
csm, xrefs: 0069B497

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: b7ab4f45f5a473a7e1236f5588808cc2c6a22f0525b7873faa4203494b70eb52
Instruction ID: fef3d03be9db50e4387c985fee6b57531054053ff89a8c2588acf5355d3fa079
Opcode Fuzzy Hash: b7ab4f45f5a473a7e1236f5588808cc2c6a22f0525b7873faa4203494b70eb52
Instruction Fuzzy Hash: 2231FB71400219EBCF269F50EE448FE7BAFFF08715B19565AF8444A622C336DD61EB81

Function 0042C3AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C3E5

Strings

tidc, xrefs: 0042C40B
-!B, xrefs: 0042C45E

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: -!B$tidc
API String ID: 3664257935-476040656
Opcode ID: 57dd9652ca8a2e1dfdf703eb478245f04d1e764e2e6b3a4a6fe835d72092e874
Instruction ID: 0cb94904c914ad7ae8bd8e1ac9fe588995fa1e3a88885b05c0f925f6698cc2a9
Opcode Fuzzy Hash: 57dd9652ca8a2e1dfdf703eb478245f04d1e764e2e6b3a4a6fe835d72092e874
Instruction Fuzzy Hash: E321F17420C3918AD7218F39D8507EBBBE6ABE6304F94885ED0C8C7292DA798506C716

Function 0068B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0068B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 0068B8DE

Part of subcall function 0069060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0068F354,00000000,?,?,?,0068F354,00683D4A,006B759C,00683D4A), ref: 0069066D

Part of subcall function 00698353: IsProcessorFeaturePresent.KERNEL32(00000017,0069378B,?,?,?,?,00000000,?,?,?,0068B5AC,0068B4E0,00000000,?,?,0068B4E0), ref: 0069836F

Strings

csm, xrefs: 0068B86D

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 6207fce0bb96614bf18c4ad80f35550f020be9223b4e6df50c3e325c2d93c758
Instruction ID: 1cf114474667a9606720464f53d54703578ff2c0a8c7bc5200ecd74e7996c5e2
Opcode Fuzzy Hash: 6207fce0bb96614bf18c4ad80f35550f020be9223b4e6df50c3e325c2d93c758
Instruction Fuzzy Hash: E7218E71D00218EBCF24EF99D845AEEB7BEEF45710F18161AE505AB350DB70AD45CB81

Function 0042C3AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C3E5

Strings

tidc, xrefs: 0042C40B
-!B, xrefs: 0042C45E

Memory Dump Source

Source File: 00000002.00000002.1712103831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: -!B$tidc
API String ID: 3664257935-476040656
Opcode ID: 162db42e1e998b1f12c2b9f51427277601aaff401d5d9aca3582506ac13c7d85
Instruction ID: 36f598f07a78be95229329e16d831615469c789e38aad443987067daf5129e6e
Opcode Fuzzy Hash: 162db42e1e998b1f12c2b9f51427277601aaff401d5d9aca3582506ac13c7d85
Instruction Fuzzy Hash: 331136756083908BD720CF35E8407ABBBE6ABD6304F84846ED0C8C7261DF398405C706

Function 0068B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00682673

Strings

bad array new length, xrefs: 00682626
ios_base::badbit set, xrefs: 00682650

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 84325f42585bb25233049c26adf082c55df3b2a6f662afa657a8e6326bae2154
Instruction ID: e9692b06271d0248eeb455a1d42bfc02e94b95b44157e000ccba95dcf4f9a755
Opcode Fuzzy Hash: 84325f42585bb25233049c26adf082c55df3b2a6f662afa657a8e6326bae2154
Instruction Fuzzy Hash: C101DFF2608301AFDB04EF28D856A5A7BEAEF04318F01891DF4598B741E375EC88CB85

Function 00682610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0069060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0068F354,00000000,?,?,?,0068F354,00683D4A,006B759C,00683D4A), ref: 0069066D

___std_exception_copy.LIBVCRUNTIME ref: 00682673

Strings

bad array new length, xrefs: 00682626
ios_base::badbit set, xrefs: 00682650

Memory Dump Source

Source File: 00000002.00000002.1712244672.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000002.00000002.1712153087.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712270369.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712287578.00000000006BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712303694.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712318664.00000000006C2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1712354952.000000000070F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_680000_Installer.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: b9b17e0d463381ca0204d4cef0e9354cad33a582faab9046f1da8418370556c7
Instruction ID: 01191e621ed7806173ffd132fb04fc269abd6ca53d18be470bcfdcc832bd70b3
Opcode Fuzzy Hash: b9b17e0d463381ca0204d4cef0e9354cad33a582faab9046f1da8418370556c7
Instruction Fuzzy Hash: EDF0D4F1A14300ABE700AF18D845747BFE9EB55718F01881DF5999B701D3B5D844CB92

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Installer.exe

Function 006BA19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00681FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 006824B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Function 0069CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00681750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 00695349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 006954EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 0069565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 006A3BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 006A43CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 006890F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 0069DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00681EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON