Edit tour

Windows Analysis Report
SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Overview

General Information

Sample name:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Analysis ID:	1521531
MD5:	b1382f20fc2ac8ee00bc5d35cfe2a883
SHA1:	92dbed9a976191f17357082391fd69c38847875e
SHA256:	abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d
Tags:	AdwareInstallCoreexe
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Uses shutdown.exe to shutdown or reboot the system

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe (PID: 432 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe" MD5: B1382F20FC2AC8EE00BC5D35CFE2A883)

SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp (PID: 3360 cmdline: "C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe" MD5: 5F7561BFCBA09FC14E1B7F03E65C99E0)

shutdown.exe (PID: 1912 cmdline: "shutdown.exe" -r -f -t 0 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Process created: C:\Windows\SysWOW64\shutdown.exe "shutdown.exe" -r -f -t 0

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0042F9C0 NtdllDefWindowProc_A,	1_2_0042F9C0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00423FD4 NtdllDefWindowProc_A,	1_2_00423FD4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00412A28 NtdllDefWindowProc_A,	1_2_00412A28
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00479D08 NtdllDefWindowProc_A,	1_2_00479D08
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457D90

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_0042ED84: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042ED84

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_00408888	0_2_00408888
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00468034	1_2_00468034
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00488030	1_2_00488030
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0046A088	1_2_0046A088
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00452100	1_2_00452100
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0043E1F0	1_2_0043E1F0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004307FC	1_2_004307FC
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00444968	1_2_00444968
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00434A64	1_2_00434A64
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00444F10	1_2_00444F10
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00488F90	1_2_00488F90
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00431388	1_2_00431388
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00445608	1_2_00445608
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00471688	1_2_00471688
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0048F6BC	1_2_0048F6BC
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00435768	1_2_00435768
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0045F8C0	1_2_0045F8C0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0045B970	1_2_0045B970
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00445A14	1_2_00445A14

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: String function: 00403684 appears 229 times

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus29.rans.winEXE@6/2@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_004565A8

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_00456DD4 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

1_2_00456DD4

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Code function: 0_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_0040A0D4

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

File created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe "C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp "C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process created: C:\Windows\SysWOW64\shutdown.exe "shutdown.exe" -r -f -t 0
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp "C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process created: C:\Windows\SysWOW64\shutdown.exe "shutdown.exe" -r -f -t 0	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: shutdownext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450994

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_00406A18 push 00406A55h; ret	0_2_00406A4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_004093B4 push 004093E7h; ret	0_2_004093DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: 0_2_00408580 push ecx; mov dword ptr [esp], eax	0_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00409D9C push 00409DD9h; ret	1_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0041A078 push ecx; mov dword ptr [esp], ecx	1_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00452100 push ecx; mov dword ptr [esp], eax	1_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040A273 push ds; ret	1_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040A29F push ds; ret	1_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00460518 push ecx; mov dword ptr [esp], ecx	1_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00496594 push ecx; mov dword ptr [esp], ecx	1_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004587B4 push 004587ECh; ret	1_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00410930 push ecx; mov dword ptr [esp], edx	1_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00486A94 push ecx; mov dword ptr [esp], ecx	1_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00478D50 push ecx; mov dword ptr [esp], edx	1_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00412D78 push 00412DDBh; ret	1_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040D288 push ecx; mov dword ptr [esp], edx	1_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0040F7E8 push ecx; mov dword ptr [esp], edx	1_2_0040F7EA
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004438E0 push ecx; mov dword ptr [esp], ecx	1_2_004438E4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00459ACC push 00459B10h; ret	1_2_00459B08
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0049BD44 pushad ; retf	1_2_0049BD53

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	File created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0041811E IsIconic,SetWindowPos,	1_2_0041811E
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00418120
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004245E4 IsIconic,SetActiveWindow,	1_2_004245E4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0042462C IsIconic,SetActiveWindow,SetFocus,	1_2_0042462C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_004187D4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422CAC
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00484D28
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F71C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004179E8 IsIconic,GetCapture,	1_2_004179E8

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F568

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-6079

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-52222

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Code function: 0_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_0040A018

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450994

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_0047974C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_0047974C

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_0042F254 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042F254

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E4EC

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: GetLocaleInfoA,	0_2_0040565C
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	Code function: GetLocaleInfoA,	0_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: GetLocaleInfoA,	1_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	Code function: GetLocaleInfoA,	1_2_00408A04

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458DC4

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Code function: 1_2_00455D38 GetUserNameA,

1_2_00455D38

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_00404654

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	11 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	2 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	3 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	15 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp	10%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	false		unknown
http://www.remobjects.com/psU	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	false		unknown
http://www.remobjects.com/ps	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521531
Start date and time:	2024-09-28 22:24:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Detection:	SUS
Classification:	sus29.rans.winEXE@6/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 103 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe	Get hash	malicious	Socks5Systemz	Browse
	SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe	Get hash	malicious	Socks5Systemz	Browse
	SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe	Get hash	malicious	Socks5Systemz	Browse
	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	boSodF2WmT.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: boSodF2WmT.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	733184
Entropy (8bit):	6.527940424581213
Encrypted:	false
SSDEEP:	12288:ZsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce05aDCUFJyx9Z6:6McMoi3rPR37dzHRA6G7WbuSEmK50qy0
MD5:	5F7561BFCBA09FC14E1B7F03E65C99E0
SHA1:	A94D724FF5F2EB5EE5DA58ABF81C9088D19B5A2A
SHA-256:	2D6377C5105EBC6EE27ED61F3FB342D2F6FB6394CCEC0E81A82D019D74586D30
SHA-512:	F4E88D4ED8702A940D336AA172C157816CDA5EFFB448AFBC2BF58E7DEA096EB2BEDE957AD4278E4697B31572D14BFEFCC2DCA5DCEBC9170BBCA7FE39AE5E2FA9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 10%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................0............@......@...............................&......(V...................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...(V.......X..................@..P.....................r..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.820907275699891
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
File size:	333'639 bytes
MD5:	b1382f20fc2ac8ee00bc5d35cfe2a883
SHA1:	92dbed9a976191f17357082391fd69c38847875e
SHA256:	abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d
SHA512:	e34b752a0c6c9918b822640f5564449a5e82c31fe3d0cf57aaf3baae5b57bbf805f0194761c40f9444ba87d0b43828669b564c342e8cf9f834c3eed72fcd382d
SSDEEP:	6144:oP7OolMPaDCUFSjKDQBH3AgeedRuUCFJ2H/uRGtfotLxVDZF8b8a0gX5jT/R26WM:g7blMPaDCUFSO0d37N3uUCeYGtf0jZOX
TLSH:	23641203D7CA81B8D07286742D3657248737BE223EB4542A7B9D3E9ECF77081991D78A
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	29226ee6b692c62f

Static PE Info

General

Entrypoint:	0x40aa98
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	2fb819a19fe4dee5c03e8c6a79342f79

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F539C8CF9C3h
call 00007F539C8D0BCAh
call 00007F539C8D0F31h
call 00007F539C8D134Ch
call 00007F539C8D32EBh
call 00007F539C8D5C82h
call 00007F539C8D5DE9h
xor eax, eax
push ebp
push 0040B169h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040B132h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040D014h]
call 00007F539C8D68BBh
call 00007F539C8D64A6h
cmp byte ptr [0040C234h], 00000000h
je 00007F539C8D739Eh
call 00007F539C8D69B8h
xor eax, eax
call 00007F539C8D06B9h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F539C8D38FBh
mov edx, dword ptr [ebp-10h]
mov eax, 0040DE30h
call 00007F539C8CFA5Ah
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040DE30h]
mov dl, 01h
mov eax, 00407808h
call 00007F539C8D41B6h
mov dword ptr [0040DE34h], eax
xor edx, edx
push ebp
push 0040B0EAh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F539C8D6916h
mov dword ptr [0040DE3Ch], eax
mov eax, dword ptr [0040DE3Ch]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x97c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x75f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xa1d0	0xa200	b7ea439d9c6d5ec722056c9243fb3054	False	0.6025028935185185	data	6.643749028594943	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xc000	0x250	0x400	9b2268ed5360951559d8041925d025fb	False	0.3037109375	data	2.740124513017086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xd000	0xe94	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x97c	0xa00	df5f31e62e05c787fd29eed7071bf556	False	0.41796875	data	4.486076246232586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x10000	0x18	0x200	14dfa4128117e7f94fe2f8d7dea374a0	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x91c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x75f4	0x7600	748bb4ec7fe23e0a492c0aafb8763af9	False	0.5161877648305084	data	5.864643451923147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12414	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.4543010752688172
RT_ICON	0x126fc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.5472972972972973
RT_ICON	0x12824	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.6090085287846482
RT_ICON	0x136cc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.8172382671480144
RT_ICON	0x13f74	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.7023121387283237
RT_ICON	0x144dc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.41369294605809126
RT_ICON	0x16a84	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6672138836772983
RT_ICON	0x17b2c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.8164893617021277
RT_STRING	0x17f94	0x2f2	data			0.35543766578249336
RT_STRING	0x18288	0x30c	data			0.3871794871794872
RT_STRING	0x18594	0x2ce	data			0.42618384401114207
RT_STRING	0x18864	0x68	data			0.75
RT_STRING	0x188cc	0xb4	data			0.6277777777777778
RT_STRING	0x18980	0xae	data			0.5344827586206896
RT_RCDATA	0x18a30	0x2c	data			1.0909090909090908
RT_GROUP_ICON	0x18a5c	0x76	data	English	United States	0.6440677966101694
RT_VERSION	0x18ad4	0x4f4	data	English	United States	0.26419558359621453
RT_MANIFEST	0x18fc8	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	16:25:24
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Imagebase:	0x400000
File size:	333'639 bytes
MD5 hash:	B1382F20FC2AC8EE00BC5D35CFE2A883
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:25:24
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Imagebase:	0x400000
File size:	733'184 bytes
MD5 hash:	5F7561BFCBA09FC14E1B7F03E65C99E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 10%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:25:26
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	"shutdown.exe" -r -f -t 0
Imagebase:	0x940000
File size:	23'552 bytes
MD5 hash:	FCDE5AF99B82AE6137FB90C7571D40C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:25:26
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exePID: 432, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.9%
Total number of Nodes:	1541
Total number of Limit Nodes:	23

Executed Functions

Function 00404654 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 174
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 0040466F
GetVersion.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 00404676
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048B5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048CB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 004048D6

Strings

apphelp.dll, xrefs: 00404785
profapi.dll, xrefs: 00404857
SetProcessDEPPolicy, xrefs: 004048C5
kernel32.dll, xrefs: 0040466A
uxtheme.dll, xrefs: 0040471C
SetDllDirectoryW, xrefs: 004046AD
version.dll, xrefs: 00404834
setupapi.dll, xrefs: 00404762
SetSearchPathMode, xrefs: 004048AF
oleacc.dll, xrefs: 00404811
userenv.dll, xrefs: 0040473F
dwmapi.dll, xrefs: 004047CB
propsys.dll, xrefs: 004047A8
clbcatq.dll, xrefs: 0040489D
comres.dll, xrefs: 0040487A
cryptbase.dll, xrefs: 004047EE
SetDefaultDllDirectories, xrefs: 00404685

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-2388063882
Opcode ID: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
Instruction ID: 9e7baa03e94b680687c531d55c537e9110a8ac934c54f9465d7227ec1282235b
Opcode Fuzzy Hash: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
Instruction Fuzzy Hash: B2611070600149AFDB00FBF6DA8398E77A99F80309B2045BBA604772D6D778EF059B5D

Function 0040A018 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 0040A02A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A035
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A076
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0A8
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0B8

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
Instruction ID: f5309bbdda193f62b4be3c179e768a57e3f3f612c04de257546ab44ee606f1f6
Opcode Fuzzy Hash: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
Instruction Fuzzy Hash: 142190B1240308ABD6309E69CC85F5777D8DF85354F08493AFAC5E33C2D63DE860866A

Function 0040565C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
Instruction ID: d14b50eaf9df709ed1cf3d56deeb77a2084f63d122e7671578114c6bad5e918b
Opcode Fuzzy Hash: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
Instruction Fuzzy Hash: 68E0D87170021427D711A9699C86EFB735CDB58314F4006BFB909E73C6EDB59E8046ED

Function 00409520 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 00409542
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409548
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 0040955C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409562

Strings

shell32.dll, xrefs: 0040959F
kernel32.dll, xrefs: 0040953D, 00409557
Wow64RevertWow64FsRedirection, xrefs: 00409552
Wow64DisableWow64FsRedirection, xrefs: 00409538

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
Instruction ID: 3d1781b746021e9606986d5b6d55f7cbde73f6a932e0ba52378b2443c6d91f24
Opcode Fuzzy Hash: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
Instruction Fuzzy Hash: 79115470908244BEDB01FBA2CD43B5A7B68D784744F204477F501762D3DA7D5E08DA2D

Function 0040AF57 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
SetWindowLongA.USER32(000103E6,000000FC,Function_00009E00), ref: 0040AFB5

Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4

Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44

RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
DestroyWindow.USER32(000103E6,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5

Strings

InnoSetupLdrWindow, xrefs: 0040AF92
/SL5="$%x,%d,%d,, xrefs: 0040AFF5
STATIC, xrefs: 0040AF97

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 849423697-3001827809
Opcode ID: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
Instruction ID: d96ad4f456555d006dfdd6a111ba55fa130d32b67bbf9cfe256734ebf9c0f5f1
Opcode Fuzzy Hash: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
Instruction Fuzzy Hash: 95413070A006449BD711EBE9EE85B9A77E4EB58304F10427BF514BB2E1C7B89C49CB9C

Function 0040AF42 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
SetWindowLongA.USER32(000103E6,000000FC,Function_00009E00), ref: 0040AFB5

Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4

Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44

RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
DestroyWindow.USER32(000103E6,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5

Strings

InnoSetupLdrWindow, xrefs: 0040AF92
/SL5="$%x,%d,%d,, xrefs: 0040AFF5
STATIC, xrefs: 0040AF97

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
Instruction ID: 22e85acea042a1c9b241f29fbd05952515ad99a43a6683ef4ce3977848861488
Opcode Fuzzy Hash: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
Instruction Fuzzy Hash: 00410971A006049BD710EBE9EE85BAA77A4EB58304F10427AF514BB2E1D7789C48CB9C

Function 00409E8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44

Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C

Strings

D, xrefs: 00409ED6

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 7df226d52587f770460e981b15b5d19bc6ab37567cde566df4420800d0169a2d
Instruction ID: c83664c5db2498e28503e3c1fa1a9009394fa647db11d74ebe1f458a85c7f7ae
Opcode Fuzzy Hash: 7df226d52587f770460e981b15b5d19bc6ab37567cde566df4420800d0169a2d
Instruction Fuzzy Hash: 19113DB16042096ADB00EBE6CC42F9EB7ACEF89714F50017AB604F72C6DA789D048669

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
Opcode Fuzzy Hash: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

Function 0040ACB4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18

Strings

.tmp, xrefs: 0040AD5E
@z@, xrefs: 0040ADCC
d~@, xrefs: 0040AE21

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: .tmp$@z@$d~@
API String ID: 2030045667-2080866987
Opcode ID: 2b85bf55d00087c4ee4d3d53e5bb2d438756d7f2ac1061807f4f56549d36f6d1
Instruction ID: dd76c9251985b1ff4450233ddc9785193850427026a6d5c0e90a1b5537d094b7
Opcode Fuzzy Hash: 2b85bf55d00087c4ee4d3d53e5bb2d438756d7f2ac1061807f4f56549d36f6d1
Instruction Fuzzy Hash: 4B419570A046009FD705EFA5DE91A2A77A5EB59304B11447BF804BB7E1CA79AC04CB9D

Function 0040ACCF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18

Strings

.tmp, xrefs: 0040AD5E
@z@, xrefs: 0040ADCC
d~@, xrefs: 0040AE21

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: .tmp$@z@$d~@
API String ID: 2030045667-2080866987
Opcode ID: 81bdbc4c120031e8217955485f9b4631603aba5f155e491865d52178ba1ca84f
Instruction ID: bf9d77eae5c07405b3109107b1835c74e23881a639ebcc62aff07684a9841850
Opcode Fuzzy Hash: 81bdbc4c120031e8217955485f9b4631603aba5f155e491865d52178ba1ca84f
Instruction Fuzzy Hash: BF419570B006019FD705EFA5DE92A6A77A5EB59304B10447BF804BB7E1CBB9AC04CB9D

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Runtime error at 00000000, xrefs: 00403D96, 00403DA9
Error, xrefs: 00403D91

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

Function 004097D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409816
GetLastError.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040981F

Strings

.tmp, xrefs: 004097FF

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
Instruction ID: 48b9f2fdce89366346d31e95a36bae064327856a755920fc8e2ea7d65379a348
Opcode Fuzzy Hash: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
Instruction Fuzzy Hash: 23211575A10208ABDB05FFE5C8529DFB7B9EB48304F10457BE901B73C2DA789E05CAA5

Function 00409978 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?), ref: 00409997
Sleep.KERNEL32(?), ref: 004099A7
GetLastError.KERNEL32(?), ref: 004099BA
GetLastError.KERNEL32(?), ref: 004099C4

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
Instruction ID: 55ccdd2d2ee1bdbcd31af2ea42c7aee1c1b219f05c386506858fe4dd166fe014
Opcode Fuzzy Hash: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
Instruction Fuzzy Hash: 6AF090B2A0511856CA25A6AE9881B6FB28CEAC0368714413FFA44F7383D43DDC0152BA

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

Function 00409438 Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00409495), ref: 0040946F
GetLastError.KERNEL32(00000000,00000000,00409495), ref: 00409477

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
Instruction ID: 3a2bfa3924d7da3ec485a5c2eebce42195f764b2344cc107bbad9e5710e02f6c
Opcode Fuzzy Hash: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
Instruction Fuzzy Hash: 3EF0AF71A08608ABCB01EFB59C4159EB3A8EB8831476045BBF808F32C3E6395E018599

Function 0040741C Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00407426
LoadLibraryA.KERNEL32(00000000,00000000,00407470,?,00000000,0040748E,?,00008000), ref: 00407455

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
Instruction ID: f52ba4a9feec5d4d4615fe406f45eaba014741ff6d770d8a308f032ff20cb8dd
Opcode Fuzzy Hash: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
Instruction Fuzzy Hash: 26F08270A14708BEDB025FB68C5282ABAECE749B1475288B6F900A2AD2E53C5820C569

Function 0040B0EF Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
DestroyWindow.USER32(000103E6,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5

Part of subcall function 00409978: Sleep.KERNEL32(?), ref: 00409997
Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099BA
Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099C4

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
String ID:
API String ID: 2192421792-0
Opcode ID: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
Instruction ID: 80fe6e0f7824975e72fa29ef6d7a10d3d2514edd0f005a574200bdc13b2d30de
Opcode Fuzzy Hash: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
Instruction Fuzzy Hash: C9F0CD70A105009BD725ABA9EE99B2632E5E7A4305F04453AA110BB2F1C7BD9C88CA8D

Function 00407AE8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B07
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B0F

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020903AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
Instruction ID: 2b235249b0a7ee07bcb8c1d8603e448d3cb6330bb11491e7c51f1e2a1a123f33
Opcode Fuzzy Hash: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
Instruction Fuzzy Hash: 13E092767081005FD610E55DC881A9B33DCDFC53A8F004537B654EB1D1D675B8008366

Function 00407AA8 Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407ABF
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407ACE

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
Instruction ID: e15dfe76c2c2153dd18fa5b66318eead10a3336b01bc7908bb5745e2d55223c8
Opcode Fuzzy Hash: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
Instruction Fuzzy Hash: DAE092A17181106EEB20A65E9884F6B67DCCBC9314F04817BF508EB282D6B8DC008777

Function 00407A40 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A57
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A63

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020903AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
Instruction ID: b2e9c79a061d94bc6c1ac4e6a69a759f2ef78579472dc31f5d333ffaff30462c
Opcode Fuzzy Hash: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
Instruction Fuzzy Hash: C7E01AB1A002109EEB20EBB58981B5662D89B44364B048576A654DB2C6D274E800CB66

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

Function 004056D0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405806), ref: 004056EF

Part of subcall function 0040512C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405149

Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: cc3e47e390c1b33211b3d9873ad613d49b391b3cefde462b73c2cd7d0ab13d86
Instruction ID: 82c784cd7830e1ca4cd44457dad2f2fa429cf4e25a926eea24d274db27b93b1b
Opcode Fuzzy Hash: cc3e47e390c1b33211b3d9873ad613d49b391b3cefde462b73c2cd7d0ab13d86
Instruction Fuzzy Hash: C1316F75E00509ABCB00EF95CC819EEB379FF84304F508577E819BB285E739AE058B98

Function 004079F2 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5bc26aafbd8d3cc7e99f1b4789c5f450247a7b7967715b9db18694e2d0d8c5c5
Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
Opcode Fuzzy Hash: 5bc26aafbd8d3cc7e99f1b4789c5f450247a7b7967715b9db18694e2d0d8c5c5
Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8

Function 004079F4 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b99464c5deed90c436ccb8039285842caa459c4cfee6896295820f2cd2136feb
Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
Opcode Fuzzy Hash: b99464c5deed90c436ccb8039285842caa459c4cfee6896295820f2cd2136feb
Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8

Function 00406E2C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406E74,?,?,?,?,00000000,?,00406E89,004071E3,00000000,00407228,?,?,?), ref: 00406E57

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8e258e6088ff2729972a65b025d9916a43b1951ab399dc39633550a2ec6328db
Instruction ID: 5d103c24ca312c86e291a35865c809fd23e08ae6a8f6832d02acb9ca341f4446
Opcode Fuzzy Hash: 8e258e6088ff2729972a65b025d9916a43b1951ab399dc39633550a2ec6328db
Instruction Fuzzy Hash: ADE0E530300308BBD301EE72DC42D0ABBACDB89704B920476B400A26C2D5785E108068

Function 00407B44 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B5B

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020903AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 006c08a2f5d9871c0a1980147acda0c26795bf6e192fd3a261290223f417e960
Instruction ID: 30ae2be02b9f15b9cba2c15a2490e5271afae9e105f225727eb8a6e5b17a7771
Opcode Fuzzy Hash: 006c08a2f5d9871c0a1980147acda0c26795bf6e192fd3a261290223f417e960
Instruction Fuzzy Hash: 3FE06D727081106BD710A65A98C0E5777ECCF85764F00403BB608DB281C574AC01867A

Function 00407700 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095C3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0040771F

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: b9ec76e9ce0cf7c9b11fbb0d22c3d5372d7ad8be8fd57ca1cb8678c9dba0653c
Instruction ID: cd8e50964804133df0be52219a4bf40107040f8cbf32d452899ff663d46cfc84
Opcode Fuzzy Hash: b9ec76e9ce0cf7c9b11fbb0d22c3d5372d7ad8be8fd57ca1cb8678c9dba0653c
Instruction Fuzzy Hash: 7CE04FB1B8830126F62519545C87F7B164E47C0B84F64403B7B50EE3D2DABEB94B429F

Function 00407B28 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,020A8000,0040AEF9,00000000), ref: 00407B2F

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020903AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 879c3aef20c26933657ab209da42f9acde188edf801b45e7798529f352953bc6
Instruction ID: c094c2b5ec81b014f7647aed55f46f5be6f6c9eff784118cc89584b894c57cec
Opcode Fuzzy Hash: 879c3aef20c26933657ab209da42f9acde188edf801b45e7798529f352953bc6
Instruction Fuzzy Hash: AFC04CB1B141045BDB00A6AA85C2A1672DC5A482083404076B504DB247D678F8504755

Function 00407477 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407495), ref: 00407488

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3513d2af45e6240a0d0531d222129c39ee3681c2f506e4d79ab3159715fa7836
Instruction ID: fee884e8913e26ea2b20a1c4334648daa9a2c142b99fe0c27f31eb53e83e856d
Opcode Fuzzy Hash: 3513d2af45e6240a0d0531d222129c39ee3681c2f506e4d79ab3159715fa7836
Instruction Fuzzy Hash: C6B09B76A0C2006DE705DEE5645153877D4D7C47103B14877F100D65C1D93C94108519

Function 00407493 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407495), ref: 00407488

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a150b1ccc28004dcf137bb0f7729195edfbe3cd1821f17504bb802deebb031e2
Instruction ID: c7febe38ef9f985557de65a49c8e3beabd1cb56d23a205183508381f5ecd03fa
Opcode Fuzzy Hash: a150b1ccc28004dcf137bb0f7729195edfbe3cd1821f17504bb802deebb031e2
Instruction Fuzzy Hash: EEA022A8C08008BACE00EEE88080A3C33A82A883003C008E23200B2082C03CE000820B

Function 00406DC0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00406DBC,?,00406A99,?,?,0040959C,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE), ref: 00406DC2

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: d44d7a6884596ca32ea416b380b4e8946229468d7e659b1743621721cd4621d4
Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
Opcode Fuzzy Hash: d44d7a6884596ca32ea416b380b4e8946229468d7e659b1743621721cd4621d4
Instruction Fuzzy Hash:

Function 0040838C Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0040841C

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4fb7b38294bdf3fcfaab8189c6b2d31175aea6f156bf412ec83bea8fb86574a1
Instruction ID: 68aadeca7c52aa1374545c41b60170f14cbd4c45bc0c673343149efe9cc76684
Opcode Fuzzy Hash: 4fb7b38294bdf3fcfaab8189c6b2d31175aea6f156bf412ec83bea8fb86574a1
Instruction Fuzzy Hash: 7B116D716042059BDB00EF19C981B4B37A4AF84359F04847EF998AF2C7DF78D8058B6A

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
Opcode Fuzzy Hash: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8

Function 004079C4 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 004079D4

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
Instruction ID: 1333f047c66b0d9688efca9d11da816c999e90cdcd736c06211d3ba452c28d9f
Opcode Fuzzy Hash: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
Instruction Fuzzy Hash: B4D0A7D1B00A6007E315F2BF498964B92C85F88655F08843BF685E73D1D67CAC00D38D

Function 00408334 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00408319), ref: 0040834B

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
Instruction ID: 2902acfab023b9b2f0de86f7a78627cda5d54dfc4b924a21aa22279fbea0049e
Opcode Fuzzy Hash: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
Instruction Fuzzy Hash: 64D002B17553046FDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6F775D8008B14

Non-executed Functions

Function 004098E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004098F7
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004098FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409916
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040993D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 00409942
ExitWindowsEx.USER32(00000002,00000000), ref: 00409953

Strings

SeShutdownPrivilege, xrefs: 0040990F

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
Instruction ID: c716305aa6b255ea0f8bf04b803605974c64d9a32ef9e4c16490a57abd096404
Opcode Fuzzy Hash: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
Instruction Fuzzy Hash: 17F062B0284302B6E610AAB18C07F2722885B81B18F40493EB711F52C3D7BDD904866F

Function 0040A0D4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A0DE
SizeofResource.KERNEL32(00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040A0F1
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000), ref: 0040A103
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132), ref: 0040A114

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
Instruction ID: 6e0ad9993521ca4487a6dc9182c9ec88a9d7ecf9898e216691337b01ea42cf55
Opcode Fuzzy Hash: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
Instruction Fuzzy Hash: 92E0EA9078970725EAA136E608D6B6B10884BB578EF40113ABB14B92C3DDBC8C14516E

Function 004056A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
Instruction ID: 0ac2273093169a9723f5a49d7def2a1a0e4efde15c2d8dcba0568209acb81ea7
Opcode Fuzzy Hash: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
Instruction Fuzzy Hash: 34D05EA631E6502AE310519B2D85EBB4EACCAC57A4F54483BF64CD7252D2248C069776

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748

Function 00408888 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 388b29b0a79f5f19ed4b4953a6a76f47c3e14b9604a8131d453ab3a085cd796f
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: BC32E675E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF54

Function 004074A0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 004074C9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004074CF
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 0040751D

Strings

kernel32.dll, xrefs: 004074C4
GetUserDefaultUILanguage, xrefs: 004074BF
.DEFAULT\Control Panel\International, xrefs: 004074F4
Control Panel\Desktop\ResourceLocale, xrefs: 0040752C
Locale, xrefs: 0040750C

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
Instruction ID: b0f7b576ff72b1c2059ac61aa9c71175e867ef76c41006bc9f97b140b7c9741a
Opcode Fuzzy Hash: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
Instruction Fuzzy Hash: 02215470E04209BBDB00EAE5CC55ADE77A8AB44304F508877A900F36C1E77CBA01C75A

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 00405814 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405A5C,?,?,?,?,00000000,00000000,00000000,?,00406A3B,00000000,00406A4E), ref: 0040582E

Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A

Part of subcall function 004056A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB

Strings

m/d/yy, xrefs: 004058FD
mmmm d, yyyy, xrefs: 0040591F
AMPM, xrefs: 004059F9
:mm, xrefs: 00405A10
:mm:ss, xrefs: 00405A2A

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
Instruction ID: 1f8fb3564ea85801462352e9f704d9e8acf1e4fd8595550e023c4eac14c4b858
Opcode Fuzzy Hash: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
Instruction Fuzzy Hash: 2B513E34B006486BDB00FAA58C81A8F77A9DB99304F50857BA515BB3C6CA3DDA098F5C

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 0040A128 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A15D

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A141
Setup, xrefs: 0040A14D

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
Instruction ID: 9b5d989b58a55d658cadae164e54e3781760331d38193a884cd145b826483737
Opcode Fuzzy Hash: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
Instruction Fuzzy Hash: 87E065302443087EE312EA629C13F5E7BACE789B54F614477F500B55C1D6795E10D46D

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040AAAE), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040AAAE), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.1468243217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1468229563.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468258266.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1468271776.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD

Analysis Process: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmpPID: 3360, Parent PID: 432COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	80

Executed Functions

Function 0042E4EC Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E526
GetVersion.KERNEL32(00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E543
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E55C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E562
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E577
FreeSid.ADVAPI32(00000000,0042E6D7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E6CA

Strings

CheckTokenMembership, xrefs: 0042E552
advapi32.dll, xrefs: 0042E557

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: deafe6b7757909291430a7e68a5a22869ae20224b631ead964b334e030043609
Instruction ID: 33373ee259e646c263c3edb0d375fd355344fbe6f0fea3053a31bb261822ccd7
Opcode Fuzzy Hash: deafe6b7757909291430a7e68a5a22869ae20224b631ead964b334e030043609
Instruction Fuzzy Hash: 33518371B44619AEDB10EAE69842B7F77ACDB19304FD4047BB500F72C2D57CD904876A

Function 00450994 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509BF

Part of subcall function 00450964: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045097C

LoadLibraryA.KERNEL32(00000000,00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509FB
GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450A19
GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 00450A2E
GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450A43
GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450A58
GetProcAddress.KERNEL32(00000000,RmRestart), ref: 00450A6D
GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450A82

Strings

RmStartSession, xrefs: 00450A0E
RmEndSession, xrefs: 00450A77
RmShutdown, xrefs: 00450A4D
RmGetList, xrefs: 00450A38
Rstrtmgr.dll, xrefs: 004509E8
RmRegisterResources, xrefs: 00450A23
RmRestart, xrefs: 00450A62

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 2754715182-3419246398
Opcode ID: 48feb3d18bb3249ae5a53bbacc216d9b6c25640ebcfb5a938a283db57bcc8296
Instruction ID: 7e76809d132c55fa29070b713de61cc7a3e08993567f6b48a797f9432d6667d5
Opcode Fuzzy Hash: 48feb3d18bb3249ae5a53bbacc216d9b6c25640ebcfb5a938a283db57bcc8296
Instruction Fuzzy Hash: 58212AB4A00304AEE710FBA5EC86A6E77F8E764755F50053BB810A71A3D6789D49CB1C

Function 0042405C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c1d4311efb6c65e198997e93c19565dd4c2e83c258eeb41370f625f2e8048b
Instruction ID: 43e49367b0b6739e18dd975752e7d81306140be7a57883210305ee73c05c6530
Opcode Fuzzy Hash: 21c1d4311efb6c65e198997e93c19565dd4c2e83c258eeb41370f625f2e8048b
Instruction Fuzzy Hash: 59E16E30704124EFD710DB6AE685A5DB7F4EF84314FA540A6F6859B392CB38EE81DB09

Function 004531A4 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E1
GetLastError.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E9

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 463e487d8d9145aa6576d943d4051b9a59c7b8ef21b6fe351ba6d4d416e364c7
Instruction ID: d0bf465202dae3429285692917932fac375c13b7b10a14b33624456fe0da4cd4
Opcode Fuzzy Hash: 463e487d8d9145aa6576d943d4051b9a59c7b8ef21b6fe351ba6d4d416e364c7
Instruction Fuzzy Hash: FEF02371A046047BCB10DF7AAC0145EF7ACDB4577675046BBFC14D3291DB784F088558

Function 004089B8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
Instruction ID: 37d1d3aac47cb6b8cd62020f591dd9ac8cec50bf03644e7f1bddec785b1dbc63
Opcode Fuzzy Hash: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
Instruction Fuzzy Hash: 63E0227170021452C315A91A8C82AFAB24C9B18314F00427FB948E73C3EDB89E8042ED

Function 00423FD4 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245A1,?,00000000,004245AC), ref: 00423FFE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
Instruction ID: 626c949ff67c0b5daba62b8ffba664747ea83a29b03f4787c3cb7294a8149fcf
Opcode Fuzzy Hash: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
Instruction Fuzzy Hash: 9CF0B379205608AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234EE808F94

Function 0042F9C0 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F9DC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
Instruction ID: 416a4692ed3cb8c0a12f59f0b22837e163b9cfd3c66ebd18f18690eb3ad7abe4
Opcode Fuzzy Hash: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
Instruction Fuzzy Hash: 07D0A7B220010C7FDB00DE98D840D6B33BC9B8C700B90C826F945C7241D234EDA0CBB8

Function 004063F4 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 174
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406655
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040666B
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406676

Strings

userenv.dll, xrefs: 004064DF
setupapi.dll, xrefs: 00406502
SetSearchPathMode, xrefs: 0040664F
kernel32.dll, xrefs: 0040640A
dwmapi.dll, xrefs: 0040656B
version.dll, xrefs: 004065D4
SetProcessDEPPolicy, xrefs: 00406665
apphelp.dll, xrefs: 00406525
propsys.dll, xrefs: 00406548
SetDefaultDllDirectories, xrefs: 00406425
uxtheme.dll, xrefs: 004064BC
cryptbase.dll, xrefs: 0040658E
oleacc.dll, xrefs: 004065B1
profapi.dll, xrefs: 004065F7
clbcatq.dll, xrefs: 0040663D
SetDllDirectoryW, xrefs: 0040644D
comres.dll, xrefs: 0040661A

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-2388063882
Opcode ID: 5389efc0ffea24bf8a606d939aa13ccb9694e00964d43272de38489a6f5244ea
Instruction ID: 52ceb319b1b10a2745084cc2a18598c2ecefae742a63aceaaee3a2f28509b87b
Opcode Fuzzy Hash: 5389efc0ffea24bf8a606d939aa13ccb9694e00964d43272de38489a6f5244ea
Instruction Fuzzy Hash: 7061F130A00109EBCB01FBA6D982D8E77B9AB44709B214077B405772E6DB3DEF199B5D

Function 00484E68 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484EF9

Strings

GetNativeSystemInfo, xrefs: 00484E80
kernel32.dll, xrefs: 00484E74
advapi32.dll, xrefs: 00484ED7
GetSystemWow64DirectoryA, xrefs: 00484EC3
IsWow64Process, xrefs: 00484E96
RegDeleteKeyExA, xrefs: 00484ED2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: a9e7c72b88ffdf774222e8b1eec2b6d32a2bc4fa4b8ab495cd5abb19adf26cf6
Instruction ID: 19f93fc1e60286517b98713993879556ba5b021e510ed05db2a10d1898c9039d
Opcode Fuzzy Hash: a9e7c72b88ffdf774222e8b1eec2b6d32a2bc4fa4b8ab495cd5abb19adf26cf6
Instruction Fuzzy Hash: E8110351109353A4E721B3796E46B7F25889B8031CF080C7F7B84666C6EA7CC845833F

Function 0047D978 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DCE8: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0045451C,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D), ref: 0042DCFB

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042DD40: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
Part of subcall function 0042DD40: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60

SHGetKnownFolderPath.SHELL32(0049BD44,00008000,00000000,?,00000000,0047DC4C), ref: 0047DB52
CoTaskMemFree.OLE32(?,0047DB95), ref: 0047DB88

Part of subcall function 0042D658: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DE8E,00000000,0042DF20,?,?,?,0049D62C,00000000,00000000), ref: 0042D683

Strings

CommonFilesDir, xrefs: 0047DA7A, 0047DAF6
Failed to get path of 64-bit Common Files directory, xrefs: 0047DB18
\Program Files, xrefs: 0047DA67
ProgramFilesDir, xrefs: 0047DA40, 0047DAC7
Failed to get path of 64-bit Program Files directory, xrefs: 0047DAE9
cmd.exe, xrefs: 0047DC06
Common Files, xrefs: 0047DAB1
SystemDrive, xrefs: 0047D9DF
COMMAND.COM, xrefs: 0047DC27

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 3771764029-544719455
Opcode ID: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
Instruction ID: 0fe7c2c5921331aa3b985ab989dbf77b3a087c61dea5e3792aec770f31e1cce1
Opcode Fuzzy Hash: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
Instruction Fuzzy Hash: A061B234E24204AFDB11EFA6D84269E7B78EF84318F51C57BE404AB391D77CAA41CA1D

Function 0047E184 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 104
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047E2B1

Strings

Failed to get address of SHGetFolderPath function, xrefs: 0047E2C2
SHGetFolderPathA, xrefs: 0047E2A6
Failed to load DLL "%s", xrefs: 0047E294
2, xrefs: 0047E1F3
_isetup\_shfoldr.dll, xrefs: 0047E222
SHFOLDERDLL, xrefs: 0047E22F
shell32.dll, xrefs: 0047E24F
shfolder.dll, xrefs: 0047E1BF

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryProcSystem
String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 996212319-3422985891
Opcode ID: f69e38f6b699ed73f32ac96f2dd1254bf471a540d8ea9ce7556b74a8ed90f622
Instruction ID: 9758cc0716918fe71002c31ee1435c1447d2ac946059de1b269defc554b01a12
Opcode Fuzzy Hash: f69e38f6b699ed73f32ac96f2dd1254bf471a540d8ea9ce7556b74a8ed90f622
Instruction Fuzzy Hash: C9415830A00119DFDB10DFA6C9415DE77B8FB48309F50C9BBE414A7252D7389E05CB59

Function 00423CC4 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F814: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832

GetClassInfoA.USER32(00400000,00423ACC), ref: 00423CEF
RegisterClassA.USER32(0049B630), ref: 00423D07
GetSystemMetrics.USER32(00000000), ref: 00423D29
GetSystemMetrics.USER32(00000001), ref: 00423D38
SetWindowLongA.USER32(004108B0,000000FC,00423ADC), ref: 00423D94
SendMessageA.USER32(004108B0,00000080,00000001,00000000), ref: 00423DB5
GetSystemMenu.USER32(004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DC0
DeleteMenu.USER32(00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DCF
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423DDC
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423DF2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: 3116a5487ebf53a9d66fce753d5cf134baefce0d2e8bfc1e8daa4fcba584e635
Instruction ID: 7df3f4c256e16cf88ed5bb8a347b5b3a25df550de305930316ee8fcfc6e0617b
Opcode Fuzzy Hash: 3116a5487ebf53a9d66fce753d5cf134baefce0d2e8bfc1e8daa4fcba584e635
Instruction Fuzzy Hash: 203164B17502106AEB10AF65DC86F6A3698D714709F60017AFA40EF2D7C6BDED40476D

Function 00482C40 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000), ref: 00482DFD
FreeLibrary.KERNEL32(00000000), ref: 00482E11
SendNotifyMessageA.USER32(000103E6,00000496,00002710,00000000), ref: 00482E83

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 00482E32
Deinitializing Setup., xrefs: 00482C5E
Restarting Windows., xrefs: 00482E5E
DeinitializeSetup, xrefs: 00482CF9
GetCustomSetupExitCode, xrefs: 00482C9D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 9c2bbffa538aa2e5b055a523d915f2d38be36e5908d6c0a026212498e4b0fc52
Instruction ID: 87ca8a1097935e6c4637b022688acffdd958b69fb8a4991d3dc3ea9519d40e2c
Opcode Fuzzy Hash: 9c2bbffa538aa2e5b055a523d915f2d38be36e5908d6c0a026212498e4b0fc52
Instruction Fuzzy Hash: F851AA30600200EFD711EF6AD949B6E7BE4EB19718F51897BE800D72A1DBB89C45CB5D

Function 0042FA00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0042FA2F
GetFocus.USER32 ref: 0042FA37
RegisterClassA.USER32(0049B7AC), ref: 0042FA58
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB2C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FA96
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FADC
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FAED
SetFocus.USER32(00000000,00000000,0042FB0F,?,?,?,00000001,00000000,?,00458B4E,00000000,0049D62C), ref: 0042FAF4

Strings

TWindowDisabler-Window, xrefs: 0042FA8F, 0042FAD5

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: 3c7406693a806fc702599f26db20f40cbea2d46a7ea9eeed4cdd03095dd28fc9
Instruction ID: be32ada46e774ba6914a87ad40c025b2c9e25f6d11d521099bf08b28c91ad89a
Opcode Fuzzy Hash: 3c7406693a806fc702599f26db20f40cbea2d46a7ea9eeed4cdd03095dd28fc9
Instruction Fuzzy Hash: E121B570B40720BAE210EB65EC03F1A76B4EB04B04FA1813BF504BB2D1D7B96C1487AD

Function 00453934 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976

Strings

Wow64RevertWow64FsRedirection, xrefs: 00453966
kernel32.dll, xrefs: 00453951, 0045396B
Wow64DisableWow64FsRedirection, xrefs: 0045394C
shell32.dll, xrefs: 004539B3

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 1fb098f05e18c104bfd33b87b24b51fb30a113402864c12f9b3e2886ec2a11b3
Instruction ID: a193a4472c2853cf72940ff7690ab9972ac4b2f80f688c1a00737a0c34b4483d
Opcode Fuzzy Hash: 1fb098f05e18c104bfd33b87b24b51fb30a113402864c12f9b3e2886ec2a11b3
Instruction Fuzzy Hash: B211E3B0A00244BBDB00EF66DC03F5E7BA8D70475AF60447BF84166282D6BC9F088A2D

Function 00430DE0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430DE8
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430DF7
GetCurrentThreadId.KERNEL32 ref: 00430E11
GlobalAddAtomA.KERNEL32(00000000), ref: 00430E32

Strings

commdlg_help, xrefs: 00430DE3
WndProcPtr%.8X%.8X, xrefs: 00430E23
commdlg_FindReplace, xrefs: 00430DF2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 3d8cc781ee18fa8c952338c7aeccd5cde5f7178f92cefd0c0b13886a56b953da
Instruction ID: dd09876b0f9c3184917b018614b917cdad608ae665b29eb2c15b2e3af62d5cdc
Opcode Fuzzy Hash: 3d8cc781ee18fa8c952338c7aeccd5cde5f7178f92cefd0c0b13886a56b953da
Instruction Fuzzy Hash: 98F082B09483409ED300EF26890371A7AE0AB58708F404F3FB48CA2291D7399910CB1F

Function 00455778 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994,00000000), ref: 00455922
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994), ref: 0045592F

Part of subcall function 004556E4: WaitForInputIdle.USER32(?,00000032), ref: 00455710
Part of subcall function 004556E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455732
Part of subcall function 004556E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
Part of subcall function 004556E4: CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761

Strings

.cmd, xrefs: 00455823
COMMAND.COM" /C , xrefs: 0045588C
D, xrefs: 004558C0
cmd.exe" /C ", xrefs: 00455855
.bat, xrefs: 00455808

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 73fd1b88a1d83c3c694b0698d8f27993cd14c46a6ca70bf0dbfba164b18fe5ee
Instruction ID: 19165e213e9236b89a5b086241af4e71530f18fc7e42ed674525c8849c01d6f6
Opcode Fuzzy Hash: 73fd1b88a1d83c3c694b0698d8f27993cd14c46a6ca70bf0dbfba164b18fe5ee
Instruction Fuzzy Hash: F4514A7060074DABDB11EF96C892BEEBBB9AF44315F50403BF804BB282D77C99198759

Function 00423ADC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
OemToCharA.USER32(?,?), ref: 00423BAC
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC

Strings

MAINICON, xrefs: 00423B61
2, xrefs: 00423B3A

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 5bb029359a14fe80b98f3d31a1bddee7a09f53b94ef6d4528e1ea31487fdaa44
Instruction ID: e5d3831d9b5483d4bbbd2f836839ca6b10e9aa02fde8f17f2ef2fb4492c3d901
Opcode Fuzzy Hash: 5bb029359a14fe80b98f3d31a1bddee7a09f53b94ef6d4528e1ea31487fdaa44
Instruction Fuzzy Hash: 6031A271A042549ADB10EF29C8C57C67BE8AF14308F4045BAE844DB383D7BED988CB59

Function 00419388 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 0041938D
GlobalAddAtomA.KERNEL32(00000000), ref: 004193AE
GetCurrentThreadId.KERNEL32 ref: 004193C9
GlobalAddAtomA.KERNEL32(00000000), ref: 004193EA

Part of subcall function 00423518: GetDC.USER32(00000000), ref: 0042356E
Part of subcall function 00423518: EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
Part of subcall function 00423518: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423589
Part of subcall function 00423518: ReleaseDC.USER32(00000000,00000000), ref: 00423594

Part of subcall function 00423ADC: LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
Part of subcall function 00423ADC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
Part of subcall function 00423ADC: OemToCharA.USER32(?,?), ref: 00423BAC
Part of subcall function 00423ADC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC

Part of subcall function 0041F568: GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
Part of subcall function 0041F568: SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
Part of subcall function 0041F568: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
Part of subcall function 0041F568: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD

Strings

Delphi%.8X, xrefs: 0041939F
ControlOfs%.8X%.8X, xrefs: 004193DB

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: f95d04e94164b50ac2ab58baf663b117a75a9c0d8836e65ac0a83676a8f573fc
Instruction ID: 7870b9ea93aa7f75565cd31cdf92f475c288cd9ab0443d66b722f1effdfa130a
Opcode Fuzzy Hash: f95d04e94164b50ac2ab58baf663b117a75a9c0d8836e65ac0a83676a8f573fc
Instruction Fuzzy Hash: 8D112C70A182419AC300FF36D44279A7AE09BA430CF50893FF488AB3A1DB3D9D458B5E

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049D420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049D420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049D420,00401B6F), ref: 00401B62

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
Instruction ID: 86217af8f0c65890f5da76d4fe10d609cc5e2f7049d93a5e71f2b830536aceac
Opcode Fuzzy Hash: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
Instruction Fuzzy Hash: 7A11BF70E003405AEB15AB659D82B267BE4976570CF44007BF50067AF1D77CB840C76E

Function 0047DEA0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF33
GetLastError.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF3C

Strings

Created temporary directory: , xrefs: 0047DED5
_isetup, xrefs: 0047DF1E
\_setup64.tmp, xrefs: 0047DFAE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 3cf7176a2f833250ea6f039e9bac44038ac4a0ff8092d6bf07e5b81213f8e26d
Instruction ID: ecaa8d991a706e785fb0a456308ec2ceb04ba6e672c042181299f5b248b5f278
Opcode Fuzzy Hash: 3cf7176a2f833250ea6f039e9bac44038ac4a0ff8092d6bf07e5b81213f8e26d
Instruction Fuzzy Hash: A2414634A101099BCB01EF95DC81ADEB7B9EF44309F50847BE901B7392DB38AE05CB69

Function 00454868 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 200fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000), ref: 00454A8A
FindClose.KERNEL32(000000FF,00454AB5,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000,00000000), ref: 00454AA8

Strings

.H, xrefs: 00454B14, 004548F1, 00454902, 004548D4
.H, xrefs: 00454AB5, 00454A2F, 00454A32

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: .H$ .H
API String ID: 2066263336-1676226347
Opcode ID: b812543ddd1e95e384549bb7c1e7a692720bc7ce5864c938cf5b8a0bd1faa7d1
Instruction ID: 86a97b531f1ad2b4b7463d4220b8e0547854eedc1a857b6a9afda59406c2b972
Opcode Fuzzy Hash: b812543ddd1e95e384549bb7c1e7a692720bc7ce5864c938cf5b8a0bd1faa7d1
Instruction Fuzzy Hash: CF81A43490428DAFCF11DF65C8417EFBBB4AF89309F1440A6D8546B392C3399E8ACB58

Function 00452C54 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

75381520.VERSION(00000000,?,?,?,?), ref: 00452C74
75381500.VERSION(00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CA1
75381540.VERSION(?,00452D18,?,?,00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CBB

Strings

)-E, xrefs: 00452CFF, 00452CC7

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: 753815007538152075381540
String ID: )-E
API String ID: 3367396946-3997256589
Opcode ID: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
Instruction ID: 50707f88950aac898d8c4389756beb7c92bb5193b179b1fc1fca76f0aa7be7f8
Opcode Fuzzy Hash: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
Instruction Fuzzy Hash: 2B219275A00648AFDB01DAA99D419AFB7FCEB4A301F554077FC00E3282D6B99E088769

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Runtime error at 00000000, xrefs: 00404DBE, 00404DD1
Error, xrefs: 00404DB9

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
Instruction ID: c00c8b1b907268fe45c84c5108a6570d36dd98a08fca56cdb76ff5d345661702
Opcode Fuzzy Hash: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
Instruction Fuzzy Hash: 8F21D360E452418ADB10AB75ED8171A3B8097F930CF04817BE700B73E2C67CD84687AE

Function 00423ED4 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423E6C), ref: 00423EF8
GetWindow.USER32(?,00000003), ref: 00423F0D
GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
Instruction ID: 800f3c7d6b650a9444741cf3b456662361ea129bec99247a5177c247b1bc03b7
Opcode Fuzzy Hash: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
Instruction Fuzzy Hash: 5B117071B04610ABDB109F28ED85F5673F4EB08715F12026AF9649B2E2C37CDD40CB58

Function 00423518 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042356E
EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423589
ReleaseDC.USER32(00000000,00000000), ref: 00423594

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
Instruction ID: 3e91f746c00fb2f600ae5fc17e333cd129bb14a9c5a67b8d5949c9a763c02f3d
Opcode Fuzzy Hash: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
Instruction Fuzzy Hash: 5C019EB17457102AE710BF6A5C82B9B37A49F0531DF40427FF908AB3C2DA7E990547AE

Function 004556E4 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 00455710
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455732
GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
Instruction ID: d914ecb4f604d225e93de076450c6742835d04a0b91abb11bcb899d5d614385b
Opcode Fuzzy Hash: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
Instruction Fuzzy Hash: 6101B570A40A09FEEB20A7A58D16F7F7BADDB49760F610167F904D32C2C6789D00CA68

Function 004019CC Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 6924fe21b1383dcef356c9aa5819c214f6a77f33e1d4e548cd75cfb9fc70e511
Instruction ID: 7339f3ebbe1eed2a5a633cb922c09bf0bd68a71b88021a6e55e3f3fb74b7268e
Opcode Fuzzy Hash: 6924fe21b1383dcef356c9aa5819c214f6a77f33e1d4e548cd75cfb9fc70e511
Instruction Fuzzy Hash: AB01CCB0E482405EFB19AF699902B293FD4D799748F51803BF441A7AF1CA7C6840CB2E

Function 0047E054 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047E075
GetLastError.KERNEL32 ref: 0047E07F
GetTickCount.KERNEL32 ref: 0047E089
Sleep.KERNEL32(00000032), ref: 0047E099

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 9058e7e476f03d8e95d8f18454d4e24bc94f2ef3d9c0d2f85b863d506517b458
Instruction ID: 9be5390d37519caeffefa09d8943b7800c28e667e42796fceef54f4227176e6c
Opcode Fuzzy Hash: 9058e7e476f03d8e95d8f18454d4e24bc94f2ef3d9c0d2f85b863d506517b458
Instruction Fuzzy Hash: 28E0E5213092A855C63035BB58C26AF45C9DA89768B244ABFE088D6283C89C4C05652E

Function 0049A490 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356

Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
Part of subcall function 004063F4: GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453

Part of subcall function 00406814: 6FB81CD0.COMCTL32(0049A4AD), ref: 00406814

Part of subcall function 00410BB4: GetCurrentThreadId.KERNEL32 ref: 00410C02

Part of subcall function 00419490: GetVersion.KERNEL32(0049A4C6), ref: 00419490

Part of subcall function 0044FD1C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
Part of subcall function 0044FD1C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D

Part of subcall function 004501E8: GetVersionExA.KERNEL32(0049D794,0049A4DF), ref: 004501F7

Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976

Part of subcall function 00457850: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA

Part of subcall function 00465214: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
Part of subcall function 00465214: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265

Part of subcall function 0046DAB0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB

Part of subcall function 00479E68: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B

Part of subcall function 00485374: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485

Part of subcall function 0049749C: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004974B5

SetErrorMode.KERNEL32(00000001,00000000,0049A554), ref: 0049A526

Part of subcall function 0049A250: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
Part of subcall function 0049A250: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260

Part of subcall function 00424924: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424943

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

ShowWindow.USER32(?,00000005,00000000,0049A554), ref: 0049A587

Part of subcall function 004839B4: SetActiveWindow.USER32(?), ref: 00483A62

Strings

Setup, xrefs: 0049A56D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
String ID: Setup
API String ID: 56708735-3839654196
Opcode ID: 5ebf63c816ce0926393bda34e310f182705e6753737ca883e7f4fbe973062e60
Instruction ID: 2627a5300f3eb19f067de96b875d46ae0be93d5911e26a22e66c9acfb87dca20
Opcode Fuzzy Hash: 5ebf63c816ce0926393bda34e310f182705e6753737ca883e7f4fbe973062e60
Instruction Fuzzy Hash: AA31B3712046409EDB01BBB7AC1391D3BA8EB8971CB62487FF90486563DE3D5C24867F

Function 0045418C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541D2
GetLastError.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541DB

Strings

.tmp, xrefs: 004541BB

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: cd2a3252ecaf260815823af67aa2b094056b5513c9df15a8aebd7a9e3b97fefd
Instruction ID: f8da180511d522ff1cc3db6e91f047bd7ddaecfb92c8c1642a91e8309ff3a61b
Opcode Fuzzy Hash: cd2a3252ecaf260815823af67aa2b094056b5513c9df15a8aebd7a9e3b97fefd
Instruction Fuzzy Hash: 19214E75A002189BDB01EFA1C8465DEB7BDEF44305F50457BF801B7382D67C5E458BA9

Function 00485374 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
Part of subcall function 00484E68: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
Part of subcall function 00484E68: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2

Part of subcall function 00485194: GetVersionExA.KERNEL32(?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851A2
Part of subcall function 00485194: GetVersionExA.KERNEL32(0000009C,?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851F4

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485

Strings

shell32.dll, xrefs: 0048546D
SHGetKnownFolderPath, xrefs: 00485452

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 1303913335-2936008475
Opcode ID: 30b2113fc11c108fefb6c9d7cc484c8701cb0e3681c30726207d50507da89b68
Instruction ID: 7070cd684f6103364e9f8a31a7d8965128adaac247882cc77746aeeddc076857
Opcode Fuzzy Hash: 30b2113fc11c108fefb6c9d7cc484c8701cb0e3681c30726207d50507da89b68
Instruction Fuzzy Hash: F9215E70600200ABC711FFAF995674E37A4EB9570CB51993FF400AB2D1D77DA8059B6E

Function 0045304C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 00453083
GetLastError.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 0045308B

Strings

@8H, xrefs: 004530B9

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: @8H
API String ID: 2018770650-3762495883
Opcode ID: 740164d06d4b5ecf50d785a3f514d94b90e51079369cdd24e5e2a0e59ac3d097
Instruction ID: 483a50349848f844724b37c9089874c2f5155cc8dca7ffd3c90c1c5b4081c312
Opcode Fuzzy Hash: 740164d06d4b5ecf50d785a3f514d94b90e51079369cdd24e5e2a0e59ac3d097
Instruction Fuzzy Hash: 74F0C871A04708AFCB01DFB9AC4249EB7ECDB0975675045B7FC04E3282EB785F188599

Function 00453554 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 0045358B
GetLastError.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 00453593

Strings

@8H, xrefs: 004535C1

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID: @8H
API String ID: 377330604-3762495883
Opcode ID: 3231ec27617ec579b03d87c8a7638ffef7de7386d21531307dfc59fc3638464b
Instruction ID: 7fd71ab76445d730fbf8dcc8275d2678ef65a3f2b88ec35f2c7a4b5c8e56db9b
Opcode Fuzzy Hash: 3231ec27617ec579b03d87c8a7638ffef7de7386d21531307dfc59fc3638464b
Instruction Fuzzy Hash: B2F0C271A04608BBCB01EFB9AC4249EB7E8EB0975675049BBFC04E3242F7785F088598

Function 00457850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004577E0: CoInitialize.OLE32(00000000), ref: 004577E6

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA

Strings

shell32.dll, xrefs: 00457892
SHCreateItemFromParsingName, xrefs: 00457877

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 1013667774-2320870614
Opcode ID: 1792bbe59ceac3f7532cfc20468d2190806302f686f303ce2f9deea7295c62da
Instruction ID: 9566a5db5de29e1f96e1247fa15de811f0c6c8f84fbefe9709ba2c3b4718617c
Opcode Fuzzy Hash: 1792bbe59ceac3f7532cfc20468d2190806302f686f303ce2f9deea7295c62da
Instruction Fuzzy Hash: 4DF03670604608BBE701FBA6E842F5D7BACDB45759F604477B800A6592D67CAE04C92D

Function 0046DAB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB

Strings

shell32.dll, xrefs: 0046DAE3
SHPathPrepareForWriteA, xrefs: 0046DAC8

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2552568031-2683653824
Opcode ID: 2d5343be83e8358071b9bd9d4eaaac5a82e789fda822a879ea0601a38230bab5
Instruction ID: 91b75a77547c13e1772f921c750cf7bd45708da1ec0dc58a0f4cb33c0377533c
Opcode Fuzzy Hash: 2d5343be83e8358071b9bd9d4eaaac5a82e789fda822a879ea0601a38230bab5
Instruction Fuzzy Hash: B5F04430B04608BBD700EF52DC52F5DBBACEB45B14FA14076B40067595E678AE048A2D

Function 0047D8E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047DC36,00000000,0047DC4C), ref: 0047D946

Strings

RegisteredOrganization, xrefs: 0047D935
RegisteredOwner, xrefs: 0047D923

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 4417b24f936b773814fa274ae0962c207b01253452d24554fe1b7e397a44036f
Instruction ID: 03cfcff152a519ea80d4f5543ba1c5a79f91faf414c5488bd5ec988fdc31f9f9
Opcode Fuzzy Hash: 4417b24f936b773814fa274ae0962c207b01253452d24554fe1b7e397a44036f
Instruction Fuzzy Hash: B6F0BBB0B042449BDB04D667AC93BDB37B9CB41308F24847BA2459B392D67C9D00D75D

Function 0047E0A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0047E0F2

Strings

Failed to remove temporary directory: , xrefs: 0047E10B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory:
API String ID: 536389180-3544197614
Opcode ID: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
Instruction ID: ac5e1a37918f7d070e72ace47ef54387b1d6805ebc6ff4ed15476670fa48ed12
Opcode Fuzzy Hash: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
Instruction Fuzzy Hash: 5A017930604204AADB11EB73DC47FDA3798DB49709F6089BBB504B62E2DBBC9D04D55C

Function 00402E70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

RtlUnwind.KERNEL32(?,?,Function_00002E70,00000000,?,?,Function_00002E70,?), ref: 00402EDC

Part of subcall function 00402D90: RaiseException.KERNEL32(0EEDFAD4,00000000,00000002), ref: 00402DA6

Strings

/@, xrefs: 00402EB7

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaiseUnwind
String ID: /@
API String ID: 478881706-2472096700
Opcode ID: 499441b971b57391d74a26d503e0120d5b334c1de8607420bc0463d9fe128394
Instruction ID: 9ce5d78024ec260da94c0a854ad992de276e46e661de1c3f6cf596ac2f908521
Opcode Fuzzy Hash: 499441b971b57391d74a26d503e0120d5b334c1de8607420bc0463d9fe128394
Instruction Fuzzy Hash: 260139B0200201AFD310DB55CA89F27B7F9EF88744F15C5B9B508672E1C774EC40CA69

Function 0047D800 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047DA4C,00000000,0047DC4C), ref: 0047D845

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047D815

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: e9682fbab4657f03bea14a90e8bd788d9062128f143b0ad79c7d71c705787334
Instruction ID: 9e1ac37bc360ea69ca44dde089ba04ba4b826bb97de6a423fadd5e819c649f8f
Opcode Fuzzy Hash: e9682fbab4657f03bea14a90e8bd788d9062128f143b0ad79c7d71c705787334
Instruction Fuzzy Hash: 09F08231B04114A7DB00B69A9C42BAEA7AC8F84758F20807BF519EB242D9B99E0143AD

Function 0042E26C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042E286

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
Instruction ID: 65e6a506820a5022674633d18044d67bbd02e357da0c4a821f6ebd0b5300d4b8
Opcode Fuzzy Hash: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
Instruction Fuzzy Hash: B7D09272910228BBAB009A89DC41DFB77ADDB1A760F80806AF91897241D2B4AC519BF4

Function 0047F778 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047FA57,?,-0000001A,00481956,-00000010,?,00000004,0000001C,00000000,00481CA3,?,0045E364), ref: 0047F7EE

Part of subcall function 0042E76C: GetDC.USER32(00000000), ref: 0042E77B
Part of subcall function 0042E76C: EnumFontsA.GDI32(?,00000000,0042E758,00000000,00000000,0042E7C4,?,00000000,00000000,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0042E7A6
Part of subcall function 0042E76C: ReleaseDC.USER32(00000000,?), ref: 0042E7BE

SendNotifyMessageA.USER32(000103E6,00000496,00002711,-00000001), ref: 0047F9BE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: f63ddfb2871cf1e66e6cb65ad1930d9627398cbe91e727e5a4f1e93d11453290
Instruction ID: 2351f95844d6f0f86e4a4553bb1ee5652cba21286aa46acec5315b7e6dd2a420
Opcode Fuzzy Hash: f63ddfb2871cf1e66e6cb65ad1930d9627398cbe91e727e5a4f1e93d11453290
Instruction Fuzzy Hash: 865196B46001009BD710FF26D98179A37A9EB54309B50C53BA4099F3A7CB3CED4ACB9E

Function 00402088 Relevance: 3.1, APIs: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049D420,00000000,004021FC), ref: 004020CB

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: d8e299963bb2c4fed4ff4e3414f532efba3796fb7efe986e1124fe849202073f
Instruction ID: 28de6049d60bc6243b4bd9e8b7e4b04bc6e7afcf6678d0e749794f980a6998b8
Opcode Fuzzy Hash: d8e299963bb2c4fed4ff4e3414f532efba3796fb7efe986e1124fe849202073f
Instruction Fuzzy Hash: 3D41C4B2E003019FDB10CF69DE8521A77A4F7A9328F15417BD954A77E1D378A842CB48

Function 0042E050 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E08C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E0FC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb659fd4e3abd397cfb8b0300bb5eb5c22831bf077ba98013b241e0a6da047f3
Instruction ID: f9a1da9ca9b7937b0bb3d9b331acc3eaa2fb365deabda7ea02547e95fe34f262
Opcode Fuzzy Hash: fb659fd4e3abd397cfb8b0300bb5eb5c22831bf077ba98013b241e0a6da047f3
Instruction Fuzzy Hash: 77415E71E00129ABDB11DF92D881BBFB7B9EB01704F944576E814F7281D778AE01CBA9

Function 00452F2C Relevance: 3.1, APIs: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F80
GetLastError.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F88

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: 45a7ef4815598ad6d760f922fca5c8b784324ceeca6d5903799f39ea771ca291
Instruction ID: 1642ece03f316e66375c060ca7626bc18a341a32778e3b1f8c5ba0bc81bd916e
Opcode Fuzzy Hash: 45a7ef4815598ad6d760f922fca5c8b784324ceeca6d5903799f39ea771ca291
Instruction Fuzzy Hash: E7112772A04208AF8B40DEA9ED41D9FB7ECEB4E310B11456BBD08D3241D678AD159B68

Function 0041F2F4 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F343
EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
Instruction ID: ded2603fe903b3ccb75c053802ed51acc4a1ef0e0cc57bb05547c7342bcbb188
Opcode Fuzzy Hash: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
Instruction Fuzzy Hash: B2016D74A04B08BFD301CF66ED1195ABBF8F749724B22C877E854D3AA0E73459119E58

Function 0042368C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423699
LoadCursorA.USER32(00000000,00000000), ref: 004236C3

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: f140cec9cfa9b30dc2305244e4258a11cf30c4d8c1b352010c949b8b0dda8ca8
Instruction ID: 05fd857f6409e6a60644ea24615d01c87e42662e453bf4d6e4e1dfbb00014e4e
Opcode Fuzzy Hash: f140cec9cfa9b30dc2305244e4258a11cf30c4d8c1b352010c949b8b0dda8ca8
Instruction Fuzzy Hash: F2F0A7517002107ADA205E3E6CC0A2A72ADCBC1735B61437BFA2AE73D1C72D5D45556D

Function 0042E7E4 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 1888120ec642a14ddfe20f8f6a13270cb26bc9381dbb943de7a3fd9ae0886bdd
Instruction ID: 76a16bdd6934cf9e499703eeb82aeaab1faf94a78ecb328ba4f7015bbedd62a6
Opcode Fuzzy Hash: 1888120ec642a14ddfe20f8f6a13270cb26bc9381dbb943de7a3fd9ae0886bdd
Instruction Fuzzy Hash: 13F08270B14744BEDB116F779C6282BBBECE749B1079348B6F800A3A91E63C4C10C968

Function 0047DB95 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(0049BD54,00008000,00000000,?), ref: 0047DBA5
CoTaskMemFree.OLE32(?,0047DBE8), ref: 0047DBDB

Strings

CommonFilesDir, xrefs: 0047DA7A, 0047DAF6
Failed to get path of 64-bit Common Files directory, xrefs: 0047DB18
\Program Files, xrefs: 0047DA67
ProgramFilesDir, xrefs: 0047DA40, 0047DAC7
Failed to get path of 64-bit Program Files directory, xrefs: 0047DAE9
cmd.exe, xrefs: 0047DC06
Common Files, xrefs: 0047DAB1
SystemDrive, xrefs: 0047D9DF
COMMAND.COM, xrefs: 0047DC27

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 40c9fceec1849ef55c2d9e9b165fa2d81ca6f89bfe3325e062340eef34f4dc70
Instruction ID: 547cb950fcd41f41a68947569da9652c82defc7c7397c5e87919afd81bca1a0c
Opcode Fuzzy Hash: 40c9fceec1849ef55c2d9e9b165fa2d81ca6f89bfe3325e062340eef34f4dc70
Instruction Fuzzy Hash: F5E06534714640BEEB119A619D12B5977B8EB85B04FB28476F50496690D678A9009A18

Function 0040626C Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 0040626E
GlobalLock.KERNEL32(00000000), ref: 00406274

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocLock
String ID:
API String ID: 15508794-0
Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
Instruction ID: 56019af84ea84d57b40f02c4528a45173e4f1cdf38a2be340d0d32551c2e1a06
Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
Instruction Fuzzy Hash: 699002C4C01A00A4DC0072B20C0BD3F101CD8C072C3D1486F7044B6483887C88000979

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7e62aa1badbe9b7bec7abb2084251aae76f03f49734707af951965b808a3b35c
Instruction ID: a6323659c4e3f22e280215c11bf30f87fcb27bed7f3312751ebcd43238c0638b
Opcode Fuzzy Hash: 7e62aa1badbe9b7bec7abb2084251aae76f03f49734707af951965b808a3b35c
Instruction Fuzzy Hash: CCF08272A0063067EB60596A4C81B5359849BC5794F154076FD09FF3E9D6B58C0142A9

Function 00408A2C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408B62), ref: 00408A4B

Part of subcall function 0040723C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00407259

Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: bb57ecfbcf6c99401787c1e244de85808a7a992296f2a947b18206caa06ad51e
Instruction ID: 2280d21d464d6860fad4d2303e4b2489916fa30e512bd771d5ffef80d8a4ef38
Opcode Fuzzy Hash: bb57ecfbcf6c99401787c1e244de85808a7a992296f2a947b18206caa06ad51e
Instruction Fuzzy Hash: F6315275E001099BCF00EF95C8819EEB779EF84314F51857BE815BB385E738AE058B99

Function 00441834 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 0044184B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 0aa468cb5a5762bb6f279ef61ce1387cc8ae2cf3aa5b1c02f01331a8f16cbc06
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: F8F06D30604109DBEB1CEF59D4619AF7BA0EF59340B20806FE517873B0DA34AE80D658

Function 00450F08 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450F48

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 71421a353c7d946f4a8c6fccaaf9ef1ebb7d4f3a2acf703d7621df67c6c459cb
Instruction ID: 8219f7e09200e9d280371fd8822ce49b3febf2e1364c7dcaf59ee2aef9f1cf3d
Opcode Fuzzy Hash: 71421a353c7d946f4a8c6fccaaf9ef1ebb7d4f3a2acf703d7621df67c6c459cb
Instruction Fuzzy Hash: E2E0EDB53541483ED6809AAD7D42F9667DCD71A724F008033B998D7241D5619D158BE8

Function 0042D11C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042D164,?,00000001,?,?,00000000,?,0042D1B6,00000000,00453169,00000000,0045318A,?,00000000), ref: 0042D147

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
Instruction ID: 9806b9c164805e7544688198397d180b04c1e4ca63c7d3d80aa3ce68cdb407ca
Opcode Fuzzy Hash: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
Instruction Fuzzy Hash: 74E09271704704BFD701EF62DC53E6BBBECDB89B18BA14876B400E7692D6789E10D468

Function 0042ED18 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
Instruction ID: 20bfa46e39afc277729b0f592bdc1926ad718625f52f7f76be7811270f12921f
Opcode Fuzzy Hash: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
Instruction Fuzzy Hash: 0DE0206179471216F2351416AC47B77530E43C0704F944436BF50DD3E3D6AED906465E

Function 004062F8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00423ACC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00406321

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1e3b386673cc32b76f3712ab4659b14af7d7742474b1f2ca80afcc4f691b27f6
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 26E002B221430DBFDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972528675AC608B71

Function 00407360 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407374

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 56f2c6ca40c6286e2407e08fcad0208f925abe1420ed3d4fba62cc8f550d2764
Instruction ID: 7137799a8a619894c36928dc497025c8ae4ce5b7c347e91e7b4e2a044eac2fb2
Opcode Fuzzy Hash: 56f2c6ca40c6286e2407e08fcad0208f925abe1420ed3d4fba62cc8f550d2764
Instruction Fuzzy Hash: CFD05B723082507BE320A55B5C44EAB6BDCCBC5774F10063EF958D31C1D6349C01C675

Function 00423A9C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423A48: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A5D

ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7

Part of subcall function 00423A78: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423A94

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
Instruction ID: b4979a057c5364df20928e0f8112b75834207fc47edce7a1cb621b48fadbe9ee
Opcode Fuzzy Hash: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
Instruction Fuzzy Hash: E4D0A7137811703143117BB738469BF46EC4DD26AB38808BBB5C0DB303E91E8E051278

Function 00424714 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 0042472C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
Instruction ID: 0401e0c0b6f3d46f422729750133087b7afca2a32056b90ced50410e3746bfe3
Opcode Fuzzy Hash: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
Instruction Fuzzy Hash: 17D05EE27011602BCB01BAAD54C4ACA67CC8B8936AB1440BBF908EF257C638CE458398

Function 0042D1BC Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00453399,00000000,004533B2,?,-00000001,00000000), ref: 0042D1C7

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
Instruction ID: bf35e0695d646f252302ae8c05399a3b1551c06c76099583daea3b520eb86f7d
Opcode Fuzzy Hash: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
Instruction Fuzzy Hash: 3ED022D071121001DE10A0BC28C533711880B74336BA41A33BD69E26E3C33D8823542C

Function 00407310 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB24,0040D0D0,?,00000000,?), ref: 0040732D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b7ab38c9d2030f91d4c2faf0e26377bdf9e0bb8d1fc7b6e238f7ff5e282f1814
Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
Opcode Fuzzy Hash: b7ab38c9d2030f91d4c2faf0e26377bdf9e0bb8d1fc7b6e238f7ff5e282f1814
Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C

Function 0047E3D0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
Instruction ID: be2fe49a244c431ec9946715e535269e6deba234050b303873a188c7b9bcae40
Opcode Fuzzy Hash: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
Instruction Fuzzy Hash: C5C00271511210AED750DFBA9D4C75637D4A71832AF068477F40CC3160F6344840CB09

Function 0042E83F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E85D), ref: 0042E850

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
Instruction ID: 289f6c2202f902c5fbbb0b24ee8d848b414576690a26c35d590b8c03c3951524
Opcode Fuzzy Hash: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
Instruction Fuzzy Hash: A7B09B76B0C6005DF705D6D5745152D63D4D7C57203E1457BF454D35C0D93C58004918

Function 00448BC8 Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee96f6740eff3dbf417435cfc9d3f388c69a0176123ded3721ea93298cab944
Instruction ID: 95dd084d42e1a0ec26c41173bf9ec14b880c0887755d66d69d77494f4da09d79
Opcode Fuzzy Hash: 7ee96f6740eff3dbf417435cfc9d3f388c69a0176123ded3721ea93298cab944
Instruction Fuzzy Hash: 1B5157B4E041099FDB01EFA9C882AAEBBF5EB45314F50417AE504E7391DB389D45CB98

Function 0041F814 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
Instruction ID: 12b252a98648104a36852bc9e66bdd9c626d3d2234b6f24232172dde86ff5d2a
Opcode Fuzzy Hash: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
Instruction Fuzzy Hash: FA1148746007059BCB10DF19C880B82FBE4EB98350F10C53AE9588B385D374E849CBA8

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
Instruction ID: 191f0f4b7cd680364798b3dc381f6aadc2f07e0dbee61be3c45a65ffd8c3a871
Opcode Fuzzy Hash: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
Instruction Fuzzy Hash: 9E01FC766442148FC3109E29DCC0E2677E8D794378F15453EDA85673A1D37A7C4187D8

Non-executed Functions

Function 0041F568 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD
FreeLibrary.KERNEL32(00000001,?,00419440,00000000,?,?,?,00000001), ref: 0041F6BF

Strings

Ctl3dAutoSubclass, xrefs: 0041F663
Ctl3DColorChange, xrefs: 0041F68D
Ctl3dSubclassCtl, xrefs: 0041F60F
Ctl3dDlgFramePaint, xrefs: 0041F639
Ctl3dUnregister, xrefs: 0041F5FA
Ctl3dCtlColorEx, xrefs: 0041F64E
Ctl3dRegister, xrefs: 0041F5D1
Ctl3dSubclassDlgEx, xrefs: 0041F624
BtnWndProc3d, xrefs: 0041F6A2
Ctl3dUnAutoSubclass, xrefs: 0041F678
CTL3D32.DLL, xrefs: 0041F599

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 4f7f688a8a3f112daba0e3eddd409aebec5aa7d0bd61d62da445d46955fd6860
Instruction ID: 05ddd3b6a7babc3b5f2b58818bfec20f43c940fb7309246182468bed43dc01b1
Opcode Fuzzy Hash: 4f7f688a8a3f112daba0e3eddd409aebec5aa7d0bd61d62da445d46955fd6860
Instruction Fuzzy Hash: C93104B1A00604BBD710EF75BD46A6933A4F728B28B59093BB148D71A2E77C9C468F5C

Function 00458DC4 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00458E2B
QueryPerformanceCounter.KERNEL32(00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E34
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00458E3E
GetCurrentProcessId.KERNEL32(?,00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E47
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458EBD
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00458ECB
CreateFileA.KERNEL32(00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F13
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00459069,?,00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F4C

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458FF5
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045902B
CloseHandle.KERNEL32(000000FF,00459070,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459063

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

i, xrefs: 00458FA8
64-bit helper EXE wasn't extracted, xrefs: 00458E1F
CreateNamedPipe, xrefs: 00458EDB
Starting 64-bit helper process., xrefs: 00458DF9
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00458E93
D, xrefs: 00458F6E
CreateFile, xrefs: 00458F21
Helper process PID: %u, xrefs: 00459048
Cannot utilize 64-bit features on this version of Windows, xrefs: 00458E0C
SetNamedPipeHandleState, xrefs: 00458F55
CreateProcess, xrefs: 00458FFE
helper %d 0x%x, xrefs: 00458FD4

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 82c233c88e0d37a263cb0783750b3b387f228d13c71702c9729d38acfd602ae7
Instruction ID: c4bf9a6304175502231bb311a6f33329fdfd9ee29416440b986483e0f2b1c780
Opcode Fuzzy Hash: 82c233c88e0d37a263cb0783750b3b387f228d13c71702c9729d38acfd602ae7
Instruction Fuzzy Hash: 9071F270A00654DADB10DF65CC46B9E7BF8EB05705F1045AAF908FB282DB785D448F69

Function 00456DD4 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0049BA74,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E1A
CoCreateInstance.OLE32(0049B764,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E40
SysFreeString.OLEAUT32(00000000), ref: 00456FF7

Strings

IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004570A0
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045702E
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00456F8D
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456FDC
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 00457066
IPersistFile::Save, xrefs: 004570FE
%ProgramFiles(x86)%\, xrefs: 00456ECA
{pf32}\, xrefs: 00456EBA
CoCreateInstance, xrefs: 00456E4B
IPropertyStore::Commit, xrefs: 0045707F
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456F59

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 308859552-2363233914
Opcode ID: 3ac96debb6eb05856b77dec55ef76563f881696d2ef6aa7bf2a4a7380679b832
Instruction ID: 02ec3099c1e013a4d2a6014e0405d8002507ef7a0ca247d1a979c15f6e32810c
Opcode Fuzzy Hash: 3ac96debb6eb05856b77dec55ef76563f881696d2ef6aa7bf2a4a7380679b832
Instruction Fuzzy Hash: 57B18071A04204AFDB11DFA9D845B9E7BF8AF08706F5440B6F904E7262DB38DD48CB69

Function 0047974C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 004795B8: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02207A54,?,?,?,02207A54,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
Part of subcall function 004795B8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
Part of subcall function 004795B8: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02207A54,?,?,?,02207A54,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
Part of subcall function 004795B8: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02207A54,?,?,?,02207A54), ref: 00479614
Part of subcall function 004795B8: CloseHandle.KERNEL32(00000000,?,?,?,02207A54,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632

Part of subcall function 00479690: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00479722,?,?,?,02207A54,?,00479784,00000000,0047989A,?,?,?,?), ref: 004796C0

ShellExecuteEx.SHELL32(0000003C), ref: 004797D4
GetLastError.KERNEL32(00000000,0047989A,?,?,?,?), ref: 004797DD
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047982A
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047984E
CloseHandle.KERNEL32(00000000,0047987F,00000000,00000000,000000FF,000000FF,00000000,00479878,?,00000000,0047989A,?,?,?,?), ref: 00479872

Strings

<, xrefs: 00479793
MsgWaitForMultipleObjects, xrefs: 00479837
runas, xrefs: 004797A1
ShellExecuteEx, xrefs: 004797EE
ShellExecuteEx returned hProcess=0, xrefs: 004797FE
GetExitCodeProcess, xrefs: 00479857

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: 8e3fa59751d95d2da539948543dbf141a7a7757bbf4aff0c1985467a287ac7a1
Instruction ID: ef977962423105e2be3f30a06cf623b0e2f7e3d3d4ebd630472f9d2e264b432c
Opcode Fuzzy Hash: 8e3fa59751d95d2da539948543dbf141a7a7757bbf4aff0c1985467a287ac7a1
Instruction Fuzzy Hash: 35314471910204AADB10FFAA88416DEBAB8EF45314F51857FF518F7281D77C8D058B1A

Function 00422CAC Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422E44
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042300E), ref: 00422E54

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: da2a8fcb43fd68633aa304b3626bddf0313ebff2ba0c1bed8b946ec021528c35
Instruction ID: bacc4b86db7cb1d0e13acf93141a7ddfdaa0ad6c2af5cb9121abc77d57b19b6c
Opcode Fuzzy Hash: da2a8fcb43fd68633aa304b3626bddf0313ebff2ba0c1bed8b946ec021528c35
Instruction Fuzzy Hash: 1B916270B14254AFD700DBA9DB46F9E77F4AB04304F5600B6F904AB292C7B8AE01AB58

Function 004187D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004187E3
GetWindowPlacement.USER32(?,0000002C), ref: 00418800
GetWindowRect.USER32(?), ref: 0041881C
GetWindowLongA.USER32(?,000000F0), ref: 0041882A
GetWindowLongA.USER32(?,000000F8), ref: 0041883F
ScreenToClient.USER32(00000000), ref: 00418848
ScreenToClient.USER32(00000000,?), ref: 00418853

Strings

,, xrefs: 004187EC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
Instruction ID: c8128d77bd0d7ceb2c04d713c679bf83e48da9b619e6265fa23865d78167b210
Opcode Fuzzy Hash: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
Instruction Fuzzy Hash: 1B111971505201ABDB00EF69C885E9B77E8AF48314F140A7EB958DB286C738D900CB65

Function 0042F71C Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042F744
GetWindowLongA.USER32(?,000000F0), ref: 0042F758
GetWindowLongA.USER32(?,000000EC), ref: 0042F76F
GetActiveWindow.USER32 ref: 0042F778
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7A5
SetActiveWindow.USER32(?,0042F8D5,00000000,?), ref: 0042F7C6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 2f4e0ac8b91a9cac30f41a6fef11267aa66e4b9fa18fe0b08669371a869f6fb0
Instruction ID: 4c2db8bb30fa69d0e852579bfabd785c91e73d104037fd1269e13a33cc275b58
Opcode Fuzzy Hash: 2f4e0ac8b91a9cac30f41a6fef11267aa66e4b9fa18fe0b08669371a869f6fb0
Instruction Fuzzy Hash: 0D31B170A00654AFDB01EFB5DC52D6EBBF8EB09704B9244BBF804E7291D6389D04CB18

Function 00455D80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00455D8F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455D95
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455DAE
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DD5
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DDA
ExitWindowsEx.USER32(00000002,00000000), ref: 00455DEB

Strings

SeShutdownPrivilege, xrefs: 00455DA7

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 6b93d7df648ddfbe47d244892cbfb38d0bfa797355aef2af63c68983705a1af9
Instruction ID: 02e3d1fa5e569da00b44776faf89310fbaa28c239a726f1a6525e170f6cce7ee
Opcode Fuzzy Hash: 6b93d7df648ddfbe47d244892cbfb38d0bfa797355aef2af63c68983705a1af9
Instruction Fuzzy Hash: 55F06871294B02BAE650A6718C1BF7B21A8DB40749F50892ABD41EA1C3D7BDD40C8A7A

Function 0049998C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8,?,?,00000000,0049D62C), ref: 004999E3
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00499A66
FindNextFileA.KERNEL32(000000FF,?,00000000,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000), ref: 00499A7E
FindClose.KERNEL32(000000FF,00499AA9,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8), ref: 00499A9C

Strings

isRS-, xrefs: 00499A03
isRS-???.tmp, xrefs: 004999CD

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: a1f0fefd34916e957a48392730316672e9a8d2ce3a74582890db343c928d0c72
Instruction ID: e7bbbac40fef3dfc3cc8058b31a588cc53a4b1370f1491e53b11de7997221e0f
Opcode Fuzzy Hash: a1f0fefd34916e957a48392730316672e9a8d2ce3a74582890db343c928d0c72
Instruction Fuzzy Hash: 98318871A015586FDF10EF66CC41ADEBBBCDB45304F5184BBA808A32A1DA389F45CE58

Function 00457D90 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457E0D
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457E34
SetForegroundWindow.USER32(?), ref: 00457E45
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045811D,?,00000000,00458159), ref: 00458108

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457F88

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 685519442a570b48cb17621a111e6bc8b93d65fea83153691f85968c0254f361
Instruction ID: fc8679ff921622e129be82b5c7b8b9d6156041410e322bf9d6052ebf871bd799
Opcode Fuzzy Hash: 685519442a570b48cb17621a111e6bc8b93d65fea83153691f85968c0254f361
Instruction Fuzzy Hash: E8911234604204DFDB15CF55D952F1ABBF9EB88700F2180BAED04AB792CB79AE05CB58

Function 004565A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004566E7), ref: 004565D8
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004565DE

Strings

kernel32.dll, xrefs: 004565D3
GetDiskFreeSpaceExA, xrefs: 004565CE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 19b29b05b4f049c71285320e67c4507336b438f8c50447e7cc98b76a431b265d
Instruction ID: b48cc3d91c9fc3d8a1033014b63779c50d18bc65ef0bc06e4cd1291adb105b9d
Opcode Fuzzy Hash: 19b29b05b4f049c71285320e67c4507336b438f8c50447e7cc98b76a431b265d
Instruction Fuzzy Hash: A2417471A00249AFCF01EFA5C8829EFBBB8EF48304F514567F800F7252D6795D098B69

Function 00476120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476179
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476256
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476264

Strings

unins???.*, xrefs: 00476163
unins, xrefs: 004761CC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 5e70da6d7b7899624856419d642b9a30a3442578c6172b99f9e5aa13c9ee4f6f
Instruction ID: eb89464c752a784b36226a23c26c23c5edadcf818cb3280f2000aa581376a5b5
Opcode Fuzzy Hash: 5e70da6d7b7899624856419d642b9a30a3442578c6172b99f9e5aa13c9ee4f6f
Instruction Fuzzy Hash: 11312E70600548ABDB50EB65CC81ADEBBADDB45314F5180F6A84CAB3A6DB389F418F58

Function 00418120 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041815F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA

Strings

,, xrefs: 004181A1

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
Instruction ID: 655d5dfc889397085a04c255a013ff48624dbcd9c32011b5bbe491b24769000a
Opcode Fuzzy Hash: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
Instruction Fuzzy Hash: 3C211D72600204ABDF00EF69CCC1ADA77E8AF49314F55456AFD18DF246CB78D9458BA8

Function 004648D0 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00464A8D), ref: 00464901
FindFirstFileA.KERNEL32(00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464990
FindNextFileA.KERNEL32(000000FF,?,00000000,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A22
FindClose.KERNEL32(000000FF,00464A49,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A3C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 48c0732eae783cba177e05ac1aa234ae16bb41976722f902c089bc45bad1ce8e
Instruction ID: ae00aa0afc7aa582470d59ca75ba9400823c3a1943f8949d3747a5def8a0c8eb
Opcode Fuzzy Hash: 48c0732eae783cba177e05ac1aa234ae16bb41976722f902c089bc45bad1ce8e
Instruction Fuzzy Hash: B541C570A00658AFDF11EFA5DC45ADEB7B8EB89305F4044BAF404E7381E63C9E488E19

Function 00464D4C Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00464F33), ref: 00464DC1
FindFirstFileA.KERNEL32(00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464E07
FindNextFileA.KERNEL32(000000FF,?,00000000,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EBC
FindClose.KERNEL32(000000FF,00464EE7,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EDA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: ec937dbce600953c5d0d9fe6d2f2e6b7206311b8e6b35776b55d12eec71b02e8
Instruction ID: 8e27f6cc4c7e55bed8f6d5ebd72a4c3c722eac7afebeb0f1b00dc6af3d7f2fe3
Opcode Fuzzy Hash: ec937dbce600953c5d0d9fe6d2f2e6b7206311b8e6b35776b55d12eec71b02e8
Instruction Fuzzy Hash: 31416535A006589FCB11EFA5CD859DEB7B9FBC8305F5044AAF804E7341EB389E448E59

Function 0042ED84 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDA6
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EDD1
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDDE
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDE6
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDEC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 29db8fce105cec5f3143bbfa5ea21b58fd084d018b29bb323eae88079787b565
Instruction ID: d5f14a2582f403684e4f7b299b1070748df424b87161b08669007267f0031b9d
Opcode Fuzzy Hash: 29db8fce105cec5f3143bbfa5ea21b58fd084d018b29bb323eae88079787b565
Instruction Fuzzy Hash: 21F0F0723A07203AF620B17A6C82F7F018CC784B68F10423AF704FF1D1D9A84D0515AD

Function 00484D28 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00484D66
GetWindowLongA.USER32(00000000,000000F0), ref: 00484D84
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DA6
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DBA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 6d02ab3679acd20c13477f6129401e215db0be7c9c4dcc708735b62ecc99512f
Instruction ID: c453c85064c149f2f8de5328ae0569b6634ad2f96c4c2f1b45344ef68f201c80
Opcode Fuzzy Hash: 6d02ab3679acd20c13477f6129401e215db0be7c9c4dcc708735b62ecc99512f
Instruction Fuzzy Hash: 3D015E706002129EDB10FB769D89B9A22D95B50344F19083FB8449B2E2CB7C9841975C

Function 00463344 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00463418), ref: 0046339C
FindNextFileA.KERNEL32(000000FF,?,00000000,004633F8,?,00000000,?,00000000,00463418), ref: 004633D8
FindClose.KERNEL32(000000FF,004633FF,004633F8,?,00000000,?,00000000,00463418), ref: 004633F2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 635e217b2fc9f7435441bd5570030132af4e7fadc4977a31bbca5b6ea47d96a6
Instruction ID: 0500e82312f9f08261d57c94a6d9b1f58695be5d4d7593f033a5dbf80f84d4fc
Opcode Fuzzy Hash: 635e217b2fc9f7435441bd5570030132af4e7fadc4977a31bbca5b6ea47d96a6
Instruction Fuzzy Hash: 1421DB315046886FDB11DF66CC41ADEB7ACDB49305F5084F7B808D3251EA389F44C959

Function 0042462C Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424634
SetActiveWindow.USER32(?,?,?,?,0046DA13), ref: 00424641

Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7

Part of subcall function 00423F64: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,022025AC,0042465A,?,?,?,?,0046DA13), ref: 00423F9F

SetFocus.USER32(00000000,?,?,?,?,0046DA13), ref: 0042466E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: f6b17c850702daf3fe2f22264f5d8e983b40a127641bef431db8629b7e0b9e45
Instruction ID: 5ae1608fbac1b61a262bbd8080f57afdf1b64e8a1d97d82fcb33e84f02d7d1dc
Opcode Fuzzy Hash: f6b17c850702daf3fe2f22264f5d8e983b40a127641bef431db8629b7e0b9e45
Instruction Fuzzy Hash: DBF0D07170122187CB00BFA9D9C5A9633A8AF48714B56407BBD09DF25BC67CDC458768

Function 0042F254 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F261
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F271
CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F299

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 296a65e85b4cf530d2912259c248fa0dd98adb1b483a3bccc15e2a953cf47158
Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
Opcode Fuzzy Hash: 296a65e85b4cf530d2912259c248fa0dd98adb1b483a3bccc15e2a953cf47158
Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96

Function 0041811E Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041815F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: add44dc6c1a8246b0274be2cc60e43faf0e8d0d1d4c3491e9dc610c53a27efe0
Instruction ID: b17f17ea660f77e7302433a0225cb82371cce2f83056bcd31e3690383aca5fbc
Opcode Fuzzy Hash: add44dc6c1a8246b0274be2cc60e43faf0e8d0d1d4c3491e9dc610c53a27efe0
Instruction Fuzzy Hash: E5012C72300104BBDF10EE69CCC1EEB7798AB55364F55416AFD18DF242DA38ED8287A8

Function 004179E8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417A13
GetCapture.USER32 ref: 00417A1C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: ac6aa1af0e1d137f6700960f31413d4ebc5a5ea2cfe80ba42947f9ea9a851159
Instruction ID: c42435c704d87005acf5b6d7044dd68bff31d3bfeee1bac994fdbb5906758c2c
Opcode Fuzzy Hash: ac6aa1af0e1d137f6700960f31413d4ebc5a5ea2cfe80ba42947f9ea9a851159
Instruction Fuzzy Hash: 79F049313446014BD720A72DC889AAF62F99F84394B1C643BE41AC7756EB7DDDC48758

Function 004245E4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004245EB

Part of subcall function 00423ED4: EnumWindows.USER32(00423E6C), ref: 00423EF8
Part of subcall function 00423ED4: GetWindow.USER32(?,00000003), ref: 00423F0D
Part of subcall function 00423ED4: GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
Part of subcall function 00423ED4: SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52

SetActiveWindow.USER32(?,?,?,004241C3,00000000,004245AC), ref: 004245FF

Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
Instruction ID: 0eb0e95855424de6865fa4d756a676c77cd5728601e575884a8a50090c80911a
Opcode Fuzzy Hash: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
Instruction Fuzzy Hash: 3BE01A6070010187DB00EFAAE8C4B8622A8BF88305F55017ABC08CF24BDA3CDC048728

Function 00412A28 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C25), ref: 00412C13

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
Instruction ID: cdfe5c129d614e166dcfab814c58775b37bd24f4e82d9105b90a581207f53ed6
Opcode Fuzzy Hash: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
Instruction Fuzzy Hash: 0451C2316082058FC720DF6AD781A9AF3E5EF98304B2086ABD904C7351EAB9ED91C74D

Function 00479D08 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00479E56

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
Instruction ID: 77384fbc8b33c5310ab19163c687e45bac72601044cd1e9f95c219b02d082465
Opcode Fuzzy Hash: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
Instruction Fuzzy Hash: 71414A75604105EFCB20CF99C6808AAB7F5EB48310B74C9A6E849DB745D338EE41DB94

Function 00455D38 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00455D4E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
Instruction ID: 82cf1e81aeab4cdf4c711474db213eebdc1b2e178f500b1422eacd8e28b83923
Opcode Fuzzy Hash: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
Instruction Fuzzy Hash: 0AD0C27230460063C700AAA99C826AA359C8B84305F00883F3CC5DA2C3EABDDA4C5696

Function 0044BB28 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BAA4: GetVersionExA.KERNEL32(00000094), ref: 0044BAC1

Part of subcall function 0044BAF8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BB10

LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BC8C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BC9E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BCB0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BCC2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BCD4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BCE6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BCF8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD0A
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BD1C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BD2E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BD40
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BD52
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BD64
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BD76
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BD88
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BD9A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BDAC
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BDBE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BDD0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BDE2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BDF4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE06
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BE18
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BE2A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BE3C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BE4E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BE60
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BE72
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BE84
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BE96
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BEA8
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BEBA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BECC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BEDE

Strings

GetThemeAppProperties, xrefs: 0044BE7C
IsThemeDialogTextureEnabled, xrefs: 0044BE6A
DrawThemeText, xrefs: 0044BBD0
GetThemeInt, xrefs: 0044BCF0
GetThemeBackgroundContentRect, xrefs: 0044BBE2, 0044BBF4
IsThemeActive, xrefs: 0044BE22
DrawThemeBackground, xrefs: 0044BBBE
uxtheme.dll, xrefs: 0044BB77
OpenThemeData, xrefs: 0044BB9A
GetThemeFilename, xrefs: 0044BD92
GetThemeTextMetrics, xrefs: 0044BC2A
DrawThemeEdge, xrefs: 0044BC60
IsThemeBackgroundPartiallyTransparent, xrefs: 0044BC96
GetThemeEnumValue, xrefs: 0044BD02
GetCurrentThemeName, xrefs: 0044BEA0
GetThemeSysString, xrefs: 0044BDFE
DrawThemeParentBackground, xrefs: 0044BEC4
GetThemeMetric, xrefs: 0044BCBA
GetThemePropertyOrigin, xrefs: 0044BD6E
GetThemeBool, xrefs: 0044BCDE
GetThemeTextExtent, xrefs: 0044BC18
GetThemeSysSize, xrefs: 0044BDDA
CloseThemeData, xrefs: 0044BBAC
GetThemePartSize, xrefs: 0044BC06
GetThemeColor, xrefs: 0044BCA8
GetThemeSysColor, xrefs: 0044BDA4
SetWindowTheme, xrefs: 0044BD80
GetThemeSysFont, xrefs: 0044BDEC
GetThemePosition, xrefs: 0044BD14
IsAppThemed, xrefs: 0044BE34
GetThemeMargins, xrefs: 0044BD4A
SetThemeAppProperties, xrefs: 0044BE8E
DrawThemeIcon, xrefs: 0044BC72
GetThemeSysColorBrush, xrefs: 0044BDB6
GetThemeIntList, xrefs: 0044BD5C
EnableThemeDialogTexture, xrefs: 0044BE58
GetThemeBackgroundRegion, xrefs: 0044BC3C
GetWindowTheme, xrefs: 0044BE46
GetThemeSysBool, xrefs: 0044BDC8
IsThemePartDefined, xrefs: 0044BC84
GetThemeFont, xrefs: 0044BD26
HitTestThemeBackground, xrefs: 0044BC4E
GetThemeDocumentationProperty, xrefs: 0044BEB2
GetThemeRect, xrefs: 0044BD38
GetThemeString, xrefs: 0044BCCC
GetThemeSysInt, xrefs: 0044BE10
EnableTheming, xrefs: 0044BED6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2754715182-2910565190
Opcode ID: 1a560d406fd28363c82114fe615e1cf3cd8c7e96d78b4122faffdbe0687169de
Instruction ID: 345b4916510d3cb7c096cba84ec2b1d1bd9d6ff2ab3c947e91cb1c242a843473
Opcode Fuzzy Hash: 1a560d406fd28363c82114fe615e1cf3cd8c7e96d78b4122faffdbe0687169de
Instruction Fuzzy Hash: 49A16AB0A41A50EBEB00EFF5DC86A2A37A8EB15B14B1405BBB444EF295D678DC048F5D

Function 00493FEC Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,004944E1,?,?,?,?,00000000,00000000,00000000), ref: 0049402C
FindWindowA.USER32(00000000,00000000), ref: 0049405D

Strings

OEMTOCHARBUFF, xrefs: 0049443F
SENDBROADCASTMESSAGE, xrefs: 004941F9
POSTMESSAGE, xrefs: 00494107
FINDWINDOWBYCLASSNAME, xrefs: 00494039
REGISTERWINDOWMESSAGE, xrefs: 004941BF
POSTBROADCASTMESSAGE, xrefs: 00494247
CREATEMUTEX, xrefs: 0049440D
FREEDLL, xrefs: 004943D8
SENDMESSAGE, xrefs: 004940B1
CHARTOOEMBUFF, xrefs: 00494482
CALLDLLPROC, xrefs: 00494351
SLEEP, xrefs: 00494016
LOADDLL, xrefs: 004942EF
FINDWINDOWBYWINDOWNAME, xrefs: 00494075
SENDNOTIFYMESSAGE, xrefs: 00494163
SENDBROADCASTNOTIFYMESSAGE, xrefs: 0049429B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 6c13f5a393d1a9c00e8787351cf7d3ffbfb63decb9f63bc49c4143e268631f25
Instruction ID: aaf63752e06fee66a7d05b71673dc8e7902340e663ecb0da5339ca9489632561
Opcode Fuzzy Hash: 6c13f5a393d1a9c00e8787351cf7d3ffbfb63decb9f63bc49c4143e268631f25
Instruction Fuzzy Hash: 7EC14060B0421027DB14FB7ACC4692E5A999BD4704750CA3FB40AEB78BDE3CDC0B4799

Function 0041CE5C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041CE90
CreateCompatibleDC.GDI32(?), ref: 0041CE9C
CreateBitmap.GDI32(0041AD94,?,00000001,00000001,00000000), ref: 0041CEC0
CreateCompatibleBitmap.GDI32(?,0041AD94,?), ref: 0041CED0
SelectObject.GDI32(0041D28C,00000000), ref: 0041CEEB
FillRect.USER32(0041D28C,?,?), ref: 0041CF26
SetTextColor.GDI32(0041D28C,00000000), ref: 0041CF3B
SetBkColor.GDI32(0041D28C,00000000), ref: 0041CF52
PatBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00FF0062), ref: 0041CF68
CreateCompatibleDC.GDI32(?), ref: 0041CF7B
SelectObject.GDI32(00000000,00000000), ref: 0041CFAC
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CFC4
RealizePalette.GDI32(00000000), ref: 0041CFCD
SelectPalette.GDI32(0041D28C,00000000,00000001), ref: 0041CFDC
RealizePalette.GDI32(0041D28C), ref: 0041CFE5
SetTextColor.GDI32(00000000,00000000), ref: 0041CFFE
SetBkColor.GDI32(00000000,00000000), ref: 0041D015
BitBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00000000,00000000,00000000,00CC0020), ref: 0041D031
SelectObject.GDI32(00000000,?), ref: 0041D03E
DeleteDC.GDI32(00000000), ref: 0041D054

Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
Instruction ID: f3cd37e79d0242250547ce8a95e3067296a2558137ee74c5e82542f4c8f5946c
Opcode Fuzzy Hash: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
Instruction Fuzzy Hash: 6F61CD71A44604AFDB10EBE9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69

Function 00469A0C Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,00469C26,?,?,00000001,00000000,00000000,00469C41,?,00000000,00000000,?), ref: 00469C0F

Strings

Inno Setup: Icon Group, xrefs: 00469AEA
Inno Setup: User Info: Serial, xrefs: 00469BF1
Inno Setup: Selected Tasks, xrefs: 00469B7B
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469A6B
Inno Setup: No Icons, xrefs: 00469AF7
Inno Setup: Deselected Tasks, xrefs: 00469B9D
Inno Setup: User Info: Organization, xrefs: 00469BDE
Inno Setup: App Path, xrefs: 00469ACE
Inno Setup: User Info: Name, xrefs: 00469BCB
Inno Setup: Setup Type, xrefs: 00469B1E
Inno Setup: Selected Components, xrefs: 00469B2E
%s\%s_is1, xrefs: 00469A89
Inno Setup: Deselected Components, xrefs: 00469B50

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 483f58ed5ea1caa2215aad72aa4fbba2634ec1474e25935b186163811d3f8b9c
Instruction ID: c7de7197f4a769c9e7c3cd52df4c64fbb683598124d789e1de9a85ab418445f9
Opcode Fuzzy Hash: 483f58ed5ea1caa2215aad72aa4fbba2634ec1474e25935b186163811d3f8b9c
Instruction Fuzzy Hash: C4519430A006089BCB15DB66D941BEEB7F9EF49304F5084BAE84067395E7B8AF01CB5D

Function 00473AA0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00473C58
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473D73
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00473D89
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00473DAE

Strings

Desktop.ini, xrefs: 00473E2F
Dest filename: %s, xrefs: 00473BFA
.lnk, xrefs: 00473B2C
{group}\, xrefs: 00473AFA
target.lnk, xrefs: 00473DF8
.pif, xrefs: 00473B4F, 00473CED
Creating the icon., xrefs: 00473C6D
.url, xrefs: 00473B72
Successfully created the icon., xrefs: 00473D4D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
API String ID: 971782779-2902529204
Opcode ID: c6b7fa7affdc9fb62b84ae8e421d73df12b763fd4200ba090a8c7e9b83a24d61
Instruction ID: 9b31a6288a8d0ad81c732a29d19026b8086b57763a6276d7ac4447936d78ea7d
Opcode Fuzzy Hash: c6b7fa7affdc9fb62b84ae8e421d73df12b763fd4200ba090a8c7e9b83a24d61
Instruction Fuzzy Hash: EBD11374A00148ABDB11DFA9D582BDDBBF4AF08305F50806AF804B7392D778AE45DB69

Function 00499CB8 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000,0049A411,?,00000000), ref: 00499D3B
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000), ref: 00499D4E
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000), ref: 00499D5E
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00499D7F
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000), ref: 00499D8F

Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1

Strings

Setup, xrefs: 00499D27
/REGU, xrefs: 00499D11
.msg, xrefs: 00499DB2
/REG, xrefs: 00499CED
Inno-Setup-RegSvr-Mutex, xrefs: 00499D45
.lst, xrefs: 00499DCC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 6c6239035cda5b1c4d26cc66e6061e20cf0a5a8c62d227012637540de454186f
Instruction ID: 24b702ce4587ab849973673670b37801b9677cadbfb3bf4f1077f7c12e9ac28d
Opcode Fuzzy Hash: 6c6239035cda5b1c4d26cc66e6061e20cf0a5a8c62d227012637540de454186f
Instruction Fuzzy Hash: 5591C430A04205AFDF11EF69C852BAEBBB4EB49304F51447AF500AB792C63DAC05CB6D

Function 0045AED4 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045B190,?,?,?,?,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045B042

Strings

.chw, xrefs: 0045AF89
Stripped read-only attribute., xrefs: 0045B01B
.hlp, xrefs: 0045AF0B
Failed to strip read-only attribute., xrefs: 0045B027
.chm, xrefs: 0045AF70
.gid, xrefs: 0045AF24
.fts, xrefs: 0045AF48
Deleting file: %s, xrefs: 0045AFE1
.lnk, xrefs: 0045AFAF
Failed to delete the file; it may be in use (%d)., xrefs: 0045B131
The file appears to be in use (%d). Will delete on restart., xrefs: 0045B08B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 3d9e3a5314c5b4e0fd7d2bce45321bf51c5b66cfc100c7b458080a39117b5d19
Instruction ID: 1722664f16d817fc675012576ec738190a07adef69c32437d7057340c1fc2b4b
Opcode Fuzzy Hash: 3d9e3a5314c5b4e0fd7d2bce45321bf51c5b66cfc100c7b458080a39117b5d19
Instruction Fuzzy Hash: 3271AE307006445BDB01EB6A88927AE7BA5EF49755F50846BFC01EB383CB7C8E49879D

Function 0045D3BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045D3D6
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D3F6
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D403
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D410
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D41E

Part of subcall function 0045D2C4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D363,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D33D

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4D7
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4E0

Strings

SetEntriesInAclW, xrefs: 0045D418
GetNamedSecurityInfoW, xrefs: 0045D3FD
advapi32.dll, xrefs: 0045D3F1
W, xrefs: 0045D4EE
SetNamedSecurityInfoW, xrefs: 0045D40A

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: c51607bbed49a3986bcf40b6c03b8a94b2df1a44d19d34c8b1d67d5ae9631035
Instruction ID: 1fdbc06bdf38f6500452038ca5d2f44928d617c4984e35671f0aa61f53d98d16
Opcode Fuzzy Hash: c51607bbed49a3986bcf40b6c03b8a94b2df1a44d19d34c8b1d67d5ae9631035
Instruction Fuzzy Hash: D35183B1D00208EFDB20DF99C841BAEB7B8EF49315F14806AF904B7382D6789945CF69

Function 0041B7FC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B813
CreateCompatibleDC.GDI32(00000000), ref: 0041B81D
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B82F
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B846
GetDC.USER32(00000000), ref: 0041B852
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B87F
ReleaseDC.USER32(00000000,00000000), ref: 0041B8A5
SelectObject.GDI32(00000000,?), ref: 0041B8C0
SelectObject.GDI32(?,00000000), ref: 0041B8CF
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
SelectObject.GDI32(00000000,00000000), ref: 0041B909
SelectObject.GDI32(?,00000000), ref: 0041B917
DeleteDC.GDI32(00000000), ref: 0041B920
DeleteDC.GDI32(?), ref: 0041B929

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
Instruction ID: 5456327a1e321ce8c2b8187df1c916a831ebe275c46a8a968a344784d91ca00b
Opcode Fuzzy Hash: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
Instruction Fuzzy Hash: FC419F71E44609ABDB10EAE9C845FEFB7BCEB08704F104466F614F7281D7786D418BA8

Function 00454FDC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,?,00000000,?,00000000,00455275,?,0045B366,00000003,00000000,00000000,004552AC), ref: 004550F5

Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37

RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 00455179
RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 004551A8

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00455013
, xrefs: 00455066
RegOpenKeyEx, xrefs: 00455078
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045504C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 02c8e919cbe9c8ea519eaa916f6c6eac6bc29195dc3cf6561bf7061779b77b2a
Instruction ID: 06452bf81ef06fa34888f2ab1cc7b3841a1100f4c60e90cd60a05f06e497d7d6
Opcode Fuzzy Hash: 02c8e919cbe9c8ea519eaa916f6c6eac6bc29195dc3cf6561bf7061779b77b2a
Instruction Fuzzy Hash: E0913371D04608ABDB10DFA5C952BEEB7F8EB08305F50406BF904F7282D6799E088B69

Function 00459C54 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459B60: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459CFB
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459D65

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459DCC

Strings

SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459D18
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459D7F
.NET Framework version %s not found, xrefs: 00459E05
.NET Framework not found, xrefs: 00459E19
v1.1.4322, xrefs: 00459DBE
v4.0.30319, xrefs: 00459CED
v2.0.50727, xrefs: 00459D57
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459CAE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: a3f1e93d4e7ba3fda042b2f30cdd9edc56e8298a3f53841293840353788f2ced
Instruction ID: 13a12a4b366685baa8d6a2e304724611cbcec49206d2204e0959de5a5d6478e2
Opcode Fuzzy Hash: a3f1e93d4e7ba3fda042b2f30cdd9edc56e8298a3f53841293840353788f2ced
Instruction Fuzzy Hash: 6451B235A04104EFCB04DB66D862BEE77BADB49305F1844BBA941D7382E7799E0D8B18

Function 00459240 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00459277
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459293
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004592A1
GetExitCodeProcess.KERNEL32(?), ref: 004592B2
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004592F9
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00459315

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 00459269
Helper process exited with failure code: 0x%x, xrefs: 004592DF
Helper process exited, but failed to get exit code., xrefs: 004592EB
Helper isn't responding; killing it., xrefs: 00459283
Helper process exited., xrefs: 004592C1

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
Instruction ID: 475b633a8f1197f12a32b7740e8dffccf3703e2e74a756bc360da45c31bde27f
Opcode Fuzzy Hash: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
Instruction Fuzzy Hash: 7B215C70604700EAC720EA7DC486B5B77D49F49305F048D2EB899DB693DA7CEC489B2A

Function 00454C90 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E234: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454DB7
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454EF3

Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CCF
RegCreateKeyEx, xrefs: 00454D2B
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CFF
, xrefs: 00454D19

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 651842d0f4ad9c4ad2a8b1aa2e40d639b19969428397b1c3b65e76aead969962
Instruction ID: 61cb1c98edcfe528623c145d9993427f2b00fea00e486b8f0244815ce8f04fab
Opcode Fuzzy Hash: 651842d0f4ad9c4ad2a8b1aa2e40d639b19969428397b1c3b65e76aead969962
Instruction Fuzzy Hash: 18810175900209ABDB01DFD5C942BDEB7B8FB49709F50442AF900FB282D7789A49CB69

Function 00498538 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00454024: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
Part of subcall function 00454024: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004985B5
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00498709), ref: 004985D6
CreateWindowExA.USER32(00000000,STATIC,00498718,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004985FD
SetWindowLongA.USER32(?,000000FC,00497D90), ref: 00498610
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC,00498718), ref: 00498640
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004986B4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000), ref: 004986C0

Part of subcall function 00454498: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F

DestroyWindow.USER32(?,004986E3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC), ref: 004986D6

Strings

STATIC, xrefs: 004985F6
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 0049866F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: e7778411e9b1b6630edda92c2df3270715494436d156fffcbb967f4de96f6acd
Instruction ID: 19a9ac76a87cbdbac9fefc72f4bc8d66673aab5a8439699f4ab81f25108c8d39
Opcode Fuzzy Hash: e7778411e9b1b6630edda92c2df3270715494436d156fffcbb967f4de96f6acd
Instruction Fuzzy Hash: 78414771A54204AFDF00EBA5CC42F9E7BF8EB09714F51457AF500FB291DA799E048B58

Function 0042E868 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E891
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E897
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E8E5

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0042E8F4
Locale, xrefs: 0042E8D4
kernel32.dll, xrefs: 0042E88C
hE, xrefs: 0042E927, 0042E92F, 0042E93A, 0042E95C
.DEFAULT\Control Panel\International, xrefs: 0042E8BC
GetUserDefaultUILanguage, xrefs: 0042E887

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$hE
API String ID: 4190037839-2100363064
Opcode ID: 239c3c02294f51b8c912056430f27a88fc2a2be1332949b179e9f088037ce780
Instruction ID: 343416b7bfae85f45959abe8e21461bd4048f30ead5244c3b453dfa896624356
Opcode Fuzzy Hash: 239c3c02294f51b8c912056430f27a88fc2a2be1332949b179e9f088037ce780
Instruction Fuzzy Hash: 06214470B00229EBDB50EAA7DC42BAE77A8EB44314F904477A500E7281DB7C9E45DB1C

Function 004635E4 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004635F0
GetModuleHandleA.KERNEL32(user32.dll), ref: 00463604
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463611
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0046361E
GetWindowRect.USER32(?,00000000), ref: 0046366A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004636A8

Strings

MonitorFromWindow, xrefs: 0046360B
user32.dll, xrefs: 004635FF
GetMonitorInfoA, xrefs: 00463618
(, xrefs: 00463649

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: ad842200cfa6e8a47196dba0d23866f984cf60195872fdf45755fb4f31d5380a
Instruction ID: 23225dc964baf5770c03b9449d190f9fd0809e25ab0c2f23061680c52a7637e8
Opcode Fuzzy Hash: ad842200cfa6e8a47196dba0d23866f984cf60195872fdf45755fb4f31d5380a
Instruction Fuzzy Hash: AE21C2B17006446BD320EE68CC45F3B76D9EB84B05F09452EF944DB3C1EA78DD004B5A

Function 0042F614 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F620
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F634
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F641
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F64E
GetWindowRect.USER32(?,00000000), ref: 0042F69A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F6D8

Strings

MonitorFromWindow, xrefs: 0042F63B
user32.dll, xrefs: 0042F62F
GetMonitorInfoA, xrefs: 0042F648
(, xrefs: 0042F679

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 12727d74b9d159a374f9225cc8b39a186865ffad57b7795b885c82a727b8d1b1
Instruction ID: 8e363f887434259cf3ecd6bfca6d9ac669349ab4594bae960fb014309ef79425
Opcode Fuzzy Hash: 12727d74b9d159a374f9225cc8b39a186865ffad57b7795b885c82a727b8d1b1
Instruction Fuzzy Hash: BC21C2B27006146FD600EA68DC85F3B72A9EB84704F89463AF944DB391DA78DC098B59

Function 00459418 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004595F7,?,00000000,0045965A,?,?,00000000,00000000), ref: 00459475
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594D2
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594DF
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045952B
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459551
GetLastError.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459558

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

CreateEvent, xrefs: 00459483
TransactNamedPipe, xrefs: 004594EB

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: b55503e34f8d962b7f84c3645a894460d14b73b41b2716c2d68c559e670bf211
Instruction ID: 77fbb71d8e7aac064b87aac98c1c55f9fcb2258c1561d492b861e589c0c855dd
Opcode Fuzzy Hash: b55503e34f8d962b7f84c3645a894460d14b73b41b2716c2d68c559e670bf211
Instruction Fuzzy Hash: CF418B71A00208FFDB11DF99C981F9EB7F9EB48710F5040AAF904E7282D6789E54CB68

Function 004574BC Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00457621,?,?,00000031,?), ref: 004574E4
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004574EA
LoadTypeLib.OLEAUT32(00000000,?), ref: 00457537

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

GetProcAddress, xrefs: 004574F7
UnRegisterTypeLib, xrefs: 004575A3
LoadTypeLib, xrefs: 00457542
ITypeLib::GetLibAttr, xrefs: 0045756D
OLEAUT32.DLL, xrefs: 004574DF
UnRegisterTypeLib, xrefs: 004574DA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 8cf50e875a9dcf410b8dd877ec8f296a8ac8dcccebe425cefeb95bbf43ac864a
Instruction ID: 559faf3bdf9cccbe36ab56d48fd8e4aa4276a02661c60707683b87f46ce48c1c
Opcode Fuzzy Hash: 8cf50e875a9dcf410b8dd877ec8f296a8ac8dcccebe425cefeb95bbf43ac864a
Instruction Fuzzy Hash: 8131B471A04604BFCB01EFAADC01D5FB7BEEB8975571044B6BD04D3652EA38DD04CA68

Function 004171D0 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00417263
SaveDC.GDI32(?), ref: 00417277
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0041729A
RestoreDC.GDI32(?,?), ref: 004172B5
CreateSolidBrush.GDI32(00000000), ref: 00417335
FrameRect.USER32(?,?,?), ref: 00417368
DeleteObject.GDI32(?), ref: 00417372
CreateSolidBrush.GDI32(00000000), ref: 00417382
FrameRect.USER32(?,?,?), ref: 004173B5
DeleteObject.GDI32(?), ref: 004173BF

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 7081892d67a76e5858c75433181940d26fd285d77869ff40be0b6357be773945
Instruction ID: 6654575de22a121332528345891e4d9aada139d791074539051cb87a9fd886f5
Opcode Fuzzy Hash: 7081892d67a76e5858c75433181940d26fd285d77869ff40be0b6357be773945
Instruction Fuzzy Hash: 30515D712086455FDB50EF69C8C0B9B7BE8AF48314F1455AAFD588B286C738EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 00422638 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422683
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226A1
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226AE
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226BB
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226C8
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004226D5
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004226E2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004226EF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042270D
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422729

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
Instruction ID: df9c0873c136ddd24b8aa988775969986c1613bec62327c4069b14a2c43cb384
Opcode Fuzzy Hash: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
Instruction Fuzzy Hash: 5F2156743847047AE721E724CD8BF9B7BD89B54748F144069B6487F2D3C6FCAA40869C

Function 00462174 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004621AF
GetActiveWindow.USER32 ref: 00462213
CoInitialize.OLE32(00000000), ref: 00462227
SHBrowseForFolder.SHELL32(?), ref: 0046223E
CoUninitialize.OLE32(0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462253
SetActiveWindow.USER32(?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462269
SetActiveWindow.USER32(?,?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462272

Strings

A, xrefs: 004621E7

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 1d7e40e0b8975f0196f46b8df0cc514a16ab06fdd2250966ca1bbca8027be4ac
Instruction ID: 1e82777cc352b96db12449cf8796706bfa71e84f11e11660080683620fe74db3
Opcode Fuzzy Hash: 1d7e40e0b8975f0196f46b8df0cc514a16ab06fdd2250966ca1bbca8027be4ac
Instruction Fuzzy Hash: E23130B0E04208AFDB00EFB5D945ADEBBF8EB09304F51447AF914E7251E7789A04CB59

Function 00473950 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D,?,?,00000000,00473EF0), ref: 00473974

Part of subcall function 0042D1E4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D25A

Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D), ref: 004739EB
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000), ref: 004739F1

Strings

.ShellClassInfo, xrefs: 004739A3
desktop.ini, xrefs: 00473988
CLSID2, xrefs: 0047399E
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004739AD
target.lnk, xrefs: 004739C9

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
Instruction ID: bfb262a57c212aacfed1a05d1298e64af55acb3d3cb9d0523fd91374b550827c
Opcode Fuzzy Hash: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
Instruction Fuzzy Hash: 8F11D3B07006047BD701EA698C83AAE73ACDB48715F50813BB844A72C1DB3C9F02961D

Function 0045DAB0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DAB9
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DAC9
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DAD9
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DAE9

Strings

inflateReset, xrefs: 0045DAE3
inflate, xrefs: 0045DAC3
inflateEnd, xrefs: 0045DAD3
inflateInit_, xrefs: 0045DAB3

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 9767c856fa4677b80cc6d2bf323e91fa1147838bf647a7aa43f1430cd9329df0
Instruction ID: 9991d33b7b3f44c4a287d390de66c621eb38f0a325e11cae05c3c9c0ae6f74c7
Opcode Fuzzy Hash: 9767c856fa4677b80cc6d2bf323e91fa1147838bf647a7aa43f1430cd9329df0
Instruction Fuzzy Hash: ED016CB0D00710DAE324DF335C827223AA79B94306F1584376B4853266D3FC184DCE2D

Function 0041AD2C Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041AE09
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE43
SetBkColor.GDI32(?,?), ref: 0041AE58
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEA2
SetTextColor.GDI32(00000000,00000000), ref: 0041AEAD
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEBD
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AEFC
SetTextColor.GDI32(00000000,00000000), ref: 0041AF06
SetBkColor.GDI32(00000000,?), ref: 0041AF13

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
Instruction ID: 4ec4bb7d7ecd06ab75a809c898bbb7394ceff3bd51f581de865bbf99f3132505
Opcode Fuzzy Hash: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
Instruction Fuzzy Hash: E761A6B5A01605EFC740EFADE985E9AB7F9EF08318B108566F518DB251C734ED408F98

Function 004588C0 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458A74,?, /s ",?,regsvr32.exe",?,00458A74), ref: 004589E6

Strings

/s ", xrefs: 0045892F
Spawning 64-bit RegSvr32: , xrefs: 0045894B
D, xrefs: 0045899C
/u, xrefs: 00458922
CreateProcess, xrefs: 004589D8
0x%x, xrefs: 00458A09
Spawning 32-bit RegSvr32: , xrefs: 0045896D
regsvr32.exe", xrefs: 00458907

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 155819c64c430fb45d55460a0d10478e2dbda3fe00918e678cc052cf01514edf
Instruction ID: 5e566bfdb395c8031f807e0e6dfcda5b961088fbae7d5a2ae3caad0b9f5d9a1a
Opcode Fuzzy Hash: 155819c64c430fb45d55460a0d10478e2dbda3fe00918e678cc052cf01514edf
Instruction Fuzzy Hash: 94410770A003486BDB10EFE5C842B9DB7F9AF45305F50407FA914BB296DF789E098B59

Function 0044D750 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D781
GetSysColor.USER32(00000014), ref: 0044D788
SetTextColor.GDI32(00000000,00000000), ref: 0044D7A0
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D7C9
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D7D3
GetSysColor.USER32(00000010), ref: 0044D7DA
SetTextColor.GDI32(00000000,00000000), ref: 0044D7F2
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D81B
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D846

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: c732eae71167dd8aa6631ccdc206b1dcbb1a1316a8d8e9d7e0f026f0b59abdf9
Instruction ID: 83f763003a0c4173e52025d9049416b14570b2719a823760897ab970dc451d42
Opcode Fuzzy Hash: c732eae71167dd8aa6631ccdc206b1dcbb1a1316a8d8e9d7e0f026f0b59abdf9
Instruction Fuzzy Hash: B221ACB46015047FC710FB2ACD8AE8AB7DC9F59319B00857BB918EB3A3C67CDE444669

Function 00467E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467ED9

Part of subcall function 00467D4C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467DE7
Part of subcall function 00467D4C: DestroyCursor.USER32(00000000), ref: 00467DFD

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467F30
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467F91
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467FB7

Strings

shell32.dll, xrefs: 00467F14
c:\directory, xrefs: 00467EAE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 875611d6e7e42d004a6822cd0457b29277af2731bfce7ef18235f4e05af839d0
Instruction ID: adf232676f9dc8545d434ff73a7213ff4163269ef5d9f53791e9b27a0c2465ea
Opcode Fuzzy Hash: 875611d6e7e42d004a6822cd0457b29277af2731bfce7ef18235f4e05af839d0
Instruction Fuzzy Hash: 64516D70644208AFD750EF65CC85FDEBBA8EB48308F1085A7F5089B391DA399E85CB59

Function 00497DDC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077

Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

GetWindowThreadProcessId.USER32(00000000,?), ref: 00497E6D
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00497E81
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00497E9B
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EA7
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EAD
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EC0

Strings

Deleting Uninstall data files., xrefs: 00497DE3

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 76f4a073d4d431fcb8e24e0d71c40f55804fe31760389f23b01cbf0fd8bd04be
Instruction ID: 7989a93d4f85e89f9f4a8d52eef74e044f35551c753dc98037dc67a034be62a8
Opcode Fuzzy Hash: 76f4a073d4d431fcb8e24e0d71c40f55804fe31760389f23b01cbf0fd8bd04be
Instruction Fuzzy Hash: 78213270718204BEEF10EBB6AC42B5737A8E755758F15497BF500961E2EA7C5C048B1D

Function 00471058 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155,?,?,?,?,00000000), ref: 004710BF
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155), ref: 004710D6
AddFontResourceA.GDI32(00000000), ref: 004710F3
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471107

Strings

Failed to set value in Fonts registry key., xrefs: 004710C8
AddFontResource, xrefs: 00471111
Failed to open Fonts registry key., xrefs: 004710DD

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: a03f27855fc87ca96a169c1e143b765b8136624149cc9ecf5b4944870508d104
Instruction ID: e530b8863bd5b0940b7b47d45e6c2b04f0dd933a31ed90210a2cbfb1d5868c86
Opcode Fuzzy Hash: a03f27855fc87ca96a169c1e143b765b8136624149cc9ecf5b4944870508d104
Instruction Fuzzy Hash: 3821B27074024477D710EA6A9C42F9A77ACCB09708F60C43BBA04EB3D2DA7CDE05862D

Function 00463A24 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416860: GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
Part of subcall function 00416860: UnregisterClassA.USER32(?,00400000), ref: 004168FB
Part of subcall function 00416860: RegisterClassA.USER32(?), ref: 0041691E

GetVersion.KERNEL32 ref: 00463A54
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00463A92
SHGetFileInfo.SHELL32(00463B30,00000000,?,00000160,00004011), ref: 00463AAF
LoadCursorA.USER32(00000000,00007F02), ref: 00463ACD
SetCursor.USER32(00000000,00000000,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463AD3
SetCursor.USER32(?,00463B13,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463B06

Strings

Explorer, xrefs: 00463A6E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 65d5975a7585ee049415f6ae244e5feecb2e1e5ddbe746441fb4960a5f53db61
Instruction ID: 0956d246c88e4b13c617490cc10e92cdb10fa67267cb1644ec11604dcab5a564
Opcode Fuzzy Hash: 65d5975a7585ee049415f6ae244e5feecb2e1e5ddbe746441fb4960a5f53db61
Instruction Fuzzy Hash: 6A212C307403446AE710BFB58C47F9A76989B08708F5000BFBA09EE1C3EABD9D4586AD

Function 004795B8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02207A54,?,?,?,02207A54,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02207A54,?,?,?,02207A54,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02207A54,?,?,?,02207A54), ref: 00479614
CloseHandle.KERNEL32(00000000,?,?,?,02207A54,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632

Strings

GetFinalPathNameByHandleA, xrefs: 004795C7
kernel32.dll, xrefs: 004795CC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 7a7a0c7d3d9abbb2ee4536f3f8a99bce4920bee079e61f013f30ba3956b0f975
Instruction ID: 19ddb68189d16dccfde8b10573e35333770f7cebea86a77b7f1be6907437da3a
Opcode Fuzzy Hash: 7a7a0c7d3d9abbb2ee4536f3f8a99bce4920bee079e61f013f30ba3956b0f975
Instruction Fuzzy Hash: CC01D26034470436E52131BA4C86FBB248C8B50768F148237BA1CEA2E2EDAD9E0601AE

Function 0045A608 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A78A,?,00000000,00000000,00000000,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045A6CE

Part of subcall function 00454B5C: FindClose.KERNEL32(000000FF,00454C52), ref: 00454C41

Strings

Failed to delete directory (%d). Will retry later., xrefs: 0045A6E7
Failed to strip read-only attribute., xrefs: 0045A69C
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A743
Deleting directory: %s, xrefs: 0045A657
Stripped read-only attribute., xrefs: 0045A690
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A6A8
Failed to delete directory (%d)., xrefs: 0045A764

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 1f29af1371db45d32686fca523b5f3451fb5bee88339468040673f7751c6b4fe
Instruction ID: 6800a92dfaec35f14ad088af188abd42280c19cea7490fe80134e7d3278dcbe3
Opcode Fuzzy Hash: 1f29af1371db45d32686fca523b5f3451fb5bee88339468040673f7751c6b4fe
Instruction Fuzzy Hash: 62418630A002485ACB10EB6988017AE7AF59B4D306F55867FAC11A7393DB7CCE1D875B

Function 004232A0 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004232F4
GetCapture.USER32 ref: 00423303
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423309
ReleaseCapture.USER32 ref: 0042330E
GetActiveWindow.USER32 ref: 0042331D
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0042339C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423400
GetActiveWindow.USER32 ref: 0042340F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: b33e7267c2f8ff98d33321ddaf8eefadd9ab5bb9bc7e5d18a67e741f193460e0
Instruction ID: 3a9af59dda1f98e95100fec3f153a7acb7f05633bd4cd2eb2e4992da2b7770c9
Opcode Fuzzy Hash: b33e7267c2f8ff98d33321ddaf8eefadd9ab5bb9bc7e5d18a67e741f193460e0
Instruction Fuzzy Hash: 68414170B10258AFDB10EFAAD942B9DB7F1AF44704F5140BAE404AB292DB7C9F41CB18

Function 004298D0 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004298DA
GetTextMetricsA.GDI32(00000000), ref: 004298E3

Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7

SelectObject.GDI32(00000000,00000000), ref: 004298F2
GetTextMetricsA.GDI32(00000000,?), ref: 004298FF
SelectObject.GDI32(00000000,00000000), ref: 00429906
ReleaseDC.USER32(00000000,00000000), ref: 0042990E
GetSystemMetrics.USER32(00000006), ref: 00429933
GetSystemMetrics.USER32(00000006), ref: 0042994D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
Instruction ID: 0ef879b540a67ceb128a5e1141d84f2d1524799c58b88ee5a2ee57f477153a9f
Opcode Fuzzy Hash: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
Instruction Fuzzy Hash: 8401A19170971127F310667A9CC2B6F6688DB54368F44053EFA86963E3D96C8C81876E

Function 0041E274 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041E277
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E281
ReleaseDC.USER32(00000000,00000000), ref: 0041E28E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E29D
GetStockObject.GDI32(00000007), ref: 0041E2AB
GetStockObject.GDI32(00000005), ref: 0041E2B7
GetStockObject.GDI32(0000000D), ref: 0041E2C3
LoadIconA.USER32(00000000,00007F00), ref: 0041E2D4

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: db53187b583683c3da25eb47fc51b38c63e1255722fbf2352793706f85574c6b
Instruction ID: 718266ba1944efb5b46721f14e799226cd24d8dfc19287898d5783b558d94fa9
Opcode Fuzzy Hash: db53187b583683c3da25eb47fc51b38c63e1255722fbf2352793706f85574c6b
Instruction Fuzzy Hash: 1111FB70A453015AE340BFA69D52BAA3691D724709F00813BF608EF3D2DB7D5C809BAD

Function 00463E34 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00463F38
SetCursor.USER32(00000000,00000000,00007F02,00000000,00463FCD), ref: 00463F3E
SetCursor.USER32(?,00463FB5,00007F02,00000000,00463FCD), ref: 00463FA8

Strings

, xrefs: 004641CE
, xrefs: 004641B3
Internal error: Item already expanding, xrefs: 00463ED5

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 2e72c9ebfc19e7403a65945d55937a119cc11725f60109d9f94943b84faf3f65
Instruction ID: aa82ab3995de3935e6727d947cb2bd0e3876d59c6d9623ce98a17a39b04bf081
Opcode Fuzzy Hash: 2e72c9ebfc19e7403a65945d55937a119cc11725f60109d9f94943b84faf3f65
Instruction Fuzzy Hash: 67B1E230A00244DFDB14DF65C549B9EBBF1AF45304F1584AAE8459B392E778EE84CB0A

Function 00454498 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F

Strings

NUL, xrefs: 00454641
[rename], xrefs: 004545E2, 0045461E
WININIT.INI, xrefs: 0045452D
MoveFileEx, xrefs: 0045478F
.tmp, xrefs: 0045453B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 4a2274e56af3fbfcb9aacc656bff9e3b9647cb3a559fec57fce4c80b10c2dbcd
Instruction ID: e87d0749b1697b84d3b9cc82c23e20e51564d8fa8ce324392089b518a873d649
Opcode Fuzzy Hash: 4a2274e56af3fbfcb9aacc656bff9e3b9647cb3a559fec57fce4c80b10c2dbcd
Instruction Fuzzy Hash: B8913334E001499BDB01EFA5D882BDEB7B5EF49309F508467E900BB292D77C9E49CB58

Function 00477E98 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00477EF1
SetWindowLongW.USER32(00000000,000000FC,Function_00077E4C), ref: 00477F18
GetACP.KERNEL32(00000000,00478130,?,00000000,0047815A), ref: 00477F55
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00477F9B

Strings

Inno Setup: Language, xrefs: 00478023
COMBOBOX, xrefs: 00477EEA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: deb51ddf8cca9870b91e1d9d0dcad9b4f5c78b57c6cc0b96f0beb683c572e979
Instruction ID: 81c94a85f2d0ae2d33cbd4ee74d6221623364a49e9b2571c8ba4411711431487
Opcode Fuzzy Hash: deb51ddf8cca9870b91e1d9d0dcad9b4f5c78b57c6cc0b96f0beb683c572e979
Instruction Fuzzy Hash: 65813C34A00205DFD710EF69C989AAAB7F0FB49304F55C1BAE848D7362DB38AD45CB59

Function 0047E980 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58), ref: 0047EAD0
FindClose.KERNEL32(000000FF,0047EAFB,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58,00000000), ref: 0047EAEE

Strings

TG, xrefs: 0047E9C0, 0047E9D7
TG, xrefs: 0047EB72, 0047EA9F, 0047EAA5, 0047EB75

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: TG$TG
API String ID: 2066263336-2531790037
Opcode ID: e11fe1f409109a0bb18fd9fab999c4355e57a24987c5da876cabd545c71bdb31
Instruction ID: 49c023a3d40347f396a503d53546bb693b8cfca30f5629bd36de7deb8458e88f
Opcode Fuzzy Hash: e11fe1f409109a0bb18fd9fab999c4355e57a24987c5da876cabd545c71bdb31
Instruction Fuzzy Hash: F5812C7490024D9FDF11DF96C841ADFBBB9EF4D304F1081EAE508A7291D6399A46CF54

Function 00408B70 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408DB8,?,?,?,?,00000000,00000000,00000000,?,00409DBF,00000000,00409DD2), ref: 00408B8A

Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6

Part of subcall function 00408A04: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C06,?,?,?,00000000,00408DB8), ref: 00408A17

Strings

m/d/yy, xrefs: 00408C59
:mm:ss, xrefs: 00408D86
mmmm d, yyyy, xrefs: 00408C7B
AMPM, xrefs: 00408D55
:mm, xrefs: 00408D6C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: c69c3147cd56940e9f4fd8337a0fbc887525be67d32930313bc35b703755f031
Instruction ID: a8d7ab9d838d1b353a0e5ff474912d8a0235132b07344be0acb9e4c83fee81e1
Opcode Fuzzy Hash: c69c3147cd56940e9f4fd8337a0fbc887525be67d32930313bc35b703755f031
Instruction Fuzzy Hash: D8513D34B001486BDB01FBA5DA41A9F77A9DB98308F50947FB181BB7C6CE3CDA068759

Function 00411B44 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411D49), ref: 00411BDC
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411C9A

Part of subcall function 00411EFC: CreatePopupMenu.USER32 ref: 00411F16

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D26

Part of subcall function 00411EFC: CreateMenu.USER32 ref: 00411F20

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D0D

Strings

,, xrefs: 00411BEF
?, xrefs: 00411BF6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: c987c748b65508a950cf3f2169e5bd87e5634fb74b346734da7ef3b4f05fb7f7
Instruction ID: 125356fab78159fbe3d4b3b77ff780d7a0eb3536e5c02055c9c5492709250fea
Opcode Fuzzy Hash: c987c748b65508a950cf3f2169e5bd87e5634fb74b346734da7ef3b4f05fb7f7
Instruction Fuzzy Hash: 7D512674A001049BDB10EF6AED815EE7BF9EF08304B1141BAFA04E73A2E738D941CB58

Function 0041C2B3 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041C378
GetObjectA.GDI32(?,00000018,?), ref: 0041C387
GetBitmapBits.GDI32(?,?,?), ref: 0041C3D8
GetBitmapBits.GDI32(?,?,?), ref: 0041C3E6
DeleteObject.GDI32(?), ref: 0041C3EF
DeleteObject.GDI32(?), ref: 0041C3F8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C415

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 8204310b78e8d6a6cf9899529667619705c527fa466c5b93b01e90bd2c764378
Instruction ID: 7028de2688ff158aa25c0b8276400e232655bb6670dd4605646626e5bfc1af4e
Opcode Fuzzy Hash: 8204310b78e8d6a6cf9899529667619705c527fa466c5b93b01e90bd2c764378
Instruction Fuzzy Hash: F651F671E002199FCB50DFE9C8819EEB7F9EB48314B218066F914E7295D638AD81CB68

Function 0041D328 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D34E
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D36D
SelectPalette.GDI32(?,?,00000001), ref: 0041D3D3
RealizePalette.GDI32(?), ref: 0041D3E2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D44C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D48A
SelectPalette.GDI32(?,?,00000001), ref: 0041D4AF

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: 11edf0dba9517228aa32d7039567d0e1bdcd43b434536bf7bada936ddc7c4efc
Instruction ID: 60201597840efc574cdf5035eb35bbfd27a544e021146ecd029e3556dfc27432
Opcode Fuzzy Hash: 11edf0dba9517228aa32d7039567d0e1bdcd43b434536bf7bada936ddc7c4efc
Instruction Fuzzy Hash: 305121B0A00604AFD714DFA9C985F9AB7F9EF08304F14859AB944D7392C778ED80CB58

Function 00457AD8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00457B2A

Part of subcall function 004246CC: GetWindowTextA.USER32(?,?,00000100), ref: 004246EC

Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
Part of subcall function 0041F2F4: EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457B91
TranslateMessage.USER32(?), ref: 00457BAF
DispatchMessageA.USER32(?), ref: 00457BB8

Strings

[Paused] , xrefs: 00457B60

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 98084dd36b6af8f16272a20be3aacf42a012ac0efe2a720a42a28a5909de81af
Instruction ID: d952aa0340fda6d06c899081e645d661bac1146de2c671e539639067201b9655
Opcode Fuzzy Hash: 98084dd36b6af8f16272a20be3aacf42a012ac0efe2a720a42a28a5909de81af
Instruction Fuzzy Hash: BB3196309082445EDB11DFB9E845FDE7BF8DB49318F5180B7E814E7292D67CA909CB29

Function 0046C0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046C21F), ref: 0046C19C
LoadCursorA.USER32(00000000,00007F02), ref: 0046C1AA
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1B0
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1BA
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1C0

Strings

CheckPassword, xrefs: 0046C144

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: c2fe5332046b00ec619954058f05e209d56247e563ca7958298a020a06cd3411
Instruction ID: ee4704442a97aa51a819b3d11b93b6eea7a80086b594a8aac8f18d25b90f0006
Opcode Fuzzy Hash: c2fe5332046b00ec619954058f05e209d56247e563ca7958298a020a06cd3411
Instruction Fuzzy Hash: 063175346402449FD711EF69C8C9F9E7BE4AF49304F5580BAB9449B3E2E7789E40CB49

Function 00478EB4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00478DDC: GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
Part of subcall function 00478DDC: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
Part of subcall function 00478DDC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD

SendMessageA.USER32(00000000,0000004A,00000000,0047926E), ref: 00478EE9
GetTickCount.KERNEL32 ref: 00478F2E
GetTickCount.KERNEL32 ref: 00478F38
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00478F8D

Strings

CallSpawnServer: Unexpected response: $%x, xrefs: 00478F1E
CallSpawnServer: Unexpected status: %d, xrefs: 00478F76

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: c46d90ec627eec355b04474858c9833e0dc615cc8fb62d212e36d073c5026e7c
Instruction ID: 2b74b3330966d0da2430542d23b63ad4dc4eec681a1128910255243e8f8c0985
Opcode Fuzzy Hash: c46d90ec627eec355b04474858c9833e0dc615cc8fb62d212e36d073c5026e7c
Instruction Fuzzy Hash: E0319374F502149ADB10EBB9884A7EE76A19F48304F50843EF148EB382DA7C4D0187A9

Function 00459F80 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A03B

Strings

Fusion.dll, xrefs: 00459FDB
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A046
CreateAssemblyCache, xrefs: 0045A032
.NET Framework CreateAssemblyCache function failed, xrefs: 0045A05E
Failed to load .NET Framework DLL "%s", xrefs: 0045A020

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 9d9456cadcc6d1d315cbfafabf714a56aeba3fe1243bbf9102a6a40f5fef5107
Instruction ID: ac224aa19d502af52a8aeeb8631c7515eb40ef1487658bef2565bb8923ebe5d4
Opcode Fuzzy Hash: 9d9456cadcc6d1d315cbfafabf714a56aeba3fe1243bbf9102a6a40f5fef5107
Instruction Fuzzy Hash: 7931A971E006059FDB10EFA5C88169EB7B4AF44715F50867BE814E7382D7389E18C79A

Function 0041C598 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C498: GetObjectA.GDI32(?,00000018), ref: 0041C4A5

GetFocus.USER32 ref: 0041C5B8
GetDC.USER32(?), ref: 0041C5C4
SelectPalette.GDI32(?,?,00000000), ref: 0041C5E5
RealizePalette.GDI32(?), ref: 0041C5F1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C608
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C630
ReleaseDC.USER32(?,?), ref: 0041C63D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
Instruction ID: 5608d60df95c2c9a4937b8f20fdaccdf81dd4bf5f719291f5ec9f8ce647d196e
Opcode Fuzzy Hash: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
Instruction Fuzzy Hash: 00116DB1A00619BBDF10DBA9CC85FAFB7FCEF48700F14446AB614E7281D67899008B28

Function 004190A4 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 004190C0
GetSystemMetrics.USER32(0000000D), ref: 004190C8
6FB62980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 004190CE

Part of subcall function 00410C48: 6FB5C400.COMCTL32(?,000000FF,00000000,004190FC,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00410C4C

6FBCCB00.COMCTL32(?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 0041911E
6FBCC740.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419129
6FBCCB00.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000), ref: 0041913C
6FB60860.COMCTL32(?,0041915F,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E), ref: 00419152

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$B60860B62980C400C740
String ID:
API String ID: 2995079530-0
Opcode ID: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
Instruction ID: 9903b46d79d4c0b31f098cc3390b5efedd2ad94e5cf824da9eef417fc70482b9
Opcode Fuzzy Hash: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
Instruction Fuzzy Hash: 0611B971B44204BBEB14EFA5CC87F9E73B9EB09704F504166B604EB2C1E5B99D848B58

Function 00485058 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00485110), ref: 004850F5

Strings

WinNT, xrefs: 004850A5
ServerNT, xrefs: 004850D9
System\CurrentControlSet\Control\ProductOptions, xrefs: 0048507C
LanmanNT, xrefs: 004850BF
ProductType, xrefs: 00485094

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 184b19cebd6d8334b1e93ba3aa01aba398a8e66ee23a853c067fda7279a9c5b5
Instruction ID: 02a49102d00d8724c0d73e8972acf5231ddb46999e19ea23a0f5791770e41de6
Opcode Fuzzy Hash: 184b19cebd6d8334b1e93ba3aa01aba398a8e66ee23a853c067fda7279a9c5b5
Instruction Fuzzy Hash: FE11B230A04644ABDB00F766DC56B5F7BA8DB42744F508877A800DB782D73D9E41975D

Function 0044CD48 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044CD18: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CD30

LoadLibraryA.KERNEL32(00000000,00000000,0044CE0A,?,?,?,?,00000000,00000000), ref: 0044CD92
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CDA3
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CDB3

Strings

oleacc.dll, xrefs: 0044CD7F
CreateStdAccessibleObject, xrefs: 0044CDAD
LresultFromObject, xrefs: 0044CD9D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2141747552-1050967733
Opcode ID: ffe80d66edf329cef2b7eeb74166804ed389ba2e745c026748ea17e8f4cabc36
Instruction ID: 55534d0cd89e21a5042de7d2cb1dd0110792ae2e246426a933e63f936c6ed6e6
Opcode Fuzzy Hash: ffe80d66edf329cef2b7eeb74166804ed389ba2e745c026748ea17e8f4cabc36
Instruction Fuzzy Hash: 361151B0A01704AFF710EFA1DCC2B5A7BA8E758719F64047BE400666A1DBBD9D448A1C

Function 00496DF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00496E01

Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7

SelectObject.GDI32(00000000,00000000), ref: 00496E23
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004973A1), ref: 00496E37
GetTextMetricsA.GDI32(00000000,?), ref: 00496E59
ReleaseDC.USER32(00000000,00000000), ref: 00496E76

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00496E2E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
Instruction ID: 569e85929f3d385eaff6f9e1b1d1d5c6dd8a65a34f46b30b3a8bef4bdf425d44
Opcode Fuzzy Hash: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
Instruction Fuzzy Hash: 36018476A04608AFDB05DBE9CC41F5FB7ECDB49704F11047ABA04E7281D678AE008B68

Function 0041B8B2 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B8C0
SelectObject.GDI32(?,00000000), ref: 0041B8CF
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
SelectObject.GDI32(00000000,00000000), ref: 0041B909
SelectObject.GDI32(?,00000000), ref: 0041B917
DeleteDC.GDI32(00000000), ref: 0041B920
DeleteDC.GDI32(?), ref: 0041B929

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
Instruction ID: b8528283d587f8f5f7158778d976388ea9280e6d202ec49eeb693ac58173ed71
Opcode Fuzzy Hash: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
Instruction Fuzzy Hash: 5A118EB2F04619ABDB10D6DDC885FEFB7BCEB08314F044415B614FB241C678AD418B54

Function 004237E4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004237FF
WindowFromPoint.USER32(?,?), ref: 0042380C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042381A
GetCurrentThreadId.KERNEL32 ref: 00423821
SendMessageA.USER32(00000000,00000084,?,?), ref: 0042383A
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423851
SetCursor.USER32(00000000), ref: 00423863

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: fba33d789b5f9dac747d9de6da7c9d6faa9ef010ba63e634e26d5bfbf65e3e3b
Instruction ID: d55a13ab3e3fc67d9c1f0c697d1027359b93869cc9afd0973a071b09e334c979
Opcode Fuzzy Hash: fba33d789b5f9dac747d9de6da7c9d6faa9ef010ba63e634e26d5bfbf65e3e3b
Instruction Fuzzy Hash: 9901D42230521036D6207B7A5C86E2F22E8CBC5B65F51443FB609BF282D93D8C01976D

Function 00496C14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 00496C24
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00496C31
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00496C3E

Strings

GetMonitorInfoA, xrefs: 00496C38
MonitorFromRect, xrefs: 00496C2B
user32.dll, xrefs: 00496C1F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: a15c728cd8d599267d60a144e17c2b77475c085beb782b7d7897845305a9bbaf
Instruction ID: 0100053a3692f287516410ec157e21cb1b88c24c6f2ed11ec452f60a58bd69cd
Opcode Fuzzy Hash: a15c728cd8d599267d60a144e17c2b77475c085beb782b7d7897845305a9bbaf
Instruction Fuzzy Hash: 5AF0F692701B1526DA1025764C81B7B698CCBC27A0F060037BD85A7382E9AD9C0552AD

Function 0045D984 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D98D
GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D99D
GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D9AD

Strings

ISCryptGetVersion, xrefs: 0045D987
ArcFourCrypt, xrefs: 0045D9A7
ArcFourInit, xrefs: 0045D997

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: 42b372105176c7b3ae22dc402b1945839026cfe0be44895b4df4f1b0478ef8df
Instruction ID: 0705cba7109997b41c54f5ec5154c4026f190107a5f336fc7dc4235633f43cad
Opcode Fuzzy Hash: 42b372105176c7b3ae22dc402b1945839026cfe0be44895b4df4f1b0478ef8df
Instruction Fuzzy Hash: E9F030F1901620EBF314EF77AC457273695EBA4302F14843BA445E11B2D7BA085AEA2C

Function 0045DE84 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DE8D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DE9D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DEAD

Strings

BZ2_bzDecompressEnd, xrefs: 0045DEA7
BZ2_bzDecompressInit, xrefs: 0045DE87
BZ2_bzDecompress, xrefs: 0045DE97

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 23227c11640e968cece00dcc8d99c1daeac6667b5c25bc9180a105fe17196e12
Instruction ID: ffc1661d06bbefe96a91e36acebf6432405697aaa326f86a6f465272ccde7cfc
Opcode Fuzzy Hash: 23227c11640e968cece00dcc8d99c1daeac6667b5c25bc9180a105fe17196e12
Instruction Fuzzy Hash: 84F01DB1D00A18DED724DF37AC4A72736D5EF74316F08843BA9465A2A2D7B80858DF1D

Function 00479E68 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B

Strings

VerSetConditionMask, xrefs: 00479E75
VerifyVersionInfoW, xrefs: 00479E85
kernel32.dll, xrefs: 00479E69

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: e485ad2fa94f161872b4193887792cc46d5bcb190675b0327a10f44422fb05aa
Instruction ID: 2eb801612c02c2f681ec2550ef92dd2b82403b3208254216f30f7223daafca7c
Opcode Fuzzy Hash: e485ad2fa94f161872b4193887792cc46d5bcb190675b0327a10f44422fb05aa
Instruction Fuzzy Hash: BFC0C9E1680710A9D600F7725C82DBB2548D510B25310883FB499651D2E7BD0C144A2C

Function 0041BABC Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BB95
GetDC.USER32(?), ref: 0041BBA1
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BBD6
RealizePalette.GDI32(00000000), ref: 0041BBE2
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC10
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC44

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
Instruction ID: d5c29bb792210f064481fc70285f12689ccfb8d13ad776c980584781b3891df8
Opcode Fuzzy Hash: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
Instruction Fuzzy Hash: E4511E74A002099FCF11DFA9C895AEEBBB5FF49704F10406AF500A7790D779AD81CBA9

Function 0041BD8C Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BE67
GetDC.USER32(?), ref: 0041BE73
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEAD
RealizePalette.GDI32(00000000), ref: 0041BEB9
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BEDD
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF11

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
Instruction ID: 6bf5c6e251c24ad455d3524f1730cbba616f151bd8f8db37d5e0169c444cf9bf
Opcode Fuzzy Hash: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
Instruction Fuzzy Hash: FD511875A002089FCB11DFA9C891AAEBBF5FF49700F11846AF504EB390D7789D40CBA8

Function 0041B958 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B9CE
GetDC.USER32(?), ref: 0041B9DA
GetDeviceCaps.GDI32(?,00000068), ref: 0041B9F6
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA13
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA2A
ReleaseDC.USER32(?,?), ref: 0041BA76

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
Instruction ID: 59801f7e5fcc4ac8ef53bb63f5e7b2fd9dc64a74171921ba3453a8653c00992f
Opcode Fuzzy Hash: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
Instruction Fuzzy Hash: A941C371A042189FCB10DFB9C885A9FBBB4EF49740F1484AAF940EB351D2389D11CBA5

Function 0045D848 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D980,?,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8F2

Strings

MACHINE, xrefs: 0045D896
CURRENT_USER, xrefs: 0045D887
USERS, xrefs: 0045D8A5
CLASSES_ROOT, xrefs: 0045D878

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: bceaa7c9d38e855be30fb0ce12922fb4a40a0d74626b7c5ce76b3f9998da2675
Instruction ID: 7ee2480e64cf5dcc37247868779a06df4fe5ff89f2b42202383772de8024ccfa
Opcode Fuzzy Hash: bceaa7c9d38e855be30fb0ce12922fb4a40a0d74626b7c5ce76b3f9998da2675
Instruction Fuzzy Hash: 4811BB75A04204AFE731EBE1C941B9E76ADDF44306F604077AD0496383D67C5F0A952D

Function 0041C1DC Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041C225
GetSystemMetrics.USER32(0000000C), ref: 0041C22F
GetDC.USER32(00000000), ref: 0041C239
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C260
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C26D
ReleaseDC.USER32(00000000,00000000), ref: 0041C2A6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 3e92d3a5d6c5ecb792e0ebd5600fae34c9b68402c42568e6e1a494463c386ac3
Instruction ID: bd62dbbe377736d475eb9c8390e540ebf9edbe2df99a0055a8dbd9c6863756d8
Opcode Fuzzy Hash: 3e92d3a5d6c5ecb792e0ebd5600fae34c9b68402c42568e6e1a494463c386ac3
Instruction Fuzzy Hash: CA214A74E44608AFEB00EFE9C942BEEB7B4EB48700F10806AF514B7381D6785940CB69

Function 00474770 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045D848: SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3

GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 004747FD
GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 00474813

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 00474807
Setting permissions on registry key: %s\%s, xrefs: 004747C2
I, xrefs: 00474785
Failed to set permissions on registry key (%d)., xrefs: 00474824

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s$I
API String ID: 1452528299-1959139981
Opcode ID: 40002a2b523bad2bc16d082c9118fd55218ee378fda0ce6c738a3dac2472acc1
Instruction ID: 89f83d431bb9d789a293ecef52b9ab2aae7d8ed3921fa29d9781309811a141fd
Opcode Fuzzy Hash: 40002a2b523bad2bc16d082c9118fd55218ee378fda0ce6c738a3dac2472acc1
Instruction Fuzzy Hash: 15217774A042485FDB00EBA9C8416FEBBE8DB89314F51817BE414E7392DB785D058BAA

Function 00413A8C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413AB4
GetWindowLongA.USER32(?,000000F0), ref: 00413ABF
GetWindowLongA.USER32(?,000000F4), ref: 00413AD1
SetWindowLongA.USER32(?,000000F4,?), ref: 00413AE4
SetPropA.USER32(?,00000000,00000000), ref: 00413AFB
SetPropA.USER32(?,00000000,00000000), ref: 00413B12

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
Instruction ID: a594f7604add2a8bfce9427623ad02c9736cb33a5a72341fbb506abd62de3718
Opcode Fuzzy Hash: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
Instruction Fuzzy Hash: 0811CC75500244BFDF00DF99ED88E9A3BE8EB09364F104276B914DB2E1D739D990CB94

Function 0047FA5C Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047FA6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046DA09), ref: 0047FA90
GetWindowLongA.USER32(?,000000EC), ref: 0047FAA0
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047FAC1
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047FAD5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047FAF1

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: abe530f147a2c3f98821beb69050e02df951cc1f08551c366297f014f152c27b
Instruction ID: ffd9c37a1d4b3a018da72acb707aca8a1d598a80d0625303fdebb2ead6bb840a
Opcode Fuzzy Hash: abe530f147a2c3f98821beb69050e02df951cc1f08551c366297f014f152c27b
Instruction Fuzzy Hash: D301E9B6A54210ABD600DB78CD41F6637E8AB0C310F0A4776FA5DDF3E3C679D8048A08

Function 0041B6C0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041AB30: CreateBrushIndirect.GDI32 ref: 0041AB9B

UnrealizeObject.GDI32(00000000), ref: 0041B6CC
SelectObject.GDI32(?,00000000), ref: 0041B6DE
SetBkColor.GDI32(?,00000000), ref: 0041B701
SetBkMode.GDI32(?,00000002), ref: 0041B70C
SetBkColor.GDI32(?,00000000), ref: 0041B727
SetBkMode.GDI32(?,00000001), ref: 0041B732

Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 591f5e0a38fc1ca3dbe863e806ec08e439b2c286ec032ca355b2d19c4403f824
Instruction ID: 4060aa1d5abe481981ad85160ceff6bfe730d60da31349b060da60163fdb8f1a
Opcode Fuzzy Hash: 591f5e0a38fc1ca3dbe863e806ec08e439b2c286ec032ca355b2d19c4403f824
Instruction Fuzzy Hash: AAF0CD75601100ABDE04FFBADACAE4B77989F043097048057B908DF197CA7CE8A08B3A

Function 004730AC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 272fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 00473259
FindClose.KERNEL32(000000FF,00473284,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473277
FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 0047337B
FindClose.KERNEL32(000000FF,004733A6,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473399

Strings

I, xrefs: 004730E9, 00473123, 004732E0

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: I
API String ID: 2066263336-1966777607
Opcode ID: a31a6a5648234e5cb0923a032fe52309569a1865c7db3c93c70807436b28b198
Instruction ID: 1af051264105f0c3ac5173717805306f181c97d1b343904b0a5707565e1f6f82
Opcode Fuzzy Hash: a31a6a5648234e5cb0923a032fe52309569a1865c7db3c93c70807436b28b198
Instruction Fuzzy Hash: F2C13C7490425DAFCF11DFA5C881ADEBBB9FF49304F5081AAE808A3351D7399A46CF54

Function 00455E74 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045600B,?,00000000,0045604B), ref: 00455F51

Strings

WININIT.INI, xrefs: 00455F80
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455ED4
PendingFileRenameOperations, xrefs: 00455EF0
PendingFileRenameOperations2, xrefs: 00455F20

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 679b7e238b747a900a1d78574552d21c233e10934bd7a42400cae956030b9349
Instruction ID: cd3286cbb97796e9ecd700c4ab963dac99c65abdd87cbf21601b40f17af9d083
Opcode Fuzzy Hash: 679b7e238b747a900a1d78574552d21c233e10934bd7a42400cae956030b9349
Instruction Fuzzy Hash: 1551B930E001089FDB11EF61DC51ADEB7B9EF44705F5085BBE804A72D2DB39AE45CA58

Function 00499644 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

ShowWindow.USER32(?,00000005,00000000,004998A9,?,?,00000000), ref: 0049967A

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 004076F8: SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703

Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1

Strings

.msg, xrefs: 004996E0
IMsg, xrefs: 0049974E
.dat, xrefs: 004996C1
Uninstall, xrefs: 00499660

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 8960146029bae1e099bb11d562e02c400649e9705784a1803d45dcdeac2d7493
Instruction ID: 4da38b6a349b60b5a60df07f01633cb26419001f7db46277bbb3aa66fc0d4d29
Opcode Fuzzy Hash: 8960146029bae1e099bb11d562e02c400649e9705784a1803d45dcdeac2d7493
Instruction Fuzzy Hash: A1313074A10114AFCB01FFAACC5295E7B75FB49318B51887AF800A7352EB39AD04CB59

Function 0042EEF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF2A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF30
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF59

Strings

ShutdownBlockReasonCreate, xrefs: 0042EF20
user32.dll, xrefs: 0042EF25

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 4909e3a44c9574a33af1a6d6175f83ff597f9852c03ec5bbf872ce4ad15676b8
Instruction ID: 50bd107db23699165094570332042a9a2090c4fb9dd7a9a9ac1c8e9692f1be1d
Opcode Fuzzy Hash: 4909e3a44c9574a33af1a6d6175f83ff597f9852c03ec5bbf872ce4ad15676b8
Instruction Fuzzy Hash: D7F0F0E134062237E620B27FAC86F7F55CC8F94729F150036B608EA2C2EA7C9905426F

Function 004587F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458824
GetExitCodeProcess.KERNEL32(?,?), ref: 00458845
CloseHandle.KERNEL32(?,00458878), ref: 0045886B

Strings

GetExitCodeProcess, xrefs: 0045884E
MsgWaitForMultipleObjects, xrefs: 00458831

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: b59af786c083e6c34fb912d8588e02e36760330094b26c60bb33ca54220cd61b
Instruction ID: 4c05e8df3edacc9d455a33c3a45c96e3e51f685ffe720196e50d624f784124f1
Opcode Fuzzy Hash: b59af786c083e6c34fb912d8588e02e36760330094b26c60bb33ca54220cd61b
Instruction Fuzzy Hash: 3E01A274A00204AFDB10FBA98C52A1E73A8EB45715FA0057AFD10F73D2DE39AD048A28

Function 0042E294 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2A0
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E43B,00000000,0042E453,?,?,?,?,00000006,?,00000000,00499145), ref: 0042E2BB
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E2C1

Strings

RegDeleteKeyExA, xrefs: 0042E2B1
advapi32.dll, xrefs: 0042E2B6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: ca0444e3bc953f0923e60f390370d63413f52414311339a67af6d41f50ed8dcb
Instruction ID: a3ecee3a08e4bdafa542c89306e26d0a5ab5c090d3d5ae483566a3001d088d92
Opcode Fuzzy Hash: ca0444e3bc953f0923e60f390370d63413f52414311339a67af6d41f50ed8dcb
Instruction Fuzzy Hash: B8E065B0740234EAD7142A66BC4AFA7260CEB54726F940877F10A661D187BC1C40D66C

Function 0042EE6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,00482671), ref: 0042EE85
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE8B
InterlockedExchange.KERNEL32(0049D66C,00000001), ref: 0042EE9C

Part of subcall function 0042EDFC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
Part of subcall function 0042EDFC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
Part of subcall function 0042EDFC: InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29

Strings

ChangeWindowMessageFilterEx, xrefs: 0042EE7B
user32.dll, xrefs: 0042EE80

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 3478007392-2676053874
Opcode ID: a3d955b5560f8b4c6289ef72ce3cb66c17517e36b964d74717be9c5fdcb5fa2d
Instruction ID: d923442659e3b0e51499426f76f6993fec2ee5a704375d7ef0c30b5e995126c2
Opcode Fuzzy Hash: a3d955b5560f8b4c6289ef72ce3cb66c17517e36b964d74717be9c5fdcb5fa2d
Instruction Fuzzy Hash: 1AE06DF1B40724AAEF107B766C86B9B2668EB50769F55003BF104A61E1C7FD0C408A6C

Function 0042EDFC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29

Strings

user32.dll, xrefs: 0042EE0D
ChangeWindowMessageFilter, xrefs: 0042EE08

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 4de3487d94fd114c3b2bb058bfcb274bcbe27e7359df3e53473647ae16ccabd6
Instruction ID: 37ab6c1781d9ace597be808b0f82a5ae7151ca86b9dce60fc565c366ef428a29
Opcode Fuzzy Hash: 4de3487d94fd114c3b2bb058bfcb274bcbe27e7359df3e53473647ae16ccabd6
Instruction Fuzzy Hash: 76E0ECB1B41320AAEA1137726C8AF5726559B2471DF950437F108671E2C6FC1C84C91D

Function 00478DDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD

Strings

AllowSetForegroundWindow, xrefs: 00478DED
user32.dll, xrefs: 00478DF2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 039e6950e57f331d16d5f4eb2fccd4f1736c1480a787f4a3666a96763cbb7aae
Instruction ID: c95bb4f0dd120990503e7052118a19d741abdcedadff55ee9c16c600a1fe714f
Opcode Fuzzy Hash: 039e6950e57f331d16d5f4eb2fccd4f1736c1480a787f4a3666a96763cbb7aae
Instruction Fuzzy Hash: EFD09EB168060165E910B3B69D4AE9B235C89847647248C3FB458E2586DF7CD894457D

Function 0041707C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004170A2
SaveDC.GDI32(?), ref: 004170D3
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00417195), ref: 00417134
RestoreDC.GDI32(?,?), ref: 0041715B
EndPaint.USER32(00000000,?,0041719C,00000000,00417195), ref: 0041718F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: d3cb791d7785fb4fc35c1181fb0c895e71633609ec102f90fedaf0bd5e116ec9
Instruction ID: 2d0e89e5730252ba578d2efb55dda1d595b63161fefa896777b830b1b9f6ffa1
Opcode Fuzzy Hash: d3cb791d7785fb4fc35c1181fb0c895e71633609ec102f90fedaf0bd5e116ec9
Instruction Fuzzy Hash: 9B412170A08204AFDB04DFA5C985FAA77F9FF48314F1544AEE4059B362C7789D85CB18

Function 00414C50 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414C86
MulDiv.KERNEL32(?,?,?), ref: 00414CA0
MulDiv.KERNEL32(?,?,?), ref: 00414CC9
MulDiv.KERNEL32(?,?,?), ref: 00414CF4
MulDiv.KERNEL32(00000000,?,00000000), ref: 00414D3C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea1a8f7c9869be2cd73ede4559f3beb1d50bc075a71ac7122178a7397227914
Instruction ID: f067b59d413d1c4671d71e094a7f62e666ee1dcd53ee7561759f320ec3b01eff
Opcode Fuzzy Hash: eea1a8f7c9869be2cd73ede4559f3beb1d50bc075a71ac7122178a7397227914
Instruction Fuzzy Hash: 6F314F70605740AFC720EF69D984BABB7E8AF89314F04891EF9D5C7751D638EC808B59

Function 0041C008 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041C01A
GetSystemMetrics.USER32(0000000C), ref: 0041C024
GetDC.USER32(00000000), ref: 0041C062
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0A9
DeleteObject.GDI32(00000000), ref: 0041C0EA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: e9779dfffb4f21f61e506df0ae377518d2b748fc237c0f7807fdb933fd26a7eb
Instruction ID: f919feb2cfdf9cb53746996a9db251afb7e4286801c3fccb61a5d2ca1bdc7bf1
Opcode Fuzzy Hash: e9779dfffb4f21f61e506df0ae377518d2b748fc237c0f7807fdb933fd26a7eb
Instruction Fuzzy Hash: A3313E74A40205EFDB04DFA5C981AAEB7F5EB48704F11856AF510AB381D7789E80DB98

Function 00429C1C Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C58
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C87
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429CA3
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429CCE
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429CEC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6f2f314a4364933bab3318e288dd70a8d34a507adfc9435400f142d56b41fc4f
Instruction ID: 0478e77fbb77d274a7bfb783d11adee83c5a4069cdde94f0426c34ba09fc350e
Opcode Fuzzy Hash: 6f2f314a4364933bab3318e288dd70a8d34a507adfc9435400f142d56b41fc4f
Instruction Fuzzy Hash: 222190707107147AE710AFA7DC82F4B76EC9B40704F90443E7906AB2D2DAB8ED41861D

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 67daf853af92f19bd36af3157ccd0aae30d6e3cf77030be0de76c974993ddc75
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 67daf853af92f19bd36af3157ccd0aae30d6e3cf77030be0de76c974993ddc75
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 00414830 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414869
RealizePalette.GDI32(00000000), ref: 00414871
SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414885
RealizePalette.GDI32(00000000), ref: 0041488B
ReleaseDC.USER32(00000000,00000000), ref: 00414896

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: fa3b9403a46652b92fdf4541f93f936de0ad42420f7af6617674ce52f43e61da
Instruction ID: aeb03e62d8ddadf83c94429ec28f403801e3a8d1cb621d3e7bfc21001d019430
Opcode Fuzzy Hash: fa3b9403a46652b92fdf4541f93f936de0ad42420f7af6617674ce52f43e61da
Instruction Fuzzy Hash: 3201DF7520C3806AD600B63D8C85A9F6BEC9FCA314F15946EF484DB3C2CA7AC8018761

Function 0046C7D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

NextButtonClick, xrefs: 0046C90C
PrepareToInstall failed: %s, xrefs: 0046CB2E
Need to restart Windows? %s, xrefs: 0046CB55

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: 7995bdfdbdd3e32e782b8c0e5ba75bf3895e757cd3822a1da008895215e1baaf
Instruction ID: 93777efb9077a0228fe374709ad1741880755db4a3f7640889f56f3bdeecc4c5
Opcode Fuzzy Hash: 7995bdfdbdd3e32e782b8c0e5ba75bf3895e757cd3822a1da008895215e1baaf
Instruction Fuzzy Hash: 9CD17F34A00108DFCB10EFA9C585AED7BF5EF49304F6444BAE444AB352E738AE45DB5A

Function 00484470 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,004847C1), ref: 00484594
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00484632

Strings

Need to restart Windows? %s, xrefs: 0048466F
, xrefs: 004846EF

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 01432450a53447772db983c2a16f0375cc0bb0169f9e3e9a68e40412bc744ea7
Instruction ID: cbf7044c9224e5df34f4324165486d78489046a6efa1a602e4c0c9b5677eb74d
Opcode Fuzzy Hash: 01432450a53447772db983c2a16f0375cc0bb0169f9e3e9a68e40412bc744ea7
Instruction Fuzzy Hash: C591A334A042459FDB10FB66D885B9D77E0AF5A308F1444BBE800973A2D77CAD45CB5E

Function 00470938 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

GetLastError.KERNEL32(00000000,00470B35,?,?,0049E1E4,00000000), ref: 00470A12
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00470A8C
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00470AB1

Strings

Creating directory: %s, xrefs: 004709FA

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 142c4ae56cb069a727c0f936144b10c711126b3f859f6c1206bb5652110a1900
Instruction ID: 27f0dcb835b35bf1686b0556d16ec1317b7bae4cbab61287d01ee882f408922b
Opcode Fuzzy Hash: 142c4ae56cb069a727c0f936144b10c711126b3f859f6c1206bb5652110a1900
Instruction Fuzzy Hash: 0251FE74E01248ABDB01DFA5C982BDEB7F5AF48308F50856AE844B7382D7785F04CB59

Function 004073F4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407453
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 004074CD
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407525

Strings

Z, xrefs: 0040748C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: ef725f5677505cc1ece444b72ce86a205eac34b3eeee73834d2775d04d947be5
Instruction ID: 2310e9831ee7c99a0a8649866770d0a98cc310fb2cf5807583ec8a4e9daa3455
Opcode Fuzzy Hash: ef725f5677505cc1ece444b72ce86a205eac34b3eeee73834d2775d04d947be5
Instruction Fuzzy Hash: 41519070E04208AFDB11DF99C845A9EBBB9EB49314F1448BAE400B72D1D778AE418B5A

Function 0044D598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D626
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D651
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D6D9

Strings

, xrefs: 0044D60B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
Instruction ID: 5f00bac91b28cdab45bfb944687f04cfacea2c0ae70fe3b1c590f7ffbabf3d5b
Opcode Fuzzy Hash: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
Instruction Fuzzy Hash: 7C517271E00248AFDB11DFA9C885BDEBBF8AF49304F15847AE805EB252D7389944CB64

Function 0042F400 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042F42A

Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7

SelectObject.GDI32(?,00000000), ref: 0042F44D
ReleaseDC.USER32(00000000,?), ref: 0042F52C

Strings

...\, xrefs: 0042F4DE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
Instruction ID: 21909acc4746510f695b318a8719c62c66087a48e53e42bcbae852ee139bb065
Opcode Fuzzy Hash: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
Instruction Fuzzy Hash: E1314270B00229ABDB11EF9AD851BAEB7F9EB48308F90447BF410A7291C7785E45CA59

Function 0045553C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004555EA
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004556B0), ref: 00455654

Strings

sfc.dll, xrefs: 004555AC
SfcIsFileProtected, xrefs: 004555E4

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 250a850b541f85dbc24e948d1e5368daa5a96329426638f56c6792f2477b35ea
Instruction ID: f46810b5b314b431af4f43299c3fabe32507941823b9175d405aae5aeba4d308
Opcode Fuzzy Hash: 250a850b541f85dbc24e948d1e5368daa5a96329426638f56c6792f2477b35ea
Instruction Fuzzy Hash: 9141A470A00618AFEB20DF55DC95BAD77B8AB04319F5080B7E90CA7292D7789F48CE1D

Function 00454024 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123

Strings

.tmp, xrefs: 004540C7
_iu, xrefs: 004540B5

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 1e958ac9ca82f2540afc274f5c3ae46c394e0d0502f96882d1574f7e3d60b294
Instruction ID: 59545500d2eeb09234598e35ee9a1648d273934097dc79d2b475452d37d3be57
Opcode Fuzzy Hash: 1e958ac9ca82f2540afc274f5c3ae46c394e0d0502f96882d1574f7e3d60b294
Instruction Fuzzy Hash: 8431C570E00209ABCF11EB95C942BEEBBB5AF54309F20452AF900BB3D2D7385F459759

Function 00416860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
UnregisterClassA.USER32(?,00400000), ref: 004168FB
RegisterClassA.USER32(?), ref: 0041691E

Strings

@, xrefs: 00416879

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 53826ed8cc08f36af38aca4d869988c5d0e43ce7ef9905a0ccb02d39044ed56c
Instruction ID: c7ae62685634f2feb307fa6559a912500e41153472d9d2bb59c10c8b55fc2cbc
Opcode Fuzzy Hash: 53826ed8cc08f36af38aca4d869988c5d0e43ce7ef9905a0ccb02d39044ed56c
Instruction Fuzzy Hash: C6318E706043008BDB10EF68C885B9B77E9AB89308F00457FF985DB392DB39DD458B5A

Function 00499AF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B68
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B91
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00499BAA

Strings

isRS-%.3u.tmp, xrefs: 00499B47

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
Instruction ID: 0b841a000e743cb9e8da0cfb8565bc532e10ded45a2cf007f5af54a585f9ef1c
Opcode Fuzzy Hash: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
Instruction Fuzzy Hash: 54212171D14119ABCF00EBA9D881AAFBBB8BB58314F11457EA814B72D1D63C6E018A59

Function 00457398 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004573EC
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00457419

Strings

LoadTypeLib, xrefs: 004573F7
RegisterTypeLib, xrefs: 00457424

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMulusermePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
Instruction ID: 195147ed2e8b8ae7ced7006412bb8845aee82bd7b9f018cfdf51d436bcb33606
Opcode Fuzzy Hash: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
Instruction Fuzzy Hash: C911D630B04204BFDB01DFA6DC51A4EBBADEB4A305F108076FD04D3652DA389E04C618

Function 00457950 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045796A
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A07

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457996
Failed to create DebugClientWnd, xrefs: 004579D0

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: 925f9ffdcd425408a01fa4f98f39528b3d7bbeff17d45d483e1d3833f7d96f07
Instruction ID: b12cfe17c44d9b7297a0742d7ace06ebf4c30bfebd2037bde928bbf0dce3c7c1
Opcode Fuzzy Hash: 925f9ffdcd425408a01fa4f98f39528b3d7bbeff17d45d483e1d3833f7d96f07
Instruction Fuzzy Hash: 1311C4B16082509BE310AB299C81B5F77949B54319F04443BF9849F383D3B99C18C7AE

Function 00450390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 004503F8
LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 0045043E

Part of subcall function 00450360: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450378

Strings

RICHED20.DLL, xrefs: 004503E5
RICHED32.DLL, xrefs: 0045042B

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$DirectorySystem
String ID: RICHED20.DLL$RICHED32.DLL
API String ID: 2630572097-740611112
Opcode ID: 5e1bf6021b3481a23a3e3d17d6b39bdb08e5b40a8b952fdaeccbb9226eb12265
Instruction ID: 45d93e0d121fe09c7a50066aca23a685df4873c559958f5edeb39e7b45036801
Opcode Fuzzy Hash: 5e1bf6021b3481a23a3e3d17d6b39bdb08e5b40a8b952fdaeccbb9226eb12265
Instruction Fuzzy Hash: EB216374900108EFDB10FF61E846B5D77F8EB55319F50447BE500A6162D7785A49CF5C

Function 00479934 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

GetFocus.USER32 ref: 0047999F
GetKeyState.USER32(0000007A), ref: 004799B1
WaitMessage.USER32(?,00000000,004799D8,?,00000000,004799FF,?,?,00000001,00000000,?,?,0048174F,00000000,00482671), ref: 004799BB

Strings

Wnd=$%x, xrefs: 00479983

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
Instruction ID: 0ce6ec70c77c992717eb959f135b56f98f7128e6f958ad4e09c8363bf76ba6b5
Opcode Fuzzy Hash: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
Instruction Fuzzy Hash: 0511A3B0604244AFDB00FF69D842ADEB7B8EB49704B51C5BBF508E7381D738AD00CA69

Function 0046F428 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046F430
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046F43F

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046F4B4
(invalid), xrefs: 0046F4C2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
Instruction ID: b1f3f51ab816b97a6d4fd488e4796d5760ecc8acc51059d8482d4647201c4143
Opcode Fuzzy Hash: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
Instruction Fuzzy Hash: F111F5A040C3919AD340DF2AC44072BBAE4AB99708F44896FF9C8D6381E779C948DB67

Function 004546DE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004546EB

Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

MoveFileA.KERNEL32(00000000,00000000), ref: 00454710

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

MoveFile, xrefs: 00454719
DeleteFile, xrefs: 004546FC

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: af00f34ed831d62b5344ce60fd570c4cdc70e55e4aa6ab9d38df2d08c8719917
Instruction ID: 274a2e09890dd6abd1f20e60e4879b25532b4b8e44e7f96c1dbb1ac345d4d7c6
Opcode Fuzzy Hash: af00f34ed831d62b5344ce60fd570c4cdc70e55e4aa6ab9d38df2d08c8719917
Instruction Fuzzy Hash: 53F08B746141445BE701FBA5D94265FA7ECEB8431EF50403BB800BB6C3DB3C9D08492D

Function 004561AC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,00456217,?,00000001,00000000), ref: 0045620A

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004561B8
PendingFileRenameOperations, xrefs: 004561DC
PendingFileRenameOperations2, xrefs: 004561EB

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: cb4d608d90d086dddd01c71022c1131e03e9143acd707505d6602a412a17223b
Instruction ID: 13f9a8dc2762523c9d5034016e8e0e4cf56d15ba7b570f5b98feacd54ef34b89
Opcode Fuzzy Hash: cb4d608d90d086dddd01c71022c1131e03e9143acd707505d6602a412a17223b
Instruction Fuzzy Hash: F2F06271348204ABD714E6E69C13B5B739CD784B15FE284A6F80487982EA79AD14962C

Function 00484FB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00484FF1
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485014

Strings

CSDVersion, xrefs: 00484FE8
System\CurrentControlSet\Control\Windows, xrefs: 00484FBE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 4b665f957098d454cc4f87012a57c885ca2e41c4723a9aa776dd986535a9d71b
Instruction ID: 3d9820a6fde95d05ac542d305ffe0a0e534a7c1f4e1b62a11fb8fb702f882c01
Opcode Fuzzy Hash: 4b665f957098d454cc4f87012a57c885ca2e41c4723a9aa776dd986535a9d71b
Instruction Fuzzy Hash: E7F04975A40608E6DF10FAD18C55BDF73BCAB05704F604967E510E7281E7399A049BAE

Function 00465214 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BB28: LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A

Part of subcall function 004651E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004651FB

LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265

Strings

SHPathPrepareForWriteA, xrefs: 00465231
shell32.dll, xrefs: 0046524C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 1442766254-2683653824
Opcode ID: 10236025bafb7d6f0aa3addd02fc095e47ad8509b9aaccb06964bd85ddd17aa9
Instruction ID: 415eb7409d81aa8454bb2dd4c72fa8b3e514a75415032da6adba06dceafb32ff
Opcode Fuzzy Hash: 10236025bafb7d6f0aa3addd02fc095e47ad8509b9aaccb06964bd85ddd17aa9
Instruction Fuzzy Hash: F5F04470640A08BFD700FB62DC53F5E7BACEB45718FA044B7B400B6591EA7C9E04892D

Function 00459B60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD

Strings

.NET Framework not found, xrefs: 00459BBC
SOFTWARE\Microsoft\.NETFramework, xrefs: 00459B80
InstallRoot, xrefs: 00459B9C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 3437d7d9c7e44ebaf3ffa80765e4cd1ae07bdecd6187d079bae80e56862ae9fa
Instruction ID: 9ff5366a1843594bb80037a440052cb9e88b760eaf161db27522a6c9f4c26c6f
Opcode Fuzzy Hash: 3437d7d9c7e44ebaf3ffa80765e4cd1ae07bdecd6187d079bae80e56862ae9fa
Instruction Fuzzy Hash: 2AF0AF31300121EBEB10EB17AC41B5E6789DB91316F18443BFA81C7253F6BCDC46862E

Function 0046FC5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F

Strings

Inno Setup: Setup Version, xrefs: 0046FC7D
I, xrefs: 0046FC89, 0046FC8F
VtG, xrefs: 0046FC61

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version$VtG$I
API String ID: 3702945584-29442299
Opcode ID: 9cfc1267c42f3b8636753967eeba7108215bdc4daa84a66296ead8935528fa31
Instruction ID: 298cf4f1533d54ab550fd3d15e19e6a926ba71f9f01c0afe6301adb1283b93e4
Opcode Fuzzy Hash: 9cfc1267c42f3b8636753967eeba7108215bdc4daa84a66296ead8935528fa31
Instruction Fuzzy Hash: E7E06D713013043BD710AA2BAC85F5BAADCDF987A5F00403AB948DB392D578ED0542A8

Function 0042DD40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60

Strings

GetSystemWow64DirectoryA, xrefs: 0042DD50
kernel32.dll, xrefs: 0042DD55

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 3cc0000837a877f001cb3f739844429a2e52c12d92d282452e6f6e81f811750a
Instruction ID: 2c7f72bc3db4c40d16b1b765d912767d34fa58fe4c646cc18e222b4ed7f6fe44
Opcode Fuzzy Hash: 3cc0000837a877f001cb3f739844429a2e52c12d92d282452e6f6e81f811750a
Instruction Fuzzy Hash: 0FE02660B60F1113D70071BA5C8379B208D4B84718F90043F3984F52C6DDBDD9490A6E

Function 0042EFA4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF20), ref: 0042EFB2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFB8

Strings

ShutdownBlockReasonDestroy, xrefs: 0042EFA8
user32.dll, xrefs: 0042EFAD

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 17ffa76a40c206e2b50517d12cb18fe3ec79ffaeacc524793963cec9a7ba4fd6
Instruction ID: 02ec898c6c75b1ba26151a3eebd585b8454ae7040b346800783755fde70e6890
Opcode Fuzzy Hash: 17ffa76a40c206e2b50517d12cb18fe3ec79ffaeacc524793963cec9a7ba4fd6
Instruction Fuzzy Hash: 01D0A993302B3332AA1071FB3DC19BB02CC8D202AA3670033F600E2280EA8CCC4012AC

Function 0044FD1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D

Strings

user32.dll, xrefs: 0044FD52
NotifyWinEvent, xrefs: 0044FD4D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: 2274661943a66c5dc8613e9b1b7ddea2e397b8425983515d1bf7fbb50e31bf31
Instruction ID: af032255d430417ffea63134fe83afc5c4b4dbba1536058c56e775f9f11b8dd5
Opcode Fuzzy Hash: 2274661943a66c5dc8613e9b1b7ddea2e397b8425983515d1bf7fbb50e31bf31
Instruction Fuzzy Hash: B2E012E0E417449AFB00BBB96D467193AD0EF6471DF10007FB540A6291C77C44489B1D

Function 0049A250 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260

Strings

DisableProcessWindowsGhosting, xrefs: 0049A250
user32.dll, xrefs: 0049A255

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 91cbd31055528a59df4ea05e83c9b1bcc8a0530ddf8f664031b5b98c9f3009da
Instruction ID: dac1c8ebddd32ae9bf6a035aad1c8d1f3cf840f271d0053423bdda14aa0d062e
Opcode Fuzzy Hash: 91cbd31055528a59df4ea05e83c9b1bcc8a0530ddf8f664031b5b98c9f3009da
Instruction Fuzzy Hash: 09B09281686A01509C4033F20C06A1B0E08484171871800B73400F12C6CE6E842404FF

Function 00481008 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00481201), ref: 004810AE
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00481201), ref: 004810BB
FindNextFileA.KERNEL32(000000FF,?,00000000,004811D4,?,?,?,?,00000000,00481201), ref: 004811B0
FindClose.KERNEL32(000000FF,004811DB,004811D4,?,?,?,?,00000000,00481201), ref: 004811CE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 1306abb92dd669325521cb5f074d3ba8a60c582de1b22fb1d47fbf41f988a0f3
Instruction ID: 32ce0b593b226a8a495a7b16ec3f8c392e3281c2b0d16565a73bd1b48714ff7d
Opcode Fuzzy Hash: 1306abb92dd669325521cb5f074d3ba8a60c582de1b22fb1d47fbf41f988a0f3
Instruction Fuzzy Hash: 95515E75A006489FCB10EF65CC45ADEB7BCEB89315F1045ABA808E7351D6389F86CF58

Function 004216C4 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 004217B1
SetMenu.USER32(00000000,00000000), ref: 004217CE
SetMenu.USER32(00000000,00000000), ref: 00421803
SetMenu.USER32(00000000,00000000), ref: 0042181F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
Instruction ID: 73b485f7b17ee0b128820b03b0310e3fef403fa1ec291b42cca88d6787b8c394
Opcode Fuzzy Hash: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
Instruction Fuzzy Hash: 44419E3070426407DB21BF3AA98579B66D55FA0308F4811BFE8458F3A3CA7CCC4A82AD

Function 00476744 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042F2BC: GetTickCount.KERNEL32 ref: 0042F2C2

Part of subcall function 0042F0D8: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F10D

GetLastError.KERNEL32(00000000,004768B9,?,?,0049E1E4,00000000), ref: 004767A2

Strings

MoveFileEx, xrefs: 00476807
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 00476877
, xrefs: 004767DA, 004767F5

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: b295b087cbccb7c0b0a2fd57bc67c0996bda5e81bfe7167737e760368e0a1d32
Instruction ID: 03a236e7dc5f504d91790a0ce298dd5dba96fa6117a2cc3ee4ad00c9fc2b7c38
Opcode Fuzzy Hash: b295b087cbccb7c0b0a2fd57bc67c0996bda5e81bfe7167737e760368e0a1d32
Instruction Fuzzy Hash: 53418474A006098BCB00EFA5D882ADE77B9EF48314F52853BE414B7391D7389E05CBAD

Function 00414148 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00414196
GetDesktopWindow.USER32 ref: 0041424E

Part of subcall function 00419310: 6FBCC6F0.COMCTL32(00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 0041932C
Part of subcall function 00419310: ShowCursor.USER32(00000001,00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 00419349

SetCursor.USER32(00000000,?,?,?,?,00413F43,00000000,00413F56), ref: 0041428C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
Instruction ID: 6a264f145c0982e92da272f414c83554030b66ece25ea6070dcdf00fca6814f6
Opcode Fuzzy Hash: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
Instruction Fuzzy Hash: 30414170A10151AFC710EF6DDD89B5677E5ABA9318B05807BE409CB366C738DC81CB1D

Function 00408EA4 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408EC5
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408F34
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408FCF
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040900E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
Instruction ID: d606a76aa49eec759d07c5becdfef17a6c6b9766ea912d15a143196380f0994c
Opcode Fuzzy Hash: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
Instruction Fuzzy Hash: C73162706083815AD330EB65C945BDBB7D99F8A304F00483FB6C8D72D2DB799904876B

Function 0044EE9C Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044EEE5

Part of subcall function 0044D528: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044D55A

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EF69

Part of subcall function 0042C004: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042C018

IsRectEmpty.USER32(?), ref: 0044EF2B
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EF4E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 6e26a94a7199d382ea3abf285ca1d810cec0835dc4ac21152864a4c17455089d
Instruction ID: 5be5a2c99a49a2f339bd726f9f517b743d06364a043e5a66e7e3b57b404dc1d6
Opcode Fuzzy Hash: 6e26a94a7199d382ea3abf285ca1d810cec0835dc4ac21152864a4c17455089d
Instruction Fuzzy Hash: 5B118C3170031027E610BA7E8C82B5F66C99B88748F01483FB60AEB387DDB8DC09835E

Function 0049720C Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00497270
OffsetRect.USER32(?,00000000,?), ref: 0049728B
OffsetRect.USER32(?,?,00000000), ref: 004972A5
OffsetRect.USER32(?,00000000,?), ref: 004972C0

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
Instruction ID: e718e50738441f611e1ccbf74e0cde98489d487b8bfa6672397ae6e260ffa509
Opcode Fuzzy Hash: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
Instruction Fuzzy Hash: BE214FB67142016BCB00DF69CD85E5BB7EEEBD4340F14CA2AF544C728AD634E9448796

Function 00417668 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004176B0
SetCursor.USER32(00000000), ref: 004176F3
GetLastActivePopup.USER32(?), ref: 0041771D
GetForegroundWindow.USER32(?), ref: 00417724

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 14110dda0b90429387dd3a163e0d8510df73624919390f4fd5eb2ebddd82d255
Instruction ID: dbcb3e4d6cdf237ebd373b45723c7518e1d79ef9827cdcdbbe1e0fb97faef126
Opcode Fuzzy Hash: 14110dda0b90429387dd3a163e0d8510df73624919390f4fd5eb2ebddd82d255
Instruction Fuzzy Hash: 8121CF303086018BC710EF29D980ADB73B1AB44768F52447BE8688B392D73DEC81CA8D

Function 00416F92 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416FD4
SetTextColor.GDI32(?,00000000), ref: 00416FEE
SetBkColor.GDI32(?,00000000), ref: 00417008
CallWindowProcA.USER32(?,?,?,?,?), ref: 00417030

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 4ce7c4006bfc0e61fcdce8fe115ad4c73528d98afabcd796622ae120d2b9eda4
Instruction ID: 97657bf4431c68cea31458eff6611b8cbcc4ca9acdd3171e17da9912607f4e93
Opcode Fuzzy Hash: 4ce7c4006bfc0e61fcdce8fe115ad4c73528d98afabcd796622ae120d2b9eda4
Instruction Fuzzy Hash: CE114CB1604600AFD710EE6ECD84E87B7ECDF48310B14882AB55ADB612C62CE8818B69

Function 00496EC4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 00496ED9
MulDiv.KERNEL32(50142444,00000008,?), ref: 00496EED
MulDiv.KERNEL32(F6E65FE8,00000008,?), ref: 00496F01
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00496F1F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865696dda9c04e972e54b31ac7a717d8d8d580924cf1526e353e6871edb84c7d
Instruction ID: e3308cc84e827548128d2b2e4dd5895a6eb2c6c5d9673f95432de963ba277a10
Opcode Fuzzy Hash: 865696dda9c04e972e54b31ac7a717d8d8d580924cf1526e353e6871edb84c7d
Instruction Fuzzy Hash: CB113372604204AFCF40DFA9D8C4D9B7BECEF4D324B15516AF918DB24AD634ED408BA4

Function 0041F8D0 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F8C0,?), ref: 0041F8F1
UnregisterClassA.USER32(0041F8C0,00400000), ref: 0041F91A
RegisterClassA.USER32(0049B598), ref: 0041F924
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F95F

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: ae6de89eb0d2e6a3729d1e0b10ea6149efd73b68be0a0487beae6f0a454497aa
Instruction ID: 2f8fb42507e3cd1bc96778dfed7eead12d65e2047fb8f4462c71738803dd6c65
Opcode Fuzzy Hash: ae6de89eb0d2e6a3729d1e0b10ea6149efd73b68be0a0487beae6f0a454497aa
Instruction Fuzzy Hash: B7012DB16141047BCB10FBA8ED81E9A379CD719318B11423BB505E72A1D739D8168BAC

Function 0040D460 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D477
LoadResource.KERNEL32(00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64,0000000A,00000000), ref: 0040D491
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64), ref: 0040D4AB
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?), ref: 0040D4B5

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 5ead9b113cfd5614d36e08cf149f6ccc86a415bd6e4f69995d9dff1ce3cc408d
Instruction ID: 736189130eb46f944708fe8ab0dcf7c2da2e7d83e7efdb8d5663637d3260b2f8
Opcode Fuzzy Hash: 5ead9b113cfd5614d36e08cf149f6ccc86a415bd6e4f69995d9dff1ce3cc408d
Instruction Fuzzy Hash: FCF04FB3A005046F8B04EE9DA881D5B76DCDE88364310013AFD08EB282DA38DD018B78

Function 00456538 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000,0045BFD1), ref: 00456574
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000), ref: 0045657D
RemoveFontResourceA.GDI32(00000000), ref: 0045658A
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045659E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 4caac74e08e20da0d2c06c48f8ee0446ebda1c210aac02dd0b08997c90b4ebd3
Instruction ID: 60fc6220e6421739c6cddc48edde2e304ed69df2a150d613f8e8855ad9854c81
Opcode Fuzzy Hash: 4caac74e08e20da0d2c06c48f8ee0446ebda1c210aac02dd0b08997c90b4ebd3
Instruction Fuzzy Hash: 27F054B174531076EA10B6B6AC47F5B22CC8F54749F54483A7604EB2C3D57CDD04966D

Function 00470C50 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 00470CA1

Strings

Failed to set NTFS compression state (%d)., xrefs: 00470CB2
Setting NTFS compression on directory: %s, xrefs: 00470C6F
Unsetting NTFS compression on directory: %s, xrefs: 00470C87

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 6adb48c12a6d143138f10185ab69c53d0360da0583768978ff12b3266c1200ad
Instruction ID: 2f8c6a7a6e35e8588bbb9e762321129d74c961a1f58895d436786832a4f1a68a
Opcode Fuzzy Hash: 6adb48c12a6d143138f10185ab69c53d0360da0583768978ff12b3266c1200ad
Instruction Fuzzy Hash: 04018B30D09248AACB15D7ED94812DDFBE89F0D305F54C1EFA459E7342DF790A08879A

Function 004713FC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 0047144D

Strings

Failed to set NTFS compression state (%d)., xrefs: 0047145E
Setting NTFS compression on file: %s, xrefs: 0047141B
Unsetting NTFS compression on file: %s, xrefs: 00471433

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: ab6543f0e7bef128f58b552de59364dcc0235075ba4368e15f33245e46e5f5df
Instruction ID: a30ff693f52cd42e459b797e94763e7277481e0955e0c4e592f957c66b82d28b
Opcode Fuzzy Hash: ab6543f0e7bef128f58b552de59364dcc0235075ba4368e15f33245e46e5f5df
Instruction Fuzzy Hash: 41016730D0424866CB1497AD64422DDBBE89F4D315F94C1EFA458E7352DE790A0887AA

Function 0047944C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000,0049A5EB), ref: 00479455
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000), ref: 0047945B
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047947D
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047948E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
Instruction ID: 6505384fcc0360b3c734b71afb4e1a1a4ab6f9baee95e57f14d901b11eacad59
Opcode Fuzzy Hash: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
Instruction Fuzzy Hash: 90F030716447006BD600EAB58D82E9B73DCEB44354F04883EBE98CB2C1D678DC08AB76

Function 00424690 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042469C
IsWindowVisible.USER32(?), ref: 004246AD
IsWindowEnabled.USER32(?), ref: 004246B7
SetForegroundWindow.USER32(?), ref: 004246C1

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
Instruction ID: 92c4e0b2622c21c1aafdf32b5a5e60d634be871c9bac48645995030a32fad986
Opcode Fuzzy Hash: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
Instruction Fuzzy Hash: BBE01261B0293157AA31FA7AA885A9F118CDD47BC43460277BC41F7297DB2CDC1045FD

Function 0040627C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040627F
GlobalUnlock.KERNEL32(00000000), ref: 00406286
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040628B
GlobalLock.KERNEL32(00000000), ref: 00406291

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A

Function 0047B524 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047CE0D,?,00000000,00000000,00000001,00000000,0047B7C1,?,00000000), ref: 0047B785

Strings

Failed to parse "reg" constant, xrefs: 0047B78C
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047B5F9

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: f3efe0bf92a2f40a4dc3dc2e799273e463fc0dbb7f1219b13f72ddd9139161f6
Instruction ID: f1421b174eee6fc7f54e6f8e7a43c19df08b7389384ab18ee26f4796af10067b
Opcode Fuzzy Hash: f3efe0bf92a2f40a4dc3dc2e799273e463fc0dbb7f1219b13f72ddd9139161f6
Instruction Fuzzy Hash: 89815175E00208AFCB10DFA5D481BDEBBF9EF48354F50816AE454A7391DB38AE05CB99

Function 0045CA60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077

FlushFileBuffers.KERNEL32(?), ref: 0045CC95

Strings

NumRecs range exceeded, xrefs: 0045CB92
EndOffset range exceeded, xrefs: 0045CBC9

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 98d39f62b2baeb0f0dec741049dfb73ffaf15e0d689818ff3631373a68726cff
Instruction ID: 609741d3f79eabe780872f94ce4b5bf90fe53003262008b9b2f446b63576a9fa
Opcode Fuzzy Hash: 98d39f62b2baeb0f0dec741049dfb73ffaf15e0d689818ff3631373a68726cff
Instruction Fuzzy Hash: 6E615234A002588FDB25DF25D881BDAB7B5EF49305F0084DAED899B352D6B4AEC8CF54

Function 00484978 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849B1
SetActiveWindow.USER32(?,00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849C3

Strings

Will not restart Windows automatically., xrefs: 00484AE2

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 611cf57aec86bfea3a2af854023c09e37a5beb60966471ff9b2a299e19d7bf06
Instruction ID: e3ffbfa0a86cb08642d5b37a1a1eca219a4b332c0ee086946791bcc458de558f
Opcode Fuzzy Hash: 611cf57aec86bfea3a2af854023c09e37a5beb60966471ff9b2a299e19d7bf06
Instruction Fuzzy Hash: 64415930644245EFD714FFA6EC05B6E7BE4D795308F1948B7E8405B392E2BC9800971E

Function 004775F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 004776F8
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 0047770C

Strings

Extracting temporary file: , xrefs: 00477634

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: eb98cc0d1cdcf9865969dbb50bdf079376187bc28a35bda05ac22d4fc5ce8059
Instruction ID: 13e9f88ccb8282ea38195536ff5c63a907cbb836f3d7a61bc1ee4cb3f854d839
Opcode Fuzzy Hash: eb98cc0d1cdcf9865969dbb50bdf079376187bc28a35bda05ac22d4fc5ce8059
Instruction Fuzzy Hash: 4041B774A04649AFCB01DF65CC91AEFBBB8EB09304F51847AF910A7391D678A901CB98

Function 0046D8CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046D9E4
Failed to proceed to next wizard page; showing wizard., xrefs: 0046D9F8

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: ea26bf9637c1ba0bfb2d6f1d7c002821e5ffe9644d54683e76b46f4e62d921a4
Instruction ID: 84e2974eb34e4f2dda2b8c8cb2eefec3d4715c8d151fead2dfc4afe0ae77ca03
Opcode Fuzzy Hash: ea26bf9637c1ba0bfb2d6f1d7c002821e5ffe9644d54683e76b46f4e62d921a4
Instruction Fuzzy Hash: 4D319E70F04204EFD711EB69D989BA977F5EB05304F6500BBE408AB3A2D7786E44CB1A

Function 0047A0E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,0047A1C6,?,?,00000001,00000000,00000000,0047A1E1), ref: 0047A1AF

Strings

%s\%s_is1, xrefs: 0047A158
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047A13A

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 6f6a57914aa4067f96efd10dca847e3b9be0d2eccfabac7fb81a31423b256b48
Instruction ID: 0d63d1a050f55a8da938840af3d9f6bfa62d29ba12cdbe4796c61ae60ad15f2e
Opcode Fuzzy Hash: 6f6a57914aa4067f96efd10dca847e3b9be0d2eccfabac7fb81a31423b256b48
Instruction Fuzzy Hash: 8E216474B042449FEB01DFA9CC516EEBBF8EB89704F90847AE404E7381D7789E158B59

Function 0045080C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004508A1
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004508D2

Strings

open, xrefs: 004508C5

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: adc24c5d3b5368d32e78575de7f2422fd367a658f9279fd22d1d28f183eb37d2
Instruction ID: f57ce05e9eba324e121f638db0535f08eb0d68243c76b72727f5d658c61a4d86
Opcode Fuzzy Hash: adc24c5d3b5368d32e78575de7f2422fd367a658f9279fd22d1d28f183eb37d2
Instruction Fuzzy Hash: 4C216075E00604BFDB00EFA9C981E9EB7F8EB44705F10817AB904F7292D7789A45CB88

Function 004559F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00455A94
GetLastError.KERNEL32(0000003C,00000000,00455ADD,?,?,?), ref: 00455AA5

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Strings

<, xrefs: 00455A4E

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 43feb11e9db7b730235ecc85ca7dd059247b9c3467fc029a3a8c252ac057d8c1
Instruction ID: 1dd1e4a4b05f96b02f6cdc30b2026c57645841094811f513de853399c4f5318c
Opcode Fuzzy Hash: 43feb11e9db7b730235ecc85ca7dd059247b9c3467fc029a3a8c252ac057d8c1
Instruction Fuzzy Hash: 482151B0A00649AFDB00DF65D8926AE7BE8EF08345F50413BF844E7281E7789E49CB58

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049D420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049D420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,02202B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: b1c34bbcfa7d0433af8c48dff581505e6c7889bd18d36f496ad8d1521465f649
Instruction ID: 570f99ef1d3d95e4b4d80a2adc1962b98f522b57bc72750d6ce688ebb538822c
Opcode Fuzzy Hash: b1c34bbcfa7d0433af8c48dff581505e6c7889bd18d36f496ad8d1521465f649
Instruction Fuzzy Hash: CE110131B042046FEB25AF799F1A62AAAD4D79575CB64087FF404F32D2D9BD9C02826C

Function 00498416 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00498451

Strings

/INITPROCWND=$%x , xrefs: 0049847C
@, xrefs: 0049841C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 3a83e6e038dbafd0e3ea01eb6dd6426255c1a8b46f58718dc6178500fe069b44
Instruction ID: a9318bdce5e824465d4436be78f64917a5ae5ef5b8220d929174e0d313b11457
Opcode Fuzzy Hash: 3a83e6e038dbafd0e3ea01eb6dd6426255c1a8b46f58718dc6178500fe069b44
Instruction Fuzzy Hash: EF119370A082059FDB01DBA9D851BAEBBE8EF49314F11847BE504E7292EA3C99058B58

Function 004478B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00447966

Strings

Unknown Method, xrefs: 0044793F
NIL Interface Exception, xrefs: 00447908

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: ea7a85b9692c4460c5906b58765fb64bf6ee6b5f46e4d7caecedcff591b2af5e
Instruction ID: 10ddd43a001eab7360299ad3f405319ab988bcee1c7d5b08318f9ee426dd8228
Opcode Fuzzy Hash: ea7a85b9692c4460c5906b58765fb64bf6ee6b5f46e4d7caecedcff591b2af5e
Instruction Fuzzy Hash: 9211E9716042089FEB10EFA58D51A6FBBBDEB09304F91403AF500F7281C7789D01C769

Function 00497C88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00497D50,?,00497D44,00000000,00497D2B), ref: 00497CF6
CloseHandle.KERNEL32(00497D90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00497D50,?,00497D44,00000000), ref: 00497D0D

Part of subcall function 00497BE0: GetLastError.KERNEL32(00000000,00497C78,?,?,?,?), ref: 00497C04

Strings

D, xrefs: 00497CD0

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: a880bfa9a77c93c91fa9ab75ae7060b7f78cb32e3cfe05dc5138aae6885ad4e0
Instruction ID: a89f5070db7a5e6d261d16ca7c1b7ea99db6432e353ebe52f8e4aa70fd7af1a9
Opcode Fuzzy Hash: a880bfa9a77c93c91fa9ab75ae7060b7f78cb32e3cfe05dc5138aae6885ad4e0
Instruction Fuzzy Hash: 1001A1B0608248AFDB00DBA5DC42FAF7BACDF09704F60013BF504E72C1E6785E008668

Function 0042E1B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E1C8
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042E208

Strings

Inno Setup: No Icons, xrefs: 0042E1C6

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 5fa1588eb3983bc8147b11ac52db8119f930d32b550c0df0fd023eaaf2352da0
Instruction ID: e7333c3f072e055346127a6a42ec618886ffe365ff3054ef7f5207155727e60c
Opcode Fuzzy Hash: 5fa1588eb3983bc8147b11ac52db8119f930d32b550c0df0fd023eaaf2352da0
Instruction Fuzzy Hash: 3C01DB32745371A9F73145137D41B7B65CC8B42B60F64057BF941FA2C1DA68AC0592BE

Function 0042F188 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4

Strings

shlwapi.dll, xrefs: 0042F1C1
SHAutoComplete, xrefs: 0042F1DE

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 2552568031-1506664499
Opcode ID: fb07ec50570effe9fb27e1689c136128c3aaffa3ed3d7639c4a8456e04d5f888
Instruction ID: f8fd25663858203a515409cfb2833324ac242db414aae85ffba9c986139a78a3
Opcode Fuzzy Hash: fb07ec50570effe9fb27e1689c136128c3aaffa3ed3d7639c4a8456e04d5f888
Instruction Fuzzy Hash: 9701D274B00718EBE711DB65EC42B5E7BFCDB99704FE000B7B404A2291DAB99E48C62C

Function 004535CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 00453607
GetLastError.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 0045360F

Strings

@8H, xrefs: 0045363D

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: @8H
API String ID: 1799206407-3762495883
Opcode ID: e51d2d5a64d0818d1847fbb95d225efede478a4be5bb01e29063d0704820aebd
Instruction ID: 2a718f5fbeded0ca4f0ca1a684ecb9b724474f3cd93569f9f0dcaab09f3de9c7
Opcode Fuzzy Hash: e51d2d5a64d0818d1847fbb95d225efede478a4be5bb01e29063d0704820aebd
Instruction Fuzzy Hash: 49F0F971A04204BBCB10DF7AAC4249EF7ECDB49362711457BFC14D3342E6784E088598

Function 004998EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047E3D0: FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6

Part of subcall function 0047E0A8: GetTickCount.KERNEL32 ref: 0047E0F2

Part of subcall function 00457A90: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 00457AAF

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049A243), ref: 00499941
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049A243), ref: 00499947

Strings

Detected restart. Removing temporary directory., xrefs: 004998FB

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: cf4eeb9d2890f889123e5d43942b6b9d65dcdfa64d28096ccc0edee5f77a06bc
Instruction ID: 3ff60914118e938cb0b4ccf38de38d34f2fcffefe5e82e60aedbfe03ba6cc694
Opcode Fuzzy Hash: cf4eeb9d2890f889123e5d43942b6b9d65dcdfa64d28096ccc0edee5f77a06bc
Instruction Fuzzy Hash: 7DE0E5B12086446EDE1277AB6C1796B3F8CD74A76CB11447FF80491652E82D4C108A3D

Function 004763E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476409
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476420

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

CreateFile, xrefs: 00476415

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 49d63fbd6f5fa712f52ce53229c2f792f734722ce0c98ad86c4030682624aac4
Instruction ID: 7bcc5fcb2fff494360280e2963ad1350d0a4ff74aab44489db68ce07f01780cc
Opcode Fuzzy Hash: 49d63fbd6f5fa712f52ce53229c2f792f734722ce0c98ad86c4030682624aac4
Instruction Fuzzy Hash: CDE06D302403447BEA20EB69DCC6F4A77D89B04738F108161FA48AF3E2C6B9EC408A5C

Function 0046FCCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0047034A,?,?,00000000,00470532,?,_is1,?), ref: 0046FCDF

Strings

NoModify, xrefs: 0046FCDD
I, xrefs: 0046FCE9, 0046FCEF

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID: NoModify$I
API String ID: 3702945584-1047506205
Opcode ID: 73fdcae3ba9d18a103afebde5dc2ca47e69f96c0885cedc9c810f6db9bfe17db
Instruction ID: 74656710be1799963dacf24c43606be2f52e229709c8467fcc2139d849b5a3c3
Opcode Fuzzy Hash: 73fdcae3ba9d18a103afebde5dc2ca47e69f96c0885cedc9c810f6db9bfe17db
Instruction Fuzzy Hash: 1AE04FB0640308BFEB04DB55DD4AF6BB7ACDB48750F104059BA44DB381EA74FE008658

Function 00455E10 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00455E2F
Sleep.KERNEL32(?), ref: 00455E3F
GetLastError.KERNEL32 ref: 00455E52
GetLastError.KERNEL32 ref: 00455E5C

Memory Dump Source

Source File: 00000001.00000002.1467518916.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1467504590.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467565257.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467579753.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467593726.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1467606769.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 7805a43f88a235992633b9d37c21eb6baea5f58c58a25dbaaf87ceedd4d3a719
Instruction ID: 0e0098d5c51f6c3332c54b3c49cab550602dc5c9badc8da443834b62d3c24bba
Opcode Fuzzy Hash: 7805a43f88a235992633b9d37c21eb6baea5f58c58a25dbaaf87ceedd4d3a719
Instruction Fuzzy Hash: BCF02B32F00914E74F30A76AA88393F628CDA417A6720012BFC04DB303D53CDE0586A8

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exePID: 432, Parent PID: 3504

General

Chronological Activities

Analysis Process: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmpPID: 3360, Parent PID: 432

Windows Analysis Report
SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Function 00404654 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 174
libraryloaderCOMMON

Function 0040A018 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 00409520 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Function 0040AF57 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
COMMON

Function 0040AF42 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 00409E8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Function 0040ACB4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117
windowCOMMON

Function 0040ACCF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
windowCOMMON

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 004097D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Function 00409978 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON