Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Analysis ID:	1502165
MD5:	fe41ba6e49587e644575cc3e63bbec57
SHA1:	b26bf2f22af8fbf59c84df1295c179e6ce9010dd
SHA256:	671d2ffc833e605aa7061ce6c43b83a180957ec3c004856fe837f00b7a0b78a1
Tags:	exe
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Multi AV Scanner detection for submitted file

Adds / modifies Windows certificates

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe" MD5: FE41BA6E49587E644575CC3E63BBEC57)

msiexec.exe (PID: 7392 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7472 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0E4E2BFC58A5D03AC826880BF5326FF0 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Virustotal: Detection: 22%			Perma Link
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	ReversingLabs: Detection: 18%

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbA source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, lzmaextractor.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, MSI92E.tmp.0.dr, MSIB14.tmp.0.dr, MSI880.tmp.0.dr, ?? 02 - ??.x64.msi.0.dr, MSI850.tmp.0.dr, MSI772.tmp.0.dr, MSI870.tmp.0.dr, MSI7F0.tmp.0.dr, ?? 02 - ??.msi.0.dr, MSIB53.tmp.0.dr, MSI8A1.tmp.0.dr, MSI82F.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FA9830 FindFirstFileW,GetLastError,FindClose,	0_2_00FA9830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA2290 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_00EA2290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FA8ED0 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00FA8ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FB7A10 FindFirstFileW,FindClose,FindClose,	0_2_00FB7A10

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000000.2056387638.00000000010E9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: FlashWindowExFlashWindowGetPackagePathhttp://www.google.comhttp://www.yahoo.comtin9999.tmphttp://www.example.comTEST.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server/AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	String found in binary or memory: UFlashWindowExFlashWindowGetPackagePathhttp://www.google.comhttp://www.yahoo.comtin9999.tmphttp://www.example.comTEST.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server/AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)

Source: shi55E.tmp.0.dr	String found in binary or memory: http://.css
Source: shi55E.tmp.0.dr	String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrus
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssur
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA25
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: shi55E.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: http://ocsp.sectigo.com00
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00F87CD0 SendMessageW,GetParent,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,SendMessageW,

0_2_00F87CD0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00F664F0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,GetSysColor,	0_2_00F664F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FEF850 NtdllDefWindowProc_W,	0_2_00FEF850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA3E40 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00EA3E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA00C0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00EA00C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E96670 SysFreeString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	0_2_00E96670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E96CD0 NtdllDefWindowProc_W,GetSysColor,	0_2_00E96CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E98C40 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00E98C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EB6FE0 NtdllDefWindowProc_W,	0_2_00EB6FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00F47370 NtdllDefWindowProc_W,	0_2_00F47370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E99360 NtdllDefWindowProc_W,	0_2_00E99360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA9430 NtdllDefWindowProc_W,	0_2_00EA9430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EF7760 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00EF7760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E99920 NtdllDefWindowProc_W,	0_2_00E99920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E95F50 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00E95F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E9FF50 NtdllDefWindowProc_W,	0_2_00E9FF50

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FE8160	0_2_00FE8160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00F88460	0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FFCE10	0_2_00FFCE10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FC36C0	0_2_00FC36C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FB1850	0_2_00FB1850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA2290	0_2_00EA2290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E87620	0_2_00E87620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA0500	0_2_00EA0500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EB8630	0_2_00EB8630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EAA820	0_2_00EAA820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EBCBB0	0_2_00EBCBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EB0C80	0_2_00EB0C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0106CD70	0_2_0106CD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EFADA0	0_2_00EFADA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_01002F40	0_2_01002F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EACE41	0_2_00EACE41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0107511A	0_2_0107511A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E83000	0_2_00E83000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0106539E	0_2_0106539E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EAF410	0_2_00EAF410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0106572C	0_2_0106572C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FAF6D0	0_2_00FAF6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EB9710	0_2_00EB9710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA9AD0	0_2_00EA9AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FBBA70	0_2_00FBBA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_01079B99	0_2_01079B99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA5CE0	0_2_00EA5CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E85C82	0_2_00E85C82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0107FF84	0_2_0107FF84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA9FF0	0_2_00EA9FF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: String function: 00E88DB0 appears 226 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: String function: 00E88300 appears 59 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: String function: 00E8A830 appears 52 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: String function: 00E8A2A0 appears 52 times

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: shi55E.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: sus36.winEXE@4/90@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FACA20 FormatMessageW,GetLastError,

0_2_00FACA20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FDBC30 GetDiskFreeSpaceExW,

0_2_00FDBC30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00E8A160 LoadResource,LockResource,SizeofResource,

0_2_00E8A160

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

File created: C:\Users\user\AppData\Local\Temp\shi55E.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Virustotal: Detection: 22%
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0E4E2BFC58A5D03AC826880BF5326FF0 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0E4E2BFC58A5D03AC826880BF5326FF0 C	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static file information: File size 12568744 > 1048576

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x267200

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbA source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, lzmaextractor.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, MSI92E.tmp.0.dr, MSIB14.tmp.0.dr, MSI880.tmp.0.dr, ?? 02 - ??.x64.msi.0.dr, MSI850.tmp.0.dr, MSI772.tmp.0.dr, MSI870.tmp.0.dr, MSI7F0.tmp.0.dr, ?? 02 - ??.msi.0.dr, MSIB53.tmp.0.dr, MSI8A1.tmp.0.dr, MSI82F.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi55E.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FBE810 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc,

0_2_00FBE810

Source: shi55E.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi55E.tmp.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00F88D70 push ecx; mov dword ptr [esp], 3F800000h	0_2_00F88EA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EAC63B push ds; ret	0_2_00EAC63F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00E9D310 push ecx; mov dword ptr [esp], ecx	0_2_00E9D311
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0105D68A push ecx; ret	0_2_0105D69D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI870.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7F0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB14.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\shi55E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI82F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB53.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI850.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI772.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI880.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI92E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8A1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI870.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7F0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB14.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi55E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI82F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB53.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI850.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI772.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI880.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI92E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8A1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\Users\user\AppData\Roaming\Microsoft FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\550CEA2 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\550CEA2 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FA9830 FindFirstFileW,GetLastError,FindClose,	0_2_00FA9830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EA2290 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_00EA2290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FA8ED0 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00FA8ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00FB7A10 FindFirstFileW,FindClose,FindClose,	0_2_00FB7A10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_01059F12 VirtualQuery,GetSystemInfo,

0_2_01059F12

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_0105C3A3 IsDebuggerPresent,OutputDebugStringW,

0_2_0105C3A3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FDD630 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00FDD630

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

0_2_00FBE810

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0106835A mov ecx, dword ptr fs:[00000030h]	0_2_0106835A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0105C6B6 mov esi, dword ptr fs:[00000030h]	0_2_0105C6B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_01076E5B mov eax, dword ptr fs:[00000030h]	0_2_01076E5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_01076E9F mov eax, dword ptr fs:[00000030h]	0_2_01076E9F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_0105C722 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_0105C722

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EBC5D0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00EBC5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_00EBEF30 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00EBEF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_0105D242 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0105D242
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Code function: 0_2_01061DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01061DF3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FA4D70 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

0_2_00FA4D70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: GetLocaleInfoW,GetLocaleInfoW,

0_2_00FD34F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_down.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_normal.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_inactive.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_down.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_normal.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_inactive.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_mid.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_mid_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_caption.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_caption_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_mid.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_mid_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\background VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\PrepareDlgProgress.gif VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\PrepareDlgProgress.gif VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\applogoicon.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\background VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backbutton VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\nextcancelbuttons VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metroinstallbutton VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\nextcancelbuttons VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\browsebutton VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\applogoicon.bmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FE9830 CreateNamedPipeW,CreateFileW,

0_2_00FE9830

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_0105C37D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0105C37D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00FE8160 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,

0_2_00FE8160

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Code function: 0_2_00E87620 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_00E87620

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	3 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	27 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	23%	Virustotal		Browse
SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	18%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI772.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI772.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI7F0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7F0.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI82F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI82F.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI850.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI850.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI870.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI870.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI880.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI880.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI8A1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8A1.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI92E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI92E.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIB14.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB53.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi55E.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com00	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://html4/loose.dtd	shi55E.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com00	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	URL Reputation: safe	unknown
http://.css	shi55E.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://.jpg	shi55E.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502165
Start date and time:	2024-08-31 11:26:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Detection:	SUS
Classification:	sus36.winEXE@4/90@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll	Typora#U5b89#U88c5#U52a9#U624b.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Typora#U5b89#U88c5#U52a9#U624b.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195392
Entropy (8bit):	6.695068025054652
Encrypted:	false
SSDEEP:	3072:ZYioJUAoM8hWgOme/Nxe4mPS0TUTn0QOInIXcVjjjjOAg0FuDuoBE5Yc8RnSXpEe:esOJePGn0QfQAOs5dOnSx
MD5:	DCF3B737C0ED8AFEBEC05A56320B382F
SHA1:	F533F91855E8C7B52C6DE9DAE8F94E73574D8513
SHA-256:	F1C8BD9FE3639A4142139E2B3AABB1E00CFEDCCC9A65FFF64ABF8339BB68C770
SHA-512:	47E3627D5E73F87657A6F392D9D21CFE3D934C1D908947C2B8F9B84848BCA84AC07F58BB3E3ADCEDB07A41219D094AD72B43A1D02D4C72CD9466F19CAF755281
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.f.p...p...p......}.............f......a......g...... ......a...p......i...e...i...q...i...q...p..q...i...q...Richp...........................PE..L....>.d.........."!...$...........................................................<.....@.....................................x.......................@=..........0\|..p....................\|......p{..@............................................text...?........................... ..`.rdata..............................@..@.data...d...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\New

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.9169468593135157
Encrypted:	false
SSDEEP:	96:+f+OFx/DgstjfDaf///////aorGbaX8PSccl1q12xfnW1orsKc:+WqDgOQ///////aoZsP+/qAVnWursKc
MD5:	1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
SHA1:	6E567D732354BBB21F9A57BBB72730C497F35380
SHA-256:	4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B
SHA-512:	5EFEA023B18FFD5B87A19837BA2C72C179B55B7C3071B773A032C63D7268DBE25E2902AE8B111AD83A4F005346B378C7A75033ADAEE90805BCB4FEC2822E54C0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\PrepareDlgProgress.gif

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	GIF image data, version 89a, 83 x 28
Category:	dropped
Size (bytes):	28562
Entropy (8bit):	7.936340842987423
Encrypted:	false
SSDEEP:	768:K0CzfMvOre2lMu2CN4PolP8RfW4HB/glb:K09s1ZFC48RfpHB/ub
MD5:	EC1CEDB4691C438162AC62E58DDC6B76
SHA1:	FB35E429BAD1577F51391ABE13FD402E8251A968
SHA-256:	FD488ABBDC8FEE0339B679324332A3AF29DB00F782D635E2A6593A4140A60EC6
SHA-512:	1CFE104262958F48EF677251ED3704D22CA6A7F8230119A789492867BA762720AE7023C9CBB194DE9C6305BAB92C1D511311DD251CCA37147CB1B4B3376E25A2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GIF89aS......Mv+].>^.=a.'m.6l.:n.9p.;p.<r.>`.Aj.Ml.Pm.Lo.Pt.Wt.Xv.Zy.\}.bw.Jx.V~._\|.U..\w.Ey.J{.N{.I\|.K}.M~.L..d..?..\..S..Y..^..[..Q..U..X..Z..^..b..i..d..h..g..i..r..a..h..h..j..b..h..r..w..k..u..z..s..]..^..@..P..Q..Q..T..R..U.._..`..g..h..h..m..j..l..p..r..\|..r..t..u..x..`..d..a..e..e..i..b..c..j..z..\|..z..\|..s..y..\|..o..q..t..y..w..z..\|..........................................................................................................................................................................................................................................................................................................................................................................!..NETSCAPE2.0.....!..Built with GIF Movie Gear 4.0.!.......,....S..........H......)\..?..#J.H.?~.....G..1>.H.d.~...c....0]..w._?.8s..x...p.I.J.h.l...9R'.t..H.J.j.O...d....`....R~N+:.W..#...# ..(....k..b.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ProgressImage.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 121 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.644637812134814
Encrypted:	false
SSDEEP:	3:yionv//thPl8xtjt30zCdi42/uDlhlbm9F5jEshwmJ5ehFn93so9+C9pcpNDTn8z:6v/lhPwCzki7/6TWEAwmJ5eh/3F9ppca
MD5:	0C18AF08390365ED36C605F34273C4A5
SHA1:	BBBB19BC789DBA1AD031C1D4E9FF644096AC11F6
SHA-256:	1AE6B5ECCEA17A126B5EDEB49B8469013B4BCB022110DBD9E35B365BE088FA1E
SHA-512:	1B69DB94DFA3929D4651EA98E65D0495FBE7B72DA15364E88BA13BD1C4547AA81673DD9DEC34E5ED7915805A8C938B1BC8BDE55DCEF2F8FFFA4B5DFB0241CC35
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...y...........0....bKGD.I.j./B1......pHYs.................tIME.....7 .......;IDATX...1.. .... .Q'\...X...-k..,..............&c2&c2...k...vU.....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	308544
Entropy (8bit):	6.622912138664146
Encrypted:	false
SSDEEP:	6144:s4SCl/r6e1QUKPsvlXeR4A5LjG8RwXAOD1cLXrT:NSIjb1QUKUvEAFCLXrT
MD5:	57EF123E2AB9D1A9E9E838604C6864DF
SHA1:	59853816B99F6C0CBE9CE6A782CDBF9A4303135C
SHA-256:	B71BFE7AAF0361C4BA3695461D13D5004924AA39ECD14EF6EBA71DB9058307C0
SHA-512:	B785992C72E59E7F68CC4BC7F78B4D8D08D81F843E7B613D0C811FA29C49F5E9B4A393BBE2A9394D5740760121BC45987DAD79CC357A9F93FD5D08AA43633D0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Typora#U5b89#U88c5#U52a9#U624b.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........l..G...G...G......J...........s..V....s..P....s.........^......F......V...G......^r..[...^r..F...^r;.F...G.S.F...^r..F...RichG...........................PE..L....>.d.........."!...$.....l.......Y.......0............................................@..........................@.......A.......p..x............x..@=.............p........................... ...@............0...............................text............................... ..`.rdata..~....0......................@..@.data........P.......8..............@....rsrc...x....p.......F..............@..@.reloc..........,...L..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\Up

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.7901346596966383
Encrypted:	false
SSDEEP:	192:+n5lkX/1//AJffffPTb6ylHJxnSfFN5pM2C:+5lkX/K
MD5:	FD64F54DB4CBF736A6FC0D7049F5991E
SHA1:	24D42FB471AAA7BCD54D7CCB36480F5ADD9B31D4
SHA-256:	C269353D19D50E2688DB102FEF8226CA492DB17133043D7EB5420EE8542D571C
SHA-512:	EC622AFAB084016F144864967A41D647E813282CB058F0F11E203865C0C175BA182E325A6D5164580FF00757C8475B61DE89CCC8E892E1B030E51B03AD4EAFB4
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\applogoicon.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 60 x 60 x 32, cbSize 14454, bits offset 54
Category:	dropped
Size (bytes):	14454
Entropy (8bit):	5.53892242994168
Encrypted:	false
SSDEEP:	384:XFpFA0xSMcZ69dzg+s4wCFC0DXtUsCUOQOxmOHO2oODgI:qj69dz4lArDCUOQOxmOHOxOt
MD5:	703A4005BC83375D5A586F6BF1032CD6
SHA1:	4D70E222EDAEE32C0748972B8261DE0FDD893367
SHA-256:	1506D8D54FF3974E30AEA8B9BA3B912F02CBE77389A6ECEA5155E420FB2B348F
SHA-512:	4F0A2AAAC7ED3E3A9FB90A134F201061EF7CB84C7DED042896DCF1A732F1E48AFA337DA9275B787DCC997DEFC6D8BFFF20F4F726B186C5433A2A743DEE68B6E7
Malicious:	false
Preview:	BMv8......6...(...<...<..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backbutton

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	405
Entropy (8bit):	6.157306800217306
Encrypted:	false
SSDEEP:	12:6v/7TvPdE/6TJW9/F7gqhIpS24OLvc6+aBN:yvu/6c2IEoaBN
MD5:	76E5BDD88CEEB272820CD597F7556FC6
SHA1:	9089831330D067ADE6D8EE6A4C7C4728ED1AC558
SHA-256:	52D4ECF8625C8E606C31370544F7A31F126581350628FD7CAEFE51BCCAAC1626
SHA-512:	BDF4236E57DC53F81CF20BE5194DE4B45337DBEC50A1C54EF5710B384404BD4F33E7D200605BDD4A9A21DC5C7AB8F1A2889C8352E7F8F023AAE9617AB1E79481
Malicious:	false
Preview:	.PNG........IHDR...p...%.............bKGD.......C......pHYs.................tIME.....4.aZuo..."IDATx......0..Q+nP.......%#..:B..........^..7sJ.^...H.c.fd.-.#@.u_WV.Zg...i.&......C..0G>./...mi.\|..........d.p.......Y...F...............8.........@....8.........@... ....p..............p...8.........@... .............. ....p...8.........@....8...........".8.!_m........B.:...H....`b^.3).B..>....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backbutton.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:	24:74+4M+i+hxfeK9tle19Eley93FVXllzhRMOzJuHqyxYqxmATdVsnoObAaby2v:XmVnTywvsA1hDV
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\background

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 32, image size 100, resolution 3780 x 3780 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.5313141850262846
Encrypted:	false
SSDEEP:	3:5l/gkrFXZRH:5l/gsH
MD5:	8FD875CDC559AD66E0A94C64FDB762C3
SHA1:	79111743F1EF8DA31688F1644F9568A42FBD3ED5
SHA-256:	FE7C2D4C244139591B0B716A410A1D8AF38084CDC560A2BEB265BDB8578E4EB3
SHA-512:	0985A7456BD94E21D62428368C8E52EF7021FE78966DD967B96ECBBF05542ABBA4F8C85EF3D56BC0F5F9500E0D0828D4B54FEAEEF9768F85FF754CA8A1B5AF3B
Malicious:	false
Preview:	BM........6...(............. .....d.......................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backgroundprepare

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 32, image size 100, resolution 3780 x 3780 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.5313141850262846
Encrypted:	false
SSDEEP:	3:5l/gkrFXZRH:5l/gsH
MD5:	8FD875CDC559AD66E0A94C64FDB762C3
SHA1:	79111743F1EF8DA31688F1644F9568A42FBD3ED5
SHA-256:	FE7C2D4C244139591B0B716A410A1D8AF38084CDC560A2BEB265BDB8578E4EB3
SHA-512:	0985A7456BD94E21D62428368C8E52EF7021FE78966DD967B96ECBBF05542ABBA4F8C85EF3D56BC0F5F9500E0D0828D4B54FEAEEF9768F85FF754CA8A1B5AF3B
Malicious:	false
Preview:	BM........6...(............. .....d.......................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backgroundsurface

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 32, image size 100, resolution 3780 x 3780 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.5313141850262846
Encrypted:	false
SSDEEP:	3:5l/gkrFXZRH:5l/gsH
MD5:	8FD875CDC559AD66E0A94C64FDB762C3
SHA1:	79111743F1EF8DA31688F1644F9568A42FBD3ED5
SHA-256:	FE7C2D4C244139591B0B716A410A1D8AF38084CDC560A2BEB265BDB8578E4EB3
SHA-512:	0985A7456BD94E21D62428368C8E52EF7021FE78966DD967B96ECBBF05542ABBA4F8C85EF3D56BC0F5F9500E0D0828D4B54FEAEEF9768F85FF754CA8A1B5AF3B
Malicious:	false
Preview:	BM........6...(............. .....d.......................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\browsebutton

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 168 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	254
Entropy (8bit):	6.406651140144335
Encrypted:	false
SSDEEP:	6:6v/lhPJ/6TVUv2MT19UTLF/eYhhvpPHgFc8l56bp:6v/7R/6T+d5q/FWgvFAnM
MD5:	1894F43A854B0F3466870E25601D2B3C
SHA1:	48140DD46BE41E079CDBA4B4D9795FE3BCC1991C
SHA-256:	04885AFDFCF1C5E5DBEAB7E827BE79D34F46E403061C87C98572EDC3247AEC6E
SHA-512:	BB53C8A51A54B32A676D820DF577EC24E26A08CB9B7C7FF52CC9D8A5BECF78BB63DF89E510DD99468B67C7E52077F4EE5B9A8A4E88F071A622DF4D68EB57AF34
Malicious:	false
Preview:	.PNG........IHDR.............#I......pHYs.................tIME.....&..@......IDATx...A..1.@.)Y.$.@...,.J.. ...8... A.r..f .{..i..SZkS$z./..{..\|..7DD.ZK.a..p..W...o.+".{..w.n._.g....c.E. P....."P.(....@.(....@A.....@A. P.......a^...&.........IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\browsebutton.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:	24:74+4M+i+hxfeK9tle19Eley93FVXllzhRMOzJuHqyxYqxmATdVsnoObAaby2v:XmVnTywvsA1hDV
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 192 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1698
Entropy (8bit):	7.186970828780648
Encrypted:	false
SSDEEP:	24:Q1he91Wwh82lYSKwaNXVAT3ouyJ3Vvl3aCGMTiil/+pjrPQeHQraCrewDeLz48W:uqQvnL9OIJ3XNhbl/+pPN6ewDeLzM
MD5:	3E3E58663F11BB7C462334A4DE8EDB28
SHA1:	131243A1A515CCCD7410C18135B8D9C2DA476C3E
SHA-256:	4D2750F090DA3101849AE21E4C49F50BB4A46FC4D355A9327D49C31A0A128369
SHA-512:	3B4A5F9A3480D95E25AF6E5E3C02A2A179DE6200615D1BA8779407CE7D85FAD70EDA9F4A065AE1550A621720C422A4A393D3B965A9380394B00EBD299851D147
Malicious:	false
Preview:	.PNG........IHDR.............@.p(....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:911915E74D5EE31181168862711AAC09" xmpMM:DocumentID="xmp.did:EC45525BDA8111E3B79C98DEE81083F3" xmpMM:InstanceID="xmp.iid:EC45525ADA8111E3B79C98DEE81083F3" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:39803F417FDAE311A51EEE8397849EC8" stRef:documentID="xmp.did:911915E74D5EE31181168862711AAC09"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..lT....IDATx..[h.`..O...I.U.....PD.N..>......

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox_for_ctrls

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 192 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	875
Entropy (8bit):	7.6194543884351615
Encrypted:	false
SSDEEP:	24:as/6+PkiN+d+yOTQKxqI2e3laV9GBPtkeJzSW7fQ:9/6WFAdGTsIFG9GvkwC
MD5:	0CFACDA19675F077EB5239CA48E5D504
SHA1:	5DAC2D1D8861882068392ACA184A338AD47C0EA9
SHA-256:	1FAEF4B13A5BAC41413C58E60636E506141B6F6470E1EC011C8F127A2A81237C
SHA-512:	E8075ED12073CBD68FCB45D31B7791003618790A9C8EF70FBE56062D41C28849D3CF26BBD4443DADF5277552060510F7282D08EDB163A68660D567479C58DF89
Malicious:	false
Preview:	.PNG........IHDR.............@.p(....bKGD..............pHYs.................tIME..........S....IDATh.._HSQ..?.fH...,.....G\`....=$!.8.7...."+.\|......!.......)$....d.HE.C.m=..@j..\.=..........s.;PTQ.X../..H9e......;.oo....eY../..x....:.C..g.u..\|.....H7..._.<..o.4...U$;.n.F.w.h7..K.._H>h....?.e..[.eYZ..R.&.....R.._.....>..l2.7.L...f]......n.;.~..../.o....8.$......M=.$....O...yN.?M4.[.\... ....>.N...}..~..L........T[.y\.n...>.\|U8FKf.\K........?.r.........8.P.....,.%3v._)U..j....\|.BK.~n.R...<....c...........o.^\|....f.?.j/.&..M..x...v.....?...y......?.\..R.@4..B$.._.~ny?.....J...*....\[...H...u04...kj........,....<7!.^..-.d.QF.(..+V=..h.'....r..-.V.c..kV.]O..NS..rDJ9....G.1&.8..M.@.....~ny....D...^;.S...".T....,/[m...2bY.@....!D.R....B\|5.n..........O.\.dI)...!"&......ps..K~!.78\|.M.._....s....UTQE...... .$..i.....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox_for_list_ctrls

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 32 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	331
Entropy (8bit):	6.835858603064233
Encrypted:	false
SSDEEP:	6:6v/lhPQROC19s/6TPFj54nVJIeZHkDMx7a/X8KNZ+lkjXG+YU7Mup:6v/7442s/6T9F4npzxmjNZHPJ
MD5:	837F6712D8EEDB376613B63CA8DE1871
SHA1:	5211C58FD1FC9B6B62482F012DCAFBBD1A3F8A78
SHA-256:	24C47DC6A785D3EF2FC33EC6EE50814E0EFE01612A7EB681D0502DA4AA61D2E8
SHA-512:	CB747DBA5E23821CC25A7C8884E0ED0CAE3BBB3E4A8E1CDB8A1630FCFDADFA553122D5D671439E0439A522C4F7430AD4757ECFF2BEB74598E16E923DD3C6DE26
Malicious:	false
Preview:	.PNG........IHDR... .........w.}Y....bKGD..............pHYs.................tIME...............IDATH...1JCA.../1..AH...({...".2.BZ...X)......X.X{..V.f#!<...g._.;3;..3...^H..&....o..f\|..~WR...}.A.=\c..M.......M.~..\|H._.@H.!9_.,.9...............9z...=..S.......<._%..........WY.....I.^...r...oa..{....c.K.I7e.Q].....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\cmdlinkarrow

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
SSDEEP:	48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false
Preview:	..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...\|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\completi

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	5.905156325236297
Encrypted:	false
SSDEEP:	192:t22z2QAQFSD6izYCBReXWhB/zCSk/ovVE7j5m3Ut3MyPpEseVl0cDiCQ+fXT:I2z/FSeW/RsWh9Ctovig3UXmxYc+W/T
MD5:	244DF84C545247A478BEF4A1BBC1399D
SHA1:	C69ED79145BB40BA18A92996B0A242585AFE315E
SHA-256:	520E5248975B3B8E6C5D574D57080F901C88FE59D4DFF6A89FAB524FB51FE606
SHA-512:	BB2739344B369E5FCCB72B8762E30C38A2AC8EC949BDC8CB56619F526E3954ED5AE159D6BE4BAC2E0C10C4BC2F14820102A2D409AD17BB5A9BBD77E34441CF69
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`...................................r?..uA..yF..~J..~M..uL..yL..}S..gE .jJ'.{S$.qfZ.~vl..L...N...P...U...Q...T...Y...Z...V...Y...S...[...Y...\...g...`...f...q...j...s...s...j...q...v...x...z...{...\#..]"..])..a)..e$..k$..j#..f+..m,..q"..e>..h8..f1..i3..o3..m;..q6..n%..v$..u"..{"..w...v).../..y$..z4..oN..qJ..uF..z^..zS..\|G...R..tg..yf...m.......&...1...=...2...<...;...:.....+..-..3..3..;..;...I...I...G...I...R...S...R...[..._...[...Z...a...k...w...x...\|...~...d...c...i...`...m...b...a...d...d...j...l...k...s...v...z..G..A..[..F..H..U..Q..[..\..L..X...e..i..d..i..r..v..s..\|..{..z..x..h..u...i...x.....++..;;..BB..TT..cc..uu.................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\custicon

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 5 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	21086
Entropy (8bit):	6.009410626000926
Encrypted:	false
SSDEEP:	384:52z/FYOKTR0q/irJKH2Wh9CtovihgGIqxYc+W/azzz3gx4n3V:5AF5QH2WXCto7GzYc+pzzzQx4n3V
MD5:	4E1EDBE834AAF76D9D1DAEC3DC08947E
SHA1:	218AD194CB40DF778EAFAEDA68F8A44BE25B94C1
SHA-256:	E5F4F6B5E24D6F7E2605ADD8E247DC0326F00C26725D315679C1C6FCE8A90C97
SHA-512:	4CF41E7080DF1E8606FBACC3B2F87C9416ED43FA55A2D938A1149124253486084B679BC7992CE8494DD0E22B91CD5AAA1FDD19800F5DE4F73B64A0A2BA3FCC84
Malicious:	false
Preview:	......00..........V... ..............00.... ..%...... .... .....N=........ .h....M..(...0...`...................................r?..uA..yF..~J..~M..uL..yL..}S..gE .jJ'.{S$.qfZ.~vl..L...N...P...U...Q...T...Y...Z...V...Y...S...[...Y...\...g...`...f...q...j...s...s...j...q...v...x...z...{...\#..]"..])..a)..e$..k$..j#..f+..m,..q"..e>..h8..f1..i3..o3..m;..q6..n%..v$..u"..{"..w...v).../..y$..z4..oN..qJ..uF..z^..zS..\|G...R..tg..yf...m.......&...1...=...2...<...;...:.....+..-..3..3..;..;...I...I...G...I...R...S...R...[..._...[...Z...a...k...w...x...\|...~...d...c...i...`...m...b...a...d...d...j...l...k...s...v...z..G..A..[..F..H..U..Q..[..\..L..X...e..i..d..i..r..v..s..\|..{..z..x..h..u...i...x.....++..;;..BB..TT..cc..uu.................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\exclamic

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 50 x 69, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	944
Entropy (8bit):	7.717032696982044
Encrypted:	false
SSDEEP:	24:+q21KwlITydoVviPN4y7YDEiW+S95Ad913skEd+Ay:+q2kwhdXYIiW+WmtlHH
MD5:	31195023E14947842507A077D8B85102
SHA1:	ED9560DEB43A9BE1D1304E26BF59334C6B48A1BA
SHA-256:	A33DA148DBBD208168F6D4C713E3DC1B5AD7F9DA7CDF4FEA39410171AF2919DA
SHA-512:	767D1DA52CEF8DB39E5DE5C4EB8E7F4565A5872F5F3587F681CCAB88A947A749B275EFBC501702C43EDFDBC1BEDD51558D4F53DEA0A59CBDB07626EB7667FDC7
Malicious:	false
Preview:	.PNG........IHDR...2...E.............tEXtSoftware.Adobe ImageReadyq.e<...RIDATx...d.q....q....5.q\"J.D.....f.K)..R..f..,..SD..1F.cD.E)EvDL...7..=...w......{......?....."..k.!..&...@.....9.2..3Y]Y.n.."T.2~.l... a.6.>......8. &..P.....)#7.N..t..m..@c.0dd/4......h....:.a..4.-J.>C.8..u...;.<..q\|.5..z...d....Z....%Z.z.@...s..t...PW.@.Ci..9../.8...-. ...2..~..C...1,%.>..H.z....e yfD.........W.".w9.6.$..g...u..9.RK~.%;...,Uv.^f5..M.@.7^[X....C#RK.6.$...N.......zE.2}.1[...X..h...%7.2...vY.q.X%....s~.tJ.(.......K.2J+{.b..3..QLKO..[...!>./3.N...^...,].t.,....a.A.E..v.bX.T..P..bYz\...9..w.....Rn.nA%.+.' fK.9..sPD... n.G.k.Q..i_...6~H..Q.b.2ja...[...I.......gN......Eb#...m..2bL.......q? U.%G.Xj...'k.N...T7.V ...x.S..x.W.z).-..i..%Z./.@rR...'<.;....2u.... ....V.G........s......iv..,.Z8B..S.7.;=Z.....U..{..*.d.......Z.N\1-..?.U...SH322......A....3..@...Q .D.(...@...Q .$..W......96.....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_mid.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllCllflFlpt/n:6Xqlttp1
MD5:	F623CB070F63ADADF31212D6564805B9
SHA1:	D1C283EEBA4B784CD731CE5179B0B44D9D8874CB
SHA-256:	E4AB79B964317D20D8E15D8723CADCA3691878520CFE498EB62674FD8E4A3DC2
SHA-512:	1836786F6A5EB61DC179135B136EC014C7EA0FB3C87E1C96349B31B91884A55044B12C292623A52B7B20346CF6EE21FEF06CFF28411BB3C4FE76E14EE1580E66
Malicious:	false
Preview:	BMB.......6...(.......................................+vM+vM+vM...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_mid_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllCllflFlpt/n:6Xqlttp1
MD5:	F623CB070F63ADADF31212D6564805B9
SHA1:	D1C283EEBA4B784CD731CE5179B0B44D9D8874CB
SHA-256:	E4AB79B964317D20D8E15D8723CADCA3691878520CFE498EB62674FD8E4A3DC2
SHA-512:	1836786F6A5EB61DC179135B136EC014C7EA0FB3C87E1C96349B31B91884A55044B12C292623A52B7B20346CF6EE21FEF06CFF28411BB3C4FE76E14EE1580E66
Malicious:	false
Preview:	BMB.......6...(.......................................+vM+vM+vM...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_right.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_caption.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 38 x 24, image size 152, resolution 3778 x 3778 px/m, cbSize 206, bits offset 54
Category:	dropped
Size (bytes):	206
Entropy (8bit):	2.4607204463285153
Encrypted:	false
SSDEEP:	3:mlllSlLlll8l9lZJYv+++++++++++++++++++++++++++++++++++a:m/olRc5W1
MD5:	D4A94F93002037CA552D4478C8C701ED
SHA1:	3B3974BCD813A88EAE8D24BB3BA7B30C08CA26BB
SHA-256:	6328E3B060D86158D6A22085013C97CC8857B284A65673C4A367B9190A876A6A
SHA-512:	06BCCB7066BA3B9F09FDFE1B23CEAB28E169C664D5D462044F57103214F2B72ED49FEAB41311C2960501924D26DC0BA74D9A79B52DE91666A36A639195916CCC
Malicious:	false
Preview:	BM........6...(.......&...............................+vM.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_caption_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 38 x 24, image size 152, resolution 3778 x 3778 px/m, cbSize 206, bits offset 54
Category:	dropped
Size (bytes):	206
Entropy (8bit):	2.4607204463285153
Encrypted:	false
SSDEEP:	3:mlllSlLlll8l9lZJYv+++++++++++++++++++++++++++++++++++a:m/olRc5W1
MD5:	D4A94F93002037CA552D4478C8C701ED
SHA1:	3B3974BCD813A88EAE8D24BB3BA7B30C08CA26BB
SHA-256:	6328E3B060D86158D6A22085013C97CC8857B284A65673C4A367B9190A876A6A
SHA-512:	06BCCB7066BA3B9F09FDFE1B23CEAB28E169C664D5D462044F57103214F2B72ED49FEAB41311C2960501924D26DC0BA74D9A79B52DE91666A36A639195916CCC
Malicious:	false
Preview:	BM........6...(.......&...............................+vM.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.P.}.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_left.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_right.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllAlul0lpKolOToln:6XoluKpKolOToln
MD5:	0E1AB770F8D8F8768B66E7DE087087C9
SHA1:	36AD69F719F035D0C040DB6D611611552A387B41
SHA-256:	3E57878D7E1C0D2FE4DB1DD47B803A363188114520FF5D7A4F50FAB47C0EE992
SHA-512:	2C5A627FBA9CE1B35397D1DC4AE7B6954BD7B39A402689F3C12F2DC314CA5133F553DA0411CAD0A6D556F1787F2B2FCE585F76D4B73BB2CFF98732AAF808FDC1
Malicious:	false
Preview:	BMB.......6...(.......................................+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_left.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 2835 x 2835 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	2.3845907614270176
Encrypted:	false
SSDEEP:	3:9l0lslFlKufKolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOc:9l0WtKIKolOTolOTolOTolOTolOTolOU
MD5:	C07E50413D643B1119EB4FF5F9F8A6CF
SHA1:	4DCBF7BB589CF2D34C0FAA112728412CAE9755EB
SHA-256:	A7D431D251AF68B816CB7E94E05B2201F24EBCE1CCC01A39FCD5C0EFCC0D03C4
SHA-512:	50CD65AFE7D5820F301855A283223949C62E4AAE0D9FCE6FEB53AF5F90A1E547BAE4F6400F7B25391B53B8C3621B15175EA1A462D813475D2551983DB0AF124D
Malicious:	false
Preview:	BM........6...(...................d...................+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 2835 x 2835 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	2.3845907614270176
Encrypted:	false
SSDEEP:	3:9l0lslFlKufKolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOc:9l0WtKIKolOTolOTolOTolOTolOTolOU
MD5:	C07E50413D643B1119EB4FF5F9F8A6CF
SHA1:	4DCBF7BB589CF2D34C0FAA112728412CAE9755EB
SHA-256:	A7D431D251AF68B816CB7E94E05B2201F24EBCE1CCC01A39FCD5C0EFCC0D03C4
SHA-512:	50CD65AFE7D5820F301855A283223949C62E4AAE0D9FCE6FEB53AF5F90A1E547BAE4F6400F7B25391B53B8C3621B15175EA1A462D813475D2551983DB0AF124D
Malicious:	false
Preview:	BM........6...(...................d...................+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_mid.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllCllflFlpt/n:6Xqlttp1
MD5:	F623CB070F63ADADF31212D6564805B9
SHA1:	D1C283EEBA4B784CD731CE5179B0B44D9D8874CB
SHA-256:	E4AB79B964317D20D8E15D8723CADCA3691878520CFE498EB62674FD8E4A3DC2
SHA-512:	1836786F6A5EB61DC179135B136EC014C7EA0FB3C87E1C96349B31B91884A55044B12C292623A52B7B20346CF6EE21FEF06CFF28411BB3C4FE76E14EE1580E66
Malicious:	false
Preview:	BMB.......6...(.......................................+vM+vM+vM...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_mid_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 12, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.1225886730475874
Encrypted:	false
SSDEEP:	3:6tlllCllflFlpt/n:6Xqlttp1
MD5:	F623CB070F63ADADF31212D6564805B9
SHA1:	D1C283EEBA4B784CD731CE5179B0B44D9D8874CB
SHA-256:	E4AB79B964317D20D8E15D8723CADCA3691878520CFE498EB62674FD8E4A3DC2
SHA-512:	1836786F6A5EB61DC179135B136EC014C7EA0FB3C87E1C96349B31B91884A55044B12C292623A52B7B20346CF6EE21FEF06CFF28411BB3C4FE76E14EE1580E66
Malicious:	false
Preview:	BMB.......6...(.......................................+vM+vM+vM...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_right.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 2835 x 2835 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	2.3845907614270176
Encrypted:	false
SSDEEP:	3:9l0lslFlKufKolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOc:9l0WtKIKolOTolOTolOTolOTolOTolOU
MD5:	C07E50413D643B1119EB4FF5F9F8A6CF
SHA1:	4DCBF7BB589CF2D34C0FAA112728412CAE9755EB
SHA-256:	A7D431D251AF68B816CB7E94E05B2201F24EBCE1CCC01A39FCD5C0EFCC0D03C4
SHA-512:	50CD65AFE7D5820F301855A283223949C62E4AAE0D9FCE6FEB53AF5F90A1E547BAE4F6400F7B25391B53B8C3621B15175EA1A462D813475D2551983DB0AF124D
Malicious:	false
Preview:	BM........6...(...................d...................+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 2835 x 2835 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	2.3845907614270176
Encrypted:	false
SSDEEP:	3:9l0lslFlKufKolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOTolOc:9l0WtKIKolOTolOTolOTolOTolOTolOU
MD5:	C07E50413D643B1119EB4FF5F9F8A6CF
SHA1:	4DCBF7BB589CF2D34C0FAA112728412CAE9755EB
SHA-256:	A7D431D251AF68B816CB7E94E05B2201F24EBCE1CCC01A39FCD5C0EFCC0D03C4
SHA-512:	50CD65AFE7D5820F301855A283223949C62E4AAE0D9FCE6FEB53AF5F90A1E547BAE4F6400F7B25391B53B8C3621B15175EA1A462D813475D2551983DB0AF124D
Malicious:	false
Preview:	BM........6...(...................d...................+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.+vM.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\info

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 50 x 69, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	7.766981650205824
Encrypted:	false
SSDEEP:	24:EJgutniqBakLEgagTMk3iumwrf/zIk5Lt8ltpSSwTLDnGelU5ZwJ6pJaG6yskL+i:EpR7E7gTinwrXsALitpfELDnBuwpi
MD5:	BC228A4708AC1A09144181F26B40E1CC
SHA1:	EAF977266DAF59B4ACFCEF52CC402EBB8543F2CD
SHA-256:	0E58AD0D0024F92E37C74EE53F9021B375DFDD5EBD712AE11FEADD3B0EC04003
SHA-512:	5972C8491DC0BD868AD5B20567F2A361CF8AEB041B48E4F23AB8B834DFFF786A65A842DF4A1071752DEE73C6BA85293FE19EABA4FA7181EB9203A22CC054E312
Malicious:	false
Preview:	.PNG........IHDR...2...E.............tEXtSoftware.Adobe ImageReadyq.e<....IDATx..ZkH.Q...!.....V ..0.#.X06.^.J.d$J.....E..C.$1.$I0%qIzH.$.+..!.,A..A....;....;.;.uG...........N.......M"....G.#.....({.n.}.XB...=..!B..#.H...i.t.&D.m.K.....J......\|n..AB....H6.2.:.2..X.).<..!...dv......O#.....>RM.E...P.......e U.klz7.=f\|.L.b[.Ox....i..B...,3.f.1B.f.g..0.....S.1.~.;B..(...g....0A...!..\$<.#w..;.0...D/\|.%\|.._"..9;a.I....................+3......H. \|.l."\|J.L$....<"..%.......2.@.3.-]..v...........'.D..;....<c.~5..<..'%RO($..>.&La@.p..'..!....8o".....wC.......o.Tu.4`4{...J...8?./......W...~...HJv$..+...q(......I%.vF. .q..@y~.P...T.0.k.N[eZ..N.ID.....P..;. N\?.....Z.<.1P.....q.uh.5..U.P.......L$ .[dD.].J..I....uW.E....-2%.HM.5{.E.e..M...ED~.o....O..".sd....ms......(..D."..(&.D.r..)M.."rX.].&....6.I,...`=.o.9..rN..ZX.i.H...Jw)...G..TK.Qa..`.?...ID....R."]...6)..*Q.0+a.N7...@s..EHN..iV..H.q.0kDD..G.4"...3.zE.,Kh.p/...n....o.r....v..L.g....B.7...M..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\installlogoicon

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 5 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	17630
Entropy (8bit):	5.501776622442267
Encrypted:	false
SSDEEP:	384:24aEatlaz2HHHHHTHHHHHHBV310W5iehFhvY71eU748YuN6FfEoJJz5R31kpH8:2/D5HHHHHTHHHHHHBrk1
MD5:	488C247C4D7482E34D4576C44CEE79E0
SHA1:	92444B9622079CD8EB4C1D0C0E10E3E2DD8B4AD4
SHA-256:	EB276449EB326A407CE055001607F212FFCAEF01B5F849BB50A606BD9CD177A6
SHA-512:	E978672B01A2C5CD5C83DCBDC77CC80A60CA4A99283C30C7624E9DE49168BDD6686A5E6FDD913ED0A0E008D6D0D999129B3F25947A84DF7654ACD6C39906B6CA
Malicious:	false
Preview:	......00......h...V...00......................h...f...00.... ..%............ .h...v@..(...0...`.......................................................................................................................................p.......................0......................33.....................3333...................s33337..................333333p.......wwwwwwwww33333337........wwwwwwwss3333337p............ww#333333332............ws33333333330...........w333333333333p..........33333333333337..........;.............p.......................p........."""+......."""pp...........+...........pFffffffffff+.......f...pfffffffffff+.......fp..pfffffffffff+.......fp..pfffffffffff+.......fp..pfffffffffff(.......fp..pfffffffffff(.......fp..pfffffffffff(.......fp..pfffffffffff(.......fp..pfffffffffff/.......fp..p..fffffffffb"""""""fp..p...vffffffffffffffffp..px....fffffffffffffffp..pwx....ffffffffffffffp..pww.....fffffffffffffp..pwww.....ffffffffffffp..pwwww.....fffffffffffp..pwwwwx.....fffffff

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\insticon

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.2402145994884695
Encrypted:	false
SSDEEP:	384:SCUNtR8LMbgM5U/YHeCtovi5yg8xYuYMp:S5RiMbHN+CtoJgkYuP
MD5:	BFBE8F838AFC6156CF2362E81F713A52
SHA1:	73A87A86C6F039E7B9D2EED0BDF7E6B1D78029BE
SHA-256:	251099323513EA86DD5BC2C0BF8503AA364DB7B40B214C288FCC1A76A97B6D88
SHA-512:	CFFAAD785AF37E35D8825058F93939EBB3CCE18D5C7BDF2ACF0543D530BCD34A443ED6B9352D1F0DF90F41DFE118B03B8F92D63143521C87138D92F2F1D6F1EB
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................wwxwp..........xFg....wwx..............hffffgwwx..............vhffffffg...............fhffffff................fhfffffg................fhfffff.................fhfffff.................fhffffg.................fhffffo.................fhffffo.................fhffff..................fhffff.......x..........fhffff......ff..........fhffff......ff..........fhffff......vg..........fhffff.......x..........fhffff..................fhffff..................fhffffh.................fhff.fg.................fhff..f.................fhff..w.................fhff..w................fhff.w................fhfg....w...............fhfx.....x......p.......fhg.......x....v`.......fhgx.......wwfff`.......fhgx..........ff`.......fhfx..........ff`.......fhfw..........ff`.......fhgw..........vf`.......fh

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22848
Entropy (8bit):	6.8705781741307765
Encrypted:	false
SSDEEP:	384:iOw0cxp5wbrBgrjrI/ehLI/ehDvZYLX2Ip4kR4qjdAA1m5wMPhzmubmm+ccP:iOAxMVTacaDRYT2Ip484qxf1mlZxbWP
MD5:	9D67E3BE4D83160D24FEE65F6E1868E5
SHA1:	9AED13C010F24C6888DA91D883A1A31AC45E029A
SHA-256:	4FC58D819A4BC75CB8170192E34FDB17E31C38831A7230ED0E03A30EB38CCF9D
SHA-512:	73AF8E17FA6C949FFB0861118A10B362DEA4A236B60912497E8F97C75CC8EBE3CDDBC8018A4E8CF24B539DA6122790FDB081CF4B68C59197EC579E13191372EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Typora#U5b89#U88c5#U52a9#U624b.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u9X..jX..jX..j...kW..jX..jh..jA..k]..jA..kY..jA..jY..jX..jY..jA..kY..jRichX..j........................PE..L...>>.d.........."!...$............@........ ...............................`......n.....@.........................P".......$.......@..h...............@=...P..\....!..p............................................ ..X............................text...)........................... ..`.rdata..X.... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..\....P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metrobuttonimage

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	405
Entropy (8bit):	6.133825874280697
Encrypted:	false
SSDEEP:	12:6v/7TvPdE/6TDOH9/F7gqhIpS24OLvc6+aBN:yvu/6HOd2IEoaBN
MD5:	5FBC69A793959AFB968D1B5292BE3B09
SHA1:	375889283A20C675A844E5A9A38E4FEB55F55D05
SHA-256:	53A1486B8A86C60FBDCB74057D2F9606749CDAF3C845EDE40F48D869AC553D23
SHA-512:	1451CE6CE864821B6F3D6072C6B557A04C802C5C1D715EC3723F4CC3958EA35306B8A9BED8B025CCE5F2F62BB7CD1D2070C43F2A63AACCDEE29061DFB753CFD4
Malicious:	false
Preview:	.PNG........IHDR...p...%.............bKGD.......C......pHYs.................tIME.....4 ...`..."IDATx......0..Q+nP.......%#..:B..........^..7sJ.^...H.c.fd.-.#@.u_WV.Zg...i.&......C..0G>./...mi.\|..........d.p.......Y...F...............8.........@....8.........@... ....p..............p...8.........@... .............. ....p...8.........@....8...........".8.!_m........B.:...H....`b^.3).B..>....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metrobuttonimage.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:	24:74+4M+i+hxfeK9tle19Eley93FVXllzhRMOzJuHqyxYqxmATdVsnoObAaby2v:XmVnTywvsA1hDV
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metroinstallbutton

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 1020 x 54, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.391845348790761
Encrypted:	false
SSDEEP:	12:6v/7ePdE/6T8Kp1zbm81RI76k6N0VtBG6WtEkiVtEp0VtEp0VtBGVtBG7NrFP7:Lu/6hp1zDROqSVvG6WviV9V9VvGVvG7r
MD5:	2D014FEFB6A22313E7E14A8DAF31CE28
SHA1:	FE1B72BBE1DAA3A0D7874DE20E8290D34015DCEC
SHA-256:	F47AC424ED22EFEB451214CD21B5096563BCBC4356BA0060278082410BB6D149
SHA-512:	73254F3A3B46D1BB0C4B29066DD3C35DAD4FCF79E4A62E503EA22EBB69ADBBEE7263CB92FDB3445DEDFE7D1FD51FAF8F57EF55ACEE7B086B1FB40AB073A4D3C4
Malicious:	false
Preview:	.PNG........IHDR.......6.....z:......bKGD.......C......pHYs.................tIME...../.........IDATx.....@..Q0.. ......S.....:.+..l..8..`k..P..N.?./.n.1...E0.........&..........?........M.R.......N..:...L_S....h\...y.T.m."..?.<..S.O....7.......?....~...@...........................~...@............... .M.....................?... ....@......................?....~...@......................?....~...@...........................~...@...........................~...@............... ..............r4....`...d].[...M..),..?....~...`.>..'....j....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metroinstallbutton.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1844
Entropy (8bit):	5.118899204184053
Encrypted:	false
SSDEEP:	24:74+4M+i+hxfeK9gle19xley9F0FV+TlkKcm7zJGHqXxYqh+LTmTdEsnTOSi7ny2v:XmVnTj9r8C63
MD5:	6F0634CFDE72142DBB19339F4E16E86B
SHA1:	F2968128419E991AD75747BAE3726693A819A8F5
SHA-256:	0A33AB5090939B16C5BED367CA7F99B297C215714BAA1CA1B5F649B48FDC6D0B
SHA-512:	B833E1F64EC38633FBAAFEE6B3623F69604311F2ED60A2286F9EFE4FBD04FB25776771E7C5863F7D6B687360160CF25711CA92FE38AD270ED27588CBDAA8E3D0
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnInstallBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnInstallForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnInstallBackgroundPointerOver]" Opacity="[AiWinUIBtnInstallBackgroundOpacityPointerOver]"/>.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnInstallBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnInstallForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnInstallBackgroundPressed]

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metrorunapplicationbutton

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4840
Entropy (8bit):	7.69588834543415
Encrypted:	false
SSDEEP:	96:6S4ZBm8mdYmTTkhr9v52/7siC+LdeH6CTt+dW2dUvIPQGdfo/Wl+:6S4rhr94bLLmtkW7A4MfHk
MD5:	B658F03E1A5D49E3CA9E1D82415BB2B2
SHA1:	240CFC24BB16FFF60F1B560D2CC1CCB4AE20846D
SHA-256:	99E0E600F2C201A631621B758B4F5B5E8BAE319DF9025426F31C91F6481236AB
SHA-512:	0579A5D74447662DC20AF2374313C07B25B0BD6A16BFFF47ED3736ED709C84D5063AB8B347B04FD8D3EC04853457255FFAD2B191E7879B42F79BBE8B2ADCE707
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME.......xR.....uIDATx...{l........[[J.).(Z<.PH..,.Ak0...T...#aH.4...v...... ..Aa..$......[/..B.ii.B...........,K.M6................I........lyp..s....3..o........?...{......K...$aXc.YI..../..xD.dT.D\.%..\..>.......n..z.`...v......n..}.^.......S,.S"I..d.v\....nP.d..I^.v&..z.......sH..(...w<.H.W....%".'b.....-W>.x2.]..].g..."(CZ[Z....;..\.;..G...l...tC:q......QE.}.KD..G.MF...nOr.W.d@..s\|.$............(..H<.W,.S<.S4.U,.........I..&\|..1..\|.....i......~.....J(.L(...3...L...........l..\|E.'.............p.....n.....n.........P.....P......7...@.....@.....(.................p.....n.....n.........P.......p.....n.....n.........P.....P......7...@.....@.....(.................p.....n.....n.........P.....P......7.....7...@.....(.....(...........p.....p.....n...............P......7.....7...@.....(.....(.................p.....n.....n.........P.....P......7...@.....@.....(.................p.....n....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metrorunapplicationbutton.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	ASCII text, with very long lines (373), with CRLF line terminators
Category:	dropped
Size (bytes):	1280
Entropy (8bit):	5.449752594903355
Encrypted:	false
SSDEEP:	24:m4+4hD+kwur9RJrKTAtjBg9mqErMmMg8/bF19PkOy90kOTvK96kLWbf:8+KYfJAAtjQ5Ew7Jd85vW
MD5:	22BD7066191663A7AC473C022992BA83
SHA1:	80EA48D654C38A778A40CC722C3DD5AFCF1E2AD4
SHA-256:	79CF8899E16F8AC8D2BB7280C109458130C9758083B265EDF4AA57B2AD2C86BA
SHA-512:	E497440F5170D4C6D35BB901B418F5D91E2F09875CFEA7D0427532DBDBFFC655018AA010ADE1A479AFC0307B42DB057AA0D654699A088AF6FFEC146E9C22C1AA
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnRunForegroundNormal]" Background="[AiWinUIBtnRunBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.. <PathIcon Margin="0,0,0,0" Width="68" Height="68" Data="m60.738 29.1a5.646 5.646 0 0 1 0 9.8l-44.796 25.992c-3.661 2.126-8.68-.303-8.68-4.9l0-51.983c0-4.597 5.02-7.026 8.68-4.9l44.796 25.992z" />.. </DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnRunForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnRunBackgroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBt

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\modify.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1978
Entropy (8bit):	7.063174654571579
Encrypted:	false
SSDEEP:	48:6/6Wh+u5OAP3m4/m4xY/mkcmEYw6mWNq6mm4xExmsTzCR0hy:6SW/5Okhz5xYw6pqffE/Tfhy
MD5:	2899F8A97894149A40A64E05DF96EAC9
SHA1:	418A418271A5F6C00FB59A875F6F98732255CB8A
SHA-256:	31B423DB1159272EF49887453F2EF3F3C5D59EB312BAAC6E47A5C465D47A53C0
SHA-512:	663D99A08C69CBFF610280424A86531DB734BC41F39A7D8E339D37DBB68C45518F552596AE32BA093965A4699A4ABD6C3BA67D2E04C441A12BF5A70BA9E7AA06
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME..... ' .-....GIDATx....k.W..........Ab-$... ...9..(...E/^.!."..)./....JB!D.P.-.dw...D...:.}3... nv..2.}7;a._n}]..7..e.Z..GY..,....Z\....{x..u...$......6........s.>...F..r..1.G.....,.....'"+."...>6.-b.n..4(.i..n...F..W..W..}..tpw#...r...Z{e)....T}.aqy..5....X......_Q.w#..;....e...._0N..[_3.-...f..w0>...?7d....m{Wp.2..{Q._...2b.b840).t".........@.....Y....w.....H....W..q{.....#..\|.4.......9....?....pt2{...O....S............................... ...@p........7...n..@p............n...... ..............!............... ...@p........7...n..@p............n...... .............7.. ...@p........7...n..@p............n...... .............7.. ...@p........7...n..@p............n...... .............7.. ...@p........7...n................n...... .............7.. ...@p........7...n................V..6.w*.....J...S.?...KTo}...../..DX..y.?.XpGD\.~w..>.}..$..Gc?...K.,q..........X..y.?..\R.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\modify.png.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	ASCII text, with very long lines (383), with CRLF line terminators
Category:	dropped
Size (bytes):	1416
Entropy (8bit):	5.259459132521691
Encrypted:	false
SSDEEP:	24:m4+4hD+mbur9RJrKA53KFGPJwE33pwCTH8/bF19ekOy9RkOo6K9rkLWbf:8+KPfJXKSOmuCgd9mqW
MD5:	0BB7D21BCB4565FF5FDF581B1DAA4219
SHA1:	152E568118137E04E626973975F43734FE816302
SHA-256:	3C4F55D5F3736CF3402A97B626E998AEEB25D7EB10BFC326A64602B71706119A
SHA-512:	56EFE54E5ED6BC01764139B8C736AAD328CC286FBFDD190D0999E053D13457AD982F8A0C6F97A0E5D0454E8F61C938C632ABF949101EC0A53C3EFFD42AC1BCA3
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnViewReadmeForegroundNormal]" Background="[AiWinUIBtnModifyBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.....<TextBlock x:Name="Ico" FontFamily="Courier New" VerticalAlignment="Bottom" FontSize="100" FontWeight="Bold" >.. <TextBlock.RenderTransform>.. <CompositeTransform TranslateY="25"/>.. </TextBlock.RenderTransform>.. <Run Text="±"/>.. </TextBlock>....</DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnModifyForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointe

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\nextcancelbuttons

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	405
Entropy (8bit):	6.14062806564406
Encrypted:	false
SSDEEP:	12:6v/7TvPdE/6T59/F7gqhIpS24OLvc6+aBN:yvu/6T2IEoaBN
MD5:	69AE8E816A1CC20D5AE0021CF3539399
SHA1:	998B8394109A0BB59C2EE216548BD56BFF5F66C5
SHA-256:	8D9AA1DDF1B98A6FAC56D878FC1BEE87BF6EEEFD291FC849E3EFC5242BC19016
SHA-512:	3A38E28AEDC2DD99B6ECB0784F67077B6ED8502060BB57E841263C3510D87CC106596C1D809C2EDC75B4E00105C98408AA64F41C871DE0E8CFFB30B56864609F
Malicious:	false
Preview:	.PNG........IHDR...p...%.............bKGD.......C......pHYs.................tIME.....4+N5....."IDATx......0..Q+nP.......%#..:B..........^..7sJ.^...H.c.fd.-.#@.u_WV.Zg...i.&......C..0G>./...mi.\|..........d.p.......Y...F...............8.........@....8.........@... ....p..............p...8.........@... .............. ....p...8.........@....8...........".8.!_m........B.:...H....`b^.3).B..>....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\nextcancelbuttons.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:	24:74+4M+i+hxfeK9tle19Eley93FVXllzhRMOzJuHqyxYqxmATdVsnoObAaby2v:XmVnTywvsA1hDV
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\optionslogoicon

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	14574
Entropy (8bit):	5.314402751771045
Encrypted:	false
SSDEEP:	192:H9R53Ya0k3f6VfxJWSDL/jh7JRSdWpOWR9b0p6Bekh7SZVzzz+zwhYbhUY:dRSaJP6VJTDZlRSoxD0p6IkalAztUY
MD5:	1791161295A8385E85B82A8C60B47A5C
SHA1:	8A715DA629DB0151D537E0E909E3C1141FCA6A23
SHA-256:	AFEF25522F3973F2BE6059B021C6AC62359A2FDEE782471EAC130394BD4F5B28
SHA-512:	B04D580240CBDE64B8F57ACA1BA7C0777988C8BDF6FCAAAEEB5142E3DAF9CF2E64A8DC2E4EE3A1BA69621330360B2548B1E46BD546D36187DF7803FA50052860
Malicious:	false
Preview:	......00..........6...00.... ..%............ .h....4..(...0...`...................................KKK._\U.[[[.lll.rrr.vvv.zzz.}}}..vW...[.....0..7..9..>...Y...U...X...Z...b...h...p...{...b...a...d...b..B..G..@..E..L..T..E..K..L..Q..V..[..Y..n..a..b..e..l..i...r...u...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\print.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 222 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	638
Entropy (8bit):	7.41372113191638
Encrypted:	false
SSDEEP:	12:6v/7YrFsiiSkaq1RPa7EADxzWSwsAsjw7ke0PoFEvqDtY5qe4Ov184z9:ZFxin1upDVHAsske0PPCDS5sOiU
MD5:	ED2E083C6FF38CD0A63E2503FCCE051F
SHA1:	02C054517979CBE833C1048FB7ED578666F4240C
SHA-256:	BB37EBAF70AEE9ED478BFE1DD300C262014CCB29DB225F034F2C9D5B7EAB150F
SHA-512:	C483EE4303436C512F2DE230EA6BBD634B546D7754ECE532FAB820257FB7B3B76B9A9FDF5B365188FBF1B9E7688FD8DFBF33EF812683942E3BD4B6B9A23AAE6E
Malicious:	false
Preview:	.PNG........IHDR.......%.....-2Wm....tEXtSoftware.Adobe ImageReadyq.e<... IDATx..m.P..M...)Se.*6....@.U&..&.0...Pe....A.... ..x.....>..Y....^.y..^Y.....HO.&..x.Q0XO}...sE\|b..&0XOw............x....&..G;....^O.x..3...M.zF..}p.4x.d.I.\..s...-..i.[..'.&....7..=.F...t...u.h....tL7.z.....ty.=.l..&..O.......h2..z..5....rw..j.Ss....d.;......1........N.Q.\|;B.Q.,..5.....]4...N./.L~.....\.O.....\4)z.s=q9. .4.@...r.w".NU.>..I.;....+.L...........&E....5.X...x.....x]..A2u.Er....I....a3.T. ..wDM..5.W...8..Mh..M..X...r.......r.........Q.....y<.....4...).........D.....h<....r@.......\|;..........m..qO......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\print.png.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1711
Entropy (8bit):	5.099246065486414
Encrypted:	false
SSDEEP:	24:74+4M+i+hxfB5TOPK9Mle19PBPley9YgQB5GJiHqrBNxYqgTd8snwBAOSQy2v:XmVnZVOEfp7O0GoZR
MD5:	134BD85D740996455BC747605B6AF1A2
SHA1:	C20F6329FAD2A43B60D14C0E3BFF29CE79AA6B01
SHA-256:	3D68FEC559563414476D6FE03EF16AA5E580969AA8C2AD81166343F38204A411
SHA-512:	449B542006A2F0E180AA6E07009C3F7FB8F1C6C67038E940A57CA063431C202BB23531396D97DC8110DBBBDAB121DF07C232B881B164D016F2CAB33D4627DB4E
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.ContentTemplate>.. <DataTemplate>.. <FontIcon Glyph="" FontSize="25" />.. </DataTemplate>.. </Button.ContentTemplate>.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnPrintBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnPrintForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="Transparent" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnPrintBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnPrintForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgro

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\printico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	6518
Entropy (8bit):	5.116636834496781
Encrypted:	false
SSDEEP:	192:BwNqZ+HxIbqiMhQ8iRG8ERC136363636K:BqqZGRiRPCC0
MD5:	BDC280616F9670F41C57C16BF08E8387
SHA1:	48F574183BB500CD1808BAC20A25CFC82C05E482
SHA-256:	6E5C2E9E923569F943E9F8A86EE5023034B3DB1F6434118A0D95F429F90FFBE7
SHA-512:	EC3E5C0E6306773A3700889C2B19D6DD8EFF54F73C1BF3C7CF239807FA1B512DDE7E30D486FCD78130090125A21E2401EB0E8B7667C992863CF7FD52B11CA2C7
Malicious:	false
Preview:	...... ..........&... .... .........(... ...@...................................FEE.JJJ.MLL._UL.RQQ.ZZY.]]\.``_.uk^.}kZ.baa.mml.qhh.tkk.rnn.zoh.ypp.\|tt.~~}..q^..ta..wd..zn..{h..~l.......p...t...y...}...}...{...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\remove.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	9188
Entropy (8bit):	7.831163704382977
Encrypted:	false
SSDEEP:	192:6Sx+ikzxjBEnNn5OE5WbrQ2FJL2ysmwJ/XLjw31BsEaMheI:1H456bj5WbRvxwVGbaTI
MD5:	E3D6677249C131A7B7D9E054C8534B9F
SHA1:	912234BC82273B453EFEFA809B177658B09F42C6
SHA-256:	F62D9CA362C314B51438CE3960E5DF0ACEE0CDB0C2557B94905C790B3240A2FE
SHA-512:	F29FA900E0ECF25C5C39A982390A2B1B2D124DE1D8A9D814314282E3B62D175BF2FC7ECF13ACCFE50A50CD6EC9FE4993FCF4A6627B26B9DFD6F1D7BEB1FC441F
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME.....(#.ic... .IDATx...y\|.......f.l3.m&.....Q@...DD....[.z......s=..i{{..>z.......Z.T.7v...7De..d&.Y.Lf....Q...d.y=..!a2.....=Kf,[~.....l.....}~..=_.`.dn.....ug.....?8...3...$..4.[..;...$i.I.T,.N..J%RR2.4k.[.X$Y.2l.,v.......vn.......6..T...R.x:..).M(......4.nZ.-.X...v..JI....`.d........V..p.....Y,.O(.M(......$..;.n.U.T:-.b1...f..........r..h.,.z.c..Q.s...6..\|....;.....G....b....R..[.y2,.......)..G>..........[.p.dR.d..s".N'.J7......t.#..a...V)..F..n_...=i?S.s5.i).N7=M.J7..{..s.J.2Z..3.....4..'....n.... s(...........p.....p.....n...............P......7.....7...@.....(.....(...........p.....p.....n......M....P......7.....7...@.....(.....(...........p.....p.....n...............P......7.....7...@.....(.....(.................p.....n.....n.........P.....P......7...@.....@.....(.................p.....n.....n...............P......7.....7...@.....(.....(...........p.....p.....n...............P.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\remove.png.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	ASCII text, with very long lines (379), with CRLF line terminators
Category:	dropped
Size (bytes):	1403
Entropy (8bit):	5.471062774039721
Encrypted:	false
SSDEEP:	24:m4+4hD+rZur9RJrKGKBj8C+dycScmUjH8/bF19gkOy9bkOmMK9RkLWbf:8+KEfJv6wFfcdnYsW
MD5:	09B52F0751DBFDAD9692E26CAFB502D4
SHA1:	CEA5CB8DE826B3E51365C79BAF7D98B98DF1C315
SHA-256:	1AFE980E62BEF1454DF195952E1B665D263F6E0BEF39077863B387AB0061688F
SHA-512:	87269A5C740A102C52C55EBECE0D76F54892EA9861EE1442B1941997DEE7496D390226B61E28F18808DD501C03F988E2B8B450EA6448D201481C3980C475DD52
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnRemoveForegroundNormal]" Background="[AiWinUIBtnRemoveBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.....<PathIcon Margin="5,0,0,5" Width="60" Height="60" Data="M4.83 4.83a3.753 3.753 0 0 1 5.306 0L30 24.694l19.863-19.863a3.753 3.753 0 1 1 5.306 5.306L35.307 30l19.863 19.863a3.753 3.753 0 0 1-5.306 5.306L30 35.307l-19.863 19.863a3.753 3.753 0 0 1-5.306-5.306L24.694 30 4.83 10.137a3.753 3.753 0 0 1 0-5.306z" />....</DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnRemoveForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color=

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\removico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 5 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	21598
Entropy (8bit):	3.72201218194023
Encrypted:	false
SSDEEP:	192:1zCObveDreVlref52+II4jq3ckJTgPfipj0gLlRqiNgF5IGD0pMb/Z:1z1veDreVX+wjqqq/LlVN1GIpW/Z
MD5:	299AA97601873786E924B17223257D14
SHA1:	E2F7DBBD7B59D69F4499029E40D3C6F559B5F632
SHA-256:	DBA117A25F8AFE1A3AACA4AE830D7A6BA982FDA3D543FD438515AB788643E4AE
SHA-512:	15AF787E74D4AF5896B73979C81DE93B3DB97B407322A929061583EA9F77609D0DB61C54CF69A2A522F4D635A0931A804FE1EC036FEF5544E3101C520AAEEC1C
Malicious:	false
Preview:	......00......h...V...00.............. ..........f...00.... ..%...... .... ......C..(...0...`....................................................................................................................................................p.....................y.......................y..p....................y......................wy................p.....wy................p.....wy......................ww...p...........w......ww...p...................wy......................wy.............yp.......ww......................wwy..p........y..........ww..p...................ww............p..........wy......................ww..p...................wwy......................ww.........p............wwy.p....................ww......................wwy.p....p...............ww.wy...................wwy......................wy....p.................y.......................y............................p.................q.....p.......................w......................y.p..............q.....ww.w..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\repair.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	13276
Entropy (8bit):	7.922698779496922
Encrypted:	false
SSDEEP:	192:6SIQUbbuGOo9iMhQff7IdMbE8cph2ORT/W4ua95qH9MkVhPZwto+Qr2YlS:1IQ+19iMhyzI9phNCo5qH9MkVkvXYo
MD5:	B4B49297B66D52CCCD06E6A4B534537C
SHA1:	023C2D63C5E0F233B251840ED496CE87895EADC7
SHA-256:	E7BCDFA48C8B759511C262C548D8999924E120EA114AEEAAC6049ACFAF1B1813
SHA-512:	8A96F141CFEBF2541BD459CD6A785214D3F10B9D45B995EFD8D3763497898422ED2E7138D79CF5FC2F45BCD4E9C455D23371906173B5F88AD00254848FDB7236
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME.....+8N!.... .IDATx...ip..}'.o?Ww?O.. n.....x..H.4u:N...x.....T.x."U....rMy...J...3J..;.d..EQ.. .....g.../@.H..@.$..O..(..<O.......s......7.7..............._.C{.~.....s...q..D...H.`)..X...^...OlB*.B2.F:.A&.A&....t:....Q.I. J".}.....p...y..VQ.M.!.L!.O!.O#...t..^... . ...3..w.......a......S#"b.M..d".d<.d".Tr..f..R.n@...Rf....RG%?.Ud.}..B.....e.#.k.5.>...,.Fg/..B.Ne.N..J..J.....+s@.IO.].tH..~(DD+.....wc.]@2..L.N...}.7...-.@.:.H...HD...>.....P..L......E.+xV.2.~.%s$"Z.u..y5...84......b.MDDDD........7.......&""""b.MDDDD........p.......&""""b.MDDDDDl.......p.......&"""""6.DDDDDl.......p.......n"""""6.DDDDDl..........&""""b.MDDDDDl.......p.......&"""""6.DDDDDl.......p.......n"""""6.DDDDDl........7......n"""""6.DDDDD........7......n"""""b.MDDDD........p.......&""""b.MDDDDDl.......p.......&"""""6.DDDDDl.......p.......n"""""6.DDDDDl........7......n"""""6.DDDDD........7.......&""""b.MDDDD........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\repair.png.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	ASCII text, with very long lines (584), with CRLF line terminators
Category:	dropped
Size (bytes):	1676
Entropy (8bit):	5.329204164329776
Encrypted:	false
SSDEEP:	24:m4+4hD+weur9RJrKG10Qtnk2u+0DdFLRYwDzm+7Pr54E1GQH8/bF19bkOy9IkOh5:8+K0fJv1T22u+0D6cP5oQcdAXbW
MD5:	85676272B990DD8A7DE94D8C003235DF
SHA1:	9CE544231BAAB4FE263E976647CDDF28039A4811
SHA-256:	0191FF0112785B0FC6343DABF3AE268BABF28218771B068AC31D84C39F86BE43
SHA-512:	B8A2195BD09EFAA67A4DAA3E9F187B92B8342A31A42AF178D0928261030CB1A05D0024830055A298ABC759B911F8FD73A02247A229CDC7AA6785F114E5CD8E55
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnRepairForegroundNormal]" Background="[AiWinUIBtnRepairBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.....<PathIcon Margin="5,0,0,5" Width="64" Height="64" Data="F1 M10 9l8 8c2 2 2 5 0 7s-5 2-7 0L3 17C0 22 1 28 6 33s11 5 16 3l23 23c2 2 5 2 7 0s2-5 0-7l-23-23c2-5 1-12-3-16S15 7 10 9zM43 29c1-1 1-1 1-1 1-1 2-1 3 0 0 0 1 0 1 1 1 1 2 3 1 5 0 0 1 1 1 1 1 1 3 3 4 4 0 0 0 0 0 0 0 0 0 0 1 0l7-7 2-2c0 0 0-1 0-1-1-1-1-1-2-2-1-1-1-1-2-2 0 0 0 0-1 0 0 0-2 0-2 0l0 0c-2 0-2-1-2-2l0 0c0 0 0-1 0-1 0 0 0-1-1-1-2-2-5-5-7-7-1-1-2-2-4-3-3-2-6-2-10-2-2 0-3 1-5 1-1 0-1 2 0 2 2 0 3 1 5 1 3 2 5 5 5 8 0 2-1 3-1 5l-2 2-6 5c-5 5-16 15-22 20-1 1-2 3-2 5 0 3 2 5 5 5 2 0 3-1 5-2 5-5 15-16 20-21l5-5

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\repairic

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 4 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	19942
Entropy (8bit):	6.307028314098947
Encrypted:	false
SSDEEP:	384:jLGJlpUiY4vIiR59ypEf4Bloa81URvkKTtSYX9tYuYMRzOcyRM4VG9j2RW4XljaG:jglp6DSwEQBlosmKLPYuzzOnRVGZUW4p
MD5:	2ED3D45BC22B79DB09136513AED402DD
SHA1:	8B2324CBFF902B85E349D61E46D9F88170B6BEDE
SHA-256:	4A8FA6335720D3E4F464AF244364923E741605B8AD3E1E28411F494E95EC11E4
SHA-512:	3AE91AE1FF3F460D5677C1AE636C0A0E5525AD2B88DE635FC57D48B5FE78747D3B7DD7683597DA9AC344F1E8884B10124C8DC3DE54E1581921AAC8734F3947F3
Malicious:	false
Preview:	......00..........F... ..............00.... ..%...... .... .....>=..(...0...`...................................r?..uA..yF..~J..yL..}S..hG#.{S$.OOO.QQQ.ZWQ.\\].b]R.ca].qgR.qfZ.^_`.abb.njb.mml.snc.~vl.uus.}}}..L...N...P...U...Q...T...Y...Z...V...Y...S...[...Y...\...g...`...f...j...s...s...j...q...v...z...{...\#..]"..])..a)..i%..e>..h8..f1..i3..o3..m;..q6..n%..w#..y$..z4..oN..sG..yF..xR..z^..zS..\|G...R..tg..yf...m..~z.......&...;...9.....+..-..3..3..;..;...X...I...I...G...L...R...S...V...R...[..._...[...Z...i...a...k...w...~...x...\|...~...e...`...m...b...a...d...d...j...l...k...y...v...v...}...}..G..A..[..F..H..Q..[..[..\..L..X...e..i..e..g..u..z..s..r..s..{..z..h..u...i...a...x...t...{.................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\runapplicationbutton

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 432 x 72, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18599
Entropy (8bit):	7.975539117303291
Encrypted:	false
SSDEEP:	384:QYH+4q/3TBCC3cjOdHpCsjN9AIh7/shbdQ+zgMalqcxbbDb6q:QYc47jOddoakpQhM9cZ/bH
MD5:	F5A120B564FC7823D1C269B7A6E70473
SHA1:	1B85466C12F83B7872214F787390614DF50EADDB
SHA-256:	C178ED81DE4AA8B049EFCF0670C10CF2043A51C6BE1144EE95D09C1C2AFD6087
SHA-512:	96D285759F8A8C5D17D7CAC4EF224995DFA09554A3687C7F34E63651888C98A9C60095CD1A71C82030781FF6E7D58B7D49068BD9F53126FF7B775579D3368ACE
Malicious:	false
Preview:	.PNG........IHDR.......H.............tEXtSoftware.Adobe ImageReadyq.e<..HIIDATx..}.`T.....L..B.!..( ".V..j)j.g....^-O[......w..Z..k....^Q.P+...o!!...d....?...77..@2.Ir...L.$s8......X.d..k...p..5...U...\..].t...\|>$.M>.Vy.6$.!......]C..C>7M......c...1......F.qP\...cR./.........A).]6.....KC.......`.R>.RQ.......~}H...?.`..+q...x.A.WH.qx..l\V_.gU......6/.l.-.D..;.;.-.D.-.\|....\|......O.........l5>x.._.....tO..p...3!]......3.\.4._?...V.X..).D...X..0aB.~....#...`..?.}.OH.. ..#.l..t.?>...A.....\...{M>.....g.s......<{.o....\|.b..HmH>C.5$.#...x.........j.?.%.\|..Q...."Q#h..2?d...........=...v...6~.7.......~.h.D@}).o.~m...)....=k...~..sF..f.9.......%.R.D.....ES.IX.A.. ..M.:.o.}...rB.....o.$...../.~.=.E....v..?q..]?..(a.e...~...u..3N.I..a...a.a..[....5....p.....M...z....\<..(.....N.:L.7+..._.......ll..'.0a..'.\|..}-Z..rH:,=....wr.`.?/.}.1..@......6.=..U.?.$...3.C..2..<w.W..9...`G...;k.....e7..y..Ai....._.9.,....Q..0L8*..F...Yi..>.w...z..?..s.M>h`s/<.R4..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_down.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	254
Entropy (8bit):	6.374356044068655
Encrypted:	false
SSDEEP:	6:6v/lhPQiCtldE/6TDbnTcjoSs2ABAzciMnot17S/FpXuI/RTup:6v/7oiidE/6TzcjoL4zrw1d5uI/e
MD5:	E0040A9DBB89F5A5A1B2C2C34BD52A52
SHA1:	E85D76A72041C8775F3E810273EF4F7E85035D32
SHA-256:	D817AE7A97229DF819521483CE4018A05B1EAB6930A877CB30F4E2BC79A4D42A
SHA-512:	DBB2A6EE6A51D8B3CC327BF5624410471DFEDC9EE4E9A53963881C7AF2326CE1BF036D3C4D6ED35F226E654FCE905A1AE982A5E79A4921CFD553E427EDDF4197
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME......5.}a.....IDATH...Q.. .....P...z-....aE[.....C..aj"I.. I.......p.LR.S....].3...._Jy...iT....,..6"....."....D......u.W'.f.ns/J...9.......9.....P.=...0....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_hot.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	290
Entropy (8bit):	6.630524120534146
Encrypted:	false
SSDEEP:	6:6v/lhPQiCtldE/6TDAgFyoDgMkryphJ9ipZnpv14qlaWSNHRaPl/jp:6v/7oiidE/6Th/DgMsyp4pZnpvWq4ZI7
MD5:	089ED99675E574A5CEBBA2C5E395AB1E
SHA1:	B4BB865A7ECFFD8F6F2551D7D5C23AC6F9F3345F
SHA-256:	C1EC4222CF1B3AFAF5A160914C6DDB82794236D350683D9A282C9BC4541D1315
SHA-512:	F579BD9598F5616D20F9D6CC74D7D900415127FE5629574D76D24BADFA65104DFB5EA57574D584D8B9D10A93F4D76C5DD29B0803535CF6B5BC54A1EE1CC694DD
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.......}1/p....IDATH..... .....Y.!.Y.!.......$.x.EJ....PO...@-......k.'......s..=..V.?....4.....*.Z...[.@...v.V.P9y.s)3....6.....}...#".!.3._....J.Pk...Q.....P\|-.$~M.f>....@5.#...hC....i....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_inactive.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	225
Entropy (8bit):	6.103157225599965
Encrypted:	false
SSDEEP:	6:6v/lhPQiCtldE/6TBm/KQVqnrj6afHDxgsxDTDGp:6v/7oiidE/6TBxQYnKavDxDk
MD5:	8BA33E929EB0C016036968B6F137C5FA
SHA1:	B563D786BDDD6F1C30924DA25B71891696346E15
SHA-256:	BBCAC1632131B21D40C80FF9E14156D36366D2E7BB05EED584E9D448497152D5
SHA-512:	BA3A70757BD0DB308E689A56E2F359C4356C5A7DD9E2831F4162EA04381D4BBDBEF6335D97A2C55F588C7172E1C2EBF7A3BD481D30871F05E61EEA17246A958E
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.....28.......nIDATH.c`...`..8.H."??...b.6mb.%..,.b].q.F8....8.....?2..z..[BS.`...........~...Rl>.....'.R...../I.`........f.W......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_normal.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	225
Entropy (8bit):	6.103157225599965
Encrypted:	false
SSDEEP:	6:6v/lhPQiCtldE/6TBm/KQVqnrj6afHDxgsxDTDGp:6v/7oiidE/6TBxQYnKavDxDk
MD5:	8BA33E929EB0C016036968B6F137C5FA
SHA1:	B563D786BDDD6F1C30924DA25B71891696346E15
SHA-256:	BBCAC1632131B21D40C80FF9E14156D36366D2E7BB05EED584E9D448497152D5
SHA-512:	BA3A70757BD0DB308E689A56E2F359C4356C5A7DD9E2831F4162EA04381D4BBDBEF6335D97A2C55F588C7172E1C2EBF7A3BD481D30871F05E61EEA17246A958E
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.....28.......nIDATH.c`...`..8.H."??...b.6mb.%..,.b].q.F8....8.....?2..z..[BS.`...........~...Rl>.....'.R...../I.`........f.W......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_down.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	219
Entropy (8bit):	6.15818596694562
Encrypted:	false
SSDEEP:	6:6v/lhPQiCtldE/6TDvvkriNhQ9+Xm9i8p:6v/7oiidE/6T7kriLQ9+29iu
MD5:	38375B1DD82D4BA1A3A8C12EEF4ADED6
SHA1:	DB968D4A666C0401ACBD2CF0535F8EF80316ECC9
SHA-256:	EAED9874836DAE7EA6C5D6BF914EBD34263880D745AD61D24D215767A4E355CF
SHA-512:	BB27752D979AFC1E6EE835DBD1A952800CB5A013C14EC70ABF213021A3532865F29888A95832A716FC557F9807F04504DA16D17D44B16A38EB513A020E079B2C
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.......\|.EG...hIDATH......0..@Su.,......Y.%......w.S..1..`^.Xk....\|0..............9..tw....vC.$+}....dy..qiK.....C..&.#.XD......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_hot.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	181
Entropy (8bit):	5.630088987541043
Encrypted:	false
SSDEEP:	3:yionv//thPlhltB2iCtlWatP2/uDlhlbpsPtjt/shkxTka9zNdDPEykUhOgSousz:6v/lhPQiCtldE/6TD8/shk5RNdVkUhdT
MD5:	9F400CA36F8629670FACD21639CDDC0D
SHA1:	00CC682A8332269B01DB832DB29CBED20E932558
SHA-256:	6D13E15F83B06A9758833E2CF47310479F7AB834EA06B310FEFB3BA859F1FCCC
SHA-512:	A84E4BAD25E401331A5B90F0D31C30E62A43B064289E89D3946B2DC06669C7543B6A9B49D8E28208A3644B684529AEA765078FB281F4EF1FFB6CA4254446FCA1
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME......*.......BIDATH.c......:..(-F'.^11...Z8j....Z8.-d!.j!B..5-....Q.G-..`.wC.....G.N......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_inactive.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	175
Entropy (8bit):	5.599077557708541
Encrypted:	false
SSDEEP:	3:yionv//thPlhltB2iCtlWatP2/uDlhlbrsjQwTHm7ZJ403Gl6hnXGhoQyeB1p:6v/lhPQiCtldE/6TBsjvT0J4OGghc/p
MD5:	A2C4802002BB61994FAABDA60334A695
SHA1:	0A2B6B0CEB09425080C5BA4B9CBDEF533CF69EBA
SHA-256:	A3B59DBC5A39D551455FF838E71B5820560CA3484C6411B9D69DF33D8113619C
SHA-512:	34E130EDC650C3DE6020F2D2B5DC1404B7AEE0105EB7E315C15C5AA61398D174377E9B6A2AECC55F79F54C04812B8745C6739A201539E291538979E6B024DA31
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.....03.q.I...<IDATH.....0..A..K0-K.....Q..~.......PROMU..AI..c........[.....(.e....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_normal.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	238
Entropy (8bit):	6.297913308756489
Encrypted:	false
SSDEEP:	6:6v/lhPQiCtldE/6TBHchRTZr4wt3IN0ZhTp:6v/7oiidE/6TBHchR9rU0F
MD5:	516172D0EBF941237CEF32FCEE8CDF43
SHA1:	6BEE117996C16C7413BE876DFC15978D14813091
SHA-256:	56E64EAF6349ECE08005E6F7299DE413ED00112D53518215D90690BE2B2A4F1A
SHA-512:	46477A58AA7E9EEAE29E1C1D826BF045422709B7C8F428985C617B366012C58121D4404523A75EFE77FC6D8E061A6BB209743D0A2AF81545898F51C8855728EC
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME...../...8{...{IDATH..K.. .E........p/."..A.................w...3o...a~..Y...C.j..fv".f.>...U...Wkm..;.... ..SJ.C..$...H..~.OD2......3(.W.d..w....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\viewreadmebutton

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2979
Entropy (8bit):	7.447666176115625
Encrypted:	false
SSDEEP:	48:6/6E+6q1+9tMh8C+kjF0LDF2/agXHs2AHyDCX1XYuxNyuit:6SE9Chj+k8J2STHhNYUgt
MD5:	42622C4464EB34FDF6CD60909084D6D7
SHA1:	DE60493F4136C2FFA6B6790EA18284314C462669
SHA-256:	A23023C1667B85617BE637DB6A7FAE5C84992DE3F3A034D7644BCEFD6E75D328
SHA-512:	3F1C69080C6E1F5FEB11B2BC750023F592D6E02A515825642314228042935D868A257D204E6A8451688E1EAAF0D53DF15BBC79A84442B2AD0281155F39E48BCC
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME.....#..M.....0IDATx...k.\e...g..Z%.@....T(...E...rK.&U....DcbB......1$....J..b.Hk.Di...]X.nK.K..,..&rq.3...evg.li.....~_v..w.f.g.....).r..Y..;.l....W?Q8..7...}..-..~....n..L.)EDL.6.L.......q...J......YV.,KMP...(.JQLJQL.D.8%.z..6b.n.u.h..M{.T.1T}7.w#M....E..wS..H..tD5.R1_.o_...&p.w..-.T0k..7.X5-G..nT...jZ.4.D.UML3..B1.l(....H.In..:.D..7.x.$.1w4Z.Xw0N.?.@.N..}......3pW.=.].J...g.....$...P..F5........s+....6.e...C.....!W.M\|..iDZ(F.0..L..hv.sk.g..m.w.Y..e...4..,.G.R....O...GJL...L......n............n............n............n............n............n....M....... p....7...... p....7...... p....7...... p....7...... p....7...... p....7............7............7............7............7............7............7.. p........7.. p........7.. p........7.. p........7.. p........7.. p........... p........... p........... p........... p........... p.......L......b..7M.q..K.X....l.c\|-Y..X....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\viewreadmebutton.xaml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	ASCII text, with very long lines (387), with CRLF line terminators
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	5.309056977458643
Encrypted:	false
SSDEEP:	24:m4+4hD+m4ur9RJrKCg8/bF19pkOy9OkOTlK9YkLWbf:8+KQfJtJdWhRW
MD5:	5480AF870DB76DBE15D1D1B0C6EC6550
SHA1:	6240E8A285903506484420667E87752B9AFB35FE
SHA-256:	4D2180ED426F960CF8968FBA251DA9D1D7BD76F4D5A3C2339EAEA28FC764B76A
SHA-512:	1174C8CF80B8C15DB61E79565C3A58B2768793D0586BAA5968754C44B9E8AFFCEEE37C22BD7B5859CDA65C22705713B5747625C6B7A9E758270FF2BA60F4F036
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnViewReadmeForegroundNormal]" Background="[AiWinUIBtnViewReadmeBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.. <FontIcon Glyph="" FontSize="70" Margin="5,0,0,0" />.. </DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnViewReadmeForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnViewReadmeBackgroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnViewReadmeForegroundPressed]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnV

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\waitlogoicon

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	4.460762662440214
Encrypted:	false
SSDEEP:	96:5Z9z9ATOwu8FjK/kIiZHFzzzzzzzzzzzzzzzzzzzzzzzzzzz8ACroD3xgp9sFoe7:d9ATOCNIiZHy3eM9sFoe1es6jqOMH
MD5:	3446EB64A3A4639003C0F6941A3254C6
SHA1:	D51159EE40B02A5EDB9B115E78CC132D6E35E00B
SHA-256:	CEA275DBB399BB7BDBB747511CF0316C699221D82EA075D65E4F5688B5EB4831
SHA-512:	2E019E66BB2EE3055CE3D066CAE2494B2E7EBCB500D4D4F71D0955D3D11F91371977BE94DB453A2CF43680A9E46ECDF2A53CBFE106A744D27B60AB944C753027
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`...................................1...3...9...?...@...B...C!..C#..E%..H&..I(..K"..K,..M,..P/..T-..S2..P1..V6..V7..Y1..X9..a:..O(.W. ._7!.]=!.Z<$.W3..d=$.b:).`<5.^A).`@$.cD.dD(.hA(.lC*.lD+.fH..hH,.qI..vR,.lL0.oH4.jN6.hE;.vM1.oP4.lP:.lR=.qR6.zQ4.\|S4.~U5.}Z5.pR8.sT8.pT<.wX<.qNA.pVA.\|V@.u[D.{]A.~\M.~`D.{`I.~bH.zaM..W6..c?..cF..fG..eH..fN..dL..jM..lJ..kL..eS..nQ..nY..sZ..rU..uT..rZ..wY..p]..yZ..{]..~^..va..wd..y`...b..{f..\|i...j...o...o...o...r...q...t...~...f...f...i...h...j...m...i...l...n...p...p...~...r...t...v...}...x...\|.......q...s...t...u...w...y...~...}...................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\whitebackground

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 400x300, components 3
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	0.9300953826985205
Encrypted:	false
SSDEEP:	3:nSullBbs1lQQp/yEDpeknmRmm8dmM0+Et3/llE//WmskX8n:3ll7QzDkmm8dmM0R3/lly/Wmsj
MD5:	EB93C0ABAE8A7DE7AE6DC3755B12C802
SHA1:	5E288B9AD93663887681F577B8129DCD9B988062
SHA-256:	EDA260871BBA09273B71A165DC8B4F254B186046AB383722DC2D8803FA698725
SHA-512:	6B1A9C98A16DC19D417FE7B6DB6B4698036CACB6570816B063341F489B56CDC54769C07337488AA68FA8D9B39FDCCF04C7DFB4C8EBE536ACDF3FA7DE1464BC85
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................,...............K.....................................................................................?..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI772.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7F0.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI82F.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI850.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI870.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI880.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI8A1.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI92E.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB14.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB53.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469756311917561
Encrypted:	false
SSDEEP:	6144:2aFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl4mN9ysU5p/s8g73W:jYL9HXVW0xOA+KlZC4v65ps8g73W
MD5:	FE647318C4CC7F18012BDF5F8F96C468
SHA1:	82E516C4247CA5EAC3365BF80120D8A1F30E3042
SHA-256:	AEC9F4CB37604C67C69FC0FEE1DC630DB016E1471212006ED787DD9432158E69
SHA-512:	2AB40A563FA4AFE48BA74067653A244BDD53F9C04CD3764F29C5F80349F68B2126C6442E0A75FFB3C207F8C9267D4FAE7B407CA7D1D5E31D729B84B0EDEA817C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0......c.....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi55E.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\550CEA2\?? 02 - ??.msi

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {D50A0C29-3B68-4483-AA7D-3507B07E5BB7}, Number of Words: 0, Subject: Outlook, Author: Microsoft, Name of Creating Application: Outlook, Template: ;2052, Comments: Outlook , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jan 25 08:08:36 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	2433536
Entropy (8bit):	6.638454503752706
Encrypted:	false
SSDEEP:	49152:Fq1HIG/bDPk+q4S5a8g73MURx1RK/957Wf63h0emOb5+:0Z3c+XoURx1RK/TGO
MD5:	59945D0BDEB087624ECDFF3B6592ED76
SHA1:	60DBECA78E011734612FE6919B8BF1BBE9091FA7
SHA-256:	D25CC95B1755CA7A21DA15A465C939B3E357616EEF22C7E09A04FC05A74F5656
SHA-512:	02642FD05FC84F79EDE53CAD5930AE6B490B94630D92886FE917B95B649B462855204B6E5C0C7E9CBC71AB3FCCAD798283DEAA9DD001DA357BDFA035C2E25BA9
Malicious:	false
Preview:	......................>...................&...................................l...............l.......................Q...R...S...T...U...V...W...X...Y.......................................................................x...........................................................................................................................................................................................................................................................................................................g...............'...:........................................................................................... ...!..."...#...$...%...&...2...3...)...*...+...,...-......./...0...1.......6...4...5...8...7...9...F...;...R...<...=...>...?...@...A...B...C...D...E...J...G...H...I...O...K...L...M...N...f...P...Q...h...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...K...N.......i...j...k...........n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\550CEA2\?? 02 - ??.x64.msi

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {04B12AD4-B137-456D-BCD0-722D8223EA45}, Number of Words: 0, Subject: Outlook, Author: Microsoft, Name of Creating Application: Outlook, Template: x64;2052, Comments: Outlook , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jan 25 08:08:37 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	2433024
Entropy (8bit):	6.639512398922904
Encrypted:	false
SSDEEP:	49152:dd2HIG/bDPk+q4S5a8g73MURx1RK/957Wf63h0eROb5+:qZ3c+XoURx1RK/TxO
MD5:	0CB7467432057A4152A5E3A3F27308B5
SHA1:	444DA66255FA1FD6FE485BF24AE472E41539DC80
SHA-256:	A066F1CF41AFBA2A1C4297450A617B5D5586DE1EA45A66BB57DC71B18F0323DC
SHA-512:	83818BAFD9281C66F26D550D445AA41B8E386B617E76F25F35F5E7BCA47DF589B50AA79844B7D5B7EE48B7EF5AF69D27362A6ABA9EA45B2F1A4F1A25DDE99219
Malicious:	false
Preview:	......................>...................&...................................l...............l.......................Q...R...S...T...U...V...W...X...Y.......................................................................w...........................................................................................................................................................................................................................................................................................................g...............'...:........................................................................................... ...!..."...#...$...%...&...2...3...)...*...+...,...-......./...0...1.......6...4...5...8...7...9...F...;...R...<...=...>...?...@...A...B...C...D...E...J...G...H...I...O...K...L...M...N...f...P...Q...h...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...K...M.......i...j...k...........n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File Type:	data
Category:	dropped
Size (bytes):	26456992
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	953C79C8C8EBAC4AFAB0B219C482AF37
SHA1:	E23E00D8A8FCA118757EEB7B7FC724C626D4A4EF
SHA-256:	2F48B4ABD5FF29932084433321F5258150214537010EB8FF1D6F26DAEC310BE2
SHA-512:	55C0A747EBD895100EDFBCB7B397ABE2530F41CC6CCC5C7142139F69D4257375D27FA66B2D2CFC0650CA587A28718284D8F4B8920C068849DD555CDCFF00EDD2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.795045015846563
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
File size:	12'568'744 bytes
MD5:	fe41ba6e49587e644575cc3e63bbec57
SHA1:	b26bf2f22af8fbf59c84df1295c179e6ce9010dd
SHA256:	671d2ffc833e605aa7061ce6c43b83a180957ec3c004856fe837f00b7a0b78a1
SHA512:	fd7539764aebdeeac77abbf1ecc69cbb199b36bc39d1042a57d6bb4bba2e4d0aa7f4c1a49928448fb38fe5d6c9b11f75280653b786cf9e06618ad7e8cd6ebe56
SSDEEP:	196608:nomHVY0A5XNBnj0gAlYsju9Jx6+klDpEkq+EkqMMTQzTWryuLJq4TcAbI0lWhsCJ:51YT1nA+B9VklD6rhDMMTQzBCQ4TtbL4
TLSH:	FDC60131760AC43BEA6201B02A2D9ADF55287F361BB164C7A3DC3E6E18B55C31736E17
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........."...L...L...L...O...L...I.g.L...J...L.x.H...L.x.O...L.x.I...L...H...L...M...L...K...L...M.5.L...E...L.......L.......L...N...L

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x5dd680
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x649BFB69 [Wed Jun 28 09:20:41 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	21314122cd4542a6b9b297f52a87acbe

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	01/12/2023 01:00:00 01/12/2026 00:59:59
Subject Chain	CN="Wuhan Xinquan Network Technology Co., Ltd.", O="Wuhan Xinquan Network Technology Co., Ltd.", S=Hubei Sheng, C=CN, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91420106MAD0H2746N
Version:	3
Thumbprint MD5:	907D0F7C940AD322B6B7ACAFC5A6A966
Thumbprint SHA-1:	B9E40721E1CCB4D291ADBE87B7064A25492DD883
Thumbprint SHA-256:	8D7A10A79F77D6A60181CC18AD6DF6D140DBF45D2F2996B38B4782B76897CDFA
Serial:	612B4F15A480E07172E30E8C3986E585

Entrypoint Preview

Instruction
call 00007F76853A419Fh
jmp 00007F76853A39DFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F76853A3032h
jmp 00007F76853A3B42h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006F8024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006F8024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006F8024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f6af4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x306000	0x268b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbf9b08	0x2da0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32d000	0x289b4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x299dd0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x299e40	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26ad60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x269000	0x2ec	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2f3e60	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x267146	0x267200	6cac8d1588a080830b52f21bb525e452	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x269000	0x8ebfa	0x8ec00	45fa3832446dcd9690871301a1cbc035	False	0.3130609676007005	data	4.600804924708828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f8000	0xd220	0x3c00	becc499adcd980ba70741cca33175edd	False	0.26588541666666665	data	4.791177624051412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x306000	0x268b0	0x26a00	81affad27b81a3f0e40025c184c0059f	False	0.1552639563106796	data	5.8728594707925215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32d000	0x289b4	0x28a00	ed23f6d2dd1b38ddaab7384a2b0a9ca6	False	0.44384615384615383	data	6.513442265686413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3068e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	Chinese	China	0.25471698113207547
RT_BITMAP	0x306a20	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	Chinese	China	0.03017241379310345
RT_BITMAP	0x307248	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	Chinese	China	0.11881720430107527
RT_BITMAP	0x30baf0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	Chinese	China	0.21680420105026257
RT_BITMAP	0x30c55c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	Chinese	China	0.5295857988165681
RT_BITMAP	0x30c6b0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	Chinese	China	0.4875478927203065
RT_ICON	0x30ced8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0, resolution 11811 x 11811 px/m	Chinese	China	0.3041450165328295
RT_ICON	0x311100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.08703319502074688
RT_ICON	0x3136a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.16463414634146342
RT_ICON	0x314750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.18565573770491803
RT_ICON	0x3150d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.3262411347517731
RT_DIALOG	0x315540	0x84	data	Chinese	China	0.75
RT_DIALOG	0x3155c4	0xb0	data	Chinese	China	0.6988636363636364
RT_DIALOG	0x315674	0x15c	data	Chinese	China	0.5603448275862069
RT_DIALOG	0x3157d0	0xf0	data	Chinese	China	0.6458333333333334
RT_DIALOG	0x3158c0	0x46	data	Chinese	China	0.8571428571428571
RT_STRING	0x315908	0xde	data	Chinese	China	0.8558558558558559
RT_STRING	0x3159e8	0xe0	data	Chinese	China	0.7008928571428571
RT_STRING	0x315ac8	0x3a	data	Chinese	China	0.7241379310344828
RT_STRING	0x315b04	0x6e	data	Chinese	China	0.4909090909090909
RT_STRING	0x315b74	0x182	data	Chinese	China	0.727979274611399
RT_STRING	0x315cf8	0x25a	data	Chinese	China	0.7558139534883721
RT_STRING	0x315f54	0x240	data	Chinese	China	0.5190972222222222
RT_STRING	0x316194	0x7c	data	Chinese	China	0.7661290322580645
RT_STRING	0x316210	0x1c8	data	Chinese	China	0.7850877192982456
RT_STRING	0x3163d8	0xd8	data	Chinese	China	0.6712962962962963
RT_STRING	0x3164b0	0x86	data	Chinese	China	0.9402985074626866
RT_STRING	0x316538	0x146	data	Chinese	China	0.5920245398773006
RT_STRING	0x316680	0x30c	data	Chinese	China	0.6051282051282051
RT_STRING	0x31698c	0x2ec	data	Chinese	China	0.6270053475935828
RT_STRING	0x316c78	0x11e	data	Chinese	China	0.7447552447552448
RT_GROUP_ICON	0x316d98	0x14	data	Chinese	China	1.1
RT_VERSION	0x316dac	0x2f8	data	Chinese	China	0.4605263157894737
RT_HTML	0x3170a4	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	Chinese	China	0.08298005420807561
RT_HTML	0x31a8dc	0x12ea	ASCII text, with CRLF line terminators	Chinese	China	0.18793886823626602
RT_HTML	0x31bbc8	0x50cb	HTML document, ISO-8859 text, with very long lines (20366), with CRLF line terminators	Chinese	China	0.11990523618430596
RT_HTML	0x320c94	0x4c2e	HTML document, ISO-8859 text, with very long lines (15487), with CRLF line terminators	Chinese	China	0.1352681776228079
RT_HTML	0x3258c4	0x534	HTML document, ASCII text, with very long lines (1017), with CRLF line terminators	Chinese	China	0.41516516516516516
RT_HTML	0x325df8	0xdc3	HTML document, ASCII text, with very long lines (3250), with CRLF line terminators	Chinese	China	0.24354243542435425
RT_HTML	0x326bbc	0x1104	HTML document, ASCII text, with very long lines (4083), with CRLF line terminators	Chinese	China	0.21051423324150598
RT_HTML	0x327cc0	0x2050	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	Chinese	China	0.13575918762088976
RT_HTML	0x329d10	0x238d	HTML document, ASCII text, with very long lines (8812), with CRLF line terminators	Chinese	China	0.15163168882540382
RT_MANIFEST	0x32c0a0	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	Chinese	China	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, GetProcessAffinityMask, GetModuleHandleA, GlobalMemoryStatus, ReleaseSemaphore, CreateSemaphoreW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	0
Start time:	05:27:00
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe"
Imagebase:	0xe80000
File size:	12'568'744 bytes
MD5 hash:	FE41BA6E49587E644575CC3E63BBEC57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:27:01
Start date:	31/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff618720000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:27:02
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 0E4E2BFC58A5D03AC826880BF5326FF0 C
Imagebase:	0x3a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.4%
Total number of Nodes:	1173
Total number of Limit Nodes:	67

Executed Functions

Function 00FBE810 Relevance: 37.4, APIs: 11, Strings: 10, Instructions: 633libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00FBEA13
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00FBEB0E
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00FBEC06
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00FBECE5
GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00FBEE21
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 00FBEF02
__Init_thread_footer.LIBCMT ref: 00FBEF76
LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 00FBEF8C
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00FBEFBE
SHGetPathFromIDListW.SHELL32(?,?), ref: 00FBF073
SHGetMalloc.SHELL32(00000000), ref: 00FBF08C

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Strings

shfolder.dll, xrefs: 00FBEF87
SHGetFolderPathW, xrefs: 00FBEFB8
WindowsVolume, xrefs: 00FBEC74, 00FBEC89, 00FBEC93
ProgramFiles64Folder, xrefs: 00FBE84E
System32Folder, xrefs: 00FBEA9B, 00FBEAB0, 00FBEABA
WindowsFolder, xrefs: 00FBEB93, 00FBEBA8, 00FBEBB2
SETUPEXEDIR, xrefs: 00FBEDCE
ProgramW6432, xrefs: 00FBE8A9
SystemFolder, xrefs: 00FBE983, 00FBE998, 00FBE9A2
TempFolder, xrefs: 00FBED12

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FolderPathWindows$AddressAllocateFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystem
String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2816963309-2142986682
Opcode ID: 26ceac375b712573c0d5d7963c2453f31593c909df5c42a10c2b8339345441b6
Instruction ID: 366171f991938eef7336bf1799499b133a92b260d2727657dc06657336d2e531
Opcode Fuzzy Hash: 26ceac375b712573c0d5d7963c2453f31593c909df5c42a10c2b8339345441b6
Instruction Fuzzy Hash: 0E322570A002058BDB28EF65CC44BFAB3B5BF54310F1442ACE51AAB292EB719E85DF51

Function 00FC36C0 Relevance: 32.9, APIs: 11, Strings: 7, Instructions: 1355synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

GetTickCount.KERNEL32 ref: 00FC3744
__Xtime_get_ticks.LIBCPMT ref: 00FC374C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC3796
__Init_thread_footer.LIBCMT ref: 00FC3981
GetCurrentProcess.KERNEL32(00000008,?,9F3ADAE5), ref: 00FC3B78
OpenProcessToken.ADVAPI32(00000000), ref: 00FC3B7F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00FC3BAE
CloseHandle.KERNEL32(00000000), ref: 00FC3BC3

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000), ref: 00FC4495
CreateThread.KERNEL32(00000000,00000000,00FC4FA0,?,00000000,?), ref: 00FC44D0
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?), ref: 00FC4503

Part of subcall function 00FC72F0: GetCurrentProcess.KERNEL32(?,9F3ADAE5), ref: 00FC7359
Part of subcall function 00FC72F0: IsWow64Process.KERNEL32(00000000), ref: 00FC7360
Part of subcall function 00FC72F0: _wcsrchr.LIBVCRUNTIME ref: 00FC73E1

Strings

\\?\, xrefs: 00FC45D7
true, xrefs: 00FC40AB, 00FC40D2, 00FC40D3
false, xrefs: 00FC40B0
Maintenance mode:, xrefs: 00FC409A
/uninstall, xrefs: 00FC3D73
VersionString, xrefs: 00FC3E44, 00FC3E95
\/:*?"<>|, xrefs: 00FC3941

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Process$Init_thread_footer$CreateCurrentHeapToken$AllocateCloseCountEventHandleInformationObjectOpenSingleThreadTickUnothrow_t@std@@@WaitWow64Xtime_get_ticks__ehfuncinfo$??2@_wcsrchr
String ID: /uninstall$Maintenance mode:$VersionString$\/:*?"<>|$\\?\$false$true
API String ID: 514365542-1899154899
Opcode ID: 0d36e2a659cae562df1a80d0533074b166f6df848d50ab717b61040fc4f680f2
Instruction ID: 465473555fee957ee6e45560fac40d00426f4b7c56f5b1c2b482338de8dbaebf
Opcode Fuzzy Hash: 0d36e2a659cae562df1a80d0533074b166f6df848d50ab717b61040fc4f680f2
Instruction Fuzzy Hash: B8B2D130D0060A9FDB14DFA8C955BAEF7B4FF45320F14826DE825AB291DB74AE44DB90

Function 00F88460 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 367
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00F886E9
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 00F886FB
SendMessageW.USER32(?,00000443,00000000), ref: 00F88753
GetDC.USER32(00000000), ref: 00F88777
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F88782
MulDiv.KERNEL32(?,00000000), ref: 00F8878A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00F887AF
GetObjectW.GDI32(00000000,0000005C,?), ref: 00F88898
CreateFontIndirectW.GDI32(?), ref: 00F888AC
SetTimer.USER32(?,?,?,00000000), ref: 00F88920

Strings

NumberValidationTipTitle, xrefs: 00F884D5
NumberValidationTipMsg, xrefs: 00F885C5
Segoe UI, xrefs: 00F88761

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CreateFontWindow$CapsDeviceIndirectMessageObjectRedrawSendTimer
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 3996265456-2319862951
Opcode ID: b7707fb4adac002089b85310c8bfe08a7b2b8e8007355e8174783142a79ff68f
Instruction ID: 875f8cd28bee62fd584a50580a8c509015c81b0d8699d8303fb62314a7a4a37b
Opcode Fuzzy Hash: b7707fb4adac002089b85310c8bfe08a7b2b8e8007355e8174783142a79ff68f
Instruction Fuzzy Hash: 67D1C031A00605AFEB18DF64CC95BEEB7B1FF88300F10829DE55AA72D0DB746A45CB90

Function 00FE8160 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 536
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FE81F5
GetLastError.KERNEL32 ref: 00FE81FB
GetUserNameW.ADVAPI32(?,?), ref: 00FE8243
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00FE8279
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 00FE82C3
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,9F3ADAE5), ref: 00FE84F8
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00FE8732
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00FE8871

Strings

UserDomain, xrefs: 00FE8274, 00FE82BE
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00FE874D
Software, xrefs: 00FE8518

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Close$EnvironmentNameUserVariable$ErrorLast
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 938064350-4079418357
Opcode ID: 5e200a52986ad910449d50cf85ea3fcb4f24539c751ef05239281e8939b435c1
Instruction ID: 2aaf0e68423e35feded18190492e8e7e9c56e778bc3fe6aaa21bf048ea084643
Opcode Fuzzy Hash: 5e200a52986ad910449d50cf85ea3fcb4f24539c751ef05239281e8939b435c1
Instruction Fuzzy Hash: 3F228D70D00249DFEB14EFA9CD95BEEBBB4AF14304F208159E819B7280DB746A85DB91

Function 00FA4D70 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FA4DB8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FA4DC5
GetLastError.KERNEL32 ref: 00FA4DCF
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00FA4DF9
GetLastError.KERNEL32 ref: 00FA4DFF
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 00FA4E25
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FA4E58
EqualSid.ADVAPI32(00000000,?), ref: 00FA4E67
FreeSid.ADVAPI32(?), ref: 00FA4E76
FindCloseChangeNotification.KERNEL32(00000000), ref: 00FA4EB0

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID:
API String ID: 2037597787-0
Opcode ID: cfcf7f1adcde4911fb21dbc33385fe55c7388f7650aff8e70a4a9d3c300aae54
Instruction ID: 3d54bb50c5c3c3e1ded2c35230c972e56a967b837cdaa82c752bdec61e50f228
Opcode Fuzzy Hash: cfcf7f1adcde4911fb21dbc33385fe55c7388f7650aff8e70a4a9d3c300aae54
Instruction Fuzzy Hash: 55414CB1D00219EFDF20DFA5C889BEEBBB8FF09724F104119E911B6290D779A944DB64

Function 00F664F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F66531
GetSysColor.USER32(00000011), ref: 00F66854

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

LoadLibraryExW.KERNEL32(?,00000000,00000000,010BD25D,000000FF), ref: 00F66604

Strings

UxTheme.dll, xrefs: 00F6650C, 00F665DF, 00F665E0, 00F66674

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$ColorDirectoryFindHeapLibraryLoadProcessResourceSystem
String ID: UxTheme.dll
API String ID: 3874013222-352951104
Opcode ID: e924529715d445f6c3e03b30fef4eba85cbce93af017c8b413e2d2d53b1ee991
Instruction ID: 45e3b1fa83b19cc6a56efe70b5e25b129aef7ad717250d30515fab8de7618730
Opcode Fuzzy Hash: e924529715d445f6c3e03b30fef4eba85cbce93af017c8b413e2d2d53b1ee991
Instruction Fuzzy Hash: 61A18BB0900645EFE714CF68C918B9ABBF4FF04318F14865DD8299B681D7BAA618CF90

Function 00FDBC30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FDBD0A

Strings

\, xrefs: 00FDBC8C
\, xrefs: 00FDBCAE
\, xrefs: 00FDBC84

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: e142cd543cc106f0dc037825da54f614e8998aa2be03d44136a7aa94388eb0a8
Instruction ID: 94e1d7df19616b1d837944bcb1e65c122f0aa1528185dddb2199b1b69c66a6a8
Opcode Fuzzy Hash: e142cd543cc106f0dc037825da54f614e8998aa2be03d44136a7aa94388eb0a8
Instruction Fuzzy Hash: AF41F522E14315C6CB309F248040AABB7F6FF95364F1A4A2FE8D897240E7318D84A3C6

Function 00FB1850 Relevance: 6.3, APIs: 4, Instructions: 315COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000000,?,00000100), ref: 00FB194C
LoadStringW.USER32(?,00000000,?,00000001), ref: 00FB1A6D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 04af7425337961d398a697bf9e6bde9790df9b209e8535e5121683847978ae1d
Instruction ID: 5eb511f61db72677a6734b92f926244f297bba9206fa9e0b428fe5c0f4e6b4bf
Opcode Fuzzy Hash: 04af7425337961d398a697bf9e6bde9790df9b209e8535e5121683847978ae1d
Instruction Fuzzy Hash: 6CC19F71D00249DBDB04CFA8C955BEEBBB5FF44314F648229E815BB280EB746A44DB90

Function 00EA3E40 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000003,00000001,9F3ADAE5,?,?,?,?,0108A654,000000FF), ref: 00EA3E81
GetWindowLongW.USER32(00000003,000000FC), ref: 00EA3E96
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00EA3EA8
DeleteCriticalSection.KERNEL32(?,9F3ADAE5,?,?,?,?,0108A654,000000FF), ref: 00EA3ED3

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$CriticalDeleteKillSectionTimer
String ID:
API String ID: 1032004442-0
Opcode ID: 3a844b56e053e25e60a80b7c36545d378054b06b75ab043cd4bf5deaf1e10ed1
Instruction ID: 284b3c79bfcce182e3592091d225f0963a99c9e27911ed59568ce835872cdcef
Opcode Fuzzy Hash: 3a844b56e053e25e60a80b7c36545d378054b06b75ab043cd4bf5deaf1e10ed1
Instruction Fuzzy Hash: 6531A171A04346AFDB24DF34C908B9ABBB8FF19724F104269F864A7681D771EA10DB90

Function 0105C722 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00FD3A1E,?,?), ref: 0105C727
HeapAlloc.KERNEL32(00000000,?,?), ref: 0105C72E
GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 0105C774
HeapFree.KERNEL32(00000000,?,?), ref: 0105C77B

Part of subcall function 0105C5C0: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0105C76A,?,?,?), ref: 0105C5E4
Part of subcall function 0105C5C0: HeapAlloc.KERNEL32(00000000,?,0105C76A,?,?,?), ref: 0105C5EB

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: d6b844a285e3af842bedd25809266f8ef36c8d3bf1b47e38a6b8ad11b3553848
Instruction ID: e7df133059ff0dec7b060370594d760be020093147b656068339fa09fa6803fc
Opcode Fuzzy Hash: d6b844a285e3af842bedd25809266f8ef36c8d3bf1b47e38a6b8ad11b3553848
Instruction Fuzzy Hash: 7CF0B473604B129BEBF52BBEBA0CA5B3DECAF80E657114418F9C2CA644DF24C8418B50

Function 00FA9830 Relevance: 4.6, APIs: 3, Instructions: 93fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00FA98CD
FindClose.KERNEL32(00000000), ref: 00FA992C

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: d8f83c131935cd1bf26252c61133d72cac987d3451e733cf9ac69d309367555c
Instruction ID: 6a8c947cc029766ed54b3390b01323a5465903748eaee2b567af81df4de7ccfe
Opcode Fuzzy Hash: d8f83c131935cd1bf26252c61133d72cac987d3451e733cf9ac69d309367555c
Instruction Fuzzy Hash: 3131E6B1D08218AFDB34DF15C848B5AB7F4EF4A724F10416DE959A7380D7B55D44DB80

Function 00FFCE10 Relevance: 3.1, Strings: 2, Instructions: 615COMMON

Download Yara Rule

Strings

{Binary Data}, xrefs: 00FFD1B8
Name, xrefs: 00FFD283

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Name${Binary Data}
API String ID: 0-874704490
Opcode ID: 67b285b0150bd573f4d84cccef9ed91eaaadec0002b6e436b4a7a8260a780367
Instruction ID: 5291d1d2155faec597e53c082def7759ce7ae1600474f4fb495cb48df15154a6
Opcode Fuzzy Hash: 67b285b0150bd573f4d84cccef9ed91eaaadec0002b6e436b4a7a8260a780367
Instruction Fuzzy Hash: AD522671D00259DFDB24DF68C984BEDBBB5AF58304F1081E9E509B7291EB70AA84DF90

Function 00FE9830 Relevance: 3.1, APIs: 2, Instructions: 86filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,9F3ADAE5,9F3ADAE5,?,?,?,?,00000000), ref: 00FE98B9
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,9F3ADAE5,9F3ADAE5,?,?,?,?,00000000,010D5045), ref: 00FE98DA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: d95dc3b1148a75676ec4d8f050da5ab64e21d8828ca442f6f10ff2e5ff0ce527
Instruction ID: 8f1b28fc609957909e71568643bb477e9f6f3dd16ddcf637f886abdf5ab7a7df
Opcode Fuzzy Hash: d95dc3b1148a75676ec4d8f050da5ab64e21d8828ca442f6f10ff2e5ff0ce527
Instruction Fuzzy Hash: C0312531A88745AFE730CF15CC05B99BFA4EB01730F10826EF9A5AB6D0C7B5A900CB50

Function 00EBC5D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00EBC5E8
SetUnhandledExceptionFilter.KERNEL32(00FA87F0), ref: 00EBC5FE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 09533c986bb65b12eb333f12c07ea1c6eecf9cafc90747b7882a0748159399f7
Instruction ID: e41b802444a9faf7cd81480cd4f9ec4588ddce3f36558eb2c36c6c055cb40a65
Opcode Fuzzy Hash: 09533c986bb65b12eb333f12c07ea1c6eecf9cafc90747b7882a0748159399f7
Instruction Fuzzy Hash: 9DE026B2D043146AD3215360E808F5B3F98ABA2B50F048094F68067240C7B49841D372

Function 00FEF850 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 9b316c2c0222088d8e0a74d95d920bc6fe965164eed4a87633e0f62bf29e71d3
Instruction ID: 9e2974e61d6b7d1c4daefe5bc8b4b3b26f514f6a6c4cd8af0f7190fa8e5d4b5f
Opcode Fuzzy Hash: 9b316c2c0222088d8e0a74d95d920bc6fe965164eed4a87633e0f62bf29e71d3
Instruction Fuzzy Hash: 116159B0500744DFE710CF25C50838AFBF0BF09318F148A6DD599AB782D7B9A649DB81

Function 00FAEF00 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00FAEF70
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00FAEFAB
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00FAF026
RegCloseKey.KERNEL32(00000000), ref: 00FAF1FE

Strings

Embedded(Restricted), xrefs: 00FAF157
Blade, xrefs: 00FAF140
Personal, xrefs: 00FAF129
DataCenter, xrefs: 00FAF10F
EmbeddedNT, xrefs: 00FAF0F6
CommunicationServer, xrefs: 00FAF0AB
Compute Server, xrefs: 00FAF19C
ProductType, xrefs: 00FAEFA0
Security Appliance, xrefs: 00FAF16E
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00FAEF66
Enterprise, xrefs: 00FAF079
Terminal Server, xrefs: 00FAF0C4
Small Business, xrefs: 00FAF060
WinNT, xrefs: 00FAEFB1
BackOffice, xrefs: 00FAF092
ServerNT, xrefs: 00FAEFD4
Small Business(Restricted), xrefs: 00FAF0DD
ProductSuite, xrefs: 00FAF01B
Storage Server, xrefs: 00FAF185

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: e73346bbbd5d8ce6c03d9acec149d3ade13fef72c92a3e1656a16736283755db
Instruction ID: 02142cbe7ec306ebf9cdfd38f3f7f7a972d296006a9df548f2f3aff8c1d4dac1
Opcode Fuzzy Hash: e73346bbbd5d8ce6c03d9acec149d3ade13fef72c92a3e1656a16736283755db
Instruction Fuzzy Hash: 8471FA71F00309CAEB24DB61CE407AB7265EF42354F1081B59916AF282F778DD49AF80

Function 00FAEB70 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 224
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00FAEBDE
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00FAEC25
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00FAEC44
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00FAEC73
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00FAECE8
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00FAED62
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00FAEDB4
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00FAEE48
GetProcAddress.KERNEL32(00000000), ref: 00FAEE4F
__Init_thread_footer.LIBCMT ref: 00FAEE63
GetCurrentProcess.KERNEL32(?), ref: 00FAEE86
IsWow64Process.KERNEL32(00000000), ref: 00FAEE8D
RegCloseKey.ADVAPI32(00000000), ref: 00FAEEC7

Strings

CurrentMinorVersionNumber, xrefs: 00FAEC39
CurrentVersion, xrefs: 00FAEC68
CSDVersion, xrefs: 00FAEDA9
CurrentMajorVersionNumber, xrefs: 00FAEC1A
kernel32, xrefs: 00FAEE43
IsWow64Process, xrefs: 00FAEE3E
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00FAEBD4
CurrentBuildNumber, xrefs: 00FAECDD
ReleaseId, xrefs: 00FAED57

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 1906320730-3583743485
Opcode ID: 94d0ef8af61c0b23761d6cf5a395985d2b1695e8ffef045f67b4ed53ff925d8e
Instruction ID: be7a027ceb70cd433991c450c3ff108682980fbb2712f353650abf98bbca4471
Opcode Fuzzy Hash: 94d0ef8af61c0b23761d6cf5a395985d2b1695e8ffef045f67b4ed53ff925d8e
Instruction Fuzzy Hash: D29190B1D003289EDB35CF54CC45BEAB7B5FB45B20F0042EAE819A7280EB759A94CF54

Function 00F90780 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 327
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

MoveFileW.KERNEL32(?,?), ref: 00F908FA
GetModuleHandleW.KERNEL32(kernel32,?), ref: 00F9093C
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00F90984
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00F909DC
__Init_thread_footer.LIBCMT ref: 00F909EC
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F90A34
__Init_thread_footer.LIBCMT ref: 00F90994

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

__Init_thread_footer.LIBCMT ref: 00F90A44

Part of subcall function 00F664F0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F66531

Strings

@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00F907F2
kernel32.dll, xrefs: 00F90B3F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00F90810, 00F9081F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00F90817
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00F907F7, 00F907FF
kernel32, xrefs: 00F90937
SetDllDirectory, xrefs: 00F909D6
SetDefaultDllDirectories, xrefs: 00F90A2E
SetSearchPathMode, xrefs: 00F9097E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$AddressProc$CriticalSection$ConditionDirectoryEnterFileHandleHeapLeaveModuleMoveProcessSystemVariableWake
String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
API String ID: 3437638698-3455668873
Opcode ID: f44bd0ed9d77159cd275ed9296ccb53555af5c8d03b3291964db35a0b8de1ac0
Instruction ID: 698baa63047a65153f60e0d92ae1012e8ab65db9770b7a112b177139d751402a
Opcode Fuzzy Hash: f44bd0ed9d77159cd275ed9296ccb53555af5c8d03b3291964db35a0b8de1ac0
Instruction Fuzzy Hash: 80E17AB09003899FDF2ADF54DA49B9E7BF4BF05314F148119E818AB281DBB49A48CF91

Function 00FC4C60 Relevance: 25.5, APIs: 10, Strings: 4, Instructions: 1007threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00FC4E30
SetLastError.KERNEL32(0000000E), ref: 00FC4E4D
GetCurrentThreadId.KERNEL32 ref: 00FC4E65
EnterCriticalSection.KERNEL32(0118297C), ref: 00FC4E82
LeaveCriticalSection.KERNEL32(0118297C), ref: 00FC4EA5
DialogBoxParamW.USER32(000007D0,00000000,00EFC5E0,00000000), ref: 00FC4EC2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FC5074
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00FC50A8

Part of subcall function 00F92490: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,0117D68C,00FDDE10,?), ref: 00F924A8
Part of subcall function 00F92490: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00F924DA

SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00FC527D
SetEvent.KERNEL32(?,?,00000000,?), ref: 00FC52EF

Part of subcall function 00FD2050: DeleteFileW.KERNEL32(?,?,?,?,?,00FC531F,?), ref: 00FD207B

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Strings

FILES.7z, xrefs: 00FC5513
v, xrefs: 00FC4EA5
Advinst_Extract_, xrefs: 00FC500B, 00FC5020, 00FC502A
Code returned to Windows by setup:, xrefs: 00FC5961

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDeleteDialogEnterErrorFileHeapLastLeaveParamProcessThreadWindow
String ID: v$Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
API String ID: 2923632737-2516696193
Opcode ID: 72dd87cfa4d78117b60f6ae6fddc2cafc3d8b5fd9c150fc64d383df26054b7ef
Instruction ID: c60deb5c42f6e13dad2b92b6d5119a06fc8a9d6b2f076994151bfe5ccea98f91
Opcode Fuzzy Hash: 72dd87cfa4d78117b60f6ae6fddc2cafc3d8b5fd9c150fc64d383df26054b7ef
Instruction Fuzzy Hash: D192F230D00249DFDB14DBA8CD49BDEBBB4AF45310F1481ADE409AB292DB74AE84DF91

Function 00FC4FA0 Relevance: 25.3, APIs: 3, Strings: 11, Instructions: 774COMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FC5074
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00FC50A8

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

Strings

Language of a related product is:, xrefs: 00FC5D5C
A valid language was received from commnad line. This is:, xrefs: 00FC5B5A
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00FC5CF4
Software\Caphyon\Advanced Installer\, xrefs: 00FC5CE0
Language selected programatically for UI:, xrefs: 00FC5E12
%hu, xrefs: 00FC5B88
Language used for UI:, xrefs: 00FC5E8E
AI_BOOTSTRAPPERLANGS, xrefs: 00FC6710, 00FC6722, 00FC672C
Advinst_Extract_, xrefs: 00FC500B, 00FC5020, 00FC502A
Languages of setup:, xrefs: 00FC696B
Code returned to Windows by setup:, xrefs: 00FC5961

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 1419962739-297406034
Opcode ID: 3d8e4fa59efac35dcb579d070d0d4ca3ee12af51702cc0794f4a11025f4416cc
Instruction ID: d4c26c418894e0e5374ebd85a142eb761224d087dd08a88f3033e224d4c5794b
Opcode Fuzzy Hash: 3d8e4fa59efac35dcb579d070d0d4ca3ee12af51702cc0794f4a11025f4416cc
Instruction Fuzzy Hash: B352167090160A9FDB14DF68CD46FEEB7B4EF41720F1841ACE819AB291DB74AE44CB90

Function 00FD39B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 179
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00FD39EA
SetLastError.KERNEL32(0000000E,?,?), ref: 00FD3A27
GetCurrentThreadId.KERNEL32 ref: 00FD3AB2
SetWindowTextW.USER32(?,00000000), ref: 00FD3B3C
GetDlgItem.USER32(?,000003E9), ref: 00FD3B46
SetWindowTextW.USER32(00000000,?), ref: 00FD3B52
GetDlgItem.USER32(?,00000002), ref: 00FD3BBF
SetWindowTextW.USER32(00000000,?), ref: 00FD3BC7

Part of subcall function 00FCB180: GetDlgItem.USER32(?,00000002), ref: 00FCB1A0
Part of subcall function 00FCB180: GetWindowRect.USER32(00000000,?), ref: 00FCB1B6
Part of subcall function 00FCB180: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00FD3A0A,?,?), ref: 00FCB1CF
Part of subcall function 00FCB180: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00FD3A0A,?,?), ref: 00FCB1DA
Part of subcall function 00FCB180: GetDlgItem.USER32(00000000,000003E9), ref: 00FCB1EC
Part of subcall function 00FCB180: GetWindowRect.USER32(00000000,?), ref: 00FCB202
Part of subcall function 00FCB180: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00FD3A0A), ref: 00FCB245

Strings

v, xrefs: 00FD3A8D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
String ID: v
API String ID: 127311041-3261393531
Opcode ID: df9b4f1a9e8220b5718d83e31bbd2c988e58b241bab92c245452b1382448a68e
Instruction ID: 0ce0cf3042b7663e5f81eef4db6643aa49f4e99b61895d53df9178e20a4d5f2b
Opcode Fuzzy Hash: df9b4f1a9e8220b5718d83e31bbd2c988e58b241bab92c245452b1382448a68e
Instruction Fuzzy Hash: A5612531900600DFDB21EF68C848B49BBF5FF44320F18826AF969AB391D774AA44CF91

Function 0105C4B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,0105C7FA,0117BF04,00000000,?,?,00FE9771,?), ref: 0105C4C6
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,0105C7FA,0117BF04,00000000,?,?,00FE9771,?), ref: 0105C4DB
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00FE9771,?), ref: 0105C557

Strings

atlthunk.dll, xrefs: 0105C4D6
AtlThunk_InitData, xrefs: 0105C503
AtlThunk_AllocateData, xrefs: 0105C4EC
AtlThunk_DataToCode, xrefs: 0105C51A
AtlThunk_FreeData, xrefs: 0105C531

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 9a75980ca9757df097d51c171ca210b9e197ea49d8f34be308986405b9e8fbb1
Instruction ID: 32b4c907fc96bfc5e40af184d5c062d306bc6db66f486fd7947b90ab4750a27e
Opcode Fuzzy Hash: 9a75980ca9757df097d51c171ca210b9e197ea49d8f34be308986405b9e8fbb1
Instruction Fuzzy Hash: 3201C831644315AFEB95D75A9E0AFCB3FE88B11D0CF040094FEC57B365DBA686C88689

Function 00FB3910 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 290
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FAE990: __Init_thread_footer.LIBCMT ref: 00FAEA70

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,9F3ADAE5,00000000,00000000,?), ref: 00FB396B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 00FB3AFD
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 00FB3B97
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 00FB3BB9
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 00FB3BE5
DeleteFileW.KERNEL32(?,9F3ADAE5,00000000,00000000,01084CA0,000000FF,?,80070057,80004005,?), ref: 00FB3C9D

Strings

shim_clone, xrefs: 00FB3AF7

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Wow64$File$Redirection$CopyDeleteDisableFolderInit_thread_footerNamePathRevertTemp
String ID: shim_clone
API String ID: 896069032-3944563459
Opcode ID: 182d31f5f4ae55886a172e71ff0b8ab9f744f83e2574ac92394a486b97c7cd28
Instruction ID: 9f16d1394329610c7cdebb74c7892fd7a069aaf7b9d3cbad7a66954544294bd2
Opcode Fuzzy Hash: 182d31f5f4ae55886a172e71ff0b8ab9f744f83e2574ac92394a486b97c7cd28
Instruction Fuzzy Hash: D3A1D1B4A402589FDB24EB65CC44BEAB7F8EF44310F1480ADE94AA7281DB74AF44DF54

Function 00F90DB0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F90DB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,9F3ADAE5,00000000,?,010C4546,000000FF), ref: 00F90CF8

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

FreeLibrary.KERNEL32(00000001,9F3ADAE5,?,00000001,?,?,?), ref: 00F90F47
EnterCriticalSection.KERNEL32(0117D628), ref: 00F90F62
DestroyWindow.USER32(00000000), ref: 00F90F80
LeaveCriticalSection.KERNEL32(0117D628), ref: 00F90FC9

Strings

v, xrefs: 00F90FC9
%s%lu, xrefs: 00F90E2D
.local, xrefs: 00F90D64

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalInit_thread_footerSection$DestroyEnterFileFreeHeapLeaveLibraryModuleNameProcessWindow
String ID: v$%s%lu$.local
API String ID: 3496055493-1141559199
Opcode ID: 74f12c88310a7527799d28415310a2e13c84de5586dc1cce136451077952a9a2
Instruction ID: b07a48e3fcb267d75fb5505062ddcf1bb5dd0f19b3a242167c26bf1ed9126ff4
Opcode Fuzzy Hash: 74f12c88310a7527799d28415310a2e13c84de5586dc1cce136451077952a9a2
Instruction Fuzzy Hash: 0391E071A00205DFEB20DFA8C844B6ABBF4FF04724F14866DE859AB381DB75A944CB91

Function 00E9A130 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(0000000E,9F3ADAE5,?,?,00000000,?), ref: 00E9A16E
GetCurrentThreadId.KERNEL32 ref: 00E9A1AF
EnterCriticalSection.KERNEL32(0118297C), ref: 00E9A1CF
LeaveCriticalSection.KERNEL32(0118297C), ref: 00E9A1F3
CreateWindowExW.USER32(00000000,00000000,00000000,0118297C,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 00E9A24E

Part of subcall function 0105C722: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00FD3A1E,?,?), ref: 0105C727
Part of subcall function 0105C722: HeapAlloc.KERNEL32(00000000,?,?), ref: 0105C72E

Strings

AXWIN UI Window, xrefs: 00E9A2C5
v, xrefs: 00E9A1F3

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: v$AXWIN UI Window
API String ID: 213679520-2690018532
Opcode ID: 90f389ec9696c66b092cb612d41b3c428a482fdd550dfe18daebf0f5eba56af3
Instruction ID: b8d01d2709665b1136d6c22c04b347f952fb7ca38fcf8d76d2ed059a7133bf4e
Opcode Fuzzy Hash: 90f389ec9696c66b092cb612d41b3c428a482fdd550dfe18daebf0f5eba56af3
Instruction Fuzzy Hash: 3451A271A04305AFDB21DF59DD05BAABBF4FF88B14F14812AFD54A7280D776A810CBA1

Function 00FACBB0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,9F3ADAE5,?,?,00000000), ref: 00FACBEE
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FACC11
GetSystemMetrics.USER32(0000000C), ref: 00FACC4C
GetSystemMetrics.USER32(0000000B), ref: 00FACC62
FreeLibrary.KERNEL32(00000000), ref: 00FACC8F

Strings

ComCtl32.dll, xrefs: 00FACBE2
LoadIconMetric, xrefs: 00FACC0B

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: LibraryMetricsSystem$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 499052680-764666640
Opcode ID: 4b1482ffc298ebe89ea25741cbc8851ff36346499d0c4e17969cfb10dfaef6ca
Instruction ID: 04fcba79178b326b4795d631956a6c6b7550f9028f8c9f73b4544df5fe1520f6
Opcode Fuzzy Hash: 4b1482ffc298ebe89ea25741cbc8851ff36346499d0c4e17969cfb10dfaef6ca
Instruction Fuzzy Hash: FB3150B1E04259ABDB15CF95DC44BAFBFF8EB49764F00416AF919A7380D7B989008B90

Function 00FED630 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(010D5D7D,-00000400,?,00000002,00000400,9F3ADAE5,?,?,?), ref: 00FED6D6
GetLastError.KERNEL32(?,?), ref: 00FED6E4
ReadFile.KERNEL32(010D5D7D,00000000,00000400,?,00000000,?,?), ref: 00FED6FF

Strings

ADVINSTSFX, xrefs: 00FED733, 00FED7EE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: d92b57a09ad78bef378b27b336093813c53c5a2fd180222c5fab8fd24780bc5a
Instruction ID: 45e2a0b5af61ca311b3c30632c280218271f9b6224e657a30611d98e63381887
Opcode Fuzzy Hash: d92b57a09ad78bef378b27b336093813c53c5a2fd180222c5fab8fd24780bc5a
Instruction Fuzzy Hash: 9761C371E002499BDB10CF6AC884BBEBBB6FF45324F244255E915AB680D7359D41DBA0

Function 00E99E81 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00E99F20
GetWindowLongW.USER32(?,000000FC), ref: 00E99F35
CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00E99F4B
GetWindowLongW.USER32(?,000000FC), ref: 00E99F65
SetWindowLongW.USER32(?,000000FC,?), ref: 00E99F75

Strings

$, xrefs: 00E99EC9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 35335d0d60434a473476fc5520e9ab1cf5ad33d8162ac2137978832140b35178
Instruction ID: 0a208ebf87f7eb858137a03207f2fdb83774c6960abcd14e439da1caade964f0
Opcode Fuzzy Hash: 35335d0d60434a473476fc5520e9ab1cf5ad33d8162ac2137978832140b35178
Instruction Fuzzy Hash: A341F171208700AFC724DF19C884A1BFBF5FB89724F505A2EF5A6876A1D772E8448B51

Function 00EA4650 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(9F3ADAE5,9F3ADAE5,?), ref: 00EA468F
EnterCriticalSection.KERNEL32(?,9F3ADAE5,?), ref: 00EA469C
KillTimer.USER32(?,00000001), ref: 00EA46E4
SetTimer.USER32(?,00000001,?,00000000), ref: 00EA475C
LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00EA4773

Strings

v, xrefs: 00EA4773

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Timer$EnterInitializeKillLeave
String ID: v
API String ID: 160562401-3261393531
Opcode ID: 69e702f8dce53e0946e300b3c9c7b974ae5f8a972092a820e17d84a949fc79e7
Instruction ID: 697dca65a495f6ce665683bfa13624bc748b7805ec38c99c002b88c9e68cbe4e
Opcode Fuzzy Hash: 69e702f8dce53e0946e300b3c9c7b974ae5f8a972092a820e17d84a949fc79e7
Instruction Fuzzy Hash: 3F41E4B42007418FDB21DF38D840BAABBB5EF9B314F10552AE596AB381CB71B9158B50

Function 00FCB180 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00FCB1A0
GetWindowRect.USER32(00000000,?), ref: 00FCB1B6
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00FD3A0A,?,?), ref: 00FCB1CF
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00FD3A0A,?,?), ref: 00FCB1DA
GetDlgItem.USER32(00000000,000003E9), ref: 00FCB1EC
GetWindowRect.USER32(00000000,?), ref: 00FCB202
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00FD3A0A), ref: 00FCB245

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 18aef61c56c05b08b5c6b74aa122701ce5886da22a513b1cfbea9838fd7e4e08
Instruction ID: ff7bf37c197489f4ef80dbbdba5f0fc5e309cbc3b968a2dad68600f3af6b798a
Opcode Fuzzy Hash: 18aef61c56c05b08b5c6b74aa122701ce5886da22a513b1cfbea9838fd7e4e08
Instruction Fuzzy Hash: 10213B71608301AFE314DF24D949A6B7BE9EF8D710F00862DF859D7291E730DD818B56

Function 00FA9DA0 Relevance: 9.2, APIs: 6, Instructions: 234COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,9F3ADAE5,?,?,?,?,?,?,010C8765,000000FF,?,00FCE484,?,?,?), ref: 00FA9DEB
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0110525C,00000001,?), ref: 00FA9EAA
GetLastError.KERNEL32 ref: 00FA9EB8

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: f8fcb438fa70853aa2ea29165e968edca3534ce40c7621a2e618e3744c43f9c5
Instruction ID: ff2db0945206780a9ae9fa3de08284cf8592d387fd2ea39f9ed0586887347fe2
Opcode Fuzzy Hash: f8fcb438fa70853aa2ea29165e968edca3534ce40c7621a2e618e3744c43f9c5
Instruction Fuzzy Hash: 1D81D171E046089FDB10DFA8C885B9DBBF4EF06320F244269E924E72D0DB759904CBA0

Function 00FD3BF0 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00FEF6B0,01111934,00000000,?), ref: 00FD3C6D
GetLastError.KERNEL32 ref: 00FD3C7A
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00FD3CA3
GetExitCodeThread.KERNEL32(00000000,?), ref: 00FD3CBD
TerminateThread.KERNEL32(00000000,00000000), ref: 00FD3CD5
CloseHandle.KERNEL32(00000000), ref: 00FD3CDE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 4004970c65e3f55e992283aeab7b93ada728255aac72a738064f5a4c659a1037
Instruction ID: e83e8849542349dcfd427cdbe1c1ca399bc195c3950392b8edcfa0e75841dad4
Opcode Fuzzy Hash: 4004970c65e3f55e992283aeab7b93ada728255aac72a738064f5a4c659a1037
Instruction Fuzzy Hash: C131C775910209AFDF20DFA5C908BDDBBF5FB08724F504229E960BB290D7799A04CBA5

Function 00FB3F30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,010D0985,9F3ADAE5,?,?,00000000,?,?,00000000,010D0985,000000FF,?,80004005,9F3ADAE5,?), ref: 00FB3F95
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,00000000,?,?,00000000,010D0985,000000FF,?,80004005,9F3ADAE5,?), ref: 00FB3FE3

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 00FB404D
\VarFileInfo\Translation, xrefs: 00FB4017
ProductName, xrefs: 00FB4043

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: 491f1e139ec344d88720150a709563ee09ca5b66110a323748ad9cadfc74dcff
Instruction ID: 5e8c34c46ed8f184f55a8020e964890c03b9e8ed5a354ace6e7f0b90de3d9d79
Opcode Fuzzy Hash: 491f1e139ec344d88720150a709563ee09ca5b66110a323748ad9cadfc74dcff
Instruction Fuzzy Hash: C761B171D001099FDB14EFA9C948AEEBBF8FF14320F144169E915A7292EB34AD04DFA0

Function 00FB3E20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3910: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,9F3ADAE5,00000000,00000000,?), ref: 00FB396B

GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,9F3ADAE5,00000000,?,?,00000000,010C9E75,000000FF,Shlwapi.dll,00FB3DD6,?,?,?), ref: 00FB3E6D
GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 00FB3E99
GetLastError.KERNEL32(?,?), ref: 00FB3EDE
DeleteFileW.KERNEL32(?), ref: 00FB3EF1

Strings

Shlwapi.dll, xrefs: 00FB3E20, 00FB3E58

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID: Shlwapi.dll
API String ID: 2825328469-1687636465
Opcode ID: dc6e1793ed036bf8ee9deaf7a72b573874bd1bff8399780c955147aef9558c6e
Instruction ID: 3e75ccb7fabba490b9c36c0e03d27f55f589ff89f3af0e5fc6e31bf15a54039f
Opcode Fuzzy Hash: dc6e1793ed036bf8ee9deaf7a72b573874bd1bff8399780c955147aef9558c6e
Instruction Fuzzy Hash: 6E317071E05219EBDB15CFA6C844BEFBBB8EF08720F14416AE805A3240D7759A44DFA1

Function 00EA4480 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,9F3ADAE5), ref: 00EA44EA
EnterCriticalSection.KERNEL32(?,9F3ADAE5), ref: 00EA44F7
SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 00EA452D
LeaveCriticalSection.KERNEL32(?), ref: 00EA4548

Strings

v, xrefs: 00EA4548

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveTimer
String ID: v
API String ID: 3379552715-3261393531
Opcode ID: 4a237c144d706259bfe0baf0672b1e5b32c2c8586a4af1d3368c917866a274f2
Instruction ID: c0e83b71306c361e15719c8f3b89aa171cd96d33d769611afda3ef7be3459b92
Opcode Fuzzy Hash: 4a237c144d706259bfe0baf0672b1e5b32c2c8586a4af1d3368c917866a274f2
Instruction Fuzzy Hash: 792105729002449FDF11DF64D840BE9BFB4FB5A328F5001A9EC99AF386C7326905CB60

Function 00F88D70 Relevance: 7.7, APIs: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,9F3ADAE5,?,?,00000000,?,?,?,?,?,?,?,?,00000000,010C306D,000000FF), ref: 00F88DA0
GetWindowRect.USER32(?,?), ref: 00F88DC0
IsWindowEnabled.USER32(?), ref: 00F88DF1
GetFocus.USER32 ref: 00F88DFF
DeleteDC.GDI32(?), ref: 00F88F15

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$DeleteEnabledFocusRect
String ID:
API String ID: 733580484-0
Opcode ID: 9b6d838060e7123a38542ab2d1ab47d07c1a562d1b84e008363dec388540f702
Instruction ID: 9bde21d40ad2374808bab61d9cd4c4ad49c19a12db1378803d5e8548e0c37209
Opcode Fuzzy Hash: 9b6d838060e7123a38542ab2d1ab47d07c1a562d1b84e008363dec388540f702
Instruction Fuzzy Hash: E8513871E04649EFDB24DFA4C948BEEBBF8FF08310F144129E456A7290DB716945DB24

Function 00FAA670 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00FAA691
PeekMessageW.USER32(?,00000000), ref: 00FAA6D7
TranslateMessage.USER32(00000000), ref: 00FAA6E2
DispatchMessageW.USER32(00000000), ref: 00FAA6E9
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00FAA6FB

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: cda51f842aa2acc906f0751ffcdf439e95f839640ec5daab71f6a656ebd7d971
Instruction ID: 1093f51cdcde6750e888144c1e3ee69ed22fbe34a4c31459748379a9d27f069f
Opcode Fuzzy Hash: cda51f842aa2acc906f0751ffcdf439e95f839640ec5daab71f6a656ebd7d971
Instruction Fuzzy Hash: 42112971A443097AE620DA51AC81FA7B7ECEB89774F500636FB10D62C0D771E9C88B66

Function 00FCBC70 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,9F3ADAE5,?,00000010,?), ref: 00FCBF3A

Part of subcall function 00FA4D70: GetCurrentProcess.KERNEL32 ref: 00FA4DB8
Part of subcall function 00FA4D70: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FA4DC5
Part of subcall function 00FA4D70: GetLastError.KERNEL32 ref: 00FA4DCF
Part of subcall function 00FA4D70: FindCloseChangeNotification.KERNEL32(00000000), ref: 00FA4EB0

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

Strings

\\?\, xrefs: 00FCBF47
Extraction path set to:, xrefs: 00FCBF8D
[WindowsVolume], xrefs: 00FCBD00, 00FCBD12, 00FCBD1C

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Process$FindInit_thread_footer$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 2914359614-3538578949
Opcode ID: 0636210c8538a9985af7b04628973a7696a5b42faa043294c2415dfed9334784
Instruction ID: d1f751abbd531a86ddfee8695c8b3fd438055036a930426f4aa71424221c8d12
Opcode Fuzzy Hash: 0636210c8538a9985af7b04628973a7696a5b42faa043294c2415dfed9334784
Instruction Fuzzy Hash: 28C1E430900546DBDB10DFA8C946FAEF7F4AF45320F1482ADE819AB292DB74DD05CB91

Function 00FC3850 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 00FC36C0: GetTickCount.KERNEL32 ref: 00FC3744
Part of subcall function 00FC36C0: __Xtime_get_ticks.LIBCPMT ref: 00FC374C
Part of subcall function 00FC36C0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC3796

Part of subcall function 00FE8160: GetUserNameW.ADVAPI32(?,?), ref: 00FE81F5
Part of subcall function 00FE8160: GetLastError.KERNEL32 ref: 00FE81FB
Part of subcall function 00FE8160: GetUserNameW.ADVAPI32(?,?), ref: 00FE8243
Part of subcall function 00FE8160: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00FE8279
Part of subcall function 00FE8160: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 00FE82C3

__Init_thread_footer.LIBCMT ref: 00FC3981
GetCurrentProcess.KERNEL32(00000008,?,9F3ADAE5), ref: 00FC3B78
OpenProcessToken.ADVAPI32(00000000), ref: 00FC3B7F

Strings

\/:*?"<>|, xrefs: 00FC3941

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentNameProcessUserVariable$CountCurrentErrorInit_thread_footerLastOpenTickTokenUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 1521599615-3830478854
Opcode ID: 6dc9d1e406bd1d9d687661b055d33cfd88172184816a6f00f7cb04c75df1c84d
Instruction ID: a16dcdd5b127a5ae2455d5d487530ec6f79d0e1fe8e025d71292e0321f57f074
Opcode Fuzzy Hash: 6dc9d1e406bd1d9d687661b055d33cfd88172184816a6f00f7cb04c75df1c84d
Instruction Fuzzy Hash: A5B1F030D00249CFDB14DF68CA45BEEBBB0BF44714F24826CD859B7281DB34AA45CB91

Function 00FC33C0 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,9F3ADAE5,?,00000010,?,00FC6E40,?), ref: 00FC3426
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00FC346F
ReadFile.KERNEL32(00000000,9F3ADAE5,?,?,00000000,00000078,?), ref: 00FC34B1
FindCloseChangeNotification.KERNEL32(00000000), ref: 00FC352A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 1dc682df8f9d0ebd7951752a341e328429b2a240473f6be5ec6b71527bfbaab1
Instruction ID: 11710ea019eac9e62cbb73eb992bfa816cd619f0664f8b168912086ba1a6cc5f
Opcode Fuzzy Hash: 1dc682df8f9d0ebd7951752a341e328429b2a240473f6be5ec6b71527bfbaab1
Instruction Fuzzy Hash: D0518D71D0064A9BDB11CBA8CD49FEEFBB8EF44724F188259E421AB2D1D7749E04CB60

Function 00FCB110 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FCB119
DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,010CD7B0,000000FF), ref: 00FCB128
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00FCB146
IsWindow.USER32(?), ref: 00FCB155

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 29239971c0ce1b4b94521adfa02f72867408e5f329c76510234dee9f1199e1be
Instruction ID: 96fa87c87f122c0d49e18f87dcd011cadad165dcfc99d77e464b1bd670047f80
Opcode Fuzzy Hash: 29239971c0ce1b4b94521adfa02f72867408e5f329c76510234dee9f1199e1be
Instruction Fuzzy Hash: FDF0E2714097409AD734AB28EA09F83BBE17B48B10F04081CF19686A80C3B0F880CB18

Function 00FA9A20 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 345COMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

PathIsUNCW.SHLWAPI(?,?,?,?,00000000,00000000,010C86FF,000000FF), ref: 00FA9BB6

Strings

\\?\UNC\, xrefs: 00FA9AB1, 00FA9B29, 00FA9B2F
\\?\, xrefs: 00FA9B98, 00FA9B9E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 806983814-3019864461
Opcode ID: 8e2e73232341e03cf2837cbda4a8d567c38acadc381a304c02a0b680d5942340
Instruction ID: f6e8c5ad6176c9fda2f9578a2c619ad02ea03993411fa0f590b389df597061c2
Opcode Fuzzy Hash: 8e2e73232341e03cf2837cbda4a8d567c38acadc381a304c02a0b680d5942340
Instruction Fuzzy Hash: 04C194719046099FDB00DBA8CC45B9EF7F8FF49324F148269E515EB2D1DB789904CBA0

Function 01076F6C Relevance: 4.7, APIs: 3, Instructions: 202COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 0107711B

Part of subcall function 01074FC7: RtlAllocateHeap.NTDLL(00000000,0107CB1E,?,?,0107CB1E,00000220,?,?,?), ref: 01074FF9

__freea.LIBCMT ref: 01077130
__freea.LIBCMT ref: 01077140

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: f6a7ed31d09b629b28df57b0eae368f17e0132f387ce99295f5ad53769b83bec
Instruction ID: fb893df498f03dbc9631fb8d23c8ccdfcb20bb40e58a18cf10feda991591950c
Opcode Fuzzy Hash: f6a7ed31d09b629b28df57b0eae368f17e0132f387ce99295f5ad53769b83bec
Instruction Fuzzy Hash: 2751B572E00216AFFF619E689C88DFF3BEAEB54290F150568FD88D6110E631CC5087A8

Function 00FCEC90 Relevance: 4.7, APIs: 3, Instructions: 192fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,9F3ADAE5,?,?), ref: 00FCECF7
ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00FCEE04

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: bfc4079ab7a5c369442c9a05aa71647107884ab5b558ed79592484065676183f
Instruction ID: 2e7db98698d35866d918779b96cfda4191b7572a5edf819fe5159a1c42212bb2
Opcode Fuzzy Hash: bfc4079ab7a5c369442c9a05aa71647107884ab5b558ed79592484065676183f
Instruction Fuzzy Hash: C4617F71D006099FDB04DFA8C945B9DFBB4FF09720F14426EE825A7390EB75AA04CB91

Function 00FCC050 Relevance: 4.7, APIs: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,9F3ADAE5,?,00000000,?,80004005,?,00000000), ref: 00FCC0EE
GetLastError.KERNEL32 ref: 00FCC126
GetLastError.KERNEL32(?), ref: 00FCC1BF

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: b33400114bf64d93e5900403cdac34b7de967d157a93fc5f1878f9b16ea98078
Instruction ID: e3531638936cd710e9d82484d23c0ebd70f68cb6ca52b36e40e9b7ecabbfb72e
Opcode Fuzzy Hash: b33400114bf64d93e5900403cdac34b7de967d157a93fc5f1878f9b16ea98078
Instruction Fuzzy Hash: 5C51E031E006069FDB20DF69C942BAAF7B1FF45320F14462DE919E7291EB35A904DB80

Function 00FFC4D0 Relevance: 4.7, APIs: 3, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00FFD4E4,40000000,00000001,00000000,00000002,00000080,00000000,9F3ADAE5,?,00000001), ref: 00FFC532
WriteFile.KERNEL32(00000000,0000C800,0000C800,0000C800,00000000,?,0000C800), ref: 00FFC5C8
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00FFC63C

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 207adf2d0eeea3c62eb127702298315362cb3140aa2a402d8ee40cbaae062772
Instruction ID: 8ae20d458d7f41ff54619bf9fb3bffc5b4004d5fd354013b1f20fa985375fdf4
Opcode Fuzzy Hash: 207adf2d0eeea3c62eb127702298315362cb3140aa2a402d8ee40cbaae062772
Instruction Fuzzy Hash: 36518C7190021DAFDB14DFA8DD45BEEBBB9FF48710F144219E910BB290DB75AA00CBA4

Function 00FCAF10 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00FCA871), ref: 00FCAF10
EnableWindow.USER32(?,00000000), ref: 00FCAFA1
DestroyWindow.USER32(00000000,?,00000000), ref: 00FCAFC7

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$DestroyEnableErrorLast
String ID:
API String ID: 2755773105-0
Opcode ID: 465b41639499ea3c32a702b213d7380962c253dce4aebe3923621c229f12a737
Instruction ID: 21eb7f894f79a8f52a31f8462904e6a967eefb07d5f9930be6cc7d9875dc5c0f
Opcode Fuzzy Hash: 465b41639499ea3c32a702b213d7380962c253dce4aebe3923621c229f12a737
Instruction Fuzzy Hash: BF2127B1A1410E5BD720AE08E906FEA77A4EB54330F00026AFD14C7380C77AEC60E7E2

Function 00FAA1F0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,9F3ADAE5), ref: 00FAA390

Part of subcall function 00FAA450: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00FAA45D

Strings

USERPROFILE, xrefs: 00FAA23E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 1777821646-2419442777
Opcode ID: dd1a9ef23272a03662259a7eb40fbead2dbe432f357a00d95868ab01936df025
Instruction ID: aba6f3df5eb04fb648a449b9f99ae75c036bab9fb53746be806164f1a5f45fda
Opcode Fuzzy Hash: dd1a9ef23272a03662259a7eb40fbead2dbe432f357a00d95868ab01936df025
Instruction Fuzzy Hash: 1261D2B1A006099FDB14DF68C849BAEB7F4FF45320F14826DE819EB291DB759904CB92

Function 00E8A2A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00E8A0A0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?), ref: 00E8A0F6

FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

Part of subcall function 00E8A160: LoadResource.KERNEL32(00000000,00000000,9F3ADAE5,00000001,00000000,?,00000000,01084A00,000000FF,?,00E8A10C,9F3ADAE5,?,?,*.*,?), ref: 00E8A18B
Part of subcall function 00E8A160: LockResource.KERNEL32(00000000,?,00E8A10C,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?,?,*.*), ref: 00E8A196
Part of subcall function 00E8A160: SizeofResource.KERNEL32(00000000,00000000,?,00E8A10C,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?,?), ref: 00E8A1A4

Strings

*.*, xrefs: 00E8A2A0

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Resource$Find$LoadLockSizeof
String ID: *.*
API String ID: 3127896203-438819550
Opcode ID: 6cd2999a5806e6305089c4af3b684067eda135f08e6af9b277e3521e5a65ffee
Instruction ID: a0e2c5d15e237c663c6f0940611a9c372afdd7b3f933be9d16e31d37479446c9
Opcode Fuzzy Hash: 6cd2999a5806e6305089c4af3b684067eda135f08e6af9b277e3521e5a65ffee
Instruction Fuzzy Hash: 5D1101713001219FE710ABA8E88497FB3DDEF84714B18903BF54DEB251DA669C1287A2

Function 00E8A0A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0105C452: EnterCriticalSection.KERNEL32(0117BED0,?,?,?,00E8A0D7,00000000,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0), ref: 0105C45D
Part of subcall function 0105C452: LeaveCriticalSection.KERNEL32(0117BED0,?,?,?,00E8A0D7,00000000,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0), ref: 0105C489

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?), ref: 00E8A0F6

Part of subcall function 00E8A160: LoadResource.KERNEL32(00000000,00000000,9F3ADAE5,00000001,00000000,?,00000000,01084A00,000000FF,?,00E8A10C,9F3ADAE5,?,?,*.*,?), ref: 00E8A18B
Part of subcall function 00E8A160: LockResource.KERNEL32(00000000,?,00E8A10C,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?,?,*.*), ref: 00E8A196
Part of subcall function 00E8A160: SizeofResource.KERNEL32(00000000,00000000,?,00E8A10C,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?,?), ref: 00E8A1A4

Strings

*.*, xrefs: 00E8A0B2

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID: *.*
API String ID: 529824247-438819550
Opcode ID: 157e77ef46f882bfae28e3323a0b40d491d9d209d97fece4446cc0b2289f7d32
Instruction ID: efcabf2ee9ff79f1ad13c595b7c4169aa3fc5f14e2f60330d1b8e046f11d17c6
Opcode Fuzzy Hash: 157e77ef46f882bfae28e3323a0b40d491d9d209d97fece4446cc0b2289f7d32
Instruction Fuzzy Hash: 7C110172B086245BE7259A59AC41B7BB7E8E748A64F14027FED0EE7380EB359C004790

Function 00EB4700 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: EventMouseRedrawTrackWindow
String ID:
API String ID: 2912621452-0
Opcode ID: ca8f7c33717a38bf245b9c38ebb2575bfdb90dd3ccf9e16ccf67aa25576c0635
Instruction ID: 2036a43091cb560502b61e59ec23f73fd6a379f1c3c84ebcd31698e7442d5908
Opcode Fuzzy Hash: ca8f7c33717a38bf245b9c38ebb2575bfdb90dd3ccf9e16ccf67aa25576c0635
Instruction Fuzzy Hash: CC7129B26043058FDB24AF28D8847EBBBE5EB8432CF10462EF045A72D2D7359598CB52

Function 0107CD1A Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 0107C84A: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 0107C875

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0107CB61,?,00000000,?,?,?), ref: 0107CD7B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0107CB61,?,00000000,?,?,?), ref: 0107CDBD

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 63d6afedb55b4b198ce8d024d1558df242ea4ae7dd7c74cda90a76f7180aeefe
Instruction ID: 2810c0ae5ac81233c9c36e63a38499de74348514670c7f5bfbf9c1d0906eb7a6
Opcode Fuzzy Hash: 63d6afedb55b4b198ce8d024d1558df242ea4ae7dd7c74cda90a76f7180aeefe
Instruction Fuzzy Hash: 8A5105B0E002478FFB65CF39CA446EABBF5EF41300F1848AED1D68B252D6749946CB94

Function 00FEFB50 Relevance: 3.1, APIs: 2, Instructions: 131COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FEFBA1
EndDialog.USER32(00000000,00000001), ref: 00FEFBB0

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 1ee3b26e30daffc908f21cbbc0f75d29cd9e06e1f36db5d93ba5e4c322d4bc41
Instruction ID: 52585b7606445396f2e5a184a0cbf9c00ab0fb0bdb07c4f83b8aa58d8ec92a7e
Opcode Fuzzy Hash: 1ee3b26e30daffc908f21cbbc0f75d29cd9e06e1f36db5d93ba5e4c322d4bc41
Instruction Fuzzy Hash: F651AC30901B89DFD710CF69CA08B4AFBF4FF49320F2482ADE4559B2A1D774AA08CB51

Function 00F47540 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00F4758A
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00F47597

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 2e60a52db6804bf3e77731a692f663dc4b0cde10518ccec76f4421b2d9f8736c
Instruction ID: 66ca9129d2fcf2cfb9fc394149f7166320d34a20b85075c948960f2873c0965f
Opcode Fuzzy Hash: 2e60a52db6804bf3e77731a692f663dc4b0cde10518ccec76f4421b2d9f8736c
Instruction Fuzzy Hash: 6E319F70805B49EEC715EF68CA4479EFBF4FF14714F108299E4A8A76C1CB746A08CB91

Function 00EA3D50 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,9F3ADAE5), ref: 00EA3DDC
EndPaint.USER32(?,?), ref: 00EA3E01

Part of subcall function 00EA4650: InitializeCriticalSection.KERNEL32(9F3ADAE5,9F3ADAE5,?), ref: 00EA468F
Part of subcall function 00EA4650: EnterCriticalSection.KERNEL32(?,9F3ADAE5,?), ref: 00EA469C
Part of subcall function 00EA4650: KillTimer.USER32(?,00000001), ref: 00EA46E4
Part of subcall function 00EA4650: LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00EA4773

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Paint$BeginEnterInitializeKillLeaveTimer
String ID:
API String ID: 1542273292-0
Opcode ID: 89b1d5236cae8dac68edbefa20ca0eacbd97bd0c2fb53af4f3fb252c62782df8
Instruction ID: c16ddfa5da0aa2adf26ef7cf0f55c5762de6e115db83571ec2a68b296d37b8f9
Opcode Fuzzy Hash: 89b1d5236cae8dac68edbefa20ca0eacbd97bd0c2fb53af4f3fb252c62782df8
Instruction Fuzzy Hash: A521B3B0904348DFDB20CFA4C544B9EBBF4FB09714F10462DE416AB780D775AA44CB91

Function 00FAD5A0 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FACBB0: LoadLibraryW.KERNEL32(ComCtl32.dll,9F3ADAE5,?,?,00000000), ref: 00FACBEE
Part of subcall function 00FACBB0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FACC11
Part of subcall function 00FACBB0: FreeLibrary.KERNEL32(00000000), ref: 00FACC8F

Part of subcall function 00FACBB0: GetSystemMetrics.USER32(0000000C), ref: 00FACC4C
Part of subcall function 00FACBB0: GetSystemMetrics.USER32(0000000B), ref: 00FACC62

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00FAD5E4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FAD5EF

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: LibraryMessageMetricsSendSystem$AddressFreeLoadProc
String ID:
API String ID: 1118950307-0
Opcode ID: 7446c92c0a37ef16fac95bc3299a40ab81b632632351a55bb0db7b3a01430118
Instruction ID: f3ca9205f17d7174dbe9909091899465a804088cdcace36bd45efd456fbddc91
Opcode Fuzzy Hash: 7446c92c0a37ef16fac95bc3299a40ab81b632632351a55bb0db7b3a01430118
Instruction Fuzzy Hash: 07F01C7178521836F66021595C57F67B64DD781BA4F108266BA98AB2C2ECC67C0402E8

Function 01076CD8 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,0107705A,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 01076D0C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,0107705A,?,?,00000000,?,00000000), ref: 01076D2A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: fa4dd0d710ae1aa8c6223702377bdde9188665d59a5e854a8c9cd318ae57fca4
Instruction ID: 074de133087cbf847e1e19848bc52dcd8233f0ea7d0c0316e265226c55ff015f
Opcode Fuzzy Hash: fa4dd0d710ae1aa8c6223702377bdde9188665d59a5e854a8c9cd318ae57fca4
Instruction Fuzzy Hash: 40F0B43280051ABBCF226E91EC04ADE3E66AB586A0F058010BA5929120CB37D871AB88

Function 00F92490 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,0117D68C,00FDDE10,?), ref: 00F924A8
MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00F924DA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: a0ca11906745bdfc061b13ff5c5e70c43eedc167da9b553af5665f46e9bf28a7
Instruction ID: 3b42f46837a0df5f66f9bb96764fe59f260bfcafb98b21e21303a3dc930ab6b7
Opcode Fuzzy Hash: a0ca11906745bdfc061b13ff5c5e70c43eedc167da9b553af5665f46e9bf28a7
Instruction Fuzzy Hash: 8501D635301111AFEA10DA4DDC89F5EB799EFC4721F24412EF619EB2C4CA216D019790

Function 00EA4CC0 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

EqualRect.USER32(00000000,?), ref: 00EA4DF9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: EqualRect
String ID:
API String ID: 90978676-0
Opcode ID: 1b23b577a84346d1c341f0372a67c8eb5c05a96a2d6952dc1f0f28ea062b2fd1
Instruction ID: 1e003a7cdd2518257c64973d3554e4f129b2c660693c1cc8a09671c2d6d7bd9f
Opcode Fuzzy Hash: 1b23b577a84346d1c341f0372a67c8eb5c05a96a2d6952dc1f0f28ea062b2fd1
Instruction Fuzzy Hash: CF9109B5901208DFDB25DFA8C945BAEBBF4FF49704F144169E819BB281DB706A44CF90

Function 00FEEA50 Relevance: 1.7, APIs: 1, Instructions: 170synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,9F3ADAE5), ref: 00FEEA84

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 92afef62b7e5c644284e136c2bd3684f314f1a78de71c5ae2e7cd7c8f3499727
Instruction ID: 07af1b7eb8a810f0d50c6de22442e470a5dfca7e74f7879b78031e013497773e
Opcode Fuzzy Hash: 92afef62b7e5c644284e136c2bd3684f314f1a78de71c5ae2e7cd7c8f3499727
Instruction Fuzzy Hash: 06518D75A00256CFCB04CF59D984B6ABBB1FF88710F2545A9E816EB351C735ED01DB90

Function 0107C91E Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,0107CB6D,0107CB61,00000000), ref: 0107C950

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 53e1acff242dff5c6b6630a8861ae4a5cb44b934ad2e5cd2e47ade3cf6607310
Instruction ID: 0b0490fd85f30f43759a78d4864edb686e50a2a589e4ce825e689aa75b0ad45f
Opcode Fuzzy Hash: 53e1acff242dff5c6b6630a8861ae4a5cb44b934ad2e5cd2e47ade3cf6607310
Instruction Fuzzy Hash: C3517AB1D04259ABEB21CA2CCE84AEA7BFCEB55308F1405EDD5DAD7142C334AE45CB24

Function 00FD3390 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00FD34C0,?), ref: 00FD33DB

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: d692cfa1e9c8930f0c889ce6acf254e493f201a039661b0c33899dc67f499096
Instruction ID: 421f1bdf34684e6c587bc7b2b8eb4285bf00a2a674a5f574aa15bbb1b93b6b33
Opcode Fuzzy Hash: d692cfa1e9c8930f0c889ce6acf254e493f201a039661b0c33899dc67f499096
Instruction Fuzzy Hash: A741B171C0020A9BDB11DF94C880BDEBBF5FF44324F14426AE525A7781D7B9EA44CB91

Function 00FAE850 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00FAEAD0: __Init_thread_footer.LIBCMT ref: 00FAEB46

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

__Init_thread_footer.LIBCMT ref: 00FAE930

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
String ID:
API String ID: 984842325-0
Opcode ID: d95129966746a79994db6450d1912de0c1859f14221268ea2001067b7f46b573
Instruction ID: cc55574ff7fcd41bd76af40cb8a9027f79ac36f2271f70d3867b4982194a90c2
Opcode Fuzzy Hash: d95129966746a79994db6450d1912de0c1859f14221268ea2001067b7f46b573
Instruction Fuzzy Hash: 7731CEB19007019BE76ADF04E881F4E77F5F706724F108329E86247784D3B56884DB49

Function 00F8E390 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

__Init_thread_footer.LIBCMT ref: 00F8E402

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: 0a920774976e3bd8ee484c3a9926458b2acbe5fcbdb6b90b85dd322deb052b2d
Instruction ID: 2d38862d403fee9e14b19a53dda836429fbd72ce5b4d80676f7b8adce714ee3e
Opcode Fuzzy Hash: 0a920774976e3bd8ee484c3a9926458b2acbe5fcbdb6b90b85dd322deb052b2d
Instruction Fuzzy Hash: 7501D4B1A44A05DBCB99EB98D945B4973E0F706B20F10863DF86A873C0D734A900CF21

Function 00FAEAD0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

Part of subcall function 00FAEB70: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00FAEBDE
Part of subcall function 00FAEB70: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00FAEC25
Part of subcall function 00FAEB70: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00FAEC44
Part of subcall function 00FAEB70: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00FAEC73
Part of subcall function 00FAEB70: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00FAECE8

__Init_thread_footer.LIBCMT ref: 00FAEB46

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: 536bd89b36496c20345ac61a94988248b8efcf38cfdcd39ca3dd8befebdc49c7
Instruction ID: 0596f3a88aaae7da383eda42d0f4cf7fea3d1c9b015c02710a8417873a0b0b7a
Opcode Fuzzy Hash: 536bd89b36496c20345ac61a94988248b8efcf38cfdcd39ca3dd8befebdc49c7
Instruction Fuzzy Hash: B201D6B1A44605DBC329EBD8DD05B6DB3A4E705B60F108769ED269B7C0DB746A00CF61

Function 00E8A9B0 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0105E8FA: RaiseException.KERNEL32(E06D7363,00000001,00000003,9F3ADAE5,?,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 0105E95A

RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: 696c2e4b2ba83219761f1773ba0cba30b3275ef9cafe47b10dfd09a23699e7f9
Instruction ID: a0cc6b23d6ea50ac195e3a29b4f4cbada12683067c036e9b2f269b5a8929125f
Opcode Fuzzy Hash: 696c2e4b2ba83219761f1773ba0cba30b3275ef9cafe47b10dfd09a23699e7f9
Instruction Fuzzy Hash: 55F08C72A48648BFCB15DF55DC05F5ABBF8FB08B10F10866EF969C6690DB36A900CB44

Function 01074FC7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0107CB1E,?,?,0107CB1E,00000220,?,?,?), ref: 01074FF9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c76a0b1949c7ebaede76edf3d21c5f1969fcf61057c71e329e69580489b0fa7b
Instruction ID: e2c7ef3374e6ad06531b1c8ecfcb417fc2ab9ff54af83690a83f8c6651e3c5b2
Opcode Fuzzy Hash: c76a0b1949c7ebaede76edf3d21c5f1969fcf61057c71e329e69580489b0fa7b
Instruction Fuzzy Hash: D4E06531E042129BEB72266A5C08BEA7AD99F517A0F054160FDD8D61C4DF20C84082ED

Function 00E89710 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 00E8971B

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4225109994cb4df3d071183c9163982c692ae8115354d00deef1fd811f983c5b
Instruction ID: d0358485083877bb583df9c997ee1c57800aac28b625fd7aa63041bc4bf27392
Opcode Fuzzy Hash: 4225109994cb4df3d071183c9163982c692ae8115354d00deef1fd811f983c5b
Instruction Fuzzy Hash: 9DC08C306102104BD7305E18B50878236DC9B08B14F04480AB44ED3200C6B5DC008754

Non-executed Functions

Function 00E83000 Relevance: 289.5, Strings: 229, Instructions: 3218COMMON

Download Yara Rule

Strings

3000, xrefs: 00E8654D
12000, xrefs: 00E86441
1500000, xrefs: 00E866D6
10000, xrefs: 00E8686D, 00E87464
PublishFeatures, xrefs: 00E8695D
15000, xrefs: 00E8602F
Complus, xrefs: 00E86663
Feature, xrefs: 00E83B8B, 00E86983
3000, xrefs: 00E837A3, 00E837B2
10000, xrefs: 00E8745F
8000, xrefs: 00E8458D, 00E8459C
UnregisterClassInfo, xrefs: 00E84927
WriteEnvironmentStrings, xrefs: 00E862AA
FileCost, xrefs: 00E833BD
20000, xrefs: 00E867E2
30000, xrefs: 00E838DD, 00E838EC
RemoveFiles, xrefs: 00E8549D, 00E855E3
SelfUnregModules, xrefs: 00E8403D
3000000, xrefs: 00E862B8
Feature_, xrefs: 00E8390B, 00E84B06, 00E86058, 00E86917, 00E86B0D, 00E86B93, 00E86C19, 00E86CB3
RemoveEnvironmentStrings, xrefs: 00E85211
WriteIniValues, xrefs: 00E86224
2000, xrefs: 00E871DC
100, xrefs: 00E85C6D, 00E85C7C
15000, xrefs: 00E8696B
Component_, xrefs: 00E83A78, 00E83D04, 00E83E4A, 00E83F90, 00E84241, 00E84362, 00E844A8, 00E8473E, 00E8487A, 00E84ED8, 00E8501E, 00E85164, 00E852DE, 00E853F0, 00E85536, 00E857DB, 00E858FC, 00E85A42, 00E85B88, 00E85E14, 00E85F57, 00E861D7, 00E8625D, 00E862E3, 00E863E6, 00E8646C, 00E864F2, 00E86578, 00E8667B, 00E86701, 00E86782, 00E8680D, 00E86893
SelfReg, xrefs: 00E840A3, 00E865EB
MoveFiles, xrefs: 00E859A9
1500000, xrefs: 00E866DB
ODBCDataSource, xrefs: 00E841E9, 00E863D3
MIME, xrefs: 00E8613C
AI_XmlAttribute, xrefs: 00E86D8F, 00E872F7
100, xrefs: 00E86FE8
1500, xrefs: 00E872DF
RemoveIniFile, xrefs: 00E84EA5
UnpublishFeatures, xrefs: 00E83B25
AI_UserGroups, xrefs: 00E86F06, 00E870FA
UnregisterProgIdInfo, xrefs: 00E84BB3
3000, xrefs: 00E84819, 00E84828
3000, xrefs: 00E84BEB, 00E84BFA
BindImage, xrefs: 00E85EA1, 00E85EC7
3000000, xrefs: 00E862BD
5000, xrefs: 00E85EB4
AI_ChainProductsPseudo, xrefs: 00E87357
CostFinalize, xrefs: 00E83508
Options, xrefs: 00E86C3B
3000, xrefs: 00E85FB2
SelfReg, xrefs: 00E840A8, 00E840B7
20000, xrefs: 00E867E7
SelfReg, xrefs: 00E865E6
3000, xrefs: 00E83F2F, 00E83F3E
800, xrefs: 00E83669, 00E83678
ProgId, xrefs: 00E84C17, 00E84C39
Extension, xrefs: 00E84AD3, 00E86047
RemoveFile, xrefs: 00E85649
3000, xrefs: 00E84AA5, 00E84AB4
DuplicateFile, xrefs: 00E853BD, 00E85DE1
Component, xrefs: 00E832E9, 00E8355D, 00E836A8, 00E837D1
AI_Game, xrefs: 00E86E0C, 00E87000
ProcessComponents, xrefs: 00E8376B
AI_GxInstall, xrefs: 00E86DE6
UnregisterComPlus, xrefs: 00E83EF7
AI_Game, xrefs: 00E86E07
UnregisterMIMEInfo, xrefs: 00E84CF9
AI_InstallPostPrerequisite, xrefs: 00E86C66
ProgId, xrefs: 00E860BF
RemoveExistingProducts, xrefs: 00E83024
DuplicateFiles, xrefs: 00E85D7B
ServiceInstall, xrefs: 00E866EE
AI_ExtractPrereq, xrefs: 00E86B5A
8000, xrefs: 00E8408B, 00E84588, 00E86343, 00E865D8
MsiConfigureServices, xrefs: 00E8674E, 00E86774
FileSize, xrefs: 00E85BCF
3000, xrefs: 00E84D31, 00E84D40
1500, xrefs: 00E84E72, 00E84FB8, 00E86D7C, 00E872E4
RegisterTypeLibraries, xrefs: 00E8653F
Registry, xrefs: 00E84701, 00E861C4
AI_AppSearchEx, xrefs: 00E87057, 00E8707D
12000, xrefs: 00E85614, 00E85636
MsiUnpublishAssemblies, xrefs: 00E838A5
AI_ProcessGroups, xrefs: 00E870D4
AI_GxUninstall, xrefs: 00E86FDA
File, xrefs: 00E83423, 00E85503, 00E85B55
AI_ProcessAccounts, xrefs: 00E87151
PatchSize, xrefs: 00E85D15
TypeLib, xrefs: 00E86560
500, xrefs: 00E8706A
PatchFiles, xrefs: 00E85C35
1800, xrefs: 00E86CFF, 00E8725E
AppId, xrefs: 00E8498D, 00E85FCA
AI_UninstallTasks, xrefs: 00E86F5D
Feature, xrefs: 00E83B90, 00E83B9F
1500, xrefs: 00E84E77, 00E84E86
2000, xrefs: 00E86DF4
800, xrefs: 00E83664
SelfRegModules, xrefs: 00E865C5
IniFile, xrefs: 00E84FEB, 00E86245
RegisterFonts, xrefs: 00E86330
AI_DefaultActionCost, xrefs: 00E87451
3000, xrefs: 00E86129
AI_ProcessTasks, xrefs: 00E871CE
Options, xrefs: 00E86CC1
RemoveODBC, xrefs: 00E84183, 00E842C9, 00E8440F
ODBCTranslator, xrefs: 00E8432F, 00E86459
2000, xrefs: 00E86F6B
File, xrefs: 00E83428, 00E83437
3000, xrefs: 00E846D3, 00E846E2
Complus, xrefs: 00E83F62, 00E83F71
12000, xrefs: 00E85F2C
Options, xrefs: 00E86C40, 00E86CC6
CreateShortcuts, xrefs: 00E85F1E
15000, xrefs: 00E83C9E, 00E83DE4, 00E859DC, 00E85DAE, 00E86034, 00E86761, 00E86970
5000, xrefs: 00E85EAF
InstallInitialize, xrefs: 00E869DA
AppId, xrefs: 00E84992, 00E849A1
AI_DownloadPrereq, xrefs: 00E86AD4
12000, xrefs: 00E841B6, 00E842FC, 00E84442, 00E8538A, 00E854D0, 00E85631, 00E85750, 00E85896, 00E85F31, 00E863C0, 00E86446, 00E864CC
File, xrefs: 00E85B5A, 00E85B69
RegisterProgIdInfo, xrefs: 00E8609E
~, xrefs: 00E86C4A
MsiPublishAssemblies, xrefs: 00E868DB
15000, xrefs: 00E83DE9, 00E83DF8
200000, xrefs: 00E869ED
InstallODBC, xrefs: 00E863AD, 00E86433, 00E864B9
Location, xrefs: 00E86B34, 00E86BBA
2000, xrefs: 00E86E71
AppId, xrefs: 00E85FC5
AI_XmlUninstall, xrefs: 00E8724B, 00E872D1
RemoveIniValues, xrefs: 00E84E3F, 00E84F85
Complus, xrefs: 00E83F5D, 00E86668
1500, xrefs: 00E84FBD, 00E84FCC
AI_InstallPrerequisite, xrefs: 00E86BE0
12000, xrefs: 00E84301, 00E84310
3000, xrefs: 00E83B5D, 00E83B6C
TypeLib, xrefs: 00E86565
2000, xrefs: 00E83181, 00E83190
IniFile, xrefs: 00E84FF0, 00E84FFF
30000, xrefs: 00E838D8, 00E86237, 00E868F3
WriteRegistryValues, xrefs: 00E8619E
AppSearch, xrefs: 00E83149, 00E831CA
MoveFile, xrefs: 00E85A0F
RemoveRegistryValues, xrefs: 00E8469B, 00E847E1
Font, xrefs: 00E86351
3000, xrefs: 00E8379E, 00E83A12, 00E83B58, 00E83F2A, 00E846CE, 00E84814, 00E8495A, 00E84AA0, 00E84BE6, 00E84D2C, 00E85244, 00E85FB7, 00E8612E, 00E86552, 00E86655
12000, xrefs: 00E85755, 00E85764
Patch, xrefs: 00E85CA0, 00E85CAF
2000, xrefs: 00E86EEE
AI_Game, xrefs: 00E86FFB
12000, xrefs: 00E864C7
120000, xrefs: 00E850FE
15000, xrefs: 00E8675C
2000, xrefs: 00E8715F
2000, xrefs: 00E8317C, 00E86DF9, 00E86E76, 00E86EF3, 00E86F70, 00E870E7, 00E87164, 00E871E1
30000, xrefs: 00E86232
CreateFolders, xrefs: 00E85863
Feature, xrefs: 00E8697E
MIME, xrefs: 00E84D5F, 00E86141
100000, xrefs: 00E86A6A
PublishComponents, xrefs: 00E8685A
AI_UninstallGroups, xrefs: 00E86EE0
Shortcut, xrefs: 00E8513B, 00E85F44
MIME, xrefs: 00E84D64, 00E84D73
PublishComponent, xrefs: 00E83A45, 00E86880
IniFile, xrefs: 00E8624A
3000, xrefs: 00E8495F, 00E8496E
200000, xrefs: 00E869E8
RegisterClassInfo, xrefs: 00E85FA4
Font, xrefs: 00E845BB, 00E86356
8000, xrefs: 00E865D3
MsiAssembly, xrefs: 00E86906
InstallServices, xrefs: 00E866C8
3000, xrefs: 00E86650
1800, xrefs: 00E86CFA
AI_UserAccounts, xrefs: 00E86E89, 00E87177
RemoveRegistry, xrefs: 00E84847
Font, xrefs: 00E845C0, 00E845CF
AI_CountRowAction, xrefs: 00E873D4
Environment, xrefs: 00E85277, 00E862D0
15000, xrefs: 00E85DB3, 00E85DC2
ProgId, xrefs: 00E84C34, 00E860C4
10000, xrefs: 00E86868
UnpublishComponents, xrefs: 00E839E6
RemoveFolders, xrefs: 00E8571D
120000, xrefs: 00E85103, 00E85112
StartServices, xrefs: 00E867D4
3000, xrefs: 00E85249, 00E85258
RegisterExtensionInfo, xrefs: 00E86021
AI_UninstallAccounts, xrefs: 00E86E63
RegisterComPlus, xrefs: 00E86642
ODBCDriver, xrefs: 00E84475, 00E864DF
12000, xrefs: 00E863BB
UnregisterFonts, xrefs: 00E84555
15000, xrefs: 00E83CA3, 00E83CB2
12000, xrefs: 00E841BB, 00E841CA
12000, xrefs: 00E8538F, 00E8539E
12000, xrefs: 00E854D5, 00E854E4
30000, xrefs: 00E868EE
AI_XmlElement, xrefs: 00E86D12, 00E87271
12000, xrefs: 00E8589B, 00E858AA
InstallValidate, xrefs: 00E83631
RemoveShortcuts, xrefs: 00E850CB
InstallFiles, xrefs: 00E85AEF
100, xrefs: 00E860AC
100, xrefs: 00E85C68, 00E860B1, 00E86FED
1500, xrefs: 00E86D77
InstallFinalize, xrefs: 00E86A57
StopServices, xrefs: 00E83C6B, 00E83DB1
12000, xrefs: 00E84447, 00E84456
ServiceControl, xrefs: 00E83CD1, 00E83E17, 00E867FA
8000, xrefs: 00E84070, 00E84090
2000, xrefs: 00E870E2
File, xrefs: 00E85508, 00E85517
CostInitialize, xrefs: 00E83283
1800, xrefs: 00E87259
RegisterMIMEInfo, xrefs: 00E8611B
8000, xrefs: 00E8633E
3000, xrefs: 00E83A17, 00E83A26
CreateFolder, xrefs: 00E85783, 00E858C9
500, xrefs: 00E87065
AI_ScheduledTasks, xrefs: 00E871F4
6000, xrefs: 00E861AC
15000, xrefs: 00E859E1, 00E859F0
100000, xrefs: 00E86A65
RemoveDuplicateFiles, xrefs: 00E85357
AI_XmlInstall, xrefs: 00E86CEC, 00E86D69
6000, xrefs: 00E861B1
Patch, xrefs: 00E85C9B
AI_PreRequisite, xrefs: 00E86AFA, 00E86B80, 00E86C06, 00E86C8C
UnregisterExtensionInfo, xrefs: 00E84A88

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 100$100$100$100$10000$10000$10000$100000$100000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$120000$120000$1500$1500$1500$1500$1500$15000$15000$15000$15000$15000$15000$15000$15000$1500000$1500000$1800$1800$1800$2000$2000$2000$2000$2000$2000$2000$2000$2000$20000$20000$200000$200000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$30000$30000$30000$30000$3000000$3000000$500$500$5000$5000$6000$6000$800$800$8000$8000$8000$8000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_Game$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppId$AppId$AppSearch$BindImage$Complus$Complus$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature$Feature$Feature_$File$File$File$File$FileCost$FileSize$Font$Font$Font$IniFile$IniFile$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MIME$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Options$Options$Patch$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$ProgId$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfReg$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-3108495574
Opcode ID: 40c221afafff0cc3911a0de41f1823f26e0838524bcf2142af790bc1c76fc1ac
Instruction ID: 0c51e11122565bb8b6d10448286994b3f5e01f2ca761ad5290d93339375aab1c
Opcode Fuzzy Hash: 40c221afafff0cc3911a0de41f1823f26e0838524bcf2142af790bc1c76fc1ac
Instruction Fuzzy Hash: 12733520A4538895E768EBB59A1635E7AF1AFA3304F60939CF5683F3C5DFB406C08791

Function 00E85C82 Relevance: 185.0, Strings: 147, Instructions: 1248COMMON

Download Yara Rule

Strings

3000, xrefs: 00E8654D
12000, xrefs: 00E86441
12000, xrefs: 00E85F2C
Options, xrefs: 00E86C40, 00E86CC6
1500000, xrefs: 00E866D6
10000, xrefs: 00E8686D, 00E87464
PublishFeatures, xrefs: 00E8695D
CreateShortcuts, xrefs: 00E85F1E
15000, xrefs: 00E85DAE, 00E86034, 00E86761, 00E86970
5000, xrefs: 00E85EAF
InstallInitialize, xrefs: 00E869DA
15000, xrefs: 00E8602F
Complus, xrefs: 00E86663
Feature, xrefs: 00E86983
12000, xrefs: 00E85F31, 00E863C0, 00E86446, 00E864CC
AI_DownloadPrereq, xrefs: 00E86AD4
RegisterProgIdInfo, xrefs: 00E8609E
~, xrefs: 00E86C4A
MsiPublishAssemblies, xrefs: 00E868DB
10000, xrefs: 00E8745F
200000, xrefs: 00E869ED
InstallODBC, xrefs: 00E863AD, 00E86433, 00E864B9
Location, xrefs: 00E86B34, 00E86BBA
WriteEnvironmentStrings, xrefs: 00E862AA
2000, xrefs: 00E86E71
AI_XmlUninstall, xrefs: 00E8724B, 00E872D1
AppId, xrefs: 00E85FC5
Complus, xrefs: 00E86668
AI_InstallPrerequisite, xrefs: 00E86BE0
20000, xrefs: 00E867E2
TypeLib, xrefs: 00E86565
30000, xrefs: 00E86237, 00E868F3
3000000, xrefs: 00E862B8
Feature_, xrefs: 00E86058, 00E86917, 00E86B0D, 00E86B93, 00E86C19, 00E86CB3
WriteRegistryValues, xrefs: 00E8619E
WriteIniValues, xrefs: 00E86224
2000, xrefs: 00E871DC
Font, xrefs: 00E86351
3000, xrefs: 00E85FB7, 00E8612E, 00E86552, 00E86655
15000, xrefs: 00E8696B
Component_, xrefs: 00E85E14, 00E85F57, 00E861D7, 00E8625D, 00E862E3, 00E863E6, 00E8646C, 00E864F2, 00E86578, 00E8667B, 00E86701, 00E86782, 00E8680D, 00E86893
SelfReg, xrefs: 00E865EB
1500000, xrefs: 00E866DB
Patch, xrefs: 00E85CA0, 00E85CAF
2000, xrefs: 00E86EEE
ODBCDataSource, xrefs: 00E863D3
MIME, xrefs: 00E8613C
AI_XmlAttribute, xrefs: 00E86D8F, 00E872F7
AI_Game, xrefs: 00E86FFB
12000, xrefs: 00E864C7
100, xrefs: 00E86FE8
1500, xrefs: 00E872DF
15000, xrefs: 00E8675C
2000, xrefs: 00E8715F
AI_UserGroups, xrefs: 00E86F06, 00E870FA
2000, xrefs: 00E86DF9, 00E86E76, 00E86EF3, 00E86F70, 00E870E7, 00E87164, 00E871E1
30000, xrefs: 00E86232
Feature, xrefs: 00E8697E
MIME, xrefs: 00E86141
100000, xrefs: 00E86A6A
BindImage, xrefs: 00E85EA1, 00E85EC7
PublishComponents, xrefs: 00E8685A
3000000, xrefs: 00E862BD
AI_UninstallGroups, xrefs: 00E86EE0
Shortcut, xrefs: 00E85F44
5000, xrefs: 00E85EB4
PublishComponent, xrefs: 00E86880
IniFile, xrefs: 00E8624A
AI_ChainProductsPseudo, xrefs: 00E87357
200000, xrefs: 00E869E8
Options, xrefs: 00E86C3B
RegisterClassInfo, xrefs: 00E85FA4
3000, xrefs: 00E85FB2
Font, xrefs: 00E86356
20000, xrefs: 00E867E7
SelfReg, xrefs: 00E865E6
8000, xrefs: 00E865D3
MsiAssembly, xrefs: 00E86906
Extension, xrefs: 00E86047
InstallServices, xrefs: 00E866C8
3000, xrefs: 00E86650
1800, xrefs: 00E86CFA
AI_UserAccounts, xrefs: 00E86E89, 00E87177
DuplicateFile, xrefs: 00E85DE1
AI_CountRowAction, xrefs: 00E873D4
Environment, xrefs: 00E862D0
ProgId, xrefs: 00E860C4
15000, xrefs: 00E85DB3, 00E85DC2
10000, xrefs: 00E86868
AI_Game, xrefs: 00E86E0C, 00E87000
AI_GxInstall, xrefs: 00E86DE6
StartServices, xrefs: 00E867D4
AI_Game, xrefs: 00E86E07
AI_InstallPostPrerequisite, xrefs: 00E86C66
ProgId, xrefs: 00E860BF
RegisterExtensionInfo, xrefs: 00E86021
DuplicateFiles, xrefs: 00E85D7B
AI_UninstallAccounts, xrefs: 00E86E63
RegisterComPlus, xrefs: 00E86642
ServiceInstall, xrefs: 00E866EE
AI_ExtractPrereq, xrefs: 00E86B5A
ODBCDriver, xrefs: 00E864DF
12000, xrefs: 00E863BB
8000, xrefs: 00E86343, 00E865D8
MsiConfigureServices, xrefs: 00E8674E, 00E86774
1500, xrefs: 00E86D7C, 00E872E4
30000, xrefs: 00E868EE
AI_XmlElement, xrefs: 00E86D12, 00E87271
RegisterTypeLibraries, xrefs: 00E8653F
Registry, xrefs: 00E861C4
AI_AppSearchEx, xrefs: 00E87057, 00E8707D
AI_ProcessGroups, xrefs: 00E870D4
AI_GxUninstall, xrefs: 00E86FDA
100, xrefs: 00E860B1, 00E86FED
AI_ProcessAccounts, xrefs: 00E87151
100, xrefs: 00E860AC
1500, xrefs: 00E86D77
InstallFinalize, xrefs: 00E86A57
PatchSize, xrefs: 00E85D15
TypeLib, xrefs: 00E86560
500, xrefs: 00E8706A
ServiceControl, xrefs: 00E867FA
1800, xrefs: 00E86CFF, 00E8725E
AppId, xrefs: 00E85FCA
2000, xrefs: 00E870E2
AI_UninstallTasks, xrefs: 00E86F5D
1800, xrefs: 00E87259
RegisterMIMEInfo, xrefs: 00E8611B
8000, xrefs: 00E8633E
2000, xrefs: 00E86DF4
SelfRegModules, xrefs: 00E865C5
IniFile, xrefs: 00E86245
500, xrefs: 00E87065
RegisterFonts, xrefs: 00E86330
AI_ScheduledTasks, xrefs: 00E871F4
3000, xrefs: 00E86129
6000, xrefs: 00E861AC
AI_ProcessTasks, xrefs: 00E871CE
Options, xrefs: 00E86CC1
AI_DefaultActionCost, xrefs: 00E87451
100000, xrefs: 00E86A65
AI_XmlInstall, xrefs: 00E86CEC, 00E86D69
6000, xrefs: 00E861B1
Patch, xrefs: 00E85C9B
ODBCTranslator, xrefs: 00E86459
AI_PreRequisite, xrefs: 00E86AFA, 00E86B80, 00E86C06, 00E86C8C
2000, xrefs: 00E86F6B

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 100$100$100$10000$10000$10000$100000$100000$12000$12000$12000$12000$12000$1500$1500$1500$15000$15000$15000$15000$15000$1500000$1500000$1800$1800$1800$2000$2000$2000$2000$2000$2000$2000$2000$20000$20000$200000$200000$3000$3000$3000$3000$3000$30000$30000$30000$3000000$3000000$500$500$5000$5000$6000$6000$8000$8000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_Game$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppId$BindImage$Complus$Complus$Component_$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature$Feature_$Font$Font$IniFile$IniFile$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MIME$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Options$Options$Patch$Patch$PatchSize$ProgId$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$SelfReg$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$TypeLib$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-402056873
Opcode ID: 493be7e1502fa1fee01436d7876374c426b356ae621b0bd1c1b3d38484962b72
Instruction ID: 15e527b491f0c08953adc9d609e604d06cbf165659c75c7f21fd69cf62935c3f
Opcode Fuzzy Hash: 493be7e1502fa1fee01436d7876374c426b356ae621b0bd1c1b3d38484962b72
Instruction Fuzzy Hash: 76C2FD10645389D5CB5DF6B94B1679F69A16B73710F50929CBBA93F3C2CFA40E0183E2

Function 00FDD630 Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 517fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0117D6B0,C0000000,00000003,00000000,00000004,00000080,00000000,9F3ADAE5,0117D68C,0117D6A4,?), ref: 00FDD6B0
GetLastError.KERNEL32 ref: 00FDD6CD
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00FDD746
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00FDD84A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00FDD8BB
WriteFile.KERNEL32(00000000,00BFC388,00000026,00000000,00000000,?,0000001C), ref: 00FDD8EB
WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,010F7104,00000002), ref: 00FDD996
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FDD99F
FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00FDD8F0

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 00FDDA93
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 00FDDB19
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00FDDB24
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,010F7104,00000002,?,?,CPU: ,00000005), ref: 00FDDB98
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FDDBA1
WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,010F7104,00000002), ref: 00FDDC26
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FDDC2F

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Strings

LOGGER->Reusing LOG file at:, xrefs: 00FDD7F2, 00FDD804, 00FDD80E
LOGGER->Creating LOG file at:, xrefs: 00FDDA3B, 00FDDA4D, 00FDDA57
LOGGER->failed to create LOG at:, xrefs: 00FDD701, 00FDD713, 00FDD71D
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00FDD966
CPU: , xrefs: 00FDD9E7, 00FDD9FD, 00FDDB2D
x64, xrefs: 00FDD930, 00FDD93C
workstation, xrefs: 00FDD93D
server, xrefs: 00FDD942, 00FDD94A
x86, xrefs: 00FDD927

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 4051163352-1312762833
Opcode ID: f4bbb8974c973e3ec5531dd43db5a28fdd64f58f20c8a1aa36b3e29a07059d29
Instruction ID: 81f083cef8fda284af219c4f7f173b9d424b08ac21e1abfcc9fe9e09874dda9d
Opcode Fuzzy Hash: f4bbb8974c973e3ec5531dd43db5a28fdd64f58f20c8a1aa36b3e29a07059d29
Instruction Fuzzy Hash: A012B0709016059FEB10DF68CC49BAEBBB5FF44324F1881A9E814AB3A6DB74DD44DB90

Function 00EBCBB0 Relevance: 37.8, APIs: 13, Strings: 8, Instructions: 1086stringthreadsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?,?, ?(-|/)+q,010F8D76), ref: 00EBCFA1
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?,?, ?(-|/)+q,010F8D76), ref: 00EBD131
GetCurrentThreadId.KERNEL32 ref: 00EBD321
Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?, ?(-|/)+q,010F8D76), ref: 00EBD6C1
std::_Throw_Cpp_error.LIBCPMT ref: 00EBD744
std::_Throw_Cpp_error.LIBCPMT ref: 00EBD74B
std::_Throw_Cpp_error.LIBCPMT ref: 00EBD752
std::_Throw_Cpp_error.LIBCPMT ref: 00EBD768
GetCurrentThreadId.KERNEL32 ref: 00EBD95E

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

std::_Throw_Cpp_error.LIBCPMT ref: 00EBDA6F
std::_Throw_Cpp_error.LIBCPMT ref: 00EBDA76
std::_Throw_Cpp_error.LIBCPMT ref: 00EBDA7D
std::_Throw_Cpp_error.LIBCPMT ref: 00EBDA84

Part of subcall function 00EA2290: FindClose.KERNEL32(00000000), ref: 00EA23CF
Part of subcall function 00EA2290: PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00EA2487

Part of subcall function 00FACA20: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,9F3ADAE5,?,00000000), ref: 00FACA6B
Part of subcall function 00FACA20: GetLastError.KERNEL32(?,00000000), ref: 00FACA75

Strings

appx, xrefs: 00EBD14C
Return code of launched file:, xrefs: 00EBD636
msixbundle, xrefs: 00EBCFC0
(, xrefs: 00EBD688
msix, xrefs: 00EBCE61
Launch failed. Error:, xrefs: 00EBD55C
?(-|/)+q, xrefs: 00EBCD06
Launching file:, xrefs: 00EBCC4A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentInit_thread_footerThreadlstrcmpi$CloseErrorFindFormatHeapLastMessagePathProcessSleep
String ID: ?(-|/)+q$($Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 2370152566-3482523422
Opcode ID: 208b0d993f5ce787c7766676a0d469aa06e5152e1044afdfd7a9b5f1b5bcb47c
Instruction ID: a2bd2f478faaeb47d1bac3505968595783ec43a16057e5170335166443794e8f
Opcode Fuzzy Hash: 208b0d993f5ce787c7766676a0d469aa06e5152e1044afdfd7a9b5f1b5bcb47c
Instruction Fuzzy Hash: 02A2BE70D00219CFDB24DF68CC45BEEB7B1AF45318F148299D459BB291EB70AE85CB91

Function 00E96670 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 389nativememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E96B00: EnterCriticalSection.KERNEL32(0118297C,9F3ADAE5,00000000,?,?,?,?,?,?,.c,0108826D,000000FF), ref: 00E96B3D
Part of subcall function 00E96B00: GetClassInfoExW.USER32 ref: 00E96B81
Part of subcall function 00E96B00: LoadCursorW.USER32(00000000,00007F00), ref: 00E96BB8
Part of subcall function 00E96B00: RegisterClassExW.USER32(00000030), ref: 00E96BE1
Part of subcall function 00E96B00: GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 00E96C2A
Part of subcall function 00E96B00: LoadCursorW.USER32(00000000,00007F00), ref: 00E96C5E
Part of subcall function 00E96B00: RegisterClassExW.USER32(00000030), ref: 00E96C7F

SysFreeString.OLEAUT32(00000000), ref: 00E96713
GetWindowLongW.USER32(?,000000EC), ref: 00E9681B
GetWindowLongW.USER32(?,000000EC), ref: 00E9682B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E96836
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00E96844
GetWindowLongW.USER32(?,000000EB), ref: 00E96852
GetWindowTextLengthW.USER32(?), ref: 00E96876
GetWindowTextW.USER32(?,00000000,00000001), ref: 00E968E5
SetWindowTextW.USER32(?,010F42AC), ref: 00E968F1
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00E96926
GlobalLock.KERNEL32(00000000), ref: 00E96934
GlobalUnlock.KERNEL32(?), ref: 00E96988
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00E96A13
SysFreeString.OLEAUT32(00000000), ref: 00E96A2C
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00E96A73
SysFreeString.OLEAUT32(00000000), ref: 00E96A92

Strings

.c, xrefs: 00E9668F, 00E96782
.c, xrefs: 00E9672A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Class$FreeGlobalStringText$CursorInfoLoadNtdllProc_Register$AllocCriticalEnterLengthLockSectionUnlock
String ID: .c$.c
API String ID: 3033972998-2435476076
Opcode ID: f4df2015af47d8878c898f3176d1a61a59cec219287da4887f21321ea1c675e7
Instruction ID: 895944f1aec2a0391e74bd774f3e2c65edb59286e0c1fa24f63b12143309db13
Opcode Fuzzy Hash: f4df2015af47d8878c898f3176d1a61a59cec219287da4887f21321ea1c675e7
Instruction Fuzzy Hash: B8D1C271904209EFDF10DFA4C948BAFBBB9EF45714F14816AF911BB280D7759A00CBA1

Function 00EACE41 Relevance: 26.1, APIs: 3, Strings: 11, Instructions: 1626COMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

SysFreeString.OLEAUT32(00000000), ref: 00EAD479
SysFreeString.OLEAUT32(00000000), ref: 00EAD897
SysFreeString.OLEAUT32(00000000), ref: 00EADA2C

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Strings

MsiGetBinaryPath, xrefs: 00EADDC6
MsiSetProperty, xrefs: 00EADAD0
MessageBox, xrefs: 00EAE003
GetFontHeight, xrefs: 00EAE240
MsiPublishEvents, xrefs: 00EADF44
MsiEvaluateCondition, xrefs: 00EADC48
MsiGetBytesCountText, xrefs: 00EAE0C2
MsiGetFormattedError, xrefs: 00EAE181
MsiGetProperty, xrefs: 00EADB89
MsiResolveFormatted, xrefs: 00EADD07
MsiGetBinaryPathIndirect, xrefs: 00EADE85

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: FreeString$HeapInit_thread_footer$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 2507001652-3153392536
Opcode ID: f5b938c85012bf0ebae3081d7c5a1e97c7105bf969d53c640c6a1cb666c2d5d3
Instruction ID: 5a80c245c2aaf99ce0310bb5f4268f3970de47a60df062ac40f8a09372454cc1
Opcode Fuzzy Hash: f5b938c85012bf0ebae3081d7c5a1e97c7105bf969d53c640c6a1cb666c2d5d3
Instruction Fuzzy Hash: 18E2AF71D04248CBDB14DFA8CC447DEBBB4FF49314F248259E85ABB291EB74AA85CB50

Function 00EA0500 Relevance: 26.1, APIs: 17, Instructions: 611COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00EA0538
GetWindowLongW.USER32(?,000000EB), ref: 00EA05B3
ShowWindow.USER32(00000000,?), ref: 00EA05D2
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00EA05E0
GetWindowRect.USER32(00000000,?), ref: 00EA05F7
ShowWindow.USER32(00000000,?), ref: 00EA0618
SetWindowLongW.USER32(?,000000EB,?), ref: 00EA062F

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

GetClientRect.USER32(?,?), ref: 00EA06E8
ShowWindow.USER32(?,?), ref: 00EA076D
GetWindowLongW.USER32(?,000000EB), ref: 00EA079C
ShowWindow.USER32(?,?), ref: 00EA07B9
GetWindowRect.USER32(?,?), ref: 00EA07DE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$LongRectShow$Client$AllocateHeap
String ID:
API String ID: 2610838350-0
Opcode ID: a38aadca215b09b5148263bf8e5e05454937106e07135197718b1838bfd04d6a
Instruction ID: 927208f6fc2714a7c37dbd6cfad747321253722a6b0fd4445d569e2fa0f2b609
Opcode Fuzzy Hash: a38aadca215b09b5148263bf8e5e05454937106e07135197718b1838bfd04d6a
Instruction Fuzzy Hash: 54423671A04208DFDB24CFA8D984AAEBBF5FF89304F14456EF859AB260D730A945CF51

Function 00EA2290 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 668fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00EA23CF
PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00EA2487
FindFirstFileW.KERNEL32(?,?,*.*,00000000), ref: 00EA25DC
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 00EA25F6
GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 00EA2629
FindClose.KERNEL32(00000000), ref: 00EA2698
SetLastError.KERNEL32(0000007B), ref: 00EA26A6
_wcsrchr.LIBVCRUNTIME ref: 00EA26FC
_wcsrchr.LIBVCRUNTIME ref: 00EA271C
PathIsUNCW.SHLWAPI(*.*,?,9F3ADAE5), ref: 00EA28B5

Strings

\\?\, xrefs: 00EA2571, 00EA25C6, 00EA29A6, 00EA29FE
\\?\UNC\, xrefs: 00EA24A7, 00EA255E, 00EA28D7, 00EA2990
*.*, xrefs: 00EA23FA, 00EA2457, 00EA2458, 00EA27E4, 00EA28B4

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 1241272779-1700010636
Opcode ID: 0cf96bce463427d0703ca73a5b360f0e6262468515913dfd824b95990fafe70f
Instruction ID: d1ad04d61980c436278171c188ca207cbebef1b73393804892b24380785fa5eb
Opcode Fuzzy Hash: 0cf96bce463427d0703ca73a5b360f0e6262468515913dfd824b95990fafe70f
Instruction Fuzzy Hash: 6A321230A006069FDB14DF6CC848B6AB7F5FF5A318F14426DEA15BF291EB76A904CB40

Function 00E95F50 Relevance: 19.9, APIs: 13, Instructions: 416nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(80070216,000000EC), ref: 00E9617B
GetWindowLongW.USER32(00000000,000000EC), ref: 00E9618B
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00E96196
NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,80070216,?,?,80070216), ref: 00E961A4
GetWindowLongW.USER32(00000000,000000EB), ref: 00E961B2
GetWindowTextLengthW.USER32(00000000), ref: 00E961D6
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E96245
SetWindowTextW.USER32(00000000,010F42AC), ref: 00E96251
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00E96286
GlobalLock.KERNEL32(00000000), ref: 00E96294
GlobalUnlock.KERNEL32(?), ref: 00E962E8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E9634D
NtdllDefWindowProc_W.NTDLL(00000000,00000000,9F3ADAE5,00000000), ref: 00E9639F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$GlobalText$NtdllProc_$AllocLengthLockUnlock
String ID:
API String ID: 2673961051-0
Opcode ID: f7a0fcf650d47d3e87810d2efcc4399c1d87b067f96ee805bed847999f3a0efb
Instruction ID: 4dacca1ac30e9c82ccc4a64157f942472f90a4fa1f04dbb21987061e1095d78a
Opcode Fuzzy Hash: f7a0fcf650d47d3e87810d2efcc4399c1d87b067f96ee805bed847999f3a0efb
Instruction Fuzzy Hash: B1E1D071A00206DFDF24DF68C848BAFBBB9EF85314F14452AE915EB291DB35D900CBA1

Function 00FB7A10 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00FB7DB2
FindClose.KERNEL32(00000000), ref: 00FB7DE0
FindClose.KERNEL32(00000000), ref: 00FB7E69

Strings

An acceptable version was found., xrefs: 00FB8352
No acceptable version found. Operating System not supported., xrefs: 00FB836E
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00FB8375
No acceptable version found., xrefs: 00FB837C
No acceptable version found. It must be downloaded., xrefs: 00FB8360
No acceptable version found. It must be installed from package., xrefs: 00FB8359
No acceptable version found. It must be downloaded manually from a site., xrefs: 00FB8367
Not selected for install., xrefs: 00FB8383

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 544434140-749633484
Opcode ID: f77118128bad59ca8eb52aee6f8ade1bd3cc5e83ba8675e7071423b455a31811
Instruction ID: 8db427b745d34496f4d381a9934754ea5697b7c3f0d4cece778430c163f330ee
Opcode Fuzzy Hash: f77118128bad59ca8eb52aee6f8ade1bd3cc5e83ba8675e7071423b455a31811
Instruction Fuzzy Hash: A4F18E709047098FDB10EF29C9487AEFBF1AF85320F1482A9D859AB391DB349E45DF91

Function 00F87CD0 Relevance: 19.7, APIs: 13, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00F87D3B
GetParent.USER32(00000000), ref: 00F87D8E
GetWindowRect.USER32(00000000), ref: 00F87D91
GetParent.USER32(00000000), ref: 00F87DA0
GetDC.USER32(00000000), ref: 00F87DA3
CreateCompatibleDC.GDI32(00000000), ref: 00F87DD0
CreateCompatibleBitmap.GDI32(00000000), ref: 00F87E0F
SelectObject.GDI32(?,00000000), ref: 00F87E20
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00F87E36

Part of subcall function 00F3E220: IsWindowVisible.USER32(?), ref: 00F3E29A
Part of subcall function 00F3E220: GetWindowRect.USER32(?,?), ref: 00F3E2B2
Part of subcall function 00F3E220: GetWindowRect.USER32(?,?), ref: 00F3E2CA
Part of subcall function 00F3E220: IntersectRect.USER32(?,?,?), ref: 00F3E2E7
Part of subcall function 00F3E220: EqualRect.USER32(?,?), ref: 00F3E2F7
Part of subcall function 00F3E220: GetSysColorBrush.USER32(0000000F), ref: 00F3E30D

FillRect.USER32(?,?,00000000), ref: 00F87E4C
DeleteDC.GDI32(?), ref: 00F87E6C
SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00F87E90
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00F87EA3

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$MessageSend$CompatibleCreateParent$BitmapBrushColorDeleteEqualFillIntersectObjectPointsSelectVisible
String ID:
API String ID: 2161025992-0
Opcode ID: 01ea84bed758d1e6c6db0151100eaf5501b4b702586b4428567aa80be4e86140
Instruction ID: 5a4464bf18c1d141d9a655ab5b0a6c6c591eced8343eefea6c77f580803bd1af
Opcode Fuzzy Hash: 01ea84bed758d1e6c6db0151100eaf5501b4b702586b4428567aa80be4e86140
Instruction Fuzzy Hash: EF514771D04608ABDB21DFA8C945BDEFBF8EF59710F20436AE915B7281EB706980CB50

Function 00FBBA70 Relevance: 19.1, APIs: 2, Strings: 8, Instructions: 1604fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

CopyFileW.KERNEL32(?,?,00000000,00000000,00000000), ref: 00FBBFF8
CopyFileW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?), ref: 00FBC4F9

Part of subcall function 00F92490: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,0117D68C,00FDDE10,?), ref: 00F924A8
Part of subcall function 00F92490: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00F924DA

Strings

instname-target.msi, xrefs: 00FBBF6D, 00FBC46E
InstanceId, xrefs: 00FBC7A4, 00FBC7B6, 00FBC7BE
AI_PRODUCTNAME_ARP, xrefs: 00FBC14F, 00FBC161, 00FBC16B, 00FBC6B9, 00FBC6CB, 00FBC6D5
\\?\, xrefs: 00FBBED6, 00FBC3D0
instname-custom.mst, xrefs: 00FBBFAB, 00FBC4AC
ProductName, xrefs: 00FBC0C7, 00FBC0D9, 00FBC0E3, 00FBC642, 00FBC654, 00FBC65E
{%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}, xrefs: 00FBC343
ProductCode, xrefs: 00FBC730, 00FBC742, 00FBC74C

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCopyFileHeapInit_thread_footerMultiWide$AllocateFindProcessResource
String ID: AI_PRODUCTNAME_ARP$InstanceId$ProductCode$ProductName$\\?\$instname-custom.mst$instname-target.msi${%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}
API String ID: 2868415777-2893908338
Opcode ID: f2b142ef44e69e2ca25305ed0baaab8b14842750a1da7fde432a3ff5e84fbca8
Instruction ID: 788c29b976f7d5af7f97db745ee08f239b69e42efedd4bc6a8df6c5db4d20adf
Opcode Fuzzy Hash: f2b142ef44e69e2ca25305ed0baaab8b14842750a1da7fde432a3ff5e84fbca8
Instruction Fuzzy Hash: F5D2AF70901649DFDB00DFA9C844BEEBBF4AF45324F188169E815EB292EB749E04DF91

Function 00FAF6D0 Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 580COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FAF87D
__Init_thread_footer.LIBCMT ref: 00FAFA22

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

GetStdHandle.KERNEL32(000000F5,?,9F3ADAE5,?,?), ref: 00FAFAAA
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00FAFAB1
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00FAFAC5
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00FAFACC
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,010F7104,00000002,?,?), ref: 00FAFB5B
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00FAFB62
IsWindow.USER32(00000000), ref: 00FAFDF9

Strings

Error, xrefs: 00FAFD8C

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
String ID: Error
API String ID: 2811146417-2619118453
Opcode ID: 82861373d539df75cff821e5d900e79da5061286cd84306a5ba6cf4b287dd197
Instruction ID: 190de67eb80c39f779d07d89895e89bd16e340b7632efee493b86f244883e167
Opcode Fuzzy Hash: 82861373d539df75cff821e5d900e79da5061286cd84306a5ba6cf4b287dd197
Instruction Fuzzy Hash: 0142AFB0D1021ADFDB24DFA8CC44BEEB7B0BF55714F1042A9E418AB290E7749A89DF50

Function 00EB9710 Relevance: 14.8, APIs: 1, Strings: 7, Instructions: 843windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EB975F

Strings

`Dialog_`=', xrefs: 00EB98F4
AiTabPage, xrefs: 00EB99A6, 00EB9B7B
SpawnDialog, xrefs: 00EB9E6D
Dialog, xrefs: 00EB9F3D, 00EB9F65, 00EBA0DF, 00EBA0FF, 00EBA127
Title, xrefs: 00EB9F12
ControlEvent, xrefs: 00EB9A8B
' AND `Control_`=', xrefs: 00EB9933

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='
API String ID: 3850602802-1412757306
Opcode ID: ab8cacdb8d48cf187f930a6e73e1158e62a4f48a3ba0c488508185e5c1536609
Instruction ID: a0df6918c0a71296012ca524757bd8be262e64a193e26d7c5f49b0c8a36f6128
Opcode Fuzzy Hash: ab8cacdb8d48cf187f930a6e73e1158e62a4f48a3ba0c488508185e5c1536609
Instruction Fuzzy Hash: F072D031D00258DFDB14DFA8C984BEEB7B1FF59304F148299E549BB291DB74AA84CB90

Function 00EAF410 Relevance: 14.7, APIs: 6, Strings: 2, Instructions: 685windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00EAF4F1

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

__Init_thread_footer.LIBCMT ref: 00EAF4AE

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

SendMessageW.USER32(?,0000104D,00000000,?), ref: 00EAFA12
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 00EAFAC0
SendMessageW.USER32(?,00001003,00000001,?), ref: 00EAFB61

Part of subcall function 00F9DCE0: __cftof.LIBCMT ref: 00F9DD30

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00EAFD98

Strings

AiFeatIco, xrefs: 00EAF7AB
Icon, xrefs: 00EAF866

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
String ID: AiFeatIco$Icon
API String ID: 2303580663-1280411655
Opcode ID: 9fa86dbffe778a0a615ec0bd406e11bcc5df9f2a811b98fe178a95a7cda083f1
Instruction ID: fd7b3c1239068606b3960561d11258e849cbc4c477f9994300652a60537c1308
Opcode Fuzzy Hash: 9fa86dbffe778a0a615ec0bd406e11bcc5df9f2a811b98fe178a95a7cda083f1
Instruction Fuzzy Hash: 84625A70900658DFDB24DF64CC98BEEBBB1EF99304F1041A9E459AB291DB706E84CF90

Function 00EAA820 Relevance: 13.3, Strings: 10, Instructions: 767COMMON

Download Yara Rule

Strings

UpgradeCode, xrefs: 00EAA8EE
AI_MajorUpgrades, xrefs: 00EAAC8B
Manufacturer, xrefs: 00EAA97B
InstanceId, xrefs: 00EAAA95
, xrefs: 00EAB0D5
AI_DynInstances, xrefs: 00EAABAC
ProductVersion, xrefs: 00EAAA08
ProductCode, xrefs: 00EAA86C
OldProductCode, xrefs: 00EAAB22
AI_GenNewCompGuids, xrefs: 00EAAD6E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $AI_DynInstances$AI_GenNewCompGuids$AI_MajorUpgrades$InstanceId$Manufacturer$OldProductCode$ProductCode$ProductVersion$UpgradeCode
API String ID: 0-614494711
Opcode ID: 5d2faf686872a2d58cbbe1787fc57adb28e72b1f3ec9dbacb7740210ea2c367e
Instruction ID: 1a5af2f863ee72130e89baf6ac81b63684570f80ad05d20b5d24fb3488c33183
Opcode Fuzzy Hash: 5d2faf686872a2d58cbbe1787fc57adb28e72b1f3ec9dbacb7740210ea2c367e
Instruction Fuzzy Hash: 15620331D00258CBDF18DB64CD94BEEB7B1AF59304F18829DD449BB291DB746E84CBA1

Function 00EA5CE0 Relevance: 11.2, APIs: 2, Strings: 4, Instructions: 696COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00EA6195
AI_CONTROL_VISUAL_STYLE, xrefs: 00EA5D3A
AI_NO_BORDER_NORMAL, xrefs: 00EA5DCD
AI_NO_BORDER_HOVER, xrefs: 00EA5E7A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: ede3d6a27e8cb184d51962a018f8f2ae7a2d368f05cbfd1dc608dcf051eb1d50
Instruction ID: 01306a95c400222419a1bd5190b6b4f0b3bef75d320cdd9d10b90e4f8cec0592
Opcode Fuzzy Hash: ede3d6a27e8cb184d51962a018f8f2ae7a2d368f05cbfd1dc608dcf051eb1d50
Instruction Fuzzy Hash: 1142E171D002188FDB18CF68CC947EEB7B1EF9A304F148259E495BB395C774AA45CBA1

Function 0107FF84 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 01080168

Strings

1#INF, xrefs: 010800BA
1#SNAN, xrefs: 01080090
1#QNAN, xrefs: 01080097
1#IND, xrefs: 01080089

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8ab3c8a07a5a394be9e2d119db71efae66ae9e3927617f2b435865d9f0b57796
Instruction ID: fcd8d01c9f91e016b7bbeb6ff60c665742b3bccfd6f6f717e5c56543709c465d
Opcode Fuzzy Hash: 8ab3c8a07a5a394be9e2d119db71efae66ae9e3927617f2b435865d9f0b57796
Instruction Fuzzy Hash: CCD22871E082298FDB65DE28DD407EAB7F5EB44304F1441EAE48DE7244EB78AE858F41

Function 0105C6B6 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,0105C5D2,00000000,?,0105C76A,?,?,?), ref: 0105C6B8
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,0105C76A,?,?,?), ref: 0105C6DF
HeapAlloc.KERNEL32(00000000,?,0105C76A,?,?,?), ref: 0105C6E6
InitializeSListHead.KERNEL32(00000000,?,0105C76A,?,?,?), ref: 0105C6F3
GetProcessHeap.KERNEL32(00000000,00000000,?,0105C76A,?,?,?), ref: 0105C708
HeapFree.KERNEL32(00000000,?,0105C76A,?,?,?), ref: 0105C70F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 5da66ce59349134b13c52faaf0148f83ef011dc446b8a8d5c23529a8e13fd093
Instruction ID: d2b1f43020c81e0e0fefc14527f2752161068ba5c73af40a329378a42ce2ca00
Opcode Fuzzy Hash: 5da66ce59349134b13c52faaf0148f83ef011dc446b8a8d5c23529a8e13fd093
Instruction Fuzzy Hash: 41F0A4716012119FEBB19F2E990CB167BF8BB88A15F040428FAD1C7345DB35C400C760

Function 00FA8ED0 Relevance: 7.7, APIs: 5, Instructions: 240fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00FA8F28

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

FindFirstFileW.KERNEL32(?,00000000), ref: 00FA9028
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000), ref: 00FA90C5
FindClose.KERNEL32(00000000,?,00000000), ref: 00FA90EB
FindClose.KERNEL32(00000000,?,00000000), ref: 00FA9135

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess_wcsrchr
String ID:
API String ID: 352340201-0
Opcode ID: 3d24e84c00f6e0970fea090651366c5f15320af85742b794cf875cc51f245a89
Instruction ID: 9930acbd23bd53e9a9095bb9d6cea88b2fa1ed5240dcbcfb117bb5542f04587b
Opcode Fuzzy Hash: 3d24e84c00f6e0970fea090651366c5f15320af85742b794cf875cc51f245a89
Instruction Fuzzy Hash: 0571F6B1D0420A9FDB14DF68CC48BAEB7F5FF45324F14862AE825972C0E7B59904DB90

Function 00EA9FF0 Relevance: 6.8, Strings: 5, Instructions: 567COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00EAA10C, 00EAA55E
AI_EXIST_NEW_INSTANCES, xrefs: 00EAA3A3
MultipleInstances, xrefs: 00EAA04D
AI_EXIST_INSTANCES, xrefs: 00EAA245
PropertyValue, xrefs: 00EAA668

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
API String ID: 1385522511-2308371840
Opcode ID: 62a4ee7e2d38bcb7515eb54d0ede2f57cfe13476f93adeb9b20db1e12015543e
Instruction ID: d2c19117c2c0c72bf0175ce4957b5938d606c125628fc6f29206212c2ef5bece
Opcode Fuzzy Hash: 62a4ee7e2d38bcb7515eb54d0ede2f57cfe13476f93adeb9b20db1e12015543e
Instruction Fuzzy Hash: 3122E330D003489FDB08DFA4CD59BEEBBB1AF49304F28925DE455BB291DB746A84CB91

Function 0107511A Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 010751A7

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 9e0b76cd5f3e377c6f2159358687fa5fc72b664d1f100b5c02f00f2f9645654f
Instruction ID: 8ec6adf5aaf23a28f61e39f4c8ad80d96a12781f65e02d18e97a6e6f4418bbb9
Opcode Fuzzy Hash: 9e0b76cd5f3e377c6f2159358687fa5fc72b664d1f100b5c02f00f2f9645654f
Instruction Fuzzy Hash: FFB16972E042869FDB11CF6CCC807FEBFE5EF55314F1481AAE985AB241D6749902CBA4

Function 00EB8630 Relevance: 5.4, Strings: 4, Instructions: 356COMMON

Download Yara Rule

Strings

= ", xrefs: 00EB894A
Show, xrefs: 00EB8920
Hide, xrefs: 00EB86F9, 00EB8713
<> ", xrefs: 00EB8747

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: 293e12297da3742c5e205616da41769fdf90de1007a8faf1d79630f097305dcc
Instruction ID: 9bfebf525a3cfad271254e14e8d198792a45a22965d395f4bfb0c005a8a25ec1
Opcode Fuzzy Hash: 293e12297da3742c5e205616da41769fdf90de1007a8faf1d79630f097305dcc
Instruction Fuzzy Hash: 3DF18A70D00259CFDB24DF64CD95BEEB7B4AF94304F1082DAD4497B291EB70AA84CBA0

Function 00FD34F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

GetLocaleInfoW.KERNEL32(?,00000002,010F42AC,00000000), ref: 00FD3561
GetLocaleInfoW.KERNEL32(?,00000002,00FD30E5,-00000001,00000078,-00000001), ref: 00FD359D

Strings

%d-%s, xrefs: 00FD35A7

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: InfoInit_thread_footerLocale$HeapProcess
String ID: %d-%s
API String ID: 1688948774-1781338863
Opcode ID: 8b2dbb0d0b2e3c6b341f10ba5fb85e611bb0895fb4ad42b2134394b8b1d75fce
Instruction ID: 54248b6b6273b41bb1d59cf7a1d83865d6a49b2643de0f3b797ca336cf87ce02
Opcode Fuzzy Hash: 8b2dbb0d0b2e3c6b341f10ba5fb85e611bb0895fb4ad42b2134394b8b1d75fce
Instruction Fuzzy Hash: 4C31AF71900205AFDB00EF99CC4ABAEFBB4FF04724F14416EF519AB281DB759900CB90

Function 00EA9AD0 Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00EA9C10
MultipleInstances, xrefs: 00EA9B12
ProductCode, xrefs: 00EA9D7E
OldProductCode, xrefs: 00EA9E11

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: 954faad1e6d03abdcff87093a6285ec546f2b5056fe8646f37bc521ecd238c97
Instruction ID: 98cdb093a75b8f6852992b3a2e53b0cd1b3a8ee24b267bc9fe7d888c167f0d24
Opcode Fuzzy Hash: 954faad1e6d03abdcff87093a6285ec546f2b5056fe8646f37bc521ecd238c97
Instruction Fuzzy Hash: 56C1E335A00201CFCB18DF68C8956BAB7B2FF8A318B55916DD9067F652E730BD41CBA0

Function 01059F12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,01059E57,0000001C,0105A04C,00000000,?,?,?,?,?,?,?,01059E57,00000004,0117BA58,0105A0DC), ref: 01059F23
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,01059E57,00000004,0117BA58,0105A0DC), ref: 01059F3E

Strings

D, xrefs: 01059F32

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: f1a6f8523153e8ab2c233b8a1e9a9815093820644229e2e3cd3727cfaad5d7ff
Instruction ID: b5dcee03514b56204a8aaa1f4670fec37376d5055c182f70f0d5b9035d7a8759
Opcode Fuzzy Hash: f1a6f8523153e8ab2c233b8a1e9a9815093820644229e2e3cd3727cfaad5d7ff
Instruction Fuzzy Hash: DA01DB72600109ABDB54DE69DC09BDE7BE9EFC4328F0DC264ED99DB245D638D901C780

Function 0105C3A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E9AD10: InitializeCriticalSectionAndSpinCount.KERNEL32(0117BED0,00000000,9F3ADAE5,00E80000,Function_00204C50,000000FF,?,0105C3D2,?,?,?,00E87726), ref: 00E9AD35
Part of subcall function 00E9AD10: GetLastError.KERNEL32(?,0105C3D2,?,?,?,00E87726), ref: 00E9AD3F

IsDebuggerPresent.KERNEL32(?,?,?,00E87726), ref: 0105C3D6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E87726), ref: 0105C3E5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0105C3E0

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 968088112004e5cc0ce524b4a2876ac8ffb98ecf458bcb80872d918861e22abe
Instruction ID: 5422fd13634b4cf75e46aa59d14caafa5984ffb53634a9ed9eb3188aed224e00
Opcode Fuzzy Hash: 968088112004e5cc0ce524b4a2876ac8ffb98ecf458bcb80872d918861e22abe
Instruction Fuzzy Hash: DFE06D706003118FE7B4AF2AD6483477BE8AF04708F108C6CD8C5D7642EBBAE1888B91

Function 00E87620 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 01056628
GetVersionExW.KERNEL32(?), ref: 01056673
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 01056687

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: 7972eb1c0dd6e58e410c3a658d45f94d11a09a60d87ba2b0affeb8b69d55866f
Instruction ID: 42d0720be2662100311dd96afb6e4de07ecfeb679e057160a5d6ea75e9fa95da
Opcode Fuzzy Hash: 7972eb1c0dd6e58e410c3a658d45f94d11a09a60d87ba2b0affeb8b69d55866f
Instruction Fuzzy Hash: C5610872A102244FF398CE2D8C952ABBBD6DBC9345F04463EE9D5C7280D679C549CBA0

Function 00EA00C0 Relevance: 4.6, APIs: 3, Instructions: 93COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00EA010E
GetWindowLongW.USER32(00000004,000000FC), ref: 00EA0127
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00EA0139

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e658d60758f80f370f9462edb02956427b017521b18eae51c401527cff579f26
Instruction ID: 148c18d578a24ccf5560f8b1f5b14a7f948f70d844da7e8f0eb111d65f97b02d
Opcode Fuzzy Hash: e658d60758f80f370f9462edb02956427b017521b18eae51c401527cff579f26
Instruction Fuzzy Hash: CF419AB0A05606EFDB14DF65C908B9AFBB8FF19314F104268E5649BB80D776F914CB90

Function 01061DF3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01061EEB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 01061EF5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 01061F02

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e80b5721ebcb29a9cdf2eece74b9800424607fa759cae39f19f80c8ebd104a7a
Instruction ID: 4e0f8c304716a292a2a502fdeb004cb4527642c8aa44cda419ae528925444667
Opcode Fuzzy Hash: e80b5721ebcb29a9cdf2eece74b9800424607fa759cae39f19f80c8ebd104a7a
Instruction Fuzzy Hash: 2031057090122DABCB61DF68D9887CDBBF8BF18310F1041EAE85CA7250E7709B858F44

Function 00E8A160 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,9F3ADAE5,00000001,00000000,?,00000000,01084A00,000000FF,?,00E8A10C,9F3ADAE5,?,?,*.*,?), ref: 00E8A18B
LockResource.KERNEL32(00000000,?,00E8A10C,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?,?,*.*), ref: 00E8A196
SizeofResource.KERNEL32(00000000,00000000,?,00E8A10C,9F3ADAE5,?,?,*.*,?,00000000,010850D0,000000FF,?,00E8A2B0,?,?), ref: 00E8A1A4

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 1bc9f9e9215b1f040def7fd483e40cd5c7f11ba51541137b1e2eded7991a55a8
Instruction ID: ea0cfc2379ea1d0ee1d8b1508ab68f23ba981be09ffeaf2358d58cdb0ee0cb50
Opcode Fuzzy Hash: 1bc9f9e9215b1f040def7fd483e40cd5c7f11ba51541137b1e2eded7991a55a8
Instruction Fuzzy Hash: 5211E776A04A549FD7349F69D848B66F7E8E788B24F04493BEC5ED3640E6359C008790

Function 00E98C40 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 00E98C59
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00E98C67
DestroyWindow.USER32(0000001B), ref: 00E98C93

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 3387b0cff5320622d632dd62e00257a20549a83bbbcac51dfb4eb04d547c1d9c
Instruction ID: 088ad0c31ddb65c22bc9ad4f852ae6db78a514e65b8c5bfd0e2fbad00e58e96c
Opcode Fuzzy Hash: 3387b0cff5320622d632dd62e00257a20549a83bbbcac51dfb4eb04d547c1d9c
Instruction Fuzzy Hash: F9F01D30009B159BDB709F28EE04B92BBF0BB05721F144B69F5BA926E4DB31A844DB14

Function 01002F40 Relevance: 4.1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

) AND ( , xrefs: 01003123
gfff, xrefs: 01003082
Show, xrefs: 010030CA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ) AND ( $Show$gfff
API String ID: 0-344708357
Opcode ID: 450ba20f34d1404d0b92fbb3bb061ae3ff21e7ece8a93289f65dc3df69905f48
Instruction ID: dd3076a684885fadd482bbd87d8eecfa6170d1b85caa7907011d15e92b77d4cb
Opcode Fuzzy Hash: 450ba20f34d1404d0b92fbb3bb061ae3ff21e7ece8a93289f65dc3df69905f48
Instruction Fuzzy Hash: 11D18C71901258CFEB26DF68C945BAEBBF1BF45304F1486DDD449BB281DB30AA84CB51

Function 0106CD70 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6623433adaf61770b287b3ddac49c5cfca5bdbedcea1cffde8d45c5c429c772b
Instruction ID: b252320c4c95feab12388878b96ba4808321151bc2db17d64d7bbdf5f031d310
Opcode Fuzzy Hash: 6623433adaf61770b287b3ddac49c5cfca5bdbedcea1cffde8d45c5c429c772b
Instruction Fuzzy Hash: CEF15071E002199FDF14CFA8C980AADBBF5FF88314F158269E995AB381D7319A41CB80

Function 00EB0C80 Relevance: 3.3, APIs: 2, Instructions: 258windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,00000001), ref: 00EB0DAB
SendMessageW.USER32(?,0000102B,?,-00000002), ref: 00EB0F95

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d15b48943cb57bf432be052b9f7fb2288a8763b697dde412428ce3181a45c277
Instruction ID: 108d9b95d0e9c111423f05c5e9a4bad4c1c01a17ceeb56a728614e1446c105c5
Opcode Fuzzy Hash: d15b48943cb57bf432be052b9f7fb2288a8763b697dde412428ce3181a45c277
Instruction Fuzzy Hash: 52B1AD71A00246AFDB28DF64C595BEBFBF5FB18304F149669E459EB281D730E940CB90

Function 00FACA20 Relevance: 3.1, APIs: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,9F3ADAE5,?,00000000), ref: 00FACA6B
GetLastError.KERNEL32(?,00000000), ref: 00FACA75

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 364dd0aff43d47ca8fd1b007f90f64ec74154f5d26f272acf44813bb987a701e
Instruction ID: e43e60add427e34bda134f600236152d57d7a19df2af800f335029be840b929f
Opcode Fuzzy Hash: 364dd0aff43d47ca8fd1b007f90f64ec74154f5d26f272acf44813bb987a701e
Instruction Fuzzy Hash: 6241D3B1E042099BEB14DF99C8067AEF7F4EF85724F14016EE809A7380D7B659008BD1

Function 00EF7760 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00EF77CF
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00EF77DD

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: dbcff92cc0172409cd1098d20827035dce95d0b4b6896131a854ffbf13be9154
Instruction ID: a86289287180f0eb9e5984733abaa0af878f9acd22e3157d2d7c8e41b95e5b8a
Opcode Fuzzy Hash: dbcff92cc0172409cd1098d20827035dce95d0b4b6896131a854ffbf13be9154
Instruction Fuzzy Hash: 93315C7190460AEFDB20EF69CA44B9AFBB4FB04324F14436AE964A77D0D771A950CBD0

Function 0105C37D Relevance: 3.0, APIs: 2, Instructions: 15timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0105C140,?,?,?,?,00FC3751), ref: 0105C396
GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,0105C140,?,?,?,?,00FC3751), ref: 0105C39A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 0e9f4a108e050f80b1d2ad7d167eb294efb12cb6d8303f64226694c0d9ff762a
Instruction ID: c3d55754af1ce89a43be74765267e59a719e1a5459fc39f7c6f5df221de4f80a
Opcode Fuzzy Hash: 0e9f4a108e050f80b1d2ad7d167eb294efb12cb6d8303f64226694c0d9ff762a
Instruction Fuzzy Hash: 2CD0223290223CE78F222F85F90489E7FACDB04F1030080A5EE864B304CBB62D008BD4

Function 00EBEF30 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00EBEF35
SetUnhandledExceptionFilter.KERNEL32(Function_001287F0), ref: 00EBEF4B

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: d0df861721635cf53bc721b17cc2b28f7b3897c2be514b6f6d487454cbfc717a
Instruction ID: f3fd3a8436c2f1bc743df43953245c9d50b78cabb62dfff7b8febe71d2af504d
Opcode Fuzzy Hash: d0df861721635cf53bc721b17cc2b28f7b3897c2be514b6f6d487454cbfc717a
Instruction Fuzzy Hash: AED012B0D483985AE7255310D80D7FB3BD02732748F0490A8D886153C6EBF9AD89D323

Function 00EFADA0 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00EFAF85, 00EFB172

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: b2e27ae3fefacd9cce80846074d79aa82a5ec7c51bf93b710aef1d68906dbd84
Instruction ID: 31b78a61ec3bbed036c264978894f166a0458db583b7d5aae584822774b78d13
Opcode Fuzzy Hash: b2e27ae3fefacd9cce80846074d79aa82a5ec7c51bf93b710aef1d68906dbd84
Instruction Fuzzy Hash: 4C12E4B1A002099FCB18DF68C990AAEF7F5FF58314F14826AE959EB351D731E941CB90

Function 00E96CD0 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E96E73

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 8cf73f0a64f2b89e4171884ef4b39477f30d8022b286c739bba73439ef968f0b
Instruction ID: 3433e8e39f18339d167a714b2c4dd021729b6ad219b0eb2b99f7c6733b4f2437
Opcode Fuzzy Hash: 8cf73f0a64f2b89e4171884ef4b39477f30d8022b286c739bba73439ef968f0b
Instruction Fuzzy Hash: 8B7107B1805B48CFE761CF78C94478ABBF0BB05324F148A5ED4A99B3D1D3B96648CB91

Function 00EA9430 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00EA7B87,?,?,?,?,?,?,?,?,00EA79F8,?,?), ref: 00EA9480

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: eea78ad3ebcfca07ef9310fa809bfb0bd3a439c916ab1d4e1c100d5f8ab9c1b1
Instruction ID: 945eddb10f88bad4031e2f28c491884ded707b695617996f9324a119aa3b39ea
Opcode Fuzzy Hash: eea78ad3ebcfca07ef9310fa809bfb0bd3a439c916ab1d4e1c100d5f8ab9c1b1
Instruction Fuzzy Hash: EFF0E230004041CEE3118F58C488A69BBB6FB4F30AF4485F2E068E9463C339AD45DF10

Function 01079B99 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788d67823a2499ab3140d19117937b67cfc6f7f6b38d51593c325a2219c2a60a
Instruction ID: 93c6ee3809f12fc1c6c480aaaa28f530e9f109f343669257d621598892725ba5
Opcode Fuzzy Hash: 788d67823a2499ab3140d19117937b67cfc6f7f6b38d51593c325a2219c2a60a
Instruction Fuzzy Hash: 6F322731E29F018DD7635539C822339A689AFB77D4F19C737F855B699AEB2AC1C34200

Function 0106572C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebe7221f3a9ab119aee5af3f5b4f0cb9adb203f8f08392a20224e6164ba3481
Instruction ID: 7d7204df722b241a8b9971a1071586cc8173f26be25185ab885af604cef9fe33
Opcode Fuzzy Hash: bebe7221f3a9ab119aee5af3f5b4f0cb9adb203f8f08392a20224e6164ba3481
Instruction Fuzzy Hash: 9CE1EE30A00706CFDB64CF6CC980AAEB7F9FF45394B24469DD5D6AB690D730A942CB61

Function 0106539E Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63235131e03926c7e742ca4a0d6e2d3dbb14ae9562d714eb5ec5ecdd35922b5a
Instruction ID: e0206e0e039bc195f33134cb08d0ae3e2fe37d13e664fcb1766319d103809e46
Opcode Fuzzy Hash: 63235131e03926c7e742ca4a0d6e2d3dbb14ae9562d714eb5ec5ecdd35922b5a
Instruction Fuzzy Hash: 7BC1F070A006468FDB65CF2CCC946BEBBFAAF09394F144699D5C6DB291CB31E845CB50

Function 00F47370 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76f3da595cbaf6843c63fea0304b4b5744bf47c59e6470d6244e254e9597a86
Instruction ID: 5c08366b2f13e3f6f94dd28361288b439acd6783d32161c453560b3ae8abf511
Opcode Fuzzy Hash: c76f3da595cbaf6843c63fea0304b4b5744bf47c59e6470d6244e254e9597a86
Instruction Fuzzy Hash: 8F4116B0905B49EED708CF69C10878AFBF0BF19318F20825DD4589B781D3BAA658CBD5

Function 00E9FF50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23579aa50c1098b5aec73c3ee8927e1233b19ff175d4659b891b4305044ec8a1
Instruction ID: 10dd68f809620e8499a94bf44eb8f3cab7b6ffa7e8b8ae97d4cb534a312a2196
Opcode Fuzzy Hash: 23579aa50c1098b5aec73c3ee8927e1233b19ff175d4659b891b4305044ec8a1
Instruction Fuzzy Hash: 6E31DEB0405B84CEE721CF29C658747BFF0BB15718F108A5DD5E64BB91C3BAA648CB91

Function 00E99360 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aff09ff712cdc78573487ecaa658e4e89f2e1578564389040c80d929f3cb731
Instruction ID: 4e88d60f45d78e53d16294392296567577019e646f23bc626647f76816934bfb
Opcode Fuzzy Hash: 7aff09ff712cdc78573487ecaa658e4e89f2e1578564389040c80d929f3cb731
Instruction Fuzzy Hash: 542158B0804748CFD710CF69C504B8ABBF4FB09314F1186AED495AB791E3B9AA44CB90

Function 00E99920 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f186ba9487109d871d8be3398457457b64a966bf9170c9b1d2f9f50a3dc4759
Instruction ID: e43b0123d001b25e12deb7d84fcd4c644393fa47f2122872b7341ca267209943
Opcode Fuzzy Hash: 8f186ba9487109d871d8be3398457457b64a966bf9170c9b1d2f9f50a3dc4759
Instruction Fuzzy Hash: 5D2158B0804748CFD710CF69C504B8ABBF4FB09314F1186AED4959B791E3B9AA44CF90

Function 00EB6FE0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95a8fb1453593a2c2d3067f9a96b96e6b51104f2014d96b2ca601776965486f
Instruction ID: 5291f8a1aa60cbde66cb5a83910f241de25f517a452dc3a7fd470e6c72bde77e
Opcode Fuzzy Hash: d95a8fb1453593a2c2d3067f9a96b96e6b51104f2014d96b2ca601776965486f
Instruction Fuzzy Hash: 88110CB1904608DFC744CF58D544B89BBF4FB09328F2086AEE8589B781D3769A06CF84

Function 01076E5B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b824795f760e6a63b81d8bbc81d6a7138fc9ecb087f79e948d105da4647eab6
Instruction ID: caf71b71a4ce49116dbf5c4f083bf5b9b06eeb804fedfcc3cd7c5d79c983004e
Opcode Fuzzy Hash: 2b824795f760e6a63b81d8bbc81d6a7138fc9ecb087f79e948d105da4647eab6
Instruction Fuzzy Hash: 73F0A932A10720EFDB26DA4CC814B89B3F8EF04B25F1144A6E182AB240C7B0EE00CBD4

Function 01076E9F Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction ID: c21bd0fbf5cc02446d691bba81552123f47afb4458210868da6a28113fcc9a9d
Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction Fuzzy Hash: CEE08C72D11638EBDB25DB9CC904D8AF7ECEB44B00B114996F642D3200C271DE00C7E4

Function 0106835A Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8798d3d87da054a76c0e42327399ad101a1c947b7d92e98e61ba31c4311bc826
Instruction ID: 1aebe4821ac87a275a50ff68130abb0e7439dd88aa0e870bbc71eca5a813d379
Opcode Fuzzy Hash: 8798d3d87da054a76c0e42327399ad101a1c947b7d92e98e61ba31c4311bc826
Instruction Fuzzy Hash: 8BC08C74000B508ADE2A8D18D2703AC3398A7927C2F8489CEC9838B662CA1EE8C2D615

Function 00FB2F90 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 414libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0118078C,9F3ADAE5,00000000), ref: 00FB3133
EnterCriticalSection.KERNEL32(0118078C,9F3ADAE5), ref: 00FB3148
GetCurrentProcess.KERNEL32 ref: 00FB3155
GetCurrentThread.KERNEL32 ref: 00FB3163
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00FB31FD
GetProcAddress.KERNEL32(00000000), ref: 00FB3204
__Init_thread_footer.LIBCMT ref: 00FB3218
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00FB344E
LeaveCriticalSection.KERNEL32(0118078C,?,00000000), ref: 00FB358C

Strings

SymFromAddr, xrefs: 00FB31F3
MODULE_BASE_ADDRESS, xrefs: 00FB349B
v, xrefs: 00FB358C
<--------------------MORE--FRAMES-------------------->, xrefs: 00FB33EB
Dbghelp.dll, xrefs: 00FB31F8
*** Stack Trace (x86) ***, xrefs: 00FB3324
[0x%.8Ix] , xrefs: 00FB2D47, 00FB3455

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 1326996155-981128330
Opcode ID: 90e8d92cffe41d177dc85c64c0e20dc4544f4a4093ea2db7f821ad3ac2aee9d6
Instruction ID: acd5204e5d64643f76fdfdf9528365023cd85599fdd6d431500115aa82f9777c
Opcode Fuzzy Hash: 90e8d92cffe41d177dc85c64c0e20dc4544f4a4093ea2db7f821ad3ac2aee9d6
Instruction Fuzzy Hash: F2F100719002589FDB28EF64CC88BEEBBB4EF54314F1442E9E859A7280DB749B84DF50

Function 00FB30C0 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 296libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0118078C,9F3ADAE5,00000000), ref: 00FB3133
EnterCriticalSection.KERNEL32(0118078C,9F3ADAE5), ref: 00FB3148
GetCurrentProcess.KERNEL32 ref: 00FB3155
GetCurrentThread.KERNEL32 ref: 00FB3163
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00FB31FD
GetProcAddress.KERNEL32(00000000), ref: 00FB3204
__Init_thread_footer.LIBCMT ref: 00FB3218
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00FB344E
LeaveCriticalSection.KERNEL32(0118078C,?,00000000), ref: 00FB358C

Strings

SymFromAddr, xrefs: 00FB31F3
MODULE_BASE_ADDRESS, xrefs: 00FB349B
v, xrefs: 00FB358C
<--------------------MORE--FRAMES-------------------->, xrefs: 00FB33EB
Dbghelp.dll, xrefs: 00FB31F8
*** Stack Trace (x86) ***, xrefs: 00FB3324
[0x%.8Ix] , xrefs: 00FB3455

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
String ID: *** Stack Trace (x86) ***$ v$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 1326996155-981128330
Opcode ID: 589c38626102dc3f2a3bea816515f5d2b4894dc30e2d83418945c5f09a85357a
Instruction ID: 77ffe857643f8c4aa4620ea5fc87c3c21e6c9f927cbc6c2388a7699c7caee3a2
Opcode Fuzzy Hash: 589c38626102dc3f2a3bea816515f5d2b4894dc30e2d83418945c5f09a85357a
Instruction Fuzzy Hash: 28D1CB31C406689FDB25DF64CC88BEEBBB4AF14705F0442DAE949A7281DB746B84DF50

Function 00FB57E0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000001F6), ref: 00FB582E
GetDlgItem.USER32(?,000001F8), ref: 00FB583B
GetDlgItem.USER32(?,000001F7), ref: 00FB587D
SetWindowTextW.USER32(00000000,?), ref: 00FB588C
ShowWindow.USER32(?,00000005), ref: 00FB58F2
GetDlgItem.USER32(?,000001F7), ref: 00FB5914
SetWindowTextW.USER32(00000000,?), ref: 00FB5923
ShowWindow.USER32(?,00000000), ref: 00FB5988
ShowWindow.USER32(?,00000000), ref: 00FB598F
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00FB59D8
GetDlgItem.USER32(?,00000000), ref: 00FB5A0A
IsWindow.USER32(00000000), ref: 00FB5A14
IsRectEmpty.USER32(?), ref: 00FB5A31
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,00000000,?,?,00000616), ref: 00FB5A61

Strings

Details <<, xrefs: 00FB5864
Details >>, xrefs: 00FB58FB

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: 4f8082a426435eb390c74a3160e1f5b428f95e3678a4701c52e9ea419ecfe269
Instruction ID: 785f3adaee1487dd476f7ad4fc60b7133f1e41341517bfebf3a4781f0c89acf2
Opcode Fuzzy Hash: 4f8082a426435eb390c74a3160e1f5b428f95e3678a4701c52e9ea419ecfe269
Instruction Fuzzy Hash: 4791DF71D00609AFDF149F69DC89BEEBBB5EF08710F108219E911B7690D778A880CF90

Function 00E98CA0 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460stringCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507,9F3ADAE5), ref: 00E98D2E
IsWindow.USER32(?), ref: 00E98D40
GetParent.USER32(?), ref: 00E98D81
GetClassNameW.USER32(00000000,?,00000008), ref: 00E98D8E
lstrcmpW.KERNEL32(?,#32770), ref: 00E98DA1
GetSysColor.USER32(00000005), ref: 00E98DB6

Strings

#32770, xrefs: 00E98D98

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClassColorNameParentRedrawlstrcmp
String ID: #32770
API String ID: 4237080057-463685578
Opcode ID: b2892b52a35a6081d1fe89d9fb9f3fcc5483eb515dbc0f685a6894abe11a6709
Instruction ID: 810509f1967a95bf243bcdeee92a026e119115f5b200c58083cbc0378a5b24b5
Opcode Fuzzy Hash: b2892b52a35a6081d1fe89d9fb9f3fcc5483eb515dbc0f685a6894abe11a6709
Instruction Fuzzy Hash: 35027B70A04209EFDF24CFA8C948BAEBBF5BF49314F14555CE455BB2A1DB76A940CB20

Function 00E96B00 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 119registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0118297C,9F3ADAE5,00000000,?,?,?,?,?,?,.c,0108826D,000000FF), ref: 00E96B3D
GetClassInfoExW.USER32 ref: 00E96B81
LoadCursorW.USER32(00000000,00007F00), ref: 00E96BB8
RegisterClassExW.USER32(00000030), ref: 00E96BE1
GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 00E96C2A
LoadCursorW.USER32(00000000,00007F00), ref: 00E96C5E
RegisterClassExW.USER32(00000030), ref: 00E96C7F
LeaveCriticalSection.KERNEL32(0118297C), ref: 00E96CB3

Strings

.c, xrefs: 00E96B10
WM_ATLGETHOST, xrefs: 00E96B49
v, xrefs: 00E96CB3
0, xrefs: 00E96C43
WM_ATLGETCONTROL, xrefs: 00E96B54
AtlAxWin140, xrefs: 00E96B6F, 00E96BD3
AtlAxWinLic140, xrefs: 00E96C1F, 00E96C75

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Class$CriticalCursorInfoLoadRegisterSection$EnterLeave
String ID: v$.c$0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 927868316-455796968
Opcode ID: a5a3e618b1bc5dc5d24fd28e548313e03720baa1d5610eae7197839a696b84d9
Instruction ID: eaa271d5e5c53695233e2fc2913ad1e2b433d3e4377e92ff988ff57da2c25da7
Opcode Fuzzy Hash: a5a3e618b1bc5dc5d24fd28e548313e03720baa1d5610eae7197839a696b84d9
Instruction Fuzzy Hash: 4D5155B0C04229AFDB15DFA5D849BDEBBF8FB08714F10012AE554B7384EBB55A448FA4

Function 00EB7C10 Relevance: 25.7, APIs: 17, Instructions: 178windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,9F3ADAE5,?), ref: 00EB7C60
SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00EB7C77
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00EB7C85
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00EB7C9F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EB7CB7
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00EB7CE8
CreateRectRgn.GDI32(?,?,?,?), ref: 00EB7D22
DeleteObject.GDI32(00000000), ref: 00EB7D39
GetClientRect.USER32(?,?), ref: 00EB7D55
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00EB7D80
CreateRectRgn.GDI32(?,?,?,?), ref: 00EB7D9D
SelectClipRgn.GDI32(00000000,00000000), ref: 00EB7DB4
GetParent.USER32(?), ref: 00EB7DC4
SendMessageW.USER32(00000000,00000136,?,?), ref: 00EB7DD5
DeleteObject.GDI32(00000000), ref: 00EB7DEB
DeleteObject.GDI32(?), ref: 00EB7DF0
EndPaint.USER32(?,?), ref: 00EB7DFF

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageRectSend$Create$DeleteObject$Paint$BeginClientClipParentSelect
String ID:
API String ID: 3183909887-0
Opcode ID: f25dc4071336b79145d021e71a42e7c035e20cbb774f1d5c5e00be9eb33d790b
Instruction ID: af69c047398837e2aff77d1f79664415e104389e1d0df18c4333847872accf12
Opcode Fuzzy Hash: f25dc4071336b79145d021e71a42e7c035e20cbb774f1d5c5e00be9eb33d790b
Instruction Fuzzy Hash: 61613B72908218AFDB259FE4DD49FEEBBB9FF48710F100129FA15AB294D7706980CB54

Function 00EB64A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 229windowtimeCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,9F3ADAE5), ref: 00EB6528

Part of subcall function 00E983A0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00E983D6

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00EB662B
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00EB663F
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00EB6654
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00EB6669
GetWindowTextLengthW.USER32(?), ref: 00EB6670
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00EB6680
ClientToScreen.USER32(?,?), ref: 00EB66A0
GetWindowRect.USER32(?,?), ref: 00EB66B2
PtInRect.USER32(?,?,?), ref: 00EB66C2
SendMessageW.USER32(00000000,00000412,00000000), ref: 00EB6714
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00EB6724
SetTimer.USER32(?,?,00001388,00000000), ref: 00EB673B

Strings

tooltips_class32, xrefs: 00EB6522

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Rect$ClientCreateLengthLongScreenTextTimer
String ID: tooltips_class32
API String ID: 3976673834-1918224756
Opcode ID: c503c823945d5e5aaa9723d0ba7a80bdb0b6eee835f3f18366285dc73ba9557d
Instruction ID: 69b3cfca1a06291207ec7fe6302a9f1e20afc486fd70f4933fc397de4111f503
Opcode Fuzzy Hash: c503c823945d5e5aaa9723d0ba7a80bdb0b6eee835f3f18366285dc73ba9557d
Instruction Fuzzy Hash: F89131B1A00208AFDB24CFA4CD95FEEBBF9FB08700F10452AF556EA294D774A904CB50

Function 00FB54D0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FACBB0: LoadLibraryW.KERNEL32(ComCtl32.dll,9F3ADAE5,?,?,00000000), ref: 00FACBEE
Part of subcall function 00FACBB0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FACC11
Part of subcall function 00FACBB0: FreeLibrary.KERNEL32(00000000), ref: 00FACC8F

GetDlgItem.USER32(?,000001F4), ref: 00FB5511
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00FB5522
GetDC.USER32(00000000), ref: 00FB552A
GetDeviceCaps.GDI32(00000000), ref: 00FB5531
MulDiv.KERNEL32(00000009,00000000), ref: 00FB553A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 00FB5563
GetDlgItem.USER32(?,000001F6), ref: 00FB5574
IsWindow.USER32(00000000), ref: 00FB557D
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00FB5594
GetDlgItem.USER32(?,000001F8), ref: 00FB559E
GetWindowRect.USER32(?,?), ref: 00FB55AF
GetWindowRect.USER32(?,?), ref: 00FB55C2
GetWindowRect.USER32(00000000,?), ref: 00FB55D2

Strings

Courier New, xrefs: 00FB5540

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: f98aa83f6c63b7b0425b2a37427e45b79cb2aa38d48e2ec09a4219377cbde6c0
Instruction ID: 841038615ecf3c56137840ae0f742aabc3e3a389d497aa93c79c291eb4dfacf1
Opcode Fuzzy Hash: f98aa83f6c63b7b0425b2a37427e45b79cb2aa38d48e2ec09a4219377cbde6c0
Instruction Fuzzy Hash: C841C871BC43087BEB24AF21DD46FAE77A9AF58B04F01012DFB057A1C1DAB4A8408B59

Function 00FA5160 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 390libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,9F3ADAE5,?,00000000), ref: 00FA51F1
GetLastError.KERNEL32 ref: 00FA521F

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00FA5235
FreeLibrary.KERNEL32(00000000), ref: 00FA524E
GetLastError.KERNEL32 ref: 00FA525B
GetLastError.KERNEL32 ref: 00FA5449
GetLastError.KERNEL32 ref: 00FA54AE

Strings

ConvertStringSidToSidW, xrefs: 00FA522F
Advapi32.dll, xrefs: 00FA51EC

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: 0732573149c01f787e7747820f58b010fa686c2715e5fc567273b6fcac8efb64
Instruction ID: e0a0bd4ab679c30ee6fb42eb49a12107ac08b4937225f9962c280e7062be6cbf
Opcode Fuzzy Hash: 0732573149c01f787e7747820f58b010fa686c2715e5fc567273b6fcac8efb64
Instruction Fuzzy Hash: E9F198F1C0160AEFDB10CF90C944BEEBBB5BF19724F244219E915B7280E774AA45DBA1

Function 00E96F60 Relevance: 22.6, APIs: 15, Instructions: 139windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00E96F86
GetClientRect.USER32(?,?), ref: 00E96F9E
FillRect.USER32(00000000,?,00000000), ref: 00E96FBD
DeleteObject.GDI32(00000000), ref: 00E96FC4
EndPaint.USER32(?,?), ref: 00E96FD2
BeginPaint.USER32(?,?), ref: 00E97007
GetClientRect.USER32(?,?), ref: 00E9701F
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E97038
CreateCompatibleDC.GDI32(00000000), ref: 00E97045
SelectObject.GDI32(00000000,00000000), ref: 00E97057
FillRect.USER32(00000000,?,00000000), ref: 00E97080
DeleteObject.GDI32(?), ref: 00E9708A
BitBlt.GDI32(00000000,00000000,00000000,00000008,00000008,00000000,00000000,00000000,00CC0020), ref: 00E970C7
SelectObject.GDI32(00000000,?), ref: 00E970D2
DeleteDC.GDI32(00000000), ref: 00E970D9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ObjectRect$DeletePaint$BeginClientCompatibleCreateFillSelect$Bitmap
String ID:
API String ID: 939394624-0
Opcode ID: 29736b8546f3a8fdcfb168eda12b6e744446adddc9cdba032cee4490d1e26a72
Instruction ID: 082ca029ef41b4a1d387538137060849e9749dbcb1d47f77599cb79aacf030ae
Opcode Fuzzy Hash: 29736b8546f3a8fdcfb168eda12b6e744446adddc9cdba032cee4490d1e26a72
Instruction Fuzzy Hash: D4418F72208305AFD7259F64DC88F6BBBF8EF88705F004939F666D2290DB70E8458B25

Function 00FC72F0 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 439COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,9F3ADAE5), ref: 00FC7359
IsWow64Process.KERNEL32(00000000), ref: 00FC7360

Part of subcall function 00FA9180: _wcsrchr.LIBVCRUNTIME ref: 00FA91B9

_wcsrchr.LIBVCRUNTIME ref: 00FC73E1
_wcsrchr.LIBVCRUNTIME ref: 00FC7477

Strings

/fvomus //, xrefs: 00FC752A, 00FC757F, 00FC7580
"%s" , xrefs: 00FC761D
%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s", xrefs: 00FC76AF
/p //, xrefs: 00FC7521
.x64, xrefs: 00FC73C2
TRANSFORMS=":%d", xrefs: 00FC74D0
/i //, xrefs: 00FC752F
EXE_CMD_LINE="%s ", xrefs: 00FC7702

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: _wcsrchr$Process$CurrentWow64
String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
API String ID: 657290924-2074823060
Opcode ID: 049b33a6445ef355aa04151844f90859b01025ba118e088e89cb4458007b708e
Instruction ID: f29fca4b919cc0b62871c091da515fc7e2dcda705a2d0d17f73eeda26eeb5949
Opcode Fuzzy Hash: 049b33a6445ef355aa04151844f90859b01025ba118e088e89cb4458007b708e
Instruction Fuzzy Hash: B1F1D331A0070A9FDB14EFA8C945BAEB7E4BF45320F18866DE815AB2D1DB749D00DF91

Function 00EBC690 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 358libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00EBC7B8
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00EBC7D1
GetProcAddress.KERNEL32(00000043,ShutdownEmbeddedUI), ref: 00EBC7DD
GetProcAddress.KERNEL32(00000043,EmbeddedUIHandler), ref: 00EBC7EA

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Strings

20.8, xrefs: 00EBC8CA
a905d1b0, xrefs: 00EBC8EE
build , xrefs: 00EBC8DF
InitializeEmbeddedUI, xrefs: 00EBC7CB
EmbeddedUIHandler, xrefs: 00EBC7DF
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 00EBC719
INAN, xrefs: 00EBC6C5
ShutdownEmbeddedUI, xrefs: 00EBC7D3

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HeapInit_thread_footer$AllocateLibraryLoadProcess
String ID: build $20.8$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$a905d1b0
API String ID: 2564778481-3114431724
Opcode ID: bb34cac2fd980da4eb4b5a9d5b293081edff645e52ffb9ea4ad62824d1ef2f0e
Instruction ID: d248f404bd0a4eab41119637521aad660b0af0e0728fba3065e084c2239b5013
Opcode Fuzzy Hash: bb34cac2fd980da4eb4b5a9d5b293081edff645e52ffb9ea4ad62824d1ef2f0e
Instruction Fuzzy Hash: 73D1A1719002099FDB04DFA4C845BEEBBF4FF08314F14462EE955BB691EB74AA44CB90

Function 00FE9300 Relevance: 21.3, APIs: 14, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0766ef31ca31863d73831921484f02fa9cdc03105d3883adb7b6f5d162463ec
Instruction ID: e0244c42d7f3c554aaf14f31f54c318db5bec3a1c49712ea5aaa336943315317
Opcode Fuzzy Hash: f0766ef31ca31863d73831921484f02fa9cdc03105d3883adb7b6f5d162463ec
Instruction Fuzzy Hash: 09A14671A08245ABDB20EF65DC85FAEB7B8EF44320F14416AF905AB2D1DBB4D800DB70

Function 00E8EED0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 233libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory), ref: 00E8EEDE
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00E8EEE4
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?), ref: 00E8EF17
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00E8EF1D
LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,010F42AC,00000000,00000000,00000000), ref: 00E8F03D
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00E8F086

Strings

CoIncrementMTAUsage, xrefs: 00E8EF0D
RoGetActivationFactory, xrefs: 00E8EED4
DllGetActivationFactory, xrefs: 00E8F080
.dll, xrefs: 00E8F024
combase.dll, xrefs: 00E8EED9, 00E8EF12

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: 141a4d5a29c3f359a06583a8665f7a15f42152837253a1f664ac45311a611c8b
Instruction ID: b54bcb7adf8951945f7410eddfa8da9c24177769a2c11eae46b6b9b0f9c0aab8
Opcode Fuzzy Hash: 141a4d5a29c3f359a06583a8665f7a15f42152837253a1f664ac45311a611c8b
Instruction Fuzzy Hash: 6F91A131E00209EFDF14EFA8C895BEEB7B1EF58308F245128E559B7291EB749A44CB50

Function 00FDD330 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0117D68C,9F3ADAE5,?,00000010), ref: 00FDD36C

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

EnterCriticalSection.KERNEL32(00000010,9F3ADAE5,?,00000010), ref: 00FDD379
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00FDD3AB
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00FDD3B4
WriteFile.KERNEL32(00000000,00FD3167,D68CB9EC,010D28CD,00000000,010F427C,00000001,?,?,000000FF,00000000), ref: 00FDD436
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 00FDD43F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FDD475
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FDD47E
WriteFile.KERNEL32(00000000,?,?,?,00000000,010F7104,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FDD4DF
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FDD4E8
LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 00FDD518

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Strings

v, xrefs: 00FDD518

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
String ID: v
API String ID: 201293332-3261393531
Opcode ID: 3cbec5b6f4c215501de0d4f87c6f50a2be9cef50d192cfe3ad3acab4ef9d9648
Instruction ID: d1a5ede4b8bb67fcac238ce1092ded67709df8703cfbddbe785eaa9a252af846
Opcode Fuzzy Hash: 3cbec5b6f4c215501de0d4f87c6f50a2be9cef50d192cfe3ad3acab4ef9d9648
Instruction Fuzzy Hash: 2261EF31901604AFEB10DF69CC49BA9BBB5FF05324F088169F855AB3A1D775AC04DBA0

Function 00EB50A0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124windowstringCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,0000005C,?), ref: 00EB50E4
SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00EB5115
lstrcpynW.KERNEL32(?,?,00000020), ref: 00EB518B
GetDC.USER32(?), ref: 00EB51AE
GetDeviceCaps.GDI32(00000000), ref: 00EB51B5
MulDiv.KERNEL32(?,00000048,00000000), ref: 00EB51C8
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00EB51FA
GetObjectW.GDI32(00000000,0000005C,?), ref: 00EB5220
DeleteObject.GDI32(?), ref: 00EB5236
CreateFontIndirectW.GDI32(?), ref: 00EB5252

Strings

t, xrefs: 00EB51D6
?, xrefs: 00EB51CE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Object$MessageSend$CapsCreateDeleteDeviceFontIndirectlstrcpyn
String ID: ?$t
API String ID: 498247171-1995845436
Opcode ID: acbff07f388866c45f65e5ab6eba2a6b319b0f76c58e958afe3949567684446d
Instruction ID: 606672e6f0d5bd8ca1f946c4e487234bfb72d4394dbe990540e6fe84dcef3435
Opcode Fuzzy Hash: acbff07f388866c45f65e5ab6eba2a6b319b0f76c58e958afe3949567684446d
Instruction Fuzzy Hash: 33517DB1908740AFE731DF64D849F9BBBE8FB48704F00492EF69AD6291D774A508CB52

Function 00EFD200 Relevance: 19.7, APIs: 13, Instructions: 171COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00EFD247
GetParent.USER32(00000000), ref: 00EFD25A
GetWindow.USER32(00000000,00000004), ref: 00EFD26A
GetWindowRect.USER32(00000000,?), ref: 00EFD27B
GetWindowLongW.USER32(00000000,000000F0), ref: 00EFD28E
MonitorFromWindow.USER32(00000000,00000002), ref: 00EFD2A6
GetMonitorInfoW.USER32(00000000,00000000), ref: 00EFD2BC
GetWindowRect.USER32(00000000,?), ref: 00EFD2E2
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00EFD39F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: fa1d7d41633018a7a18e896323df4adf6a71beb969d5c0854f8f8c5a434cbc1c
Instruction ID: 18301f3f46f6d42fd43dcdc1e25c4fff20f2acec93da857cecb15828dbdbc3e0
Opcode Fuzzy Hash: fa1d7d41633018a7a18e896323df4adf6a71beb969d5c0854f8f8c5a434cbc1c
Instruction Fuzzy Hash: 58515172D081199FDB24CFA8CD49AEEBBB5FB48710F255229E915F3294DB30AD40CB94

Function 00FB7F50 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 410libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4090: GetSystemDefaultLangID.KERNEL32(9F3ADAE5,0000004C,?,00000048,?), ref: 00FD40C6

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00FB80B3
GetProcAddress.KERNEL32(00000000), ref: 00FB80BA
__Init_thread_footer.LIBCMT ref: 00FB80D1
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00FB80F0

Strings

Wrong OS or Os language for:, xrefs: 00FB841B
An acceptable version was found., xrefs: 00FB83A3, 00FB83A4
kernel32, xrefs: 00FB80AE
IsWow64Process2, xrefs: 00FB80A9
Undefined, xrefs: 00FB838A
Search result:, xrefs: 00FB8329
Searching for:, xrefs: 00FB81A9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressCurrentDefaultHandleInit_thread_footerLangModuleProcProcessSystem
String ID: An acceptable version was found.$IsWow64Process2$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 52476621-1658165007
Opcode ID: 5a26469e6de0b6c3dbc00bd2f8fd237303e508ae13116d6574bc4a9ed8becae7
Instruction ID: 7fd50b390e6b07dae9123da9df229467519b5596c6bf7955a873bc6f1aff546a
Opcode Fuzzy Hash: 5a26469e6de0b6c3dbc00bd2f8fd237303e508ae13116d6574bc4a9ed8becae7
Instruction Fuzzy Hash: E6F1D070A00605CFDB24DFA9C884BDEB7F9BF84360F14425DE426AB291DB74A946DF40

Function 00EA12D0 Relevance: 18.3, APIs: 12, Instructions: 337windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EA1324
GetWindowRect.USER32(?,?), ref: 00EA1403
GetClientRect.USER32(?,?), ref: 00EA1415
GetWindowDC.USER32(?), ref: 00EA1427
CreateCompatibleDC.GDI32(00000000), ref: 00EA1454
CreateCompatibleBitmap.GDI32(00000000), ref: 00EA1496
SelectObject.GDI32(00000000,00000000), ref: 00EA14A5

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: RectWindow$CompatibleCreate$BitmapClientObjectSelect
String ID:
API String ID: 2032541772-0
Opcode ID: 1e1cab703053d4b455fb38b0bfcda259c664149b4f8fb9b5ef6e5a07b2253c59
Instruction ID: 82f266a7afc3b5228fe84563949c9f73328fbb1f70240b79504d4a4ab18d4821
Opcode Fuzzy Hash: 1e1cab703053d4b455fb38b0bfcda259c664149b4f8fb9b5ef6e5a07b2253c59
Instruction Fuzzy Hash: 8BE13771D04718EFDB21DFA8C948B9EBBF8EF49704F1442A9E859A7241E7706A84CF50

Function 00E99BD0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 157registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0118297C,9F3ADAE5,00000001,01182998), ref: 00E99C43
GetClassInfoExW.USER32(00000000,?,?), ref: 00E99C83
GetClassInfoExW.USER32(?,00000030), ref: 00E99C96
LeaveCriticalSection.KERNEL32(0118297C), ref: 00E99CA8
LoadCursorW.USER32(00E80000,?), ref: 00E99D04
GetClassInfoExW.USER32(?,?,?), ref: 00E99D59
RegisterClassExW.USER32(?), ref: 00E99D6C
LeaveCriticalSection.KERNEL32(0118297C), ref: 00E99D9B

Strings

ATL:%p, xrefs: 00E99D24
v, xrefs: 00E99CA8, 00E99D9B

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: v$ATL:%p
API String ID: 269841140-109518622
Opcode ID: 9caa520500b3cad562c796b04151dbc30aab5c1149615e68922e7258e1c6108a
Instruction ID: 1999e2752b70441f82336b781062d234fa1b2f47017d685bbf56fd9f69ab5287
Opcode Fuzzy Hash: 9caa520500b3cad562c796b04151dbc30aab5c1149615e68922e7258e1c6108a
Instruction Fuzzy Hash: 9051BA70D04B448BDB21CF69C944AAAFBF4FF18724F00961DE896A7741EB70B980CB90

Function 00FBF0E0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3D40: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00FBF141,?,9F3ADAE5,?,?), ref: 00FB3D5B
Part of subcall function 00FB3D40: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00FB3D71
Part of subcall function 00FB3D40: FreeLibrary.KERNEL32(00000000), ref: 00FB3DAA

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,9F3ADAE5,?,?), ref: 00FBF320

Strings

AppDataFolder, xrefs: 00FBF288, 00FBF2C5
PROGRAMFILES, xrefs: 00FBF2FD
APPDATA, xrefs: 00FBF317, 00FBF31F
Shell32.dll, xrefs: 00FBF163
ProgramFiles, xrefs: 00FBF220, 00FBF235, 00FBF23D
AI_BOOTSTRAPPERLANGS, xrefs: 00FBF3F2, 00FBF43A
ProgramFilesFolder, xrefs: 00FBF1A7
Shlwapi.dll, xrefs: 00FBF137

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressEnvironmentFreeLoadProcVariable
String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
API String ID: 788177547-1020860216
Opcode ID: 36f81577c8deb25ba26047c5eae2859fb2df4eb5f6e6dc929a5d6a15f4ffdf30
Instruction ID: 767487be09e28fe4072f7e0ebb56a49c018b5d15db45586f4b5d38e97479d80f
Opcode Fuzzy Hash: 36f81577c8deb25ba26047c5eae2859fb2df4eb5f6e6dc929a5d6a15f4ffdf30
Instruction Fuzzy Hash: 86910375A012059BDB18DF2ACC447EAB3B5FF24324F148AB9E80697284E731DD49DF80

Function 00E8D3E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 157processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8D4E8
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8D4F2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8D501
GetExitCodeProcess.KERNEL32(?,?), ref: 00E8D51E
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8D528
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8D535
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8D53F

Strings

D, xrefs: 00E8D410
"%s" %s, xrefs: 00E8D470

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastProcess$Init_thread_footer$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s$D
API String ID: 2023784982-3971972636
Opcode ID: 8c461787645e833fa5722ac94c67b2186f430aa813ae9c528626e613184d515d
Instruction ID: 69ebec6a504bcaebda7487d68bdc3d8f4ceb6a6a2d3b7e1995860a84209f78b1
Opcode Fuzzy Hash: 8c461787645e833fa5722ac94c67b2186f430aa813ae9c528626e613184d515d
Instruction Fuzzy Hash: 7A51E271904205DFDB20EF65CC04BAAB7B5FF84728F24462AE92DBB2D0D774A941CB91

Function 00F890C0 Relevance: 15.2, APIs: 10, Instructions: 200windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,9F3ADAE5,?), ref: 00F89123
CallWindowProcW.USER32(?,?,?,?,?), ref: 00F89146
SelectObject.GDI32(00000000,?), ref: 00F891C4
SetBkMode.GDI32(00000000,00000001), ref: 00F891D2
SetTextColor.GDI32(00000000), ref: 00F89217
GetWindowLongW.USER32(00000000), ref: 00F8922C
SendMessageW.USER32(00000000), ref: 00F8924B
DrawTextW.USER32(00000000,00000010,?,?,00000010), ref: 00F892B5
SelectObject.GDI32(00000000,?), ref: 00F892C1
EndPaint.USER32(?,?), ref: 00F892D2

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ObjectPaintSelectTextWindow$BeginCallColorDrawLongMessageModeProcSend
String ID:
API String ID: 1755490345-0
Opcode ID: 0da2fb7a4a4890eaec2c8a4ea053c34ccbac81cf6ef4d71bde919b67376afcc1
Instruction ID: f01591cf49427c247e69ddb560060ffda9bbfb96440ea4108fdbb16623e83f2a
Opcode Fuzzy Hash: 0da2fb7a4a4890eaec2c8a4ea053c34ccbac81cf6ef4d71bde919b67376afcc1
Instruction Fuzzy Hash: 6E818C71A04609AFDB14DFE4CC48FADBBB5FF48310F108269F925AB2A5C7719851DB50

Function 00FB5310 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00FB5321
DeleteObject.GDI32(?), ref: 00FB5379
EndDialog.USER32(?,00000000), ref: 00FB53F9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DeleteDialogLongObjectWindow
String ID:
API String ID: 1328495006-0
Opcode ID: 69c0b1b0d9d6240a2c26fbaf2a92693956dc506faa7e57f84ab8317310b8899c
Instruction ID: 6c949a655ae4fdcd595fbfd26c19ef728e150898ee83375846bb097d1d5279da
Opcode Fuzzy Hash: 69c0b1b0d9d6240a2c26fbaf2a92693956dc506faa7e57f84ab8317310b8899c
Instruction Fuzzy Hash: 54413B36B0461857C7349D3EAC58BBB37A8D785B31F00472AFD21C33D0C7A99891AAA1

Function 00F3E220 Relevance: 15.1, APIs: 10, Instructions: 127windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F3E29A
GetWindowRect.USER32(?,?), ref: 00F3E2B2
GetWindowRect.USER32(?,?), ref: 00F3E2CA
IntersectRect.USER32(?,?,?), ref: 00F3E2E7
EqualRect.USER32(?,?), ref: 00F3E2F7
GetSysColorBrush.USER32(0000000F), ref: 00F3E30D
GetWindowRect.USER32(?,?), ref: 00F3E336
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3E34B
GetWindowLongW.USER32(?,000000EC), ref: 00F3E35A
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00F3E378

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$Brush$ColorEqualIntersectLongPointsVisible
String ID:
API String ID: 2158939716-0
Opcode ID: 0f2af6f55c9255302d82cf1e1c25d9c054a8d0e6e396cff74779e2f92d13c171
Instruction ID: 656997c4e72f8700b667eb99393ca8008d8b568087cb78d87c3e354e90e377ba
Opcode Fuzzy Hash: 0f2af6f55c9255302d82cf1e1c25d9c054a8d0e6e396cff74779e2f92d13c171
Instruction Fuzzy Hash: DE414C32A083059FC720DF25D984A6BB7F8FF99714F05462EF99997240E730EA858B52

Function 00E9A7F0 Relevance: 15.1, APIs: 10, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00E9A831
GetClientRect.USER32(?,?), ref: 00E9A858
CreateCompatibleDC.GDI32(?), ref: 00E9A868
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E9A889
DeleteDC.GDI32(00000000), ref: 00E9A896
FillRect.USER32(?,?,00000006), ref: 00E9A8DA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CompatibleCreateRect$BitmapClientDeleteFill
String ID:
API String ID: 1262984673-0
Opcode ID: 3bd52a7e31459bf475eae2bf6d6d97279e305e051d8b8b96c95b6b2f983c7e07
Instruction ID: 78bf13f48978295976155e69ad1781f7671e75cad5089c69b5bb300de29bba93
Opcode Fuzzy Hash: 3bd52a7e31459bf475eae2bf6d6d97279e305e051d8b8b96c95b6b2f983c7e07
Instruction Fuzzy Hash: 66318F715082059FD729AF28D84CA2BBBF8BF98344F14087DF88696255D7319885CBA6

Function 01067837 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 01067C0F

Strings

p, xrefs: 01067996
f, xrefs: 0106798F
:, xrefs: 01067902
p, xrefs: 01067934
p, xrefs: 01067950
f, xrefs: 01067949
f, xrefs: 0106792D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: d8ac13847552a6fc48fd0957eec8a7d6b604565085de0e232cf7ebe8523fce5e
Instruction ID: 94b938246b0f9ee0951e9af3170948fb323816c787b96547ca7667e1d8789fd7
Opcode Fuzzy Hash: d8ac13847552a6fc48fd0957eec8a7d6b604565085de0e232cf7ebe8523fce5e
Instruction Fuzzy Hash: 6302B33A900108DADF24DFA8D8446EEBBBEFF50B2CFA84545D6957B281D3308E84CB55

Function 00FD31E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 148libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00FD321C
GetUserDefaultLangID.KERNEL32 ref: 00FD3229
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00FD323B
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00FD324F
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00FD3264

Strings

kernel32.dll, xrefs: 00FD3232
GetUserDefaultUILanguage, xrefs: 00FD325E
GetSystemDefaultUILanguage, xrefs: 00FD3249

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: 2b1efadd0c18d352a741fd5c2eff11af0d6282708a04d6eed00c2fe9c3248473
Instruction ID: 09931c3f584d39cc9302e2eccabf0e9f083c5b75784c34e9aa77037a356fe02a
Opcode Fuzzy Hash: 2b1efadd0c18d352a741fd5c2eff11af0d6282708a04d6eed00c2fe9c3248473
Instruction Fuzzy Hash: 8741F070A043019FCB54EF29D9506BAB3E2AFE8351F94092EE989C3340EB35DA44DB52

Function 010608E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01060917
___except_validate_context_record.LIBVCRUNTIME ref: 0106091F
_ValidateLocalCookies.LIBCMT ref: 010609A8
__IsNonwritableInCurrentImage.LIBCMT ref: 010609D3
_ValidateLocalCookies.LIBCMT ref: 01060A28
___vcrt_initialize_locks.LIBVCRUNTIME ref: 01060A3E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 01060A53

Strings

csm, xrefs: 010609BD

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: 35c0774ec80f5cb2dd8ee09a702a5f48d4f0b74a5592e6ca3ec11e94b14e53b9
Instruction ID: 06f348e93e134316c0473e3ee2bfb34cc83969af6881daf0e6f9331ca534b0d9
Opcode Fuzzy Hash: 35c0774ec80f5cb2dd8ee09a702a5f48d4f0b74a5592e6ca3ec11e94b14e53b9
Instruction Fuzzy Hash: F141E534A4020A9FDF10DF68C884AEEBBFAEF85364F048195E9D49B356D7719901CBA1

Function 00F90480 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 248fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00F9056F
CloseHandle.KERNEL32(00000000), ref: 00F90597
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00F905D9
CloseHandle.KERNEL32(?), ref: 00F9062E

Strings

EXE, xrefs: 00F904D3
open, xrefs: 00F90658
.bat, xrefs: 00F904CE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID: .bat$EXE$open
API String ID: 3602564925-2898749727
Opcode ID: b0b626807e7ea2ef8ce5b6009c6d871ea4e69c8781d35d1478b570e910b8b716
Instruction ID: 8d2cec615a72086453453867af367afe7d228c5ba4555be16ad2aff5c4b157ff
Opcode Fuzzy Hash: b0b626807e7ea2ef8ce5b6009c6d871ea4e69c8781d35d1478b570e910b8b716
Instruction Fuzzy Hash: DCA16970D01648DFEB10CFA8C948B9EBBF4EF45324F288299E815AB291DB749D44CF51

Function 00E9E180 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E9E26F

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,9F3ADAE7), ref: 00E9E2C3
CloseHandle.KERNEL32(00000000), ref: 00E9E320

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00E9E387
CloseHandle.KERNEL32(00000000,01059D7B), ref: 00E9E3AD

Strings

aix, xrefs: 00E9E281
html, xrefs: 00E9E27C

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html
API String ID: 2030708724-2369804267
Opcode ID: 4ab6c1456349ec255843c117f0c2eacffcfe0b3d26e77928a8b1ba1eb75cd569
Instruction ID: 757ccb338bc1fb93be28786f1039fb76b8cef917f0de59eacc3d1d7bf003c018
Opcode Fuzzy Hash: 4ab6c1456349ec255843c117f0c2eacffcfe0b3d26e77928a8b1ba1eb75cd569
Instruction Fuzzy Hash: FB61ABB0D01244DFDB29DFA4D949B9EBBF4FB04708F10815DE551AB380E7B56948CB91

Function 00E82830 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0117D648,00000000,9F3ADAE5,00000000,010C45F3,000000FF,?,9F3ADAE5), ref: 00E829A3
GetLastError.KERNEL32(?,9F3ADAE5), ref: 00E829AD

Strings

VolumeCostSize, xrefs: 00E82867
VolumeCostRequired, xrefs: 00E82879
VolumeCostAvailable, xrefs: 00E82870
VolumeCostVolume, xrefs: 00E8285D, 00E82915
VolumeCostDifference, xrefs: 00E82883

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-34576578
Opcode ID: 3e5017f5e5d6e2a31868ab4812fc5c06cc32ac07693b1eed52f45b62e5a87d62
Instruction ID: c46691f9c32ab28fb0da594159bd627dcb2c3d5e233f612cc1973f66d716e575
Opcode Fuzzy Hash: 3e5017f5e5d6e2a31868ab4812fc5c06cc32ac07693b1eed52f45b62e5a87d62
Instruction Fuzzy Hash: 0F51D2B1D002099BDB19DFA4E9047DEBBF8EB48714F10422DE96CB7380E775A544CB91

Function 00FF10D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,0117D68C), ref: 00FF10E0
LoadLibraryW.KERNEL32(Shell32.dll,?,?,0117D68C), ref: 00FF10F3
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00FF1103
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00FF118C
SHGetMalloc.SHELL32(?), ref: 00FF11CE

Strings

Shell32.dll, xrefs: 00FF10EE
SHGetSpecialFolderPathW, xrefs: 00FF10FD

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 2dcd79f2b3d9a7aeba1b9e81277a4d4c56bd55c04ecb57a3d629920144145e42
Instruction ID: 2f2905b0f003cb8b0ae2df679a44bd7b3e4947f1697cf4c018729db171535527
Opcode Fuzzy Hash: 2dcd79f2b3d9a7aeba1b9e81277a4d4c56bd55c04ecb57a3d629920144145e42
Instruction Fuzzy Hash: 28312831A00705DFEB249F24DC45B7777F9BF90B20F54842CEA86872A0EB75D8859B91

Function 00F87F00 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74libraryloaderwindowCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F87F90

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00F87FCD
__Init_thread_footer.LIBCMT ref: 00F87FE4
SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00F8800F

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

Part of subcall function 00F664F0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F66531

Strings

UxTheme.dll, xrefs: 00F87F61
SetWindowTheme, xrefs: 00F87FC2
explorer, xrefs: 00F87FF7

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 3410024541-3123591815
Opcode ID: 72dfd3b62e2d6fac8897cd3208ed12649d9c009f8538f26b2664b1d0a8b288b8
Instruction ID: 6b82c5d16fd34afdaed9cb3b4a3cf73794a8eaa1e58d8cceba2d27d13d2253eb
Opcode Fuzzy Hash: 72dfd3b62e2d6fac8897cd3208ed12649d9c009f8538f26b2664b1d0a8b288b8
Instruction Fuzzy Hash: 3021A771944702AFC739EF99D845B9D77A4E704B70F108225FA60973C4CBB06940DB91

Function 00EA1130 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EA115A
GetWindow.USER32(?,00000005), ref: 00EA1167
GetWindow.USER32(00000000,00000002), ref: 00EA12A2

Part of subcall function 00EA0FB0: GetWindowRect.USER32(?,?), ref: 00EA0FDC
Part of subcall function 00EA0FB0: GetWindowRect.USER32(?,?), ref: 00EA0FEC

GetWindowRect.USER32(?,?), ref: 00EA11FB
GetWindowRect.USER32(00000000,?), ref: 00EA120B
GetWindowRect.USER32(00000000,?), ref: 00EA1225

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: 6bccf396306a27f9627c8177061a6e40001176a89ec350f7715c795ebec76d24
Instruction ID: e113afa66156a49f003d46ce138b5938314554d9622f462ef24f454d00474e7c
Opcode Fuzzy Hash: 6bccf396306a27f9627c8177061a6e40001176a89ec350f7715c795ebec76d24
Instruction Fuzzy Hash: 23418F315047019FC321DB29C980A6BF7F9BFAA744F50595DF085AB561EB30F984CB52

Function 00EA92C0 Relevance: 12.1, APIs: 8, Instructions: 125COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,9F3ADAE5,?,00000000,?,?,?,?,?,00000000,0108B4B5,000000FF,?,00EA9082,?,?), ref: 00EA9302
GetWindowRect.USER32(?,?), ref: 00EA9321
IsWindowEnabled.USER32(?), ref: 00EA9330
SelectObject.GDI32(00000000,00000000), ref: 00EA938E
ExcludeClipRect.GDI32(?,?,?,?,00000000), ref: 00EA93B8
SelectObject.GDI32(?,?), ref: 00EA93D2
DeleteObject.GDI32(00000000), ref: 00EA93E1
DeleteDC.GDI32(?), ref: 00EA9404

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ObjectWindow$DeleteRectSelect$ClipEnabledExclude
String ID:
API String ID: 3871716574-0
Opcode ID: 84488f76f8520e566b081b8cb06a9c2871feb3c9770ec5f42c1a91b319a3ddad
Instruction ID: dbaebc75fe711b020aaadb844b4be56b44554ed7d6fab9d5f5962fee040fe248
Opcode Fuzzy Hash: 84488f76f8520e566b081b8cb06a9c2871feb3c9770ec5f42c1a91b319a3ddad
Instruction Fuzzy Hash: C4418171A04218AFDB14CFA5C988BAEBBB9FF8C310F104229F915A7384C7346945CB64

Function 0105C5C0 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0105C76A,?,?,?), ref: 0105C5E4
HeapAlloc.KERNEL32(00000000,?,0105C76A,?,?,?), ref: 0105C5EB

Part of subcall function 0105C6B6: IsProcessorFeaturePresent.KERNEL32(0000000C,0105C5D2,00000000,?,0105C76A,?,?,?), ref: 0105C6B8

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,0105C76A,?,?,?), ref: 0105C5FB
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,0105C76A,?,?,?), ref: 0105C622
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,0105C76A,?,?,?), ref: 0105C636
InterlockedPopEntrySList.KERNEL32(00000000,?,0105C76A,?,?,?), ref: 0105C649
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0105C76A,?,?,?), ref: 0105C65C

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 33f415a1d5c740229b14aadff57ec2870e6ba98ee496b6660ecb20e0eac7df1b
Instruction ID: 9ff78f7943c8fac5d4e2e5583851f57c11761c19d26dbd48e9d327ffdb8f46d3
Opcode Fuzzy Hash: 33f415a1d5c740229b14aadff57ec2870e6ba98ee496b6660ecb20e0eac7df1b
Instruction Fuzzy Hash: C111BC71640321ABF7B116699E44F5776EDEB48B45F011430FEC1DA244CA65DD4087B4

Function 00EC7100 Relevance: 11.0, APIs: 7, Instructions: 469synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00EC72B0,010F9158,00000000,?), ref: 00EC722A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00EC7243
CloseHandle.KERNEL32(00000000), ref: 00EC7259

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleThreadWait
String ID:
API String ID: 51348343-0
Opcode ID: 186e86c71eec586bc1bbcbf3aaf9ba82d9cd8887e2b41f12063a705a6087b444
Instruction ID: 853bc378d46ac4bec349da9d4eb9f0792fb3289c26605e5e6e4e348e80af273f
Opcode Fuzzy Hash: 186e86c71eec586bc1bbcbf3aaf9ba82d9cd8887e2b41f12063a705a6087b444
Instruction Fuzzy Hash: 97027BB0D04249DFDB14CFA8C945BAEBBB8FF04318F20825DE859AB291D7759A45CF60

Function 00FACFB0 Relevance: 10.8, APIs: 7, Instructions: 346fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,9F3ADAE5), ref: 00FAD039
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00FAD0AB
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 00FAD34C
CloseHandle.KERNEL32(?), ref: 00FAD3AA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$Read$CloseCreateHandle
String ID:
API String ID: 1724936099-0
Opcode ID: 2d7f7ea63785579f7da3ff1b6a219465891bb4d11451176a87fcb8fb476ecbe7
Instruction ID: ed8b348541701578e26bd681bbd5d562548cfbc42e9f68db8624b69789e38701
Opcode Fuzzy Hash: 2d7f7ea63785579f7da3ff1b6a219465891bb4d11451176a87fcb8fb476ecbe7
Instruction Fuzzy Hash: 55D1B2B1D003089BDF20CFA4C948BEEBBB5BF46714F20821DE855BB681D774AA45DB91

Function 00F5A2F0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 342COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F5A595
SystemParametersInfoW.USER32(00000030,00000000,01182B5C,00000000), ref: 00F5A5CC
__Init_thread_footer.LIBCMT ref: 00F5A661

Strings

Dialog, xrefs: 00F5A40C
`Dialog` = ', xrefs: 00F5A3C1
AI_FRAME_NO_CAPTION_, xrefs: 00F5A345

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$InfoParametersSystem
String ID: AI_FRAME_NO_CAPTION_$Dialog$`Dialog` = '
API String ID: 3910108132-2270296660
Opcode ID: 6cdb52480e98a2d74aff508a43869104c38eeb3e521031e5e460aa2b2fcf686c
Instruction ID: d07efd44a5ee487eb10a3ecc4acfda0f65f6679c1c0cbd206259b43c8d63ae89
Opcode Fuzzy Hash: 6cdb52480e98a2d74aff508a43869104c38eeb3e521031e5e460aa2b2fcf686c
Instruction Fuzzy Hash: 30D1EF71E01208CFCB29CFB8C985B9EB7B1EF58310F14832DE925AB291DB70A945CB51

Function 00FDEBF0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 319synchronizationfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 00FDEEFA

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

ResetEvent.KERNEL32(00000000,9F3ADAE5,?,?,00000000,010D2DFD,000000FF,?,80004005), ref: 00FDEF8F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,010D2DFD,000000FF,?,80004005), ref: 00FDEFAF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,010D2DFD,000000FF,?,80004005), ref: 00FDEFBA

Strings

TEST, xrefs: 00FDED42
tin9999.tmp, xrefs: 00FDED49

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: HeapInit_thread_footerObjectSingleWait$AllocateDeleteEventFileFindProcessResetResource
String ID: TEST$tin9999.tmp
API String ID: 3248508590-3424081289
Opcode ID: 132a05bff454a815cb212e921db7f731673727710e7b9e7df7f80e54b5bc8f4e
Instruction ID: 394ea68a1fdcd5295d27243d47f508414cf615b17882b0dc2ad1b2f44144a6d5
Opcode Fuzzy Hash: 132a05bff454a815cb212e921db7f731673727710e7b9e7df7f80e54b5bc8f4e
Instruction Fuzzy Hash: 19C1E671904649DFDB14EF68CD04BAEB7B5FF04320F1842AAE819AB381DB749E04DB50

Function 00E9E3F0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 285registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,9F3ADAE5), ref: 00E9E491
GetLastError.KERNEL32 ref: 00E9E4BA
RegCloseKey.ADVAPI32(?,010F42AC,00000000,010F42AC,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00E9E72E
CloseHandle.KERNEL32(?,9F3ADAE5,?,?,00000000,010897FD,000000FF,?,010F42AC,00000000,010F42AC,00000000,?,80000001,00000001,00000000), ref: 00E9E7BE

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00E9E4F2
Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00E9E486

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: e3f57eef6cfb96fb7b46d27ca3cb96ad7777fb498a2ae3f242e8a813e28c4a36
Instruction ID: 98e8589b7c447ea7fd8cfae04aa6c345af5853fcdf68eb804c7e3e3f0b576a0b
Opcode Fuzzy Hash: e3f57eef6cfb96fb7b46d27ca3cb96ad7777fb498a2ae3f242e8a813e28c4a36
Instruction Fuzzy Hash: 65C1ED70D00348DFDB14CF68C988BAEBBB4EF54704F14829DE899A7781DB746A84CB91

Function 00E96480 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00E9654A
SysFreeString.OLEAUT32(00000000), ref: 00E96596
SysFreeString.OLEAUT32(00000000), ref: 00E965B8
SysFreeString.OLEAUT32(00000000), ref: 00E96713

Strings

.c, xrefs: 00E9668F, 00E96782
.c, xrefs: 00E9672A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: String$Free$Alloc
String ID: .c$.c
API String ID: 986138563-2435476076
Opcode ID: e1bc7a136795113765a95ebf684a052cc424ae84966ef04761a669701a2bfafc
Instruction ID: f7738efdeb9af800c240105873cecd3943136bf8659f7e4cfee561c7baeda4de
Opcode Fuzzy Hash: e1bc7a136795113765a95ebf684a052cc424ae84966ef04761a669701a2bfafc
Instruction Fuzzy Hash: 12A19371A00209DFDF15DFA8C948FAEBBB8EF44714F10465AE915E7281E7749A01CBA1

Function 00E9C570 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0117D628,9F3ADAE5,?,?,?,?,?,?,?,?,?,?,?,?,00000000,010890F5), ref: 00E9C5DA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,010890F5), ref: 00E9C65A
EnterCriticalSection.KERNEL32(0117D644,?,?,?,?,?,?,?,?,?,?,?,00000000,010890F5,000000FF), ref: 00E9C813
LeaveCriticalSection.KERNEL32(0117D644,?,?,?,?,?,?,?,?,?,?,00000000,010890F5,000000FF), ref: 00E9C834

Strings

v, xrefs: 00E9C82D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID: v
API String ID: 1807155316-3261393531
Opcode ID: 2e5b22aaa8fac49bebc4877a1aa196d46da5845074e040a1f97929cc91d1c8ab
Instruction ID: a507922558cd0a6609a7780044519fe222115dbf4b5799215aadf47fab85c715
Opcode Fuzzy Hash: 2e5b22aaa8fac49bebc4877a1aa196d46da5845074e040a1f97929cc91d1c8ab
Instruction Fuzzy Hash: ABB19070900249DFDF24DFA4C888BAEBBB4BF09718F244069E855BB341DB75A944CBA1

Function 00FA7040 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 238registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,9F3ADAE5), ref: 00FA7296
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00FA72A6
RegCloseKey.ADVAPI32(00000000), ref: 00FA72F8

Strings

RegOpenKeyTransactedW, xrefs: 00FA72A0
Advapi32.dll, xrefs: 00FA7291

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 4190037839-3913318428
Opcode ID: 66f94e46b29f79898a5c0ac9e061b679cdbc0d708a253b28083d737808261458
Instruction ID: 24faca308f0b0fe03e732a5e30b91914242ef96412ac91650cb6bdc86323f39e
Opcode Fuzzy Hash: 66f94e46b29f79898a5c0ac9e061b679cdbc0d708a253b28083d737808261458
Instruction Fuzzy Hash: E0A15BB0D04308DFDB24DFA8C954B9EBBF4BF49314F208159E859AB291DB74AA44DF90

Function 00E91000 Relevance: 10.7, APIs: 7, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00E910F4
SysFreeString.OLEAUT32(00000000), ref: 00E91169
GetProcessHeap.KERNEL32(?,?), ref: 00E911D9
HeapFree.KERNEL32(00000000,?,?), ref: 00E911DF
GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,9F3ADAE5), ref: 00E9120C
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,9F3ADAE5), ref: 00E91212
SysFreeString.OLEAUT32(00000000), ref: 00E9122A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: 5a341dd9c61b4fc2edfd36b2f9b95c3e522bb9a9e26935c8d07d5ec2ebc39183
Instruction ID: 99cf4020d1290dc75b5f30b781ebd3b215e32b2c1b63335277ec10a81546b123
Opcode Fuzzy Hash: 5a341dd9c61b4fc2edfd36b2f9b95c3e522bb9a9e26935c8d07d5ec2ebc39183
Instruction Fuzzy Hash: 58816970D0124ADFDF10EFA8C944BEEBBB8AF15318F144599E814BB291D7799E04CBA1

Function 00FA9460 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,010C4EAD,000000FF,?,00FA9776,?), ref: 00FA9503

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

RemoveDirectoryW.KERNEL32(?,9F3ADAE5,?,?,?,?,010C4EAD,000000FF,?,00FA9776,?,00000000), ref: 00FA9532
GetLastError.KERNEL32(?,9F3ADAE5,?,?,?,?,010C4EAD,000000FF,?,00FA9776,?,00000000), ref: 00FA9542
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,010C4EAD,000000FF,?,80004005,9F3ADAE5,?), ref: 00FA9613
GetLastError.KERNEL32(?,?,?,00000000,010C4EAD,000000FF,?,80004005,9F3ADAE5,?,?,?,?,010C4EAD,000000FF), ref: 00FA9652

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Strings

\\?\, xrefs: 00FA94C4, 00FA94D6, 00FA94E0, 00FA95D4, 00FA95E6, 00FA95F0

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorInit_thread_footerLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 34920479-4282027825
Opcode ID: 9e26e57c05d25f070aaa1471a011d2da14561968342bf371ff718a9942d9e8a8
Instruction ID: 8dc9270f1cbc895476e45a4bd6ed1ae4b02a5f711b701fe83fbac8e6acc71dce
Opcode Fuzzy Hash: 9e26e57c05d25f070aaa1471a011d2da14561968342bf371ff718a9942d9e8a8
Instruction Fuzzy Hash: D951D0B19086049FDB10DFA8C819BAAB7F4FF06320F14466EF9A5D7290DBB99904DB50

Function 00FAAEF0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00FAB077
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FAB093
GetExitCodeProcess.KERNEL32(00000000,010C89E7), ref: 00FAB0A4
CloseHandle.KERNEL32(00000000), ref: 00FAB0B2

Strings

<, xrefs: 00FAAF5F
open, xrefs: 00FAAF87

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID: <$open
API String ID: 2321548817-1930408713
Opcode ID: c07be31a784d35e5e3dd1dfb3077e4df649cf5fc95b91743d490fd7f758f856f
Instruction ID: 6be04cc844a5bbef12941c3b749afd4456bcf17807cdd62a7a773a3dbc20a6ef
Opcode Fuzzy Hash: c07be31a784d35e5e3dd1dfb3077e4df649cf5fc95b91743d490fd7f758f856f
Instruction Fuzzy Hash: E4618BB1D006499FDB10CF69C84879EBBB4FF46324F188259E825AB391D7799D04DB80

Function 00FAADA0 Relevance: 10.6, APIs: 7, Instructions: 108processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,9F3ADAE5,00000010), ref: 00FAADE7
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,9F3ADAE5,010C895D), ref: 00FAAE5F
GetLastError.KERNEL32 ref: 00FAAE70
WaitForSingleObject.KERNEL32(010C895D,000000FF), ref: 00FAAE8C
GetExitCodeProcess.KERNEL32(010C895D,00000000), ref: 00FAAE9D
CloseHandle.KERNEL32(010C895D), ref: 00FAAEA7
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00FAAEC2

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: ceff8d96b06c660bc40a8e1bf565ee490d1d7c9a7f99e8c0ffa1ca93e37fdaed
Instruction ID: 7c5a72a7ea9f1a5873129eb660263b75f2f0f945fd8ccc8844370f25c7a42ce6
Opcode Fuzzy Hash: ceff8d96b06c660bc40a8e1bf565ee490d1d7c9a7f99e8c0ffa1ca93e37fdaed
Instruction Fuzzy Hash: 64419F71E003899FDB20CFA5C9447EEBBF8AF4A714F104659F864A7284E7758E44CB51

Function 00FB3D40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00FBF141,?,9F3ADAE5,?,?), ref: 00FB3D5B
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00FB3D71
FreeLibrary.KERNEL32(00000000), ref: 00FB3DAA
FreeLibrary.KERNEL32(00000000,?,?,?,?,00FBF141,?,9F3ADAE5,?,?), ref: 00FB3DC6

Strings

DllGetVersion, xrefs: 00FB3D6B
Shlwapi.dll, xrefs: 00FB3D5A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: ad025f1bae67dbb731511aab5699c6096710037534239d790a1b091d847a9be0
Instruction ID: ae51f8c33305aa35c20e51aa38e9d6a548f08041b8dc7c7f1a7619e734008d01
Opcode Fuzzy Hash: ad025f1bae67dbb731511aab5699c6096710037534239d790a1b091d847a9be0
Instruction Fuzzy Hash: A421F9726043055BD714EF2AE8816AFB7E4FFDD611F80052EF889C3240EB35D9089BA2

Function 01076762 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0107686F,?,?,?,00000000,00000000,?,01076AD9,00000021,FlsSetValue,010EDE8C,010EDE94,?), ref: 01076823

Strings

api-ms-, xrefs: 010767B9
ext-ms-, xrefs: 010767CD

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 67ae3c5d95c52830bb23d1b8269a5706083fc620ae2732345e0d649282309326
Instruction ID: a9a0d8a5eb612ace958bb56467c1d7a4235eaa3d2bbf92176ed769dfb751523a
Opcode Fuzzy Hash: 67ae3c5d95c52830bb23d1b8269a5706083fc620ae2732345e0d649282309326
Instruction Fuzzy Hash: A2215E71E00615ABE7B19725DC40A5A7BE8FB017B0B1006A4F993B73C0E632ED00C7D4

Function 01059E5D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,01059ED8,01059E3B,0105A0DC), ref: 01059E74
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 01059E8A
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 01059E9F

Strings

ReleaseSRWLockExclusive, xrefs: 01059E94
AcquireSRWLockExclusive, xrefs: 01059E84
KERNEL32.DLL, xrefs: 01059E6F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: af2f5a5bdd104c3062919345d57ce69c2da238e4bccf91b7235377f4941b9db8
Instruction ID: 2131d38a551155feb32720c377e0855160668c9d566bf39a514ea51523197744
Opcode Fuzzy Hash: af2f5a5bdd104c3062919345d57ce69c2da238e4bccf91b7235377f4941b9db8
Instruction Fuzzy Hash: 0CF0C232244322DF1BF26DAE58895AB2BD99B0571E305007DEDC1D6600EB25CC80EBD0

Function 00EA0C70 Relevance: 9.2, APIs: 6, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00EA0CE8
GetClientRect.USER32(?,00000000), ref: 00EA0D09
GetParent.USER32(?), ref: 00EA0D29
SendMessageW.USER32(00000000,00000135,?,?), ref: 00EA0D39
FillRect.USER32(?,00000000,00000000), ref: 00EA0D47
EndPaint.USER32(?,?), ref: 00EA0EEE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: PaintRect$BeginClientFillMessageParentSend
String ID:
API String ID: 732421049-0
Opcode ID: a826b244de20700350de909092e2888c8d55fba9d51867b080991187721eb1e0
Instruction ID: 7d3d74bbb0ca3f3b7d1b2b9be01fe29e9441fcc383b4d9e5ba033fd80c9b9aeb
Opcode Fuzzy Hash: a826b244de20700350de909092e2888c8d55fba9d51867b080991187721eb1e0
Instruction Fuzzy Hash: 2C812970904219EFEF25DF64C948BAABBF4FF09304F1481A9E509A7291DB70AE94CF54

Function 00EBF330 Relevance: 9.2, APIs: 6, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EBF37A
std::_Lockit::_Lockit.LIBCPMT ref: 00EBF39C
std::_Lockit::~_Lockit.LIBCPMT ref: 00EBF3C4
__Getctype.LIBCPMT ref: 00EBF4A5
std::_Facet_Register.LIBCPMT ref: 00EBF507
std::_Lockit::~_Lockit.LIBCPMT ref: 00EBF531

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 0b1e2e5e13fc8f5d062d188d6da8d8082066e6ae784769eaa6b8d6155c9242fa
Instruction ID: 4482b2ebaf3eadaa50b17d028afe2148fcde351ff174eca787d19d22de9453e8
Opcode Fuzzy Hash: 0b1e2e5e13fc8f5d062d188d6da8d8082066e6ae784769eaa6b8d6155c9242fa
Instruction Fuzzy Hash: 54619DB1D04249CFDB20DF68C944BAFBBF4FB14314F148269D895AB381E735AA84CB91

Function 00EBF130 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EBF16D
std::_Lockit::_Lockit.LIBCPMT ref: 00EBF18F
std::_Lockit::~_Lockit.LIBCPMT ref: 00EBF1B7
__Getcoll.LIBCPMT ref: 00EBF281
std::_Facet_Register.LIBCPMT ref: 00EBF2C6
std::_Lockit::~_Lockit.LIBCPMT ref: 00EBF2FE

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 029a0c8c8a65cd6cd072805798285592ebce8ceca687ca435b1bcea1ff1e3866
Instruction ID: a8073197f4fb334d9cda5c10252be5fa692c0e82e99b7696aa894e0c3e40a3b9
Opcode Fuzzy Hash: 029a0c8c8a65cd6cd072805798285592ebce8ceca687ca435b1bcea1ff1e3866
Instruction Fuzzy Hash: 7D5197B1901209EFDB15DFA8D984BDEFBB0FF50314F204169E855AB281DB70AA05CB81

Function 00E9CCF0 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,0000005C,?), ref: 00E9CD7D
GetDC.USER32(?), ref: 00E9CDCC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E9CDDB
ReleaseDC.USER32(00000000), ref: 00E9CE22

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceObjectRelease
String ID:
API String ID: 2638590286-0
Opcode ID: 3b08b57f4a64ff70e57966633af0e224be880d5f13ec0394a67fedeb02e8f77d
Instruction ID: 371110d0d35b76684e1ebc368c5a00e7e26291dcf8e398e29545686f125260bd
Opcode Fuzzy Hash: 3b08b57f4a64ff70e57966633af0e224be880d5f13ec0394a67fedeb02e8f77d
Instruction Fuzzy Hash: 84510975A04349DFDF24DFA5C848BAA7BF8EF08714F104129F966A7280E7349944CB64

Function 00EB4F10 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 00EB4F5B
GetClientRect.USER32(?,?), ref: 00EB4F8D
GetDC.USER32(?), ref: 00EB4FA0
GetDeviceCaps.GDI32(00000000), ref: 00EB4FA7
GetObjectW.GDI32(00000000,0000005C,?), ref: 00EB4FDC
SendMessageA.USER32(?,00000447,00000000,000000BC), ref: 00EB507D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CapsClientDeviceObjectRect
String ID:
API String ID: 565975350-0
Opcode ID: 6352a58179d27e6d95917c8ed31a256217ec58d28671b83270992a4c331c532c
Instruction ID: bde4b11dce5b6285f70e54ad7d0f8a0f087f4691ebacd366e0d063aaf591d8c3
Opcode Fuzzy Hash: 6352a58179d27e6d95917c8ed31a256217ec58d28671b83270992a4c331c532c
Instruction Fuzzy Hash: 9541A3316183059FE721DF35CC05F9BB7E8BF88300F004A29F599A72A0DB71A944CB91

Function 0105E7E3 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0105E7DA,0105E7A6,?,?,00EBC5ED,00FA81D0,?,00000008), ref: 0105E7F1
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0105E7FF
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0105E818
SetLastError.KERNEL32(00000000,0105E7DA,0105E7A6,?,?,00EBC5ED,00FA81D0,?,00000008), ref: 0105E86A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2c2dde00ec991dd39ae21b45a0b4b9048e72e50d044c47f0ff32d130487d67c1
Instruction ID: 72c25b04a52d6716920e6753bfba17867a1ebd20daa85d0469f18b909eb7340f
Opcode Fuzzy Hash: 2c2dde00ec991dd39ae21b45a0b4b9048e72e50d044c47f0ff32d130487d67c1
Instruction Fuzzy Hash: 1401F1325482136EA7FA25B9FC886AB6AD8FB526393200239E9F8551D0EF2618405280

Function 00E897E0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E898C5
__Init_thread_footer.LIBCMT ref: 00E89910

Strings

<a>, xrefs: 00E89AD6
</a>, xrefs: 00E89A16
<a href=", xrefs: 00E89885

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>
API String ID: 1385522511-4210067781
Opcode ID: bf29adb6ecec56026b3f5f26e80fa1b598761175e25cd3fe4d15b4da9fab600b
Instruction ID: abe43416be6f5ee28cbb8583806d3f93b4970002d3b5fe1caf8a47e8b8e9f6ce
Opcode Fuzzy Hash: bf29adb6ecec56026b3f5f26e80fa1b598761175e25cd3fe4d15b4da9fab600b
Instruction Fuzzy Hash: DBA19C70E00605DFCB19EFA4C945BADB7B1FF85314F14526DE429BB291EB70A981CB60

Function 00E98400 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

{, xrefs: 00E98530
:, xrefs: 00E984BA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: :${
API String ID: 0-3766677574
Opcode ID: 5c56242d71520f10dd5b7c18651deead4cf9f4ea6e0c458b394ab34647555eb0
Instruction ID: abbf6a2097600931ccfea36280c473add0028028fdf1095e3cbf3bb8ae62c6ab
Opcode Fuzzy Hash: 5c56242d71520f10dd5b7c18651deead4cf9f4ea6e0c458b394ab34647555eb0
Instruction Fuzzy Hash: CA61B170A002169BCF248F64C945BBD77B4AF0A718F14542DE962FB2A5EB75DD80CB60

Function 00EB7A00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00EB7AFD
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00EB7B12
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00EB7B1A

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Part of subcall function 00EB9710: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EB975F

Strings

TabHost, xrefs: 00EB7A89, 00EB7A9B, 00EB7AA5
SysTabControl32, xrefs: 00EB7AF5

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: SysTabControl32$TabHost
API String ID: 2359350451-2872506973
Opcode ID: 605b32d0fcfd203feba9b1c7307f6044934fb111e810ba14a85307d6d5f8c0e4
Instruction ID: 6fd3d228a19db432a4db0cd56c15fae338d5fe644058d690add5ce1756249607
Opcode Fuzzy Hash: 605b32d0fcfd203feba9b1c7307f6044934fb111e810ba14a85307d6d5f8c0e4
Instruction Fuzzy Hash: 8B51B071A002059FDB14DF68C884BAEF7F5FF89710F10426DE915AB391DB35A900CBA0

Function 00E8F926 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,.dll,?,00000000), ref: 00E8F96B
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00E8F9B4
FreeLibrary.KERNEL32(00000000,00000000,DllGetActivationFactory,00000002,00000000,?,?,?,?,?,.dll,?,00000000), ref: 00E8FA02

Strings

DllGetActivationFactory, xrefs: 00E8F9AE
.dll, xrefs: 00E8F952

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: .dll$DllGetActivationFactory
API String ID: 145871493-1250754257
Opcode ID: 400a79e2cca9f00735d4b16ba308b6b2155217f7729064b0eb88623c757129b3
Instruction ID: 199053bd8ae04e4b31497667f3bf5f4250b0f539ac3f49847a510aba2c96ed63
Opcode Fuzzy Hash: 400a79e2cca9f00735d4b16ba308b6b2155217f7729064b0eb88623c757129b3
Instruction Fuzzy Hash: 50518A30D0020AEEDF14EFA8C894BEDFBB1BF54314F249269D419B7290EB749A44CB50

Function 00F94550 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,9F3ADAE5,00000000,?,?,?,00000000,010850D0,000000FF), ref: 00F94593
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00F945BC
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,010850D0,000000FF), ref: 00F9461C

Strings

RegCreateKeyTransactedW, xrefs: 00F945B6
Advapi32.dll, xrefs: 00F9458E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 4190037839-2994018265
Opcode ID: 9c9e40fb611c09f30e1f1ddb06159027be1c019104be60d5f685af24439e9b8a
Instruction ID: fa1a6e405b2859e994455c3be42905c25d79cb9eec0bcd2d056b43880dc972ea
Opcode Fuzzy Hash: 9c9e40fb611c09f30e1f1ddb06159027be1c019104be60d5f685af24439e9b8a
Instruction Fuzzy Hash: AA318272A04205AFEF25CF85DC45FABBBA8FB14760F14412AF915D6280D771A841DB94

Function 00EB80D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00EB8128
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EB813E
SendMessageW.USER32(?,0000130C,8w,00000000), ref: 00EB8182

Strings

8w, xrefs: 00EB80F2, 00EB8197
8w, xrefs: 00EB8145, 00EB8176

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: 8w$8w
API String ID: 3850602802-3388467100
Opcode ID: 8454857df256b713991fab872fdd622ea2d50057ad2e5b3cab47bfeb7972bd23
Instruction ID: 7fedc4c773519e3cd62b82fdeba0e58b103fa3ec0b84fc26a6d212216010c9cd
Opcode Fuzzy Hash: 8454857df256b713991fab872fdd622ea2d50057ad2e5b3cab47bfeb7972bd23
Instruction Fuzzy Hash: 5421A170A45204ABDB25DFACCE55BEBBBF8FB48B10F204229F515A73C1DA705901CA54

Function 00EA4570 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,9F3ADAE5), ref: 00EA45DA
EnterCriticalSection.KERNEL32(?,9F3ADAE5), ref: 00EA45E7
SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 00EA4617
LeaveCriticalSection.KERNEL32(?), ref: 00EA462E

Strings

v, xrefs: 00EA462E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveTimer
String ID: v
API String ID: 3379552715-3261393531
Opcode ID: fb8eca40f2fcf0d88927f5e54c559096e8ccabcbcab962c5c6188133272c5bfd
Instruction ID: 2e92aab21808a19c26ed8b48add54528001160f09fab55f380884306d1961bbf
Opcode Fuzzy Hash: fb8eca40f2fcf0d88927f5e54c559096e8ccabcbcab962c5c6188133272c5bfd
Instruction Fuzzy Hash: 6C210376900240DFDF11DF64D844BD9BBB4FF5A728F1006A9EC96AB386D732A905CB90

Function 0106837C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9F3ADAE5,?,?,00000000,010E68E9,000000FF,?,0106830C,?,?,010682E0,?), ref: 010683B1
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 010683C3
FreeLibrary.KERNEL32(00000000,?,?,00000000,010E68E9,000000FF,?,0106830C,?,?,010682E0,?), ref: 010683E5

Strings

CorExitProcess, xrefs: 010683BB
mscoree.dll, xrefs: 010683AA

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 41915b94da616f392a5f8913de9cf247830a621e3f5c9bbdeab196ff188e907c
Instruction ID: 1177063a23b44a241e1cdde88f91fc34cf8125e93dad508728fc64c9365a88d7
Opcode Fuzzy Hash: 41915b94da616f392a5f8913de9cf247830a621e3f5c9bbdeab196ff188e907c
Instruction Fuzzy Hash: 7D01A731944629AFDB229B46DC09BAE7BF8FB04B15F00452AF951A6290DBB59400CB40

Function 00FB2410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0105D07E: EnterCriticalSection.KERNEL32(0117BF4C,?,?,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D089
Part of subcall function 0105D07E: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5,?,?), ref: 0105D0C6

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00FB246E
GetProcAddress.KERNEL32(00000000), ref: 00FB2475
__Init_thread_footer.LIBCMT ref: 00FB248C

Part of subcall function 0105D034: EnterCriticalSection.KERNEL32(0117BF4C,?,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D03E
Part of subcall function 0105D034: LeaveCriticalSection.KERNEL32(0117BF4C,?,00E8AE07,0117CB7C,010E6B00), ref: 0105D071
Part of subcall function 0105D034: RtlWakeAllConditionVariable.NTDLL ref: 0105D0E8

Strings

SymFromAddr, xrefs: 00FB2464
Dbghelp.dll, xrefs: 00FB2469

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 3268644551-642441706
Opcode ID: 059de496fe237b11d20634369036d4558338063e4cc9b0f39e5fa4273c73e31e
Instruction ID: 56afc8d887fbee08a914f8c512f11e4a2c2776ae73cf3e628d48d25ca2b6f535
Opcode Fuzzy Hash: 059de496fe237b11d20634369036d4558338063e4cc9b0f39e5fa4273c73e31e
Instruction Fuzzy Hash: C501BCB1940640FFC728CF99E985B89B3B4F708F20F1046ADE93587780DB75A8408F04

Function 0105D106 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0105D0A3,00000064), ref: 0105D129
LeaveCriticalSection.KERNEL32(0117BF4C,?,?,0105D0A3,00000064,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5), ref: 0105D133
WaitForSingleObjectEx.KERNEL32(?,00000000,?,0105D0A3,00000064,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5), ref: 0105D144
EnterCriticalSection.KERNEL32(0117BF4C,?,0105D0A3,00000064,?,00E8AD96,0117CB7C,9F3ADAE5,?,?,010851CD,000000FF,?,00FE97CC,9F3ADAE5), ref: 0105D14B

Strings

v, xrefs: 0105D133

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: v
API String ID: 3269011525-3261393531
Opcode ID: 73fa473c4b97e69de4b920ac511f9384749a15c3aa2aeb072ec8873b15704f16
Instruction ID: d7d5ea07963337a9e1d1be421bb19e40820676a43bf689ff9b75f46e542c2f96
Opcode Fuzzy Hash: 73fa473c4b97e69de4b920ac511f9384749a15c3aa2aeb072ec8873b15704f16
Instruction Fuzzy Hash: ADE01231649524BBCB263F92FC09ACE3E79DB08F65B000095FD496A314CB6B58508FDA

Function 00EA4100 Relevance: 7.7, APIs: 5, Instructions: 237windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00EA4172
GetParent.USER32(00000001), ref: 00EA419D
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 00EA41AD
FillRect.USER32(?,?,00000000), ref: 00EA41BB
ReleaseDC.USER32(00000001,00000000), ref: 00EA4391

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: FillMessageParentRectReleaseSend
String ID:
API String ID: 2215362955-0
Opcode ID: 8c4e422b54469d23d872260fbcbc6ad1b58aa01446c26047e3ba341d84d4cb07
Instruction ID: b0c6d06e1d5e3d156b46acc74b0ff27ac1ac91114382d1ee476ed584e0af9fb7
Opcode Fuzzy Hash: 8c4e422b54469d23d872260fbcbc6ad1b58aa01446c26047e3ba341d84d4cb07
Instruction Fuzzy Hash: 819145B1A00609EFDF15CFA5C904BAEBBB9FF49300F144129E911EB294EB71B955CB90

Function 00FE1E90 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 61e79ebd9597dd144e5911897612936b0c232dfe8ac63d7f173b052514ba7cf2
Instruction ID: b5688f10cd067ead448766cc5d6a45dcf7992de26a20f026799f6a4b5c7ced10
Opcode Fuzzy Hash: 61e79ebd9597dd144e5911897612936b0c232dfe8ac63d7f173b052514ba7cf2
Instruction Fuzzy Hash: D081AE70900249DFDF14CFA9C98878EBBF5FF09324F1882A9E918AB395D7748940DB91

Function 00FA9260 Relevance: 7.7, APIs: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?), ref: 00FA9384
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FA9391
GetFileAttributesW.KERNEL32(?,?,?,01109EB8,00000001,9F3ADAE5,?,0000000A,00000000,00000000,010C8545,000000FF), ref: 00FA93A0
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FA93AD
FindNextFileW.KERNEL32(?,?), ref: 00FA93EB

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: 55096307018dc5a0dfab21c487a85fba29f8be3f76391254e7de9cafbf5586ea
Instruction ID: f87f5bbf4aa9afcb847f09e223f3d1e4b6944f0801a2d75432c8f7a2a7012d33
Opcode Fuzzy Hash: 55096307018dc5a0dfab21c487a85fba29f8be3f76391254e7de9cafbf5586ea
Instruction Fuzzy Hash: 4C519D709042499BDF24EFA8CC54BED73B8EF45320F148269A825AB2D0DBB5AE04DB50

Function 00FE1540 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00FE15A1

Strings

FTP Server, xrefs: 00FE1F88, 00FE1F9A, 00FE1FA4
Local Network Server, xrefs: 00FE1D28, 00FE1D3A, 00FE1D44
GET, xrefs: 00FE1729
HTTP/1.0, xrefs: 00FE2398

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: FTP Server$GET$HTTP/1.0$Local Network Server
API String ID: 1452528299-797884378
Opcode ID: 24e7cc0ac7f63d23693376a7171cd988a2547a94970684572c19eb279c0c3156
Instruction ID: 3b3b1add0178a898d6d1493c16ca5d96d6c032ae900db8b26152abe62665e535
Opcode Fuzzy Hash: 24e7cc0ac7f63d23693376a7171cd988a2547a94970684572c19eb279c0c3156
Instruction Fuzzy Hash: DE41D671D00245DBEB10DFAACC45BAFB7FCFF55320F14452AE915AB280DB7499008BA1

Function 00E97230 Relevance: 7.6, APIs: 5, Instructions: 125windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00E9728E
GetDlgItem.USER32(?,?), ref: 00E972B3
SendMessageW.USER32(?,?,?,?), ref: 00E9737D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: c70c3f7bbdb3da7ad5fbcad412e12d3d5171847286ece212955f861702890976
Instruction ID: 2b46e89bc942c03358875339ecca9ce38aafee73d8f0881fc1b38c87b657670e
Opcode Fuzzy Hash: c70c3f7bbdb3da7ad5fbcad412e12d3d5171847286ece212955f861702890976
Instruction Fuzzy Hash: 5541B432328201DFCB28CF55D894AAAB7E9FB44311F04946AE9C5D6251D731EC58EB60

Function 00F88F40 Relevance: 7.6, APIs: 5, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F88F9E

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Part of subcall function 00EA1FD0: GetWindowTextLengthW.USER32(?), ref: 00EA1FD7
Part of subcall function 00EA1FD0: GetWindowTextW.USER32(?,?,00000001), ref: 00EA2008

IsWindowEnabled.USER32(?), ref: 00F88FD4
GetFocus.USER32 ref: 00F88FE4
GetDC.USER32(?), ref: 00F89014

Part of subcall function 00FAF230: SelectObject.GDI32(?,?), ref: 00FAF293
Part of subcall function 00FAF230: SetTextColor.GDI32(?,?), ref: 00FAF2DF
Part of subcall function 00FAF230: DrawTextW.USER32(?,?,?,?,00000024), ref: 00FAF2FD
Part of subcall function 00FAF230: SelectObject.GDI32(?,?), ref: 00FAF309

CallWindowProcW.USER32(?,?,?,?,?), ref: 00F89043

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow$Init_thread_footerObjectSelect$CallClientColorDrawEnabledFocusHeapLengthProcProcessRect
String ID:
API String ID: 1398943273-0
Opcode ID: daa77938809695c5c06ffdaf1dad0e94e962817177320fc8a4d4b3a2dd8f53ef
Instruction ID: 172c0644b13ae98b526810876e768217d6c1553a9fbf6a2f9d9b202fc73d99ff
Opcode Fuzzy Hash: daa77938809695c5c06ffdaf1dad0e94e962817177320fc8a4d4b3a2dd8f53ef
Instruction Fuzzy Hash: DF414C71904209DFDF15EF64C984BE9BBF8FF08320F188169E815AB291DB75A944DF60

Function 00FA2AD0 Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FA2B04
std::_Lockit::_Lockit.LIBCPMT ref: 00FA2B26
std::_Lockit::~_Lockit.LIBCPMT ref: 00FA2B4E
std::_Facet_Register.LIBCPMT ref: 00FA2C37
std::_Lockit::~_Lockit.LIBCPMT ref: 00FA2C61

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: a5ada55c194f69e15aac4d35616c1947c6178affd54c5c52e6d8a61b3e61b99c
Instruction ID: 364ff520fa9f14ac207abd33f1492b0a6b17bf0bd577f3f0cf8cfea0c92418ca
Opcode Fuzzy Hash: a5ada55c194f69e15aac4d35616c1947c6178affd54c5c52e6d8a61b3e61b99c
Instruction Fuzzy Hash: 4D51EDB0A00219DFDB65CF98C584BAEBBF4FB01364F24815DD891AB380D775AA45DBA0

Function 00EB0450 Relevance: 7.6, APIs: 5, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,?,?), ref: 00EB04C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EB0510
SendMessageW.USER32(?,0000102C,000000FF,0000F000), ref: 00EB052C
SendMessageW.USER32(?,0000102B,000000FF,?), ref: 00EB055E
SetFocus.USER32(00000000,?,?), ref: 00EB0571

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: ab316b8a58040fa853342177f795c582beeb8dc9235307d11a2ed2407efba486
Instruction ID: 155800a82af5f18a7178281cd390117ddef0a612f70fa7970837ffd27500630b
Opcode Fuzzy Hash: ab316b8a58040fa853342177f795c582beeb8dc9235307d11a2ed2407efba486
Instruction Fuzzy Hash: 96415D74904709DFDB24DF68C985AAABBF4FF48710F10822AE965A7791DB70B950CF40

Function 00EA0200 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EA0249
GetClientRect.USER32(?,?), ref: 00EA026F
GetParent.USER32(?), ref: 00EA027D

Part of subcall function 0105C722: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00FD3A1E,?,?), ref: 0105C727
Part of subcall function 0105C722: HeapAlloc.KERNEL32(00000000,?,?), ref: 0105C72E

SetWindowLongW.USER32(?,000000EB), ref: 00EA02B0
ShowWindow.USER32(?,00000000), ref: 00EA02C6

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Window$HeapLong$AllocClientParentProcessRectShow
String ID:
API String ID: 3563161840-0
Opcode ID: 32e4fc6accc4d90d800c0ce3488c2b3cf0d2cf50b4cc93366569ad4fe13b3c43
Instruction ID: 562c6eb9d16ee2355bcefc3a0855ea9d6c0975aeff7eb6204dd14f9af26103ec
Opcode Fuzzy Hash: 32e4fc6accc4d90d800c0ce3488c2b3cf0d2cf50b4cc93366569ad4fe13b3c43
Instruction Fuzzy Hash: 2C218E746047019FD724EF25D948A6BBBF8FF9A714B004A2DF896D2661EB30F844CB61

Function 00E9A5E0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E9A629
ClientToScreen.USER32(?,?), ref: 00E9A637
GetParent.USER32(?), ref: 00E9A63C
ScreenToClient.USER32(00000000,?), ref: 00E9A64E
ScreenToClient.USER32(00000000,?), ref: 00E9A65E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ClientScreen$Parent
String ID:
API String ID: 3677003336-0
Opcode ID: 734138f8472d2110479ed212cdaa4c8d9fbc1285583410a06b36b0e75852094a
Instruction ID: e1f8808c9a1929f754b9e0dbbe544947691ad0b8d159e81f82db658514d84677
Opcode Fuzzy Hash: 734138f8472d2110479ed212cdaa4c8d9fbc1285583410a06b36b0e75852094a
Instruction Fuzzy Hash: CD214F72108202AFE715DF28C844D6BB7F8FFD8610F44482DF995D3210DB30D9898BA2

Function 00E90B20 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90B6A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00E90B70
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00E90B93
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,01086A76,000000FF), ref: 00E90BBB
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,01086A76,000000FF), ref: 00E90BC1

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 635668fc5dd28a5548e0443525961572de576659f140586f47b61d035eb31246
Instruction ID: aad0b762552c7c3af986a55212edb3cc752a595604227386d4ec5c952a71db6a
Opcode Fuzzy Hash: 635668fc5dd28a5548e0443525961572de576659f140586f47b61d035eb31246
Instruction Fuzzy Hash: 381100B1A44219ABEB10EF95CD05FAFBBB8EB04B08F104519E915AB2C0D7B59A048795

Function 00EA8BB0 Relevance: 7.6, APIs: 5, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EA8BBB
SendMessageW.USER32(?,?,?,0000102B), ref: 00EA8C18
SendMessageW.USER32(?,?,?,0000102B), ref: 00EA8C67
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00EA8C78
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00EA8C85

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 21ab7602634c2b142fd5e84710e7aec9a75a895e3d9c8984c0a948952b47ce45
Instruction ID: b7a590764b3192ca2a47cbcde2f17df98a0b9bc49deefde748458e68a6d8cc6f
Opcode Fuzzy Hash: 21ab7602634c2b142fd5e84710e7aec9a75a895e3d9c8984c0a948952b47ce45
Instruction Fuzzy Hash: 63218171918346A6E220DF11CD40B1ABBF1BFEE758F202B0EF1D021194E7F191848F86

Function 00EB4C90 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 314windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00EB4E3C
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00EB4E51
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00EB4E59

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Strings

RichEdit20W, xrefs: 00EB4E34

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: e2cf30b2a04db7f4eb150eab7ceaef80ae18c0787a7b891f101c06a293f85a54
Instruction ID: 89b6f386f04f84b587b293385923fb420f8826d7d0eb4202cb12bfc5ea07b33d
Opcode Fuzzy Hash: e2cf30b2a04db7f4eb150eab7ceaef80ae18c0787a7b891f101c06a293f85a54
Instruction Fuzzy Hash: E4B17BB1A002099FDB25CFA8C884BEEBBF4FF48714F144569E955AB391DB71AD40CB60

Function 00FDE030 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00FF10D0: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,0117D68C), ref: 00FF10E0
Part of subcall function 00FF10D0: LoadLibraryW.KERNEL32(Shell32.dll,?,?,0117D68C), ref: 00FF10F3
Part of subcall function 00FF10D0: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00FF1103

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,0117D68C), ref: 00FDE118

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Strings

Everyone, xrefs: 00FDE13B
ADVINST_LOGS, xrefs: 00FDE10B

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: ef41339accdd5252251f2dddb547623aac512e735c341e368099dc0d448dfdf4
Instruction ID: c7f25020af08df5b14eccae85baab64ecc2589b60c99296a6f50192479226fce
Opcode Fuzzy Hash: ef41339accdd5252251f2dddb547623aac512e735c341e368099dc0d448dfdf4
Instruction Fuzzy Hash: EB91E071D01209CFEB00EFA8C949BAEBBB5EF14324F284159E815BB391DB755E04DBA1

Function 00EAF1E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Part of subcall function 00F87AE0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00EA8188,00000000,80004005), ref: 00F87B48
Part of subcall function 00F87AE0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00EA8188,00000000,80004005), ref: 00F87B59
Part of subcall function 00F87AE0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F87B78

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00EAF37D
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00EAF394
SendMessageW.USER32(?,00001061,00000000,?), ref: 00EAF3F0

Strings

QuickSelectionList, xrefs: 00EAF2B9, 00EAF2CB, 00EAF2D5

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID: QuickSelectionList
API String ID: 884508843-3633591268
Opcode ID: 3582abf856ad0e1415794478117edb0cfe91963cf8e724dd5be8b1a1d17fd8e1
Instruction ID: ab8342febd342c54566a5b038b2312878ec3cd88d06c0d74b8ce7b30256f3d62
Opcode Fuzzy Hash: 3582abf856ad0e1415794478117edb0cfe91963cf8e724dd5be8b1a1d17fd8e1
Instruction Fuzzy Hash: 9A71AD71A002059FDB14DF68C884BEAB7F4FF88324F14466DE965A7290DB74AD04CB60

Function 00FDE4E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,9F3ADAE5), ref: 00FDE532
CloseHandle.KERNEL32(?,9F3ADAE5,?,?,00000000,010D2C43,000000FF,?,80004005), ref: 00FDE6B0
CloseHandle.KERNEL32(00000000,9F3ADAE5,?,?,00000000,010D2C43,000000FF,?,80004005), ref: 00FDE6DF

Strings

LOG, xrefs: 00FDE59A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: 37ba81ae2cd320791fbe2c4ed27ac4266e5b4dfa4e336752df1c0e93e97be7d8
Instruction ID: 876fc3eb8a341c5c4179a223be473d3f7d2631166bcb1c9ec4f90454d4fcc7b7
Opcode Fuzzy Hash: 37ba81ae2cd320791fbe2c4ed27ac4266e5b4dfa4e336752df1c0e93e97be7d8
Instruction Fuzzy Hash: 9951E271A003449FDB25EF28D8047AAB7F5EF44714F188A6EE81ADF780E7749A04C780

Function 00FA9570 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,010C4EAD,000000FF,?,80004005,9F3ADAE5,?), ref: 00FA9613

Part of subcall function 00E8A2A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,*.*,?,?,?,*.*,?,80070057,9F3ADAE5), ref: 00E8A2C3

DeleteFileW.KERNEL32(?,9F3ADAE5,?,75923340,?,00000000,010C4EAD,000000FF,?,00FA93B7), ref: 00FA9642
GetLastError.KERNEL32(?,?,?,00000000,010C4EAD,000000FF,?,80004005,9F3ADAE5,?,?,?,?,010C4EAD,000000FF), ref: 00FA9652

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

Strings

\\?\, xrefs: 00FA94C4, 00FA94D6, 00FA94E0, 00FA95D4, 00FA95E6, 00FA95F0

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFileInit_thread_footer$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 1908169709-4282027825
Opcode ID: af0f7625e3caef6d1601b2fe9081c64e155243d2c2d4aa8cb02c7651ad8d0ec5
Instruction ID: 6e681c53d2d5fa50a75b6ffd2cfbe1e21822d3a506c908ec2f319d543dbe2fe3
Opcode Fuzzy Hash: af0f7625e3caef6d1601b2fe9081c64e155243d2c2d4aa8cb02c7651ad8d0ec5
Instruction Fuzzy Hash: 9721D171908614DFDB10DFA8C908BA9B7E4FF05320F144669E865D7290DB759900DF50

Function 00E90EF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00E90F32
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00E90F38

Strings

combase.dll, xrefs: 00E90F2D
RoOriginateLanguageException, xrefs: 00E90F28

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 8904b1e93b03fe07e4363e67497b9e691a68911b85351d47dc00571a59c1b136
Instruction ID: 971ead45940b13150eb3b8a762fbfefd9d04212305a3ace12818f73709a318c3
Opcode Fuzzy Hash: 8904b1e93b03fe07e4363e67497b9e691a68911b85351d47dc00571a59c1b136
Instruction Fuzzy Hash: 1631697190420A9FDF60EFA8C845BEEBBF4EB14314F100629E865B72C0E7B55A44CB91

Function 00FE13B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00FDF37A,?,9F3ADAE5,?,?,?,?,010D2F55,000000FF), ref: 00FE13BD
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00FDF37A,?,9F3ADAE5,?,?,?,?,010D2F55,000000FF), ref: 00FE13DE
GetLastError.KERNEL32(00FDF37A,?,9F3ADAE5,?,?,?,?,010D2F55,000000FF,?,00FDECAD,?,?,00000000), ref: 00FE143E

Strings

AdvancedInstaller, xrefs: 00FE1426

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: f842da84b0d0a264546760a650cae5f63c0e9e948f93b2e86b4596a6529b3a9f
Instruction ID: 0baf0ebfa5c7f519065eca633bd5cda8bafb7a01b2e2d9b5a4e50c0b65fa1789
Opcode Fuzzy Hash: f842da84b0d0a264546760a650cae5f63c0e9e948f93b2e86b4596a6529b3a9f
Instruction Fuzzy Hash: 4D115B71740642BFE724DB23CC89F5ABBA4FB48719F204029F5159B684DBB1E851DBA0

Function 00F879F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F87F00: __Init_thread_footer.LIBCMT ref: 00F87F90
Part of subcall function 00F87F00: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00F87FCD
Part of subcall function 00F87F00: __Init_thread_footer.LIBCMT ref: 00F87FE4
Part of subcall function 00F87F00: SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00F8800F

CreateWindowExW.USER32(80000000,SysListView32,?,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F87A42
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00F87A60
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00F87A68

Part of subcall function 00E983A0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00E983D6

Strings

SysListView32, xrefs: 00F87A39

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Init_thread_footerWindow$AddressCreateLongProc
String ID: SysListView32
API String ID: 605634508-78025650
Opcode ID: 1f455a92c233afaef00cc780657bb8aba5261f01e969eaced9c4eb3c0682cdfa
Instruction ID: ac3ef00fa4189090582791bb5a400ce8691061c736e5659908c0aff82dab31a4
Opcode Fuzzy Hash: 1f455a92c233afaef00cc780657bb8aba5261f01e969eaced9c4eb3c0682cdfa
Instruction Fuzzy Hash: 02117971344310BBD625AA268C05F6BFBA9FFC9B50F114619FA04AB390C7B1E900CBA4

Function 00E99DD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0118297C), ref: 00E99E0C
GetCurrentThreadId.KERNEL32 ref: 00E99E20
LeaveCriticalSection.KERNEL32(0118297C), ref: 00E99E5F

Strings

v, xrefs: 00E99E5F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: v
API String ID: 2351996187-3261393531
Opcode ID: d3eb06d79229389844976119781e587770cf17e4b8584677b327e616c5627a9d
Instruction ID: e6c059cabd9baeed107fc0a6de75f9bf496a41315dc79061da0dc21a610e7794
Opcode Fuzzy Hash: d3eb06d79229389844976119781e587770cf17e4b8584677b327e616c5627a9d
Instruction Fuzzy Hash: 0811E231E04215CFCB25CF59D80476EBBF4EB54B24F10926EE866A7340D7716800CB90

Function 0106190C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,010618BD,?,?,00000000,?,?,?,010619E7,00000002,FlsGetValue,010EAF18,FlsGetValue), ref: 01061919
GetLastError.KERNEL32(?,010618BD,?,?,00000000,?,?,?,010619E7,00000002,FlsGetValue,010EAF18,FlsGetValue,?,?,0105E804), ref: 01061923
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0106194B

Strings

api-ms-, xrefs: 01061930

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f84b2dc79b0cfb308edfe5acdec6892e0021a8353fd2dbbc412b368118c2fe99
Instruction ID: ca47e58c61a2f59f65989003c90c2da0cd76de271299e82e890dcd1377eb3074
Opcode Fuzzy Hash: f84b2dc79b0cfb308edfe5acdec6892e0021a8353fd2dbbc412b368118c2fe99
Instruction Fuzzy Hash: 75E04F30380305BBEF625A62EC06B593FDDAB40F58F5084A0FB8CBC1D1D7B796509654

Function 00EA7FF0 Relevance: 6.3, APIs: 4, Instructions: 321windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00EA8138
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00EA814D

Part of subcall function 00E8A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,9F3ADAE5,00000000,01084C50,000000FF,?,?,01173854,?,00FE9828,80004005,9F3ADAE5,?,?), ref: 00E8A9FA

Part of subcall function 00F87AE0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00EA8188,00000000,80004005), ref: 00F87B48
Part of subcall function 00F87AE0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00EA8188,00000000,80004005), ref: 00F87B59
Part of subcall function 00F87AE0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F87B78

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00EA8283
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00EA837F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID:
API String ID: 884508843-0
Opcode ID: 2ef76dfb40c0cf4603d39d73659d7e356ca1be443ff3898781e3bb2e8f7e8f82
Instruction ID: afeb834e9df1864df887d80a274fbdc43aea9591b7d1489509b342215d0b09f4
Opcode Fuzzy Hash: 2ef76dfb40c0cf4603d39d73659d7e356ca1be443ff3898781e3bb2e8f7e8f82
Instruction Fuzzy Hash: A2C19071A00209DFDB18DFA8C985BEEFBB5FF49314F144229E515BB290DB74A944CBA0

Function 00EB1800 Relevance: 6.2, APIs: 4, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00EB18D5
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00EB1907
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00EB1A7E
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00EB1AA6

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: da048d263a4e8119a97426d176a596321c4df7faa5a079b42a392e992608998b
Instruction ID: 2724408f8d08e79348e4b380b4624b07fe0dfe4d9907b58deb8b1685fabe105c
Opcode Fuzzy Hash: da048d263a4e8119a97426d176a596321c4df7faa5a079b42a392e992608998b
Instruction Fuzzy Hash: EF917B71A01205EFCB25DF68D8A4AEEB7F5FF48320F4451A9E546B7291D730A944CBA0

Function 00EA8DD0 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 00EA8EAA
IsWindowEnabled.USER32(?), ref: 00EA8EED
CopyRect.USER32(?,?), ref: 00EA8F48
IsWindowEnabled.USER32(?), ref: 00EA8F6D

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: EnabledWindow$CopyRect
String ID:
API String ID: 2919275910-0
Opcode ID: fd82dc82b49480ecffc2d1e164cb962fe9c1dcb000f7ac9031720ce066a7a447
Instruction ID: d913b1052b18a69c356a223252b542a685b107f9f1276f62789dcd13cec56116
Opcode Fuzzy Hash: fd82dc82b49480ecffc2d1e164cb962fe9c1dcb000f7ac9031720ce066a7a447
Instruction Fuzzy Hash: FC61C331A006159FDB14CF68C985BAAB7F5EF8A700F108269ED56EB394CB74AC05CB60

Function 00EA1760 Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00EA17B9
GetLastError.KERNEL32 ref: 00EA17ED
SendMessageW.USER32(?,00000317,00000000,00000006), ref: 00EA1819
SendMessageW.USER32(?,00000318,?,00000006), ref: 00EA1877

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ClientErrorLastRect
String ID:
API String ID: 2591167063-0
Opcode ID: d58cc699734acc11db7bd2cb072d731065576948074357a4acd028054f61eed8
Instruction ID: 2699e3fe39ac1cfba1816e9c604bd10171cba6b92336284b55b51fbf3743aaa5
Opcode Fuzzy Hash: d58cc699734acc11db7bd2cb072d731065576948074357a4acd028054f61eed8
Instruction Fuzzy Hash: D031C571A44708AFE725CF24C849BAABBF8FB09714F100269F562EA6D0DB79A940C750

Function 00FAF230 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00EA1E40: CreateCompatibleDC.GDI32(?), ref: 00EA1E9B
Part of subcall function 00EA1E40: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00EA1EB4
Part of subcall function 00EA1E40: SelectObject.GDI32(?,00000000), ref: 00EA1EC0
Part of subcall function 00EA1E40: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00EA1ED9

SelectObject.GDI32(?,?), ref: 00FAF293
SetTextColor.GDI32(?,?), ref: 00FAF2DF
DrawTextW.USER32(?,?,?,?,00000024), ref: 00FAF2FD
SelectObject.GDI32(?,?), ref: 00FAF309

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateText$BitmapColorDrawViewport
String ID:
API String ID: 1496946490-0
Opcode ID: f25a45c117e4d3dfabeb24d334894f207c97762c4d52d2ca69d6bf1243deb847
Instruction ID: f5f75887558995d08fdd0a588c5c8e93bd9cc6398ade66991a3db1b10bc5c7af
Opcode Fuzzy Hash: f25a45c117e4d3dfabeb24d334894f207c97762c4d52d2ca69d6bf1243deb847
Instruction Fuzzy Hash: DA316B71805208FFDB11DF94DD45B9DBFB6FF08720F204225F925A6290D7316A64DB94

Function 00F38850 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000017,9F3ADAE5,?,0117D4C0,?,?,?,?,00000000,Function_00233CFD,000000FF,?,?,0117D4C0), ref: 00F38899
LoadResource.KERNEL32(00000000,00000000,?,0117D4C0,?,?,?,?,00000000,Function_00233CFD,000000FF,?,?,0117D4C0,?), ref: 00F388A8
LockResource.KERNEL32(00000000,?,0117D4C0,?,?,?,?,00000000,Function_00233CFD,000000FF,?,?,0117D4C0,?), ref: 00F388B3
SizeofResource.KERNEL32(00000000,?,?,0117D4C0,?,?,?,?,00000000,Function_00233CFD,000000FF,?,?,0117D4C0,?), ref: 00F388C4

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 12ed5dee9dda1fff970a8bc33ad452172b34e7dcdb58d971bd1d937931fd7e94
Instruction ID: 5255228adde1119e9113dc965bf9bd6c403bbda57deb250b0d143c48bbc1ce09
Opcode Fuzzy Hash: 12ed5dee9dda1fff970a8bc33ad452172b34e7dcdb58d971bd1d937931fd7e94
Instruction Fuzzy Hash: C131DF72D05705ABD7209F25D804BABBBF8EB48B60F004229FC55A7280EF349A0497A1

Function 00FF4A90 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FF4ADA
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FF4AED
GetDC.USER32(00000000), ref: 00FF4B47
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FF4B5A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: 74334c6a8d0c24ded3f0346bf384818873638dfaff7f66cc5f2fbd2a3196698a
Instruction ID: d6b67402d3e0778ee367d242aeee1036426d6230b01c8725c35e80cc15f96b5c
Opcode Fuzzy Hash: 74334c6a8d0c24ded3f0346bf384818873638dfaff7f66cc5f2fbd2a3196698a
Instruction Fuzzy Hash: D631A1B1914A18EFD722CF74D845B6AF7B8FF093A5F108326E525E3285E7706941CB50

Function 00E97110 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00E971C4
IsChild.USER32(?,00000000), ref: 00E971CE
GetWindow.USER32(?,00000005), ref: 00E971DD
SetFocus.USER32(00000000), ref: 00E971E4

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: cdee3cf66b9cecc35a8eb855aedb5a94a880341c327184f0f658f87becc0d0eb
Instruction ID: f6e90a1af8ea4373d81211fa660fd33ae577685cd82c91b7fcf254a1705e0838
Opcode Fuzzy Hash: cdee3cf66b9cecc35a8eb855aedb5a94a880341c327184f0f658f87becc0d0eb
Instruction Fuzzy Hash: AD31BD70608606EFDB14CF65CD49FAABBB8FF48314F108229E965D7390DB75A814CB90

Function 00EA1060 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 00EA108C
ScreenToClient.USER32(?,?), ref: 00EA109B
ScreenToClient.USER32(?,?), ref: 00EA10AB
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?,00EA0B11,?,?,?), ref: 00EA110E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ClientScreenWindow$Rect
String ID:
API String ID: 3998357320-0
Opcode ID: ff89982b2e0f825afc53ebaaa5403873a82359205de98c45ad103a2beada5d17
Instruction ID: bb4f6a4da52d1e870dd0839e47b32f020f01b5d3bcec9995be6eeffd69b8f427
Opcode Fuzzy Hash: ff89982b2e0f825afc53ebaaa5403873a82359205de98c45ad103a2beada5d17
Instruction Fuzzy Hash: 9E218976608306AFD324CF28CD85E6BB7F9EBD9710F01852DF95497284D730E8448BA6

Function 00FE2EC0 Relevance: 6.1, APIs: 4, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,00FE22F2,?,?,?,?,?,00000003,00000000,9F3ADAE5,00000000), ref: 00FE2ED2
GetLastError.KERNEL32(?,?,?,00FE22F2,?,?,?,?,?,00000003,00000000,9F3ADAE5,00000000), ref: 00FE2EFF
WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,00FE22F2,?,?,?,?,?,00000003,00000000,9F3ADAE5,00000000), ref: 00FE2F35
SetEvent.KERNEL32(?,?,?,?,00FE22F2,?,?,?,?,?,00000003,00000000,9F3ADAE5,00000000), ref: 00FE2F58

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID:
API String ID: 708712559-0
Opcode ID: 58bc0d3b5f2c5aa263008fa1ebf4bf139af020c951e3bdbe1abbe2bfa23ffb3e
Instruction ID: 53684a438bc4a1da0cc994f1f14a62715caa22683e948214f93cf655b277b707
Opcode Fuzzy Hash: 58bc0d3b5f2c5aa263008fa1ebf4bf139af020c951e3bdbe1abbe2bfa23ffb3e
Instruction Fuzzy Hash: DC119131B047C08EEBB09A27E448B577BF9BF60734F40486EE08686665D375EC86E750

Function 00EA43C0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,9F3ADAE5,?), ref: 00EA441D
EnterCriticalSection.KERNEL32(?,9F3ADAE5,?), ref: 00EA442A
LeaveCriticalSection.KERNEL32(?), ref: 00EA4452

Strings

v, xrefs: 00EA4452

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: v
API String ID: 3991485460-3261393531
Opcode ID: 864fa914f1726f0efa733f801865fc8806557125a0591107f4bd45c51fd03af0
Instruction ID: 615cc55821f61171f48c08a358385ca237b3c6f866cd39ed2885d712ae1706b5
Opcode Fuzzy Hash: 864fa914f1726f0efa733f801865fc8806557125a0591107f4bd45c51fd03af0
Instruction Fuzzy Hash: 5521EC76904244DFCF11DF64D8407E9BFB4EB5A338F5002A9E865AB385D7326909CB50

Function 00EA1D90 Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00EA1DE1
SelectObject.GDI32(?,?), ref: 00EA1DEC
DeleteObject.GDI32(?), ref: 00EA1DFE
DeleteDC.GDI32(?), ref: 00EA1E23

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: DeleteObject$Select
String ID:
API String ID: 207189511-0
Opcode ID: a96ac3200cfa94fac812878bdb0ca09f72eeb78ca16ff23f9fa915ff83d1beca
Instruction ID: 5a1d907788c3663d6d58b3c66f148fdadf9dd4928d44020d89e35b373428082b
Opcode Fuzzy Hash: a96ac3200cfa94fac812878bdb0ca09f72eeb78ca16ff23f9fa915ff83d1beca
Instruction Fuzzy Hash: A21119B1604606FFD724CF59D908B6AFBB9FB49720F108269F825D7680D771A960CBA0

Function 00EA1E40 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00EA1E9B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00EA1EB4
SelectObject.GDI32(?,00000000), ref: 00EA1EC0
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00EA1ED9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CompatibleCreate$BitmapObjectSelectViewport
String ID:
API String ID: 1881423421-0
Opcode ID: a6418889f9be482210b96ba16ec0df3d34583aa6092ec6c5b85bf02cdcb6efca
Instruction ID: 10ca97c33d3e50dff03cfc801306fde1cb2f3656285ee13b983a4796bd975191
Opcode Fuzzy Hash: a6418889f9be482210b96ba16ec0df3d34583aa6092ec6c5b85bf02cdcb6efca
Instruction Fuzzy Hash: 84210875504B05EFD734CF58C944B6ABBF8FB08710F108A6EE8A697B90D771A984CB90

Function 00E9A910 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E9A93B
BitBlt.GDI32(00000000,?,?,?,00000000,?,00000000,00000000,00CC0020), ref: 00E9A966
DeleteDC.GDI32(?), ref: 00E9A96D
ReleaseDC.USER32(?,?), ref: 00E9A97A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID:
API String ID: 2015589292-0
Opcode ID: 6ed7a2bc55fd79d25b11d2ce812ef420a5b9e6f113048cedc0039cab8c1e203d
Instruction ID: eb743eacda8ca6c068e97c8a377faba97b062a08ecc33b1d1c10b91be1f5c5dd
Opcode Fuzzy Hash: 6ed7a2bc55fd79d25b11d2ce812ef420a5b9e6f113048cedc0039cab8c1e203d
Instruction Fuzzy Hash: 8A011772208205AFD318DF68DC89F2BBBF9FB8C310F448628F55582654D770E854CBA2

Function 0105A969 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0105A970
std::_Lockit::_Lockit.LIBCPMT ref: 0105A97B
std::_Lockit::~_Lockit.LIBCPMT ref: 0105A9E9

Part of subcall function 0105AACB: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0105AAE3

std::locale::_Setgloballocale.LIBCPMT ref: 0105A996

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: a38fed5dff6eddef270c069418ae1f3a28255060bd2c10becf8b0cc5f8c36865
Instruction ID: 19669929957471530ff745bc6ed69e0ab70bcd9a8b2bfcc25165fea63bb25794
Opcode Fuzzy Hash: a38fed5dff6eddef270c069418ae1f3a28255060bd2c10becf8b0cc5f8c36865
Instruction Fuzzy Hash: 50012F79A00122CBCB4AEB60C9845BE7BB1BF84200B148009DC915B384CF386E42CBD5

Function 00E94BA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00E94C16
SendMessageW.USER32(?,00000000,00000000), ref: 00E94D12

Part of subcall function 00E96670: SysFreeString.OLEAUT32(00000000), ref: 00E96713

Strings

AtlAxWin140, xrefs: 00E94C0E

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: b7485e96e69cbd9cf34e6ca719e4d9004df7fc4ab945ca302bf869f644c2a56a
Instruction ID: 457fde325594985315776b012b0a2fd16cc53dc1dc15810966472df09efc7f0a
Opcode Fuzzy Hash: b7485e96e69cbd9cf34e6ca719e4d9004df7fc4ab945ca302bf869f644c2a56a
Instruction Fuzzy Hash: 799116B4600208EFDB14DF64C888F6ABBB9FF49714F108599F969AB391C771E905CB90

Function 01070C7D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01070D0D

Strings

pow, xrefs: 01070CE5, 01070D02

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8673fe906837e3a3ece0cefa9a514014af026a949c1baf5ce658ae7c32c57880
Instruction ID: d3bde2dd1a6c2403ad78502d930d8867fe27e2d5f841a2028e6d0982470b6ab5
Opcode Fuzzy Hash: 8673fe906837e3a3ece0cefa9a514014af026a949c1baf5ce658ae7c32c57880
Instruction Fuzzy Hash: E7513861F0420EDADB567B1CC9403BE2BD09B41B40F288EE9F5D64729DEA3598918B4E

Function 00FDCF60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

CloseHandle.KERNEL32(?,9F3ADAE5,000000C9,00000000), ref: 00FDD0E3
DeleteCriticalSection.KERNEL32(?,9F3ADAE5,000000C9,00000000), ref: 00FDD171

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00FDD04F

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 3699736680-396061572
Opcode ID: f1f314a2e4b8ebfb3a43ccbfb29887cc44396c07986404cd74cc07734f6b03c8
Instruction ID: 0d8d101c8166eca7d29e075785feae7b45b6832b9759382bb8998a8cb4d0c2e1
Opcode Fuzzy Hash: f1f314a2e4b8ebfb3a43ccbfb29887cc44396c07986404cd74cc07734f6b03c8
Instruction Fuzzy Hash: DE610370901649DFDB14DFA8D90874ABBF4FF45314F14826DE808AB381D7759A44CB91

Function 00F9ACC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,9F3ADAE5), ref: 00F9AD61

Strings

\\?\, xrefs: 00F9AE5E, 00F9AE89
\\?\UNC\, xrefs: 00F9AD88, 00F9ADE9

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: d94861f0af0d862539e8ae0a61b04cf4e01c4c4aec53ea7d8dd8c2676cfa5f98
Instruction ID: 3214a4c7bed773339686dbb252e7ef26bb884468ea938848aeb1f527aaea7c30
Opcode Fuzzy Hash: d94861f0af0d862539e8ae0a61b04cf4e01c4c4aec53ea7d8dd8c2676cfa5f98
Instruction Fuzzy Hash: 3651CE70D002049BEB14DF68D889BAEB7F5FF94304F20861EE8556B681EB756948CBE1

Function 00FFF5C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,9F3ADAE5,_pbl_evt,00000008,?,?,0110CB88,00000001,9F3ADAE5,00000000), ref: 00FFF66E
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00FFF68B

Strings

_pbl_evt, xrefs: 00FFF642

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: 45aa3d3cdd930018f539da323403faa41944c6047b1a31bcc6d4f2eb0a44dbc2
Instruction ID: 6d1045e3703c46356ce6820ce7e4af7c7529afd5afea74ac080a624473958735
Opcode Fuzzy Hash: 45aa3d3cdd930018f539da323403faa41944c6047b1a31bcc6d4f2eb0a44dbc2
Instruction Fuzzy Hash: 8D51C171D00608AFDB10DF68CD85BEEB7B8EF14720F508229E955B7290EB746A05CBA1

Function 00FE2FE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8ACF0: GetProcessHeap.KERNEL32 ref: 00E8AD45
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AD77
Part of subcall function 00E8ACF0: __Init_thread_footer.LIBCMT ref: 00E8AE02

GetLastError.KERNEL32(?,00000000,FTP Server,0000000A), ref: 00FE3064
WaitForSingleObject.KERNEL32(?,0000000A,?,00000000,FTP Server,0000000A), ref: 00FE309D

Strings

REST %u, xrefs: 00FE3031

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Init_thread_footer$ErrorHeapLastObjectProcessSingleWait
String ID: REST %u
API String ID: 1670056567-3183379045
Opcode ID: 0d0b621b8b3d20f8d5ed3d6938ba91e3226f91126810de76c1c30b388aeeec2d
Instruction ID: 3a46b1d76d8c20e94a786b6dfcb8bfa751f47cfaac0926387e4224adb4222fdd
Opcode Fuzzy Hash: 0d0b621b8b3d20f8d5ed3d6938ba91e3226f91126810de76c1c30b388aeeec2d
Instruction Fuzzy Hash: F751EE31A006849FD720CF6ACC8CB6AB7E4FF41324F14862DE5569B6A1D779EE44DB40

Function 00FDE320 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,9F3ADAE5,?,?,0117D68C), ref: 00FDE35F
CreateDirectoryW.KERNEL32(?,00000000,?,0117D68C), ref: 00FDE3C0

Strings

ADVINST_LOGS, xrefs: 00FDE398

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 10c8fe260a3ef0dfd5a88e8a786872dc4601ac56cb04e3e5c14f5996f46dbe3f
Instruction ID: 9aba05e54fad6d5307c4d46c7b1dad4089dde3f163ac86f3f63d648b702feae0
Opcode Fuzzy Hash: 10c8fe260a3ef0dfd5a88e8a786872dc4601ac56cb04e3e5c14f5996f46dbe3f
Instruction Fuzzy Hash: 7551B079D00215CACB30EF28C8447BAB7F5FF11724F2846AED8999B290EB355981DB90

Function 00FB1E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,9F3ADAE5,0110BF88), ref: 00FB1E7C
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00FB1F73

Part of subcall function 00F9DFB0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F9E085

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 00FB1E9A

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 201254970-3373098694
Opcode ID: c809ca1d324bba6e72514164c72954b8b91a65eece4d52a43595fad862b093ad
Instruction ID: 7cb19448b04d3399e8808d413bdd49ef63cb92747aa0a536c309f9b6cceb3c0c
Opcode Fuzzy Hash: c809ca1d324bba6e72514164c72954b8b91a65eece4d52a43595fad862b093ad
Instruction Fuzzy Hash: 2941A371E003089BDB10DF59CD09BAEBBF8FF45714F108259E945AB2D0DBB89A48DB91

Function 00EC6C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EC6C6B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00EC6CCE

Strings

bad locale name, xrefs: 00EC6CF1

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 224fca24a41c1275c0134decad7a20a396a2a11809098475732623e2cbc281c5
Instruction ID: 9298eba86dc19249192cad90fab211b252f4e6e7bc826be68e6a0fe823f61cb3
Opcode Fuzzy Hash: 224fca24a41c1275c0134decad7a20a396a2a11809098475732623e2cbc281c5
Instruction Fuzzy Hash: 9021BD70A05784DED720CF68C904B4BBFF4AF15714F14869DE4859BB81D7B6AA04CBA1

Function 00EA922F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 00EA9262

Strings

Unknown exception, xrefs: 00EA9237
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00EA9247

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 39996ce72662a9eeda7c24a7d90b23fa9ea81da478317ac5a454ac1c2f59a6c9
Instruction ID: 521cddcbb7a2fb30cfa37a131659a08b894a14f16a236e8de46a4880bf9d9825
Opcode Fuzzy Hash: 39996ce72662a9eeda7c24a7d90b23fa9ea81da478317ac5a454ac1c2f59a6c9
Instruction Fuzzy Hash: 65016D30D05288EFCB04EBE4CA55ADDBBB0AF59304F54809CE445BF386DBB55A08DB92

Function 00E947D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00E94802

Strings

Unknown exception, xrefs: 00E947DA
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00E947ED

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 65d322fcec6cc2c3ea86eeebcdd18196fc50936468c9c17be8c5b4b16f1e9193
Instruction ID: c93670a3f5e7943c90d76062ad4cc734b07165b10ce1ee5e04a99b85dc738092
Opcode Fuzzy Hash: 65d322fcec6cc2c3ea86eeebcdd18196fc50936468c9c17be8c5b4b16f1e9193
Instruction Fuzzy Hash: C1018C30D05288EECF09EBE4CA55ADDBBB0AF55300F54809CE045BB386DBB45A08D792

Function 00E9445E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00E9448B

Strings

Unknown exception, xrefs: 00E94466
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00E94476

Memory Dump Source

Source File: 00000000.00000002.3318740243.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.3318725534.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318935584.0000000001178000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318952526.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318967679.000000000117B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: cf0851a7b31f0688d5a2457ce01076509c6a2230d7b369b5a19fc361d316f2d2
Instruction ID: 2c014f8c17345440406bb4fd40b39132c2bab94cb9cdff803e48432528cb9279
Opcode Fuzzy Hash: cf0851a7b31f0688d5a2457ce01076509c6a2230d7b369b5a19fc361d316f2d2
Instruction Fuzzy Hash: EB018C30D05288EECB09EBE4CA556DDBFB0AF55304F54809CE045BB286DBB45A08D792

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2091463542.0000000003EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp	Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3319283327.0000000003E10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3319283327.0000000003EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameMicrosoft Outlook vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2088123615.0000000003E8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe	Binary or memory string: OriginalFileNameMicrosoft Outlook vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\New

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\PrepareDlgProgress.gif

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ProgressImage.png

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\Up

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\applogoicon.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backbutton

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backbutton.xaml

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\background

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backgroundprepare

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backgroundsurface

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\browsebutton

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\browsebutton.xaml

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox_for_ctrls

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox_for_list_ctrls

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\cmdlinkarrow

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\completi

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\custicon

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\exclamic

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left.bmp

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe