
Windows Analysis Report
setup.exe

Overview

General Information

Sample name:setup.exe
Analysis ID:1530829
MD5:ca4d56abba85c97023f2e236dc82c4aa
SHA1:5c4be7cef4082adae0e187ec140c0f10dd113260
SHA256:7052d75548d0f34e290baf29aa7281b44b4eb38327a9078354e15a3dc8749da4
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected potential crypto function
Found evasive API chain (date check)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • setup.exe (PID: 2100 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: CA4D56ABBA85C97023F2E236DC82C4AA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004066B2 FindFirstFileA,FindClose,FindClose,0_2_004066B2
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00409F75 FindFirstFileA,FindClose,0_2_00409F75
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406143 lstrcpyA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcatA,VerInstallFileA,GetShortPathNameA,lstrcpyA,FindFirstFileA,FindClose,VerInstallFileA,lstrcpyA,0_2_00406143
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00409D0F lstrcpyA,lstrcmpiA,lstrlenA,lstrlenA,lstrcpynA,lstrcatA,CharNextA,lstrcpynA,FindFirstFileA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,FindClose,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrlenA,0_2_00409D0F
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406623 lstrcatA,FindFirstFileA,GetWindowLongA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindClose,0_2_00406623
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00410B70 lstrcatA,FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_00410B70
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00403794 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,GetLastError,wsprintfA,0_2_00403794
Source: C:\Users\user\Desktop\setup.exe | File created: C:\WINDOWS\ST6UNST.000
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040F840
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040D050
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040FC20
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00414CE0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040B8EC
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040C9A0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040F5B0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040D2F0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004187D0
Source: setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: clean3.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00403794 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,GetLastError,wsprintfA,0_2_00403794
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040924A lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,GetFileAttributesA,lstrlenA,lstrlenA,lstrcatA,lstrlenA,lstrcatA,GetFileAttributesA,DeleteFileA,CoCreateInstance,lstrcpyA,CharNextA,MultiByteToWideChar,0_2_0040924A
Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\setup.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00417CA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00417CA0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00412B40 push eax; ret 0_2_00412B6E
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004084E7 GetWindowsDirectoryA,GetSystemDirectoryA,MessageBoxA,SendMessageA,UpdateWindow,GetWindowLongA,GetWindowLongA,GetModuleFileNameA,GetWindowLongA,GetModuleFileNameA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,MessageBoxA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,lstrcatA,CreateDirectoryA,GetPrivateProfileStringA,lstrcpyA,lstrcatA,lstrcpyA,lstrcpynA,CoInitialize,CoUninitialize,ShowWindow,0_2_004084E7
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00405885 DefWindowProcA,BeginPaint,GetTextMetricsA,GetClientRect,SetTextColor,SelectObject,GetWindowLongA,GetModuleFileNameA,lstrcpyA,lstrcatA,GetPrivateProfileStringA,GetPrivateProfileStringA,SetWindowTextA,GetPrivateProfileStringA,wsprintfA,wsprintfA,SetBkColor,lstrlenA,lstrlenA,DrawTextA,OffsetRect,lstrlenA,DrawTextA,SetTextColor,SelectObject,EndPaint,SendMessageA,PostQuitMessage,DeleteObject,0_2_00405885
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040746D wsprintfA,wsprintfA,GetPrivateProfileStringA,wsprintfA,wsprintfA,SetFileAttributesA,wsprintfA,wsprintfA,wsprintfA,CreateProcessA,GetLastError,wsprintfA,ShowWindow,GetExitCodeProcess,0_2_0040746D
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00407E75 lstrcpyA,GetPrivateProfileStringA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,SetFileAttributesA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,0_2_00407E75
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00408F7A wsprintfA,wsprintfA,GetPrivateProfileStringA,0_2_00408F7A
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00408FE7 SetFileAttributesA,wsprintfA,GetPrivateProfileStringA,wsprintfA,SetFileAttributesA,DeleteFileA,GetPrivateProfileStringA,wsprintfA,SetFileAttributesA,DeleteFileA,RemoveDirectoryA,0_2_00408FE7
Source: C:\Users\user\Desktop\setup.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004066B2 FindFirstFileA,FindClose,FindClose,0_2_004066B2
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00409F75 FindFirstFileA,FindClose,0_2_00409F75
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406143 lstrcpyA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcatA,VerInstallFileA,GetShortPathNameA,lstrcpyA,FindFirstFileA,FindClose,VerInstallFileA,lstrcpyA,0_2_00406143
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00409D0F lstrcpyA,lstrcmpiA,lstrlenA,lstrlenA,lstrcpynA,lstrcatA,CharNextA,lstrcpynA,FindFirstFileA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,FindClose,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrlenA,0_2_00409D0F
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406623 lstrcatA,FindFirstFileA,GetWindowLongA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindClose,0_2_00406623
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00410B70 lstrcatA,FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_00410B70
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00417CA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00417CA0
Source: setup.exe | Binary or memory string: ProgMan
Source: setup.exe | Binary or memory string: PROGMAN
Source: setup.exe | Binary or memory string: )(: ACTION: *** CONFIG: NOTE: VB.Mooo.Conv.Child)][CreateGroup(,[AddItem([ReplaceItem(ProgMan[DeleteItem(PROGMAN%s=%s
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00412600 GetLocalTime,GetSystemTime,GetTimeZoneInformation,0_2_00412600
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00412600 GetLocalTime,GetSystemTime,GetTimeZoneInformation,0_2_00412600
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00413060 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,KiUserCallbackDispatcher,0_2_00413060
MITRE ATT&CK matrix (one row per line, columns separated by " | "; a number in parentheses is the report's match count for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (21) | Boot or Logon Initialization Scripts | Process Injection (1) | Access Token Manipulation (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | System Information Discovery (3) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
setup.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1530829
Start date and time:2024-10-10 15:36:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:setup.exe
Detection:CLEAN
Classification:clean3.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 17
  • Number of non-executed functions: 93
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
  • VT rate limit hit for: setup.exe
No simulations
No context
Process:C:\Users\user\Desktop\setup.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):303
Entropy (8bit):4.678844719486963
Encrypted:false
SSDEEP:6:sENVGgA0dO/MKYiRgKRLGiFxl0AA8HLPs/QhOL+xgqNhkE+In:scsgA0dOjYiX4i7eA/0EcrIEI
MD5:4AF08CCBCCE59FDA9C64B29F5B206BEF
SHA1:8C97829EE35421C87AB774617C90A6CF4967C281
SHA-256:035B0A7155BE4C6196A16F06DD21E268B3A5062EA89BCC9A4429E371E34669B8
SHA-512:9BD8756589751781EA87B963F919F2614DDC88E7A7C5A8687D0D58D46FFB9F7A8108041B9B6DADF911500A5FD6FBA2A6A5345F1392950BF0F31AB8FCA4D64E79
Malicious:false
Reputation:moderate, very likely benign file
Preview: %% PLEASE DO NOT MODIFY OR DELETE THIS FILE! %% .. %% This file contains information about the installation of an application. %% .. %% It will be used to automatically remove all application components from your computer if you choose to do so. %% ......NOTE: Beginning of the bootstrapper section....
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.126511930909836
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.72%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • InstallShield setup (43055/19) 0.42%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:setup.exe
File size:139'776 bytes
MD5:ca4d56abba85c97023f2e236dc82c4aa
SHA1:5c4be7cef4082adae0e187ec140c0f10dd113260
SHA256:7052d75548d0f34e290baf29aa7281b44b4eb38327a9078354e15a3dc8749da4
SHA512:42b895b8ca244d4a5dc3b662f6379073c8ee893a3a56b0e77b9eca3be4c3242bcbc9f97a2cf2432109c13fdfa842e2d73f14c7d1b328b4f6a000202af8215562
SSDEEP:3072:WARAEzUI3AOGfte0D9P9HjT0rIm7f1dZJZgJIK/J:WARdb3NGfYm9VTwImJdEX/
TLSH:D1D3285672E5C071F5F2277116F16A31AA3A7C356B36C2CBC700DD6A5C306A4A8393AB
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ 5..A[..A[..A[.hG]..A[..A[..@[.Rich.A[.................PE..L...f}.8............................`0............@................
Icon Hash:674e4f45a7297639
Entrypoint:0x413060
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x38CE7D66 [Tue Mar 14 17:56:54 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:8d6f18fdfe290097ec083ff27d192e91
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041A778h
push 004168D8h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
add esp, FFFFFFA8h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0041A0D4h]
xor edx, edx
mov dl, ah
mov dword ptr [00423110h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0042310Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00423108h], ecx
shr eax, 10h
mov dword ptr [00423104h], eax
call 00007FE40CC9EED9h
test eax, eax
jne 00007FE40CC9E0CCh
push 0000001Ch
call 00007FE40CC9E22Eh
add esp, 04h
mov dword ptr [ebp-04h], 00000000h
call 00007FE40CC9E3CFh
call 00007FE40CCA102Ah
call dword ptr [0041A09Ch]
mov dword ptr [00427424h], eax
call 00007FE40CCA165Ah
mov dword ptr [00423188h], eax
test eax, eax
je 00007FE40CC9E0CBh
mov eax, dword ptr [00427424h]
test eax, eax
jne 00007FE40CC9E0CCh
push FFFFFFFFh
call 00007FE40CC9BF51h
add esp, 04h
call 00007FE40CCA1389h
call 00007FE40CCA1294h
call 00007FE40CC9BF0Fh
mov esi, dword ptr [00427424h]
mov dword ptr [ebp-64h], esi
cmp byte ptr [esi], 00000022h
jne 00007FE40CC9E184h
Programming Language:
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ab60 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x3cd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x300 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x18946 | 0x18a00 | 6402e561ef237f0ae29e041348528e7a | False | 0.5565018242385786 | data | 6.599939161511523 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1a000 | 0x1b4c | 0x1c00 | f379a6fbb3ea192eccd0240f9d08d27d | False | 0.4228515625 | data | 5.478199383881284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1c000 | 0xb430 | 0x3a00 | e2f25de8dfe3c3ecb4273fa4af478747 | False | 0.20204741379310345 | data | 2.451888010679478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28000 | 0x3cd0 | 0x3e00 | 10dd306ba561254027beb2f622a6ad2e | False | 0.2610887096774194 | data | 3.495450025329039 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x28310 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.4153225806451613
RT_ICON | 0x285f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5743243243243243
RT_STRING | 0x29e08 | 0x2a | Matlab v4 mat-file (little endian) r, numeric, rows 0, columns 0 | English | United States | 0.5714285714285714
RT_STRING | 0x29e38 | 0x604 | data | English | United States | 0.32987012987012987
RT_STRING | 0x2a440 | 0x3f0 | data | English | United States | 0.3482142857142857
RT_STRING | 0x2b520 | 0x678 | data | English | United States | 0.37318840579710144
RT_STRING | 0x2a830 | 0xcf0 | data | English | United States | 0.30585748792270534
RT_STRING | 0x28bf8 | 0x73c | data | English | United States | 0.3536717062634989
RT_STRING | 0x2bb98 | 0x134 | data | English | United States | 0.5064935064935064
RT_STRING | 0x29338 | 0x128 | data | English | United States | 0.5675675675675675
RT_STRING | 0x29460 | 0x3da | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.3671399594320487
RT_STRING | 0x29840 | 0x5c6 | data | English | United States | 0.2347767253044655
RT_GROUP_ICON | 0x28720 | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x28748 | 0x4b0 | data | English | United States | 0.4116666666666667
DLL | Import
GDI32.dll | GetStockObject, SetTextColor, CreateFontIndirectA, DeleteObject, GetDeviceCaps, SetBkColor, SelectObject, GetTextMetricsA
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc
USER32.dll | SendMessageA, CreateWindowExA, GetWindowLongA, MessageBoxA, CharNextA, DispatchMessageA, PeekMessageA, PostMessageA, PackDDElParam, DestroyWindow, CharPrevA, UpdateWindow, SetWindowTextA, BeginPaint, GetClientRect, EndPaint, DrawTextA, OffsetRect, IsWindow, PostQuitMessage, FindWindowA, GetSystemMetrics, ShowCursor, GetDC, ShowWindow, MoveWindow, ReleaseDC, BringWindowToTop, GetMessageA, TranslateMessage, LoadCursorA, SetFocus, wvsprintfA, InvalidateRect, LoadIconA, LoadStringA, wsprintfA, ExitWindowsEx, CharUpperA, RegisterClassA, UnpackDDElParam, DefWindowProcA, UnregisterClassA
comdlg32.dll | GetOpenFileNameA
ADVAPI32.dll | AdjustTokenPrivileges, RegEnumKeyExA, OpenProcessToken, RegCloseKey, LookupPrivilegeValueA, RegSetValueExA, RegCreateKeyA, RegQueryInfoKeyA, RegOpenKeyExA, RegQueryValueExA
ole32.dll | CoUninitialize, OleInitialize, OleUninitialize, CoCreateInstance, CoInitialize
OLEAUT32.dll | LoadTypeLib, SysAllocStringLen, VariantChangeTypeEx, VariantClear, VariantTimeToDosDateTime, RegisterTypeLib
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA, VerInstallFileA
KERNEL32.dll | Sleep, GlobalFree, GlobalAlloc, SetFilePointer, GetACP, CreateFileA, LCMapStringW, LCMapStringA, GetCPInfo, VirtualAlloc, VirtualFree, GetCurrentProcessId, HeapDestroy, SetStdHandle, HeapCreate, SetHandleCount, SetEndOfFile, GetStdHandle, GetStartupInfoA, GetCommandLineA, GetLocalTime, GetSystemTime, GetCurrentDirectoryA, HeapFree, HeapAlloc, GetTimeZoneInformation, ExitProcess, FileTimeToLocalFileTime, TerminateProcess, GetFileType, FileTimeToSystemTime, GetFileAttributesA, GetVersionExA, GetVersion, GetSystemDirectoryA, DosDateTimeToFileTime, HeapReAlloc, LocalFree, GetWindowsDirectoryA, LocalFileTimeToFileTime, SetFileTime, GetModuleHandleA, GetDriveTypeA, SetErrorMode, LoadLibraryA, GetProcAddress, CreateProcessA, FreeLibrary, FlushFileBuffers, SetEnvironmentVariableA, CompareStringW, GetStringTypeW, GetStringTypeA, RtlUnwind, GetEnvironmentStringsW, GlobalAddAtomA, LocalAlloc, GlobalDeleteAtom, _lclose, GetFileSize, GetPrivateProfileStringA, LocalLock, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetOEMCP, lstrcatA, lstrcpyA, lstrlenA, lstrcmpiA, SetFileAttributesA, CopyFileA, GetModuleFileNameA, OpenFile, FindClose, IsDBCSLeadByte, WriteFile, CloseHandle, FindFirstFileA, _lread, _lwrite, LocalUnlock, DeleteFileA, MoveFileA, GetExitCodeProcess, GetFullPathNameA, lstrcpynA, GlobalUnlock, GlobalLock, GlobalFindAtomA, GetShortPathNameA, MoveFileExA, MultiByteToWideChar, WideCharToMultiByte, CompareStringA, ReadFile, GetTempFileNameA, RemoveDirectoryA, GetLastError, CreateDirectoryA, GetTempPathA, GetCurrentProcess
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID:0
Start time:09:37:05
Start date:10/10/2024
Path:C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\setup.exe"
Imagebase:0x400000
File size:139'776 bytes
MD5 hash:CA4D56ABBA85C97023F2E236DC82C4AA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 4084e7-408536 call 408ae0 3 408543-408557 GetWindowsDirectoryA 0->3 4 408538-40853e 0->4 6 408567-408584 call 412da0 call 409f44 GetSystemDirectoryA 3->6 7 408559-408565 3->7 5 408a95-408aa1 call 40523a 4->5 11 408aa4-408aac call 404ea4 5->11 20 408586-40858d 6->20 21 40859f-4085ba call 412da0 call 409f44 call 4036b4 6->21 9 408592-40859a MessageBoxA 7->9 9->11 18 408ab0-408ab8 11->18 19 408aae 11->19 23 408ac6-408ac9 18->23 24 408aba-408ac1 18->24 19->18 20->9 36 4085cc-4085d6 call 407e03 21->36 37 4085bc-4085c6 SendMessageA 21->37 26 408acb 23->26 27 408acd-408adf call 407bf1 call 410f90 23->27 24->23 26->27 36->11 40 4085dc-408602 UpdateWindow GetWindowLongA GetModuleFileNameA 36->40 37->36 41 408654-40865a 40->41 42 408604-40861f call 406a32 call 404f35 40->42 41->5 47 4088e4-4088e7 42->47 48 408625-408634 call 404eec 42->48 47->11 48->47 51 40863a-408652 GetWindowLongA GetModuleFileNameA 48->51 51->41 52 40865f-4086be call 406a32 * 2 lstrcpyA * 2 lstrcatA * 2 call 4066b2 51->52 59 4086c0-408715 call 403c25 wsprintfA MessageBoxA call 410f90 52->59 60 40871b-408759 wsprintfA * 2 call 405ec5 52->60 68 40871a 59->68 66 40877b-40886e lstrcpyA * 2 GetPrivateProfileStringA lstrcpyA lstrcatA CreateDirectoryA GetPrivateProfileStringA lstrcpyA lstrcatA call 412c40 call 412c50 * 2 call 407e75 60->66 67 40875b-408776 call 40523a 60->67 66->47 79 408870-40888a call 405c7f 66->79 67->11 68->60 82 408894-4088ac call 405c7f 79->82 83 40888c-408892 lstrcpyA 79->83 86 4088b2-4088e2 lstrcpynA call 403bf9 call 404f01 82->86 87 408a8f 82->87 83->82 86->47 92 4088ec-40891e CoInitialize call 403874 86->92 87->5 92->11 95 408924-408943 call 403874 92->95 95->11 98 408949-40894b 95->98 99 408950-408960 98->99 100 40894d 98->100 101 408980-408983 99->101 102 408962-40897a call 403874 99->102 100->99 104 408985-4089a1 call 403874 101->104 105 4089a7-4089aa 101->105 102->11 102->101 104->11 104->105 106 4089b2-4089b5 105->106 107 4089ac CoUninitialize 105->107 
110 408a32-408a53 call 40523a 106->110 111 4089b7-4089ba 106->111 107->106 110->11 118 408a55-408a58 110->118 111->110 113 4089bc-4089ea call 40815c call 406c0a call 407720 call 404eec 111->113 113->11 138 4089f0-4089f7 113->138 120 408a67-408a6a 118->120 121 408a5a-408a65 call 406c0a 118->121 124 408a6c-408a7b call 406c0a 120->124 125 408a7d-408a84 call 40322c 120->125 121->11 121->120 124->11 124->125 125->11 133 408a86-408a8d call 403794 125->133 133->11 139 4089f9-408a05 call 40746d 138->139 140 408a0a-408a30 ShowWindow call 40523a 138->140 139->11 140->11
    APIs
    • GetWindowsDirectoryA.KERNEL32(C:\WINDOWS\,00000208), ref: 0040854F
    • MessageBoxA.USER32(00000000,Cannot locate the System folder.Aborting Setup.,Cannot find folder.,00000040), ref: 00408594
      • Part of subcall function 0040523A: wvsprintfA.USER32(?,004055A1,?), ref: 00405253
      • Part of subcall function 0040523A: MessageBoxA.USER32(?,?), ref: 00405283
      • Part of subcall function 0040523A: wsprintfA.USER32 ref: 0040534F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Message$DirectoryWindowswsprintfwvsprintf
    • String ID: ;B$%s$%s%s$%s%s$BootStrap$BootStrap Files$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\$C:\Users\user\Desktop\setup.LST$C:\WINDOWS\$C:\WINDOWS\SYSTEM32\$CabFile$Cannot find folder.$Cannot locate the System folder.Aborting Setup.$Cannot locate the Windows folder.Aborting Setup.$LST$SETUP.LST$ST6UNST.EXE$Setup$Setup1 Files$Spawn$Title$TmpDir
    • API String ID: 2341025521-1201858307
    • Opcode ID: 0126afa5406736b4c3447c4dcf167bd678462b8adce9b112b7e791adc4edcacc
    • Instruction ID: 01ffc4e6f574d24c5587ae239345a647704821fd91bf5c57b80604a0106283fd
    • Opcode Fuzzy Hash: 0126afa5406736b4c3447c4dcf167bd678462b8adce9b112b7e791adc4edcacc
    • Instruction Fuzzy Hash: 33E10532A40214BADB21AB65DD86FEF366CDF44714F20417BF105B11D2DFBC9A818A6D

    Control-flow Graph

    APIs
    • DefWindowProcA.USER32(?,?,?,?), ref: 004058B7
    • BeginPaint.USER32(?,?), ref: 004058E6
    • GetTextMetricsA.GDI32(?,?), ref: 004058F6
    • GetClientRect.USER32(?,?), ref: 00405903
    • SetTextColor.GDI32(?,00000000), ref: 0040590D
    • SelectObject.GDI32(?,2C0A0D2A), ref: 00405923
    • GetWindowLongA.USER32(?,000000FA), ref: 0040593C
    • GetModuleFileNameA.KERNEL32(00000000), ref: 00405943
    • lstrcpyA.KERNEL32(C:\Users\user\Desktop\setup.LST,C:\Users\user\Desktop\), ref: 0040595E
    • lstrcatA.KERNEL32(C:\Users\user\Desktop\setup.LST,setup.lst), ref: 0040596A
    • GetPrivateProfileStringA.KERNEL32(BootStrap,SetupTitle,00000000,?,0000040A,C:\Users\user\Desktop\setup.LST), ref: 0040598F
    • SetWindowTextA.USER32(?), ref: 004059A2
    • GetPrivateProfileStringA.KERNEL32(BootStrap,SetupText,00000000,?,0000040A,C:\Users\user\Desktop\setup.LST), ref: 004059BD
    • wsprintfA.USER32 ref: 00405A44
    • SetBkColor.GDI32(?,00C0C0C0), ref: 00405A7D
    • lstrlenA.KERNEL32(?,?,00000401), ref: 00405A99
    • DrawTextA.USER32(?,?,00000000), ref: 00405AA6
    • OffsetRect.USER32(?,?,?), ref: 00405AFC
    • lstrlenA.KERNEL32(?,?,00000001), ref: 00405B0F
    • DrawTextA.USER32(?,?,00000000), ref: 00405B1C
    • SetTextColor.GDI32(?,?), ref: 00405B28
    • SelectObject.GDI32(?,?), ref: 00405B3B
    • EndPaint.USER32(?,?), ref: 00405B48
    • PostQuitMessage.USER32(00000000), ref: 00405B70
    • DeleteObject.GDI32(2C0A0D2A), ref: 00405B80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Text$ColorObjectWindow$DrawPaintPrivateProfileRectSelectStringlstrlen$BeginClientDeleteFileLongMessageMetricsModuleNameOffsetPostProcQuitlstrcatlstrcpywsprintf
    • String ID: %s $%s%s$*,$BootStrap$C:\Users\user\Desktop\$C:\Users\user\Desktop\setup.LST$SetupText$SetupTitle$setup.lst
    • API String ID: 1500238012-3369323330
    • Opcode ID: 970d27931c2efb999f501d760be0d3e4294fe1797576bdd4b9b5b38da674d956
    • Instruction ID: 7c8ff3b1d4b0d8e6b059af8cd8ecf1037427107b01a63ffa6a6f09735c041a21
    • Opcode Fuzzy Hash: 970d27931c2efb999f501d760be0d3e4294fe1797576bdd4b9b5b38da674d956
    • Instruction Fuzzy Hash: BB917972901119AFDB009FA8DD89EEF7B79FB04301F048176FA05F21A0DA39AA55CF59

    Control-flow Graph
    control_flow_graph 370 413060-4130be GetVersion call 413ed0 373 4130c0-4130c7 call 413230 370->373 374 4130ca-4130f2 call 4133e0 call 416040 GetCommandLineA call 416680 370->374 373->374 383 4130f4-4130fb 374->383 384 4130fd-413104 call 410f90 374->384 383->384 385 413107-413122 call 4163d0 call 4162e0 call 410f60 383->385 384->385 394 4131e6-4131e9 385->394 395 413128-413130 385->395 398 413157-41315b 394->398 399 4131ef-4131f3 394->399 396 413132-413134 395->396 397 41314e-413151 395->397 396->397 400 413136-413146 call 416280 396->400 397->398 401 413153-413154 397->401 402 413167-41317c GetStartupInfoA 398->402 403 41315d-41315f 398->403 399->394 400->395 411 413148-41314c 400->411 401->398 404 413188 402->404 405 41317e-413186 402->405 403->402 407 413161-413165 403->407 408 41318d-41319a GetModuleHandleA call 405557 404->408 405->408 407->398 412 41319f-4131e5 call 410f90 408->412 411->395
    APIs
    • GetVersion.KERNEL32 ref: 00413086
      • Part of subcall function 00413ED0: HeapCreate.KERNELBASE(00000001,00001000,00000000,004130BC), ref: 00413ED9
    • GetCommandLineA.KERNEL32 ref: 004130DB
    • GetStartupInfoA.KERNEL32(?), ref: 00413172
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413193
      • Part of subcall function 00413230: ExitProcess.KERNEL32 ref: 00413250
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CommandCreateExitHandleHeapInfoLineModuleProcessStartupVersion
    • String ID:
    • API String ID: 911431592-0
    • Opcode ID: 82b7b8b85026cc5ed6a0a5b8bf990af22b85dca2ac9ffa6fb1ffc9ccf9a79d41
    • Instruction ID: 1d74e680aef3d75dca29bd4ede4a97e89503111c6e16f9868dd171403daeae44
    • Opcode Fuzzy Hash: 82b7b8b85026cc5ed6a0a5b8bf990af22b85dca2ac9ffa6fb1ffc9ccf9a79d41
    • Instruction Fuzzy Hash: 9D41F5B0D04345ABDB20AFA9CC067EABFE8EB08706F14013BE85597391D77C8A81C759

    Control-flow Graph
    control_flow_graph 416 409f75-409f94 FindFirstFileA 417 409f96-409f9d 416->417 418 409fa9-409fad 416->418 419 409fa2-409fa3 FindClose 417->419 420 409f9f-409fa1 417->420 419->418 420->419
    APIs
    • FindFirstFileA.KERNELBASE(00403389,?,[rename]), ref: 00409F8B
    • FindClose.KERNEL32(00000000), ref: 00409FA3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID: [rename]
    • API String ID: 2295610775-2791824512
    • Opcode ID: 7b224ee356828458b2a7fe41b879744bea6e94f4048cee51b76876aed028c9c3
    • Instruction ID: 345484854a7387f43733b80f59b6d8b827950b34e7577486e522b865aca3e9e4
    • Opcode Fuzzy Hash: 7b224ee356828458b2a7fe41b879744bea6e94f4048cee51b76876aed028c9c3
    • Instruction Fuzzy Hash: 26E08C7150012877CB31666A9C0CBEA7F6C9B05364F408261FE28E21E0D3B88D958695

    Control-flow Graph
    control_flow_graph 438 4066b2-4066ce FindFirstFileA 439 4066d0-4066dd 438->439 440 4066e5-4066e8 438->440 441 4066e9-4066f3 FindClose 439->441 442 4066df FindClose 439->442 442->440
    APIs
    • FindFirstFileA.KERNELBASE(?,?), ref: 004066C5
    • FindClose.KERNEL32(00000000), ref: 004066DF
    • FindClose.KERNEL32(00000000), ref: 004066E9
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Find$Close$FileFirst
    • String ID:
    • API String ID: 3046750681-0
    • Opcode ID: dac94524f0a3ff841a4b51c6d1be60e476e499e137034a2b1a9207b6e69f19cf
    • Instruction ID: 75148cf7f45482162284db7964a86e7b30aa1ab6abcea50c59cefc0ad9fc1ba1
    • Opcode Fuzzy Hash: dac94524f0a3ff841a4b51c6d1be60e476e499e137034a2b1a9207b6e69f19cf
    • Instruction Fuzzy Hash: C0E086311000087BDB115BB5DC097FE37A9AB08318F848A65E617D51E0DA79D8A18A56

    Control-flow Graph
    control_flow_graph 145 405557-40558a FindWindowA IsWindow 146 405590-405595 145->146 147 40586a-405876 BringWindowToTop SetFocus 145->147 146->147 148 40559b-4055a4 call 403d1c 146->148 149 40587c 147->149 153 4055b0-4055fd call 405372 148->153 154 4055a6-4055ab call 404911 148->154 151 40587e-405882 149->151 159 405618-40561e 153->159 160 4055ff-405613 call 40523a 153->160 154->149 162 405620-405626 159->162 163 40562e-405634 159->163 160->149 162->163 165 405628 162->165 166 405636-405657 call 412600 call 412410 call 4122e0 call 4097c2 163->166 167 405658-405661 call 4051b6 163->167 165->163 166->167 167->149 172 405667-4056f4 ShowCursor CreateWindowExA GetDC call 411ef0 GetDeviceCaps lstrcpyA CreateFontIndirectA 167->172 178 4056f6-4056f8 SelectObject 172->178 179 4056fe-405726 GetTextMetricsA lstrlenA * 2 172->179 178->179 181 405730 179->181 182 405728-40572e 179->182 184 405736-405752 lstrlenA GetSystemMetrics 181->184 182->184 186 405754-40576e lstrlenA * 2 184->186 187 40578c-405794 GetSystemMetrics 184->187 189 405770-405776 186->189 190 405778 186->190 188 405796-4057b1 GetSystemMetrics 187->188 191 4057b3-4057b6 188->191 192 4057b8-4057c2 GetSystemMetrics 188->192 193 40577e-40578a lstrlenA 189->193 190->193 194 4057c5-405841 GetSystemMetrics * 2 MoveWindow GetStockObject SelectObject SetBkColor ReleaseDC GetMessageA 191->194 192->194 193->188 195 405842-405846 KiUserCallbackDispatcher 194->195 196 405865-405868 195->196 197 405848-405863 TranslateMessage DispatchMessageA 195->197 196->151 197->195
    APIs
    • FindWindowA.USER32(GVBSetupInit), ref: 00405578
    • IsWindow.USER32(00000000), ref: 00405582
    • BringWindowToTop.USER32(0041319F), ref: 0040586D
    • SetFocus.USER32(0041319F,?,?), ref: 00405876
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Window$BringFindFocus
    • String ID: *,$GVBSetupInit$YPkA
    • API String ID: 2004074933-1037330768
    • Opcode ID: ddcbaa21606800981cfb626a6fb8eb600b917cdcd5707c907283b46e219abf3c
    • Instruction ID: 923c2d437ea165c14ca8939db3eecbebe7493fd9e85e9ea77b44671c27bd7bbe
    • Opcode Fuzzy Hash: ddcbaa21606800981cfb626a6fb8eb600b917cdcd5707c907283b46e219abf3c
    • Instruction Fuzzy Hash: 5191C471A01208BFDB20AFB0DC89EAF3F6DEB44341F44803AF905E62A1D77999518F59

    Control-flow Graph
    control_flow_graph 236 404f35-404f4d 237 404f4f-404fb3 lstrcpyA call 409f44 lstrcatA wsprintfA lstrcatA * 2 call 409f75 236->237 242 404fc0-404ffd lstrcpyA CreateFileA 237->242 243 404fb5-404fbc 237->243 244 405018-405030 call 409e9f 242->244 245 404fff-405013 call 40523a 242->245 243->237 246 404fbe 243->246 252 405126 244->252 253 405036-405049 call 409e9f 244->253 251 405158-40515a 245->251 246->245 255 405163-405167 251->255 254 405129-405155 CloseHandle call 403c25 call 40523a 252->254 253->254 260 40504f-40505d call 409e9f 253->260 254->251 260->254 265 405063-405073 call 409e9f 260->265 265->254 268 405079-405087 call 409e9f 265->268 268->254 271 40508d-40509d call 409e9f 268->271 271->254 274 4050a3-4050b1 call 409e9f 271->274 274->254 277 4050b3-4050be call 409e9f 274->277 277->254 280 4050c0-4050ce call 409e9f 277->280 280->254 283 4050d0-4050e0 call 409e9f 280->283 283->254 286 4050e2-4050f0 call 409e9f 283->286 286->254 289 4050f2-4050fd call 409e9f 286->289 289->254 292 4050ff-40510a call 409e9f 289->292 292->254 295 40510c-405117 call 409e9f 292->295 295->254 298 405119-405122 CloseHandle 295->298 299 405124 298->299 300 40515c-40515d call 404eb4 298->300 299->254 302 405162 300->302 302->255
    APIs
    • lstrcpyA.KERNEL32(?,?), ref: 00404F59
      • Part of subcall function 00409F44: lstrlenA.KERNEL32(00000419,00000419,0000002C,00406C03,0000002C,?,00000000,0000002C), ref: 00409F4B
      • Part of subcall function 00409F44: CharPrevA.USER32(00000419,00000000,?,00000000,0000002C), ref: 00409F57
    • lstrcatA.KERNEL32(?,ST6UNST.), ref: 00404F74
    • wsprintfA.USER32 ref: 00404F80
    • lstrcatA.KERNEL32(?,?), ref: 00404F94
    • lstrcatA.KERNEL32(?,0041FCAC), ref: 00404FA2
      • Part of subcall function 00409F75: FindFirstFileA.KERNELBASE(00403389,?,[rename]), ref: 00409F8B
      • Part of subcall function 00409F75: FindClose.KERNEL32(00000000), ref: 00409FA3
    • lstrcpyA.KERNEL32(C:\WINDOWS\ST6UNST.000,?), ref: 00404FCD
    • CreateFileA.KERNELBASE(C:\WINDOWS\ST6UNST.000,40000000,00000000,?,00000001,80000080,00000000), ref: 00404FF1
    • CloseHandle.KERNEL32(?), ref: 0040512A
      • Part of subcall function 00409E9F: lstrlenA.KERNEL32(,P@, %% ,?,?,0040502C,00000000,?), ref: 00409EA7
      • Part of subcall function 00409E9F: WriteFile.KERNELBASE(?,0000000C,00000000,?,00000000,?,0040502C,00000000,?), ref: 00409EBC
    • CloseHandle.KERNELBASE(?), ref: 0040511A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CloseFilelstrcat$FindHandlelstrcpylstrlen$CharCreateFirstPrevWritewsprintf
    • String ID: %% $%03d$C:\WINDOWS\ST6UNST.000$ST6UNST.
    • API String ID: 4094472129-1665917176
    • Opcode ID: ee4372c8f2afc6d1aabe9d92cbcc9f6efe75d14f5c55ff3bcf698a14d413b7b4
    • Instruction ID: a8b2ddaf3280114ea0c278ee027f66db3d9a22197d4e9fe88c382066e0e29105
    • Opcode Fuzzy Hash: ee4372c8f2afc6d1aabe9d92cbcc9f6efe75d14f5c55ff3bcf698a14d413b7b4
    • Instruction Fuzzy Hash: 5751807690060A7AEB14AAA5EC85EEF376CDF45324F10047FF904F51C1DA3C9E858AA9

    Control-flow Graph
    control_flow_graph 303 403b63-403b7b LocalAlloc 304 403b7d-403b98 LocalLock LoadStringA 303->304 305 403bdf-403bf2 call 40523a 303->305 306 403ba1-403bab LocalAlloc 304->306 307 403b9a 304->307 313 403bf4-403bf8 305->313 309 403bc2-403bd2 LocalUnlock LocalFree 306->309 310 403bad-403bbc LocalLock lstrcpyA 306->310 307->306 309->305 312 403bd4-403bdd 309->312 310->309 312->313
    APIs
    • LocalAlloc.KERNELBASE(00000002,00000200,0041319F,?,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403B75
    • LocalLock.KERNEL32(00000000,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403B7E
    • LoadStringA.USER32(00421B08,00421B08,00000000,00000200), ref: 00403B90
    • LocalAlloc.KERNEL32(00000002,00000001,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403BA5
    • LocalLock.KERNEL32(00000000,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403BAE
    • lstrcpyA.KERNEL32(00000000,00000000,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403BBC
    • LocalUnlock.KERNEL32(00000000,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403BC3
    • LocalFree.KERNEL32(00000000,?,00000000,00403D36,?,000003E8,00421B08,0042419C,GVBSetupInit,004055A1,0041319F,?,?), ref: 00403BCA
    Strings
    • Insufficient memory available to initialize Setup, xrefs: 00403BDF
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Local$AllocLock$FreeLoadStringUnlocklstrcpy
    • String ID: Insufficient memory available to initialize Setup
    • API String ID: 995929202-2705912131
    • Opcode ID: f75ab4c2667fb1d1030bc8974c748de62e3bc56a30f54bab571346c82b925b78
    • Instruction ID: a696a282c1d06df0986013d879dd086d3afee71d6a366bf59d5bc27334b3140b
    • Opcode Fuzzy Hash: f75ab4c2667fb1d1030bc8974c748de62e3bc56a30f54bab571346c82b925b78
    • Instruction Fuzzy Hash: 2C014E323462147FD3112F549C09FBB7BACEF04719F04043AFA49E6292C6F99C1047A6

    Control-flow Graph
    control_flow_graph 314 401f0f-401f23 315 401f25-401f28 314->315 316 401f2d-401f68 lstrlenA CreateFileA 314->316 317 40201b-40201f 315->317 318 401f6e-401f7c SetFilePointer 316->318 319 40200f-402011 316->319 318->319 320 401f82-401f87 318->320 319->317 321 401fa2-401fa6 320->321 322 401f89-401f96 lstrlenA call 401ed2 320->322 323 401fa8-401faa 321->323 324 401fac-401fb5 CharNextA 321->324 327 401f9b-401fa0 322->327 323->324 326 401fb7-401fb9 323->326 324->321 329 402002-40200d CloseHandle 326->329 330 401fbb-401fd6 call 401eb4 call 401ed2 326->330 327->321 328 401ffb 327->328 328->329 329->319 331 402013-402018 329->331 330->328 336 401fd8-401fe3 call 401ed2 330->336 331->317 338 401fe8-401fed 336->338 338->328 339 401fef-401ff3 338->339 339->329 340 401ff5-401ff7 339->340 340->329 341 401ff9 340->341 341->320
    APIs
    • lstrlenA.KERNEL32(0041319F,*** ,0041C078,00000000,00000000,0041319F,00000001,00000000), ref: 00401F31
    • CreateFileA.KERNELBASE(40000000,00000000), ref: 00401F5C
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00401F73
    • lstrlenA.KERNEL32(80000080,00000000), ref: 00401F8B
    • CharNextA.USER32(0041319F), ref: 00401FAD
    • CloseHandle.KERNELBASE(00000003), ref: 00402005
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Filelstrlen$CharCloseCreateHandleNextPointer
    • String ID: *** $dS@
    • API String ID: 277593559-2255215331
    • Opcode ID: 78b31a305cf45fe16037366c2a5548d4224dd8141c6ca31394b8328f96ee7a78
    • Instruction ID: 3d21a72b58375e86618003b68ff31b98c34efc4a5cd94eb642d87716ced3cdb1
    • Opcode Fuzzy Hash: 78b31a305cf45fe16037366c2a5548d4224dd8141c6ca31394b8328f96ee7a78
    • Instruction Fuzzy Hash: F4312671900206BEEB201F659D88ABF3B69DF00368F54853BFA14B22E1D77C8D51D769

    Control-flow Graph
    control_flow_graph 342 4051b6-40521b GetStockObject LoadCursorA LoadIconA RegisterClassA 343 405221-405235 GetTempPathA 342->343 344 40521d-40521f 342->344 345 405237-405239 343->345 344->345
    APIs
    • GetStockObject.GDI32(00000001), ref: 004051C6
    • LoadCursorA.USER32(00000000,00007F02), ref: 004051EA
    • LoadIconA.USER32(0040565E,000005DC), ref: 004051F9
    • RegisterClassA.USER32(00000003), ref: 00405212
    • GetTempPathA.KERNEL32(000001FF,C:\Users\user\AppData\Local\Temp\), ref: 0040522B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Load$ClassCursorIconObjectPathRegisterStockTemp
    • String ID: C:\Users\user\AppData\Local\Temp\$GVBSetupInit
    • API String ID: 108143610-272667891
    • Opcode ID: a27effd8866969580997cbc572662fa6b9af3386dbc733b6657d55154b7c95c9
    • Instruction ID: 0ab753cf311445e4ca0e000d4d00b98f2f1ada72720799f30a412d4170b7667b
    • Opcode Fuzzy Hash: a27effd8866969580997cbc572662fa6b9af3386dbc733b6657d55154b7c95c9
    • Instruction Fuzzy Hash: 11017C71D41219AFDB009FE0D809BEE7BB8EF08716F00856AE501B6280D7B942548FA9

    Control-flow Graph
    control_flow_graph 346 409e9f-409ec4 lstrlenA WriteFile 347 409ec6-409ecb 346->347 348 409ece-409ed0 346->348 347->348
    APIs
    • lstrlenA.KERNEL32(,P@, %% ,?,?,0040502C,00000000,?), ref: 00409EA7
    • WriteFile.KERNELBASE(?,0000000C,00000000,?,00000000,?,0040502C,00000000,?), ref: 00409EBC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: FileWritelstrlen
    • String ID: %% $,P@
    • API String ID: 427699356-1158777772
    • Opcode ID: f3e2b5871501798a91f9863c851121d11a3335d94d793aa3dae9b663bbbbe9bb
    • Instruction ID: 544ded86900f95aa6b4c66d6ba9d99bf9877521b10cebc8845073b9ff73b328a
    • Opcode Fuzzy Hash: f3e2b5871501798a91f9863c851121d11a3335d94d793aa3dae9b663bbbbe9bb
    • Instruction Fuzzy Hash: 99E08C32111228BBCF105F61DD09ACB3FACEF006A0F108035B809D50A0E670DE10DA94

    Control-flow Graph
    control_flow_graph 349 413f10-413f1b 350 413f24-413f3b HeapAlloc 349->350 351 413f1d-413f22 349->351 352 413f41-413f5b VirtualAlloc 350->352 353 41406c-414071 350->353 351->352 354 413f61-413f72 VirtualAlloc 352->354 355 414055-41405b 352->355 357 414047-41404f VirtualFree 354->357 358 413f78-413f7e 354->358 355->353 356 41405d-414066 HeapFree 355->356 356->353 357->355 359 413f80-413f87 358->359 360 413fa8-413fc1 358->360 361 413f93-413f9a 359->361 362 413f89 359->362 363 413fc3-413fe0 360->363 361->363 364 413f9c-413fa6 361->364 362->361 365 413fe5-414000 363->365 364->363 365->365 366 414002-414017 365->366 367 414041-414046 366->367 368 414019-41401e 366->368 369 414020-41403f 368->369 369->367 369->369
    APIs
    • HeapAlloc.KERNEL32(?,00000000,00002020,?,?,?,00413EEE), ref: 00413F31
    • VirtualAlloc.KERNELBASE(00000000,00400000,00002000,00000004,?,?,?,00413EEE), ref: 00413F55
    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,?,00413EEE), ref: 00413F6E
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00413EEE), ref: 0041404F
    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,00413EEE), ref: 00414066
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: AllocVirtual$FreeHeap
    • String ID:
    • API String ID: 714016831-0
    • Opcode ID: 5231719d612e0b1fe53762e219d40b29f1075e2b4a2ac9d810ecd73db4262c87
    • Instruction ID: a41e6584edd288de8ac9b870dc9a56eefaa0d3e471ad3bccb36c8c973aeebc67
    • Opcode Fuzzy Hash: 5231719d612e0b1fe53762e219d40b29f1075e2b4a2ac9d810ecd73db4262c87
    • Instruction Fuzzy Hash: 1C31F6716803059BC720CF28EC84BD67BA5EB99755F10C53BFA08DB380D7B999818B8C

    Control-flow Graph
    control_flow_graph 421 410fd0-410fdf 422 410fe1-410fe9 GetCurrentProcess TerminateProcess 421->422 423 410fef-411009 421->423 422->423 424 411049-41105d call 411080 423->424 425 41100b-411013 423->425 433 411070-411073 424->433 434 41105f-41106a ExitProcess 424->434 427 411015-411020 425->427 428 411037-411046 call 411080 425->428 427->428 431 411022-411026 427->431 428->424 435 411030-411035 431->435 436 411028-41102a 431->436 435->428 435->431 436->435
    APIs
    • GetCurrentProcess.KERNEL32(?,?,?,?,00410F9E,?,00000000,00000000,00413104,000000FF), ref: 00410FE2
    • TerminateProcess.KERNEL32(00000000,?,?,?,00410F9E,?,00000000,00000000,00413104,000000FF), ref: 00410FE9
    • ExitProcess.KERNEL32 ref: 0041106A
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 13b1385e57a918d75d3f7aa37324f92508021f5b6d7a9b40b26c2c2ef340165f
    • Instruction ID: e7c9c83e2ac8414cb709457cbfbe94d37a12d4908bee539a3836889e8f38daf5
    • Opcode Fuzzy Hash: 13b1385e57a918d75d3f7aa37324f92508021f5b6d7a9b40b26c2c2ef340165f
    • Instruction Fuzzy Hash: B501BE31B412409FC730DFA9ECC4BDA7F64971C756B40003AEA4593621DB69ADD4876D

    Control-flow Graph
    control_flow_graph 443 401ed2-401edb 444 401ee0-401ef7 WriteFile 443->444 445 401edd 443->445 446 401ef9-401efe 444->446 447 401f0c-401f0e 444->447 445->444 448 401f00 446->448 449 401f02-401f0a 446->449 448->449 449->447
    APIs
    • WriteFile.KERNELBASE(00000000,00000000,00000003,00401FD1,00000000,00000000,dS@,00401FD1,00000003,00000000,00000000,00000000), ref: 00401EEF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: FileWrite
    • String ID: dS@
    • API String ID: 3934441357-1473639913
    • Opcode ID: 69ba090508dee29eb665ea91c108965ce53dacc8d91680b9818d21d142e663b0
    • Instruction ID: 396b472d8fd48310c2c845697331ad99a321a121c91c4dad91a0fa988bcdc1a3
    • Opcode Fuzzy Hash: 69ba090508dee29eb665ea91c108965ce53dacc8d91680b9818d21d142e663b0
    • Instruction Fuzzy Hash: F1F0393260121AABCB21CE54DC40BAB77A8EB00B51F040429FD44E7250D731EC208BA5

    Control-flow Graph
    control_flow_graph 450 402314-40231b 451 402321-40233d CreateFileA 450->451 452 40231d-40231f 450->452 454 40234a-40234c 451->454 455 40233f-402348 CloseHandle 451->455 453 40235d-40235f 452->453 454->453 455->454 456 40234e-402359 call 409ede 455->456 459 402360-402375 call 409f06 456->459 460 40235b 456->460 460->453
    APIs
    • CreateFileA.KERNELBASE(00404EBF,80000000,00000000,00000000,00000003,00000080,00000000,0041C05C,00404EBF,?,000000FE,00405162,C:\WINDOWS\ST6UNST.000), ref: 00402334
    • CloseHandle.KERNEL32(00000000), ref: 00402340
      • Part of subcall function 00409F06: LocalFree.KERNEL32(00000000,00402261,00000000,0041319F,00000001), ref: 00409F11
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CloseCreateFileFreeHandleLocal
    • String ID:
    • API String ID: 91504066-0
    • Opcode ID: d99dd74457d39f930bd05f6b4fb5575a3957d248c55a4a670feeb913173c846a
    • Instruction ID: d43e7c1af8c148b3c6a9615dacae296811828584beff28b200d79d2d60ed83dc
    • Opcode Fuzzy Hash: d99dd74457d39f930bd05f6b4fb5575a3957d248c55a4a670feeb913173c846a
    • Instruction Fuzzy Hash: 11F0A73278972176F6311674BD0EF8A23446B01B60F25453BFE08F91E2C6FC6C92028D
    APIs
    • HeapCreate.KERNELBASE(00000001,00001000,00000000,004130BC), ref: 00413ED9
    • HeapDestroy.KERNEL32(?), ref: 00413EF8
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Heap$CreateDestroy
    • String ID:
    • API String ID: 3296620671-0
    • Opcode ID: a6ded3e425f809ce1be8acb7973a9b25c33763ed127a365f7318089e246b026d
    • Instruction ID: 1db3fd901d73b32a997a7b282e224eb9dca8c6f384fe48a6bdbebc9e9335d82b
    • Opcode Fuzzy Hash: a6ded3e425f809ce1be8acb7973a9b25c33763ed127a365f7318089e246b026d
    • Instruction Fuzzy Hash: 96D05E34B403015AEB21DF35AC0ABC63AE4AB08B46FD00471FA04C5191E6AD99C1A60D
    APIs
    • lstrlenA.KERNEL32(?,?,0040121F,00000000,0000005C), ref: 00406A38
    • CharPrevA.USER32(?,00000000), ref: 00406A4E
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CharPrevlstrlen
    • String ID:
    • API String ID: 2709904686-0
    • Opcode ID: 21af6a3d17d41e860beb97f1861d39bc09d921111b5db3ff594c5e76d5aa4137
    • Instruction ID: 545a573e3bb27a67837e6e72b6d82254b99521d1f59420644be084c51f86e610
    • Opcode Fuzzy Hash: 21af6a3d17d41e860beb97f1861d39bc09d921111b5db3ff594c5e76d5aa4137
    • Instruction Fuzzy Hash: 43D0A7327090706FC2027720AE144EF3BE99D43300B0AD4A2F086F2311C23C5C614BEE
    APIs
      • Part of subcall function 00409772: SHGetMalloc.SHELL32(?), ref: 0040977B
      • Part of subcall function 00409772: SHGetSpecialFolderLocation.SHELL32(00000000,00000007,00000001), ref: 00409793
      • Part of subcall function 00409772: SHGetPathFromIDListA.SHELL32(00000001,?), ref: 004097A3
    • wsprintfA.USER32 ref: 004074BF
      • Part of subcall function 00409C74: OleInitialize.OLE32(00000000), ref: 00409CB6
    • GetPrivateProfileStringA.KERNEL32(BootStrap,Spawn,00000000,?,00000208,C:\Users\user\Desktop\setup.LST), ref: 00407515
    • wsprintfA.USER32 ref: 0040752E
    • wsprintfA.USER32 ref: 0040754C
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 00407578
    • wsprintfA.USER32 ref: 004075E4
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
    • wsprintfA.USER32 ref: 00407632
    • wsprintfA.USER32 ref: 00407647
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040767D
    • GetLastError.KERNEL32 ref: 00407687
    • wsprintfA.USER32 ref: 00407697
    • ShowWindow.USER32(00000000), ref: 004076E3
      • Part of subcall function 00407DCE: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00407DE1
      • Part of subcall function 00407DCE: Sleep.KERNEL32(00000000,?,?,00408BC5,76230440,00407C7D,004212E8,000003E8), ref: 00407DE8
      • Part of subcall function 00407DCE: UpdateWindow.USER32 ref: 00407DF7
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004076F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: wsprintf$ProcessWindow$AttributesCharCodeCreateErrorExitFileFolderFromInitializeLastListLocationMallocMessagePathPeekPrevPrivateProfileShowSleepSpecialStringUpdatelstrcpylstrlen
    • String ID: %s%s$%s%s "%s" "%s" "%s"$%s%s /q "%s" "%s" "%s" "%s"$%s%s /s "%s" "%s" "%s" "%s"$%s%s /s "%s" /q "%s" "%s" "%s" "%s"$0x%08lXH$@%s$BootStrap$BootStrap Files$C:\Users\user\Desktop\$C:\Users\user\Desktop\setup.LST$C:\WINDOWS\$C:\WINDOWS\ST6UNST.000$CreateProcess()$Spawn
    • API String ID: 393628554-657165701
    • Opcode ID: d0985d0d4efaf0fbab4e0dc6affb16f80186326814e0eceee2a86bce35a19f2f
    • Instruction ID: bcacf625efb481c3d6777d4c4a6aa8f74bedc184b533834695a676a94573e779
    • Opcode Fuzzy Hash: d0985d0d4efaf0fbab4e0dc6affb16f80186326814e0eceee2a86bce35a19f2f
    • Instruction Fuzzy Hash: 9F6107B2E842187ADB109B94EC86EEB77AC9B44704F640477B105F21D1DA7C6A848A6E
    APIs
    • wsprintfA.USER32 ref: 00406166
      • Part of subcall function 0040650E: wsprintfA.USER32 ref: 0040653E
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
      • Part of subcall function 00409FEA: lstrcpyA.KERNEL32(?,00000000,00000001,?,00000000,004017D9,00000000,?,76228A60), ref: 00409FF6
      • Part of subcall function 00409FEA: lstrlenA.KERNEL32(?), ref: 00409FFD
      • Part of subcall function 00409FEA: CharPrevA.USER32(?,-00000001), ref: 0040A01F
      • Part of subcall function 00409FEA: CharPrevA.USER32(?,-00000001), ref: 0040A02B
    • wsprintfA.USER32 ref: 004061B4
    • wsprintfA.USER32 ref: 004061C4
      • Part of subcall function 00405C1A: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0041C1CC,76938400,0041C1CC,004061D1,00000000), ref: 00405C26
      • Part of subcall function 00405C1A: CharNextA.USER32(C:\Users\user\AppData\Local\Temp\), ref: 00405C4F
      • Part of subcall function 00405C1A: CharPrevA.USER32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00405C5E
    • lstrcpyA.KERNEL32(004210E0,0041FCAC), ref: 004061F1
    • lstrcpyA.KERNEL32(00423F60,00000000), ref: 00406206
      • Part of subcall function 00409F44: lstrlenA.KERNEL32(00000419,00000419,0000002C,00406C03,0000002C,?,00000000,0000002C), ref: 00409F4B
      • Part of subcall function 00409F44: CharPrevA.USER32(00000419,00000000,?,00000000,0000002C), ref: 00409F57
    • lstrcatA.KERNEL32(00423F60,?), ref: 00406213
    • VerInstallFileA.VERSION(00000000,00000208,?,00000000,00000000,00000000,004210E0,00000208), ref: 00406246
    • GetShortPathNameA.KERNEL32(?,?,00000207), ref: 0040626C
    • lstrcpyA.KERNEL32(?,00000208), ref: 0040627D
    • FindFirstFileA.KERNEL32(?,?), ref: 0040628D
    • FindClose.KERNEL32(00000000), ref: 00406299
    • VerInstallFileA.VERSION(00000000,00000000,?,?,00000000,00000000,004210E0,00000208), ref: 004062D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Charlstrcpy$Prev$wsprintf$Filelstrlen$FindInstall$CloseFirstNameNextPathShortlstrcat
    • String ID: %s%s %s$%s%s$@DB$C:\Users\user\AppData\Local\Temp\$C:\WINDOWS\$ST6UNST.EXE$`?B
    • API String ID: 2158229777-971152
    • Opcode ID: 5f9a57c73493216d41970b9ef50b0da969819cedfad08bbccbc4a8aefcac633d
    • Instruction ID: 44748f6b0a73fcd5f33a31090c46e677a49c4891a0fd0a2cdfc1ef92455fd83f
    • Opcode Fuzzy Hash: 5f9a57c73493216d41970b9ef50b0da969819cedfad08bbccbc4a8aefcac633d
    • Instruction Fuzzy Hash: 5EA1BE31500218AADF259F94DC45BAE7B78AF44314F26407BF902B21E0C73D8AB2DB9D
    APIs
    • lstrlenA.KERNEL32(00000001,00000001,00000001,00000000), ref: 00409333
    • lstrlenA.KERNEL32(?), ref: 0040933E
    • lstrcatA.KERNEL32(?,00000001), ref: 0040935E
    • lstrcatA.KERNEL32(?,0041C030), ref: 0040936C
    • GetFileAttributesA.KERNEL32(?,00000001,00000001,00000000), ref: 00409379
    • lstrlenA.KERNEL32(?,00000001,00000001,00000000), ref: 00409397
    • lstrlenA.KERNEL32(00000000), ref: 0040939E
    • lstrcatA.KERNEL32(?,00000000), ref: 004093BF
    • lstrlenA.KERNEL32(?), ref: 004093C8
    • lstrcatA.KERNEL32(?,.LNK), ref: 004093E1
    • GetFileAttributesA.KERNEL32(?), ref: 004093EA
    • DeleteFileA.KERNEL32(?), ref: 004093FC
    • CoCreateInstance.OLE32(0041A310,00000000,00000001,0041A610,?), ref: 00409415
      • Part of subcall function 004096F3: SHGetMalloc.SHELL32(00000001), ref: 004096FE
      • Part of subcall function 004096F3: SHGetSpecialFolderLocation.SHELL32(00000000,00000016,00000000,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 0040971A
      • Part of subcall function 004096F3: SHGetPathFromIDListA.SHELL32(00000000,00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 0040972B
      • Part of subcall function 004096F3: lstrlenA.KERNEL32(00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409748
      • Part of subcall function 004096F3: lstrlenA.KERNEL32(00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409752
    • lstrcpyA.KERNEL32(?,?), ref: 0040949E
    • CharNextA.USER32(?), ref: 004094BD
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000105), ref: 00409519
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrlen$lstrcat$File$AttributesChar$ByteCreateDeleteFolderFromInstanceListLocationMallocMultiNextPathSpecialWidelstrcpy
    • String ID: $(Programs)$$(Start Menu)$.LNK
    • API String ID: 16435757-2433586774
    • Opcode ID: 508e44079fbbbc162694ca56a6d2af627b40d9c57780fae64943c64e86291ca3
    • Instruction ID: 0c02b5470a654670146b039965436d26f172126647d4bd5ed0d5c52d8c237c06
    • Opcode Fuzzy Hash: 508e44079fbbbc162694ca56a6d2af627b40d9c57780fae64943c64e86291ca3
    • Instruction Fuzzy Hash: 01914E7190411AAFCF10DFA4CC88ADE77B9AF49314F1444BAE505E72A2D7389E86CF54
    APIs
    • GetPrivateProfileStringA.KERNEL32(BootStrap Files,00000000,00000000,?,00000208,C:\Users\user\Desktop\setup.LST), ref: 004090BF
    • wsprintfA.USER32 ref: 00409124
    • SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00409135
    • DeleteFileA.KERNEL32(00000000), ref: 0040913E
    • GetPrivateProfileStringA.KERNEL32(BootStrap,Uninstal,00000000,00000000,00000208,C:\Users\user\Desktop\setup.LST), ref: 0040916B
    • wsprintfA.USER32 ref: 00409185
    • SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00409196
    • DeleteFileA.KERNEL32(00000000), ref: 0040919F
    • RemoveDirectoryA.KERNEL32(00423B20), ref: 004091A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: File$AttributesDeletePrivateProfileStringwsprintf$DirectoryRemove
    • String ID: ;B$%s\%s$@$BootStrap$BootStrap Files$C:\Users\user\Desktop\setup.LST$C:\WINDOWS\SYSTEM32\$File$Uninstal
    • API String ID: 1852512017-2674237757
    • Opcode ID: 25da9d4976de3c910fd9add99ed099157586302874e485a59028a12ebf1fe8e2
    • Instruction ID: a52b5db7e064bb7fcc013efa1925ba52b6dd3b4ffcac9c5dc9b26cd96037dad9
    • Opcode Fuzzy Hash: 25da9d4976de3c910fd9add99ed099157586302874e485a59028a12ebf1fe8e2
    • Instruction Fuzzy Hash: 6B418372E4021C6AEF11DAA4DC45FDA77BDAB48300F1444F6E605E2081DAB9ABD48F99
    APIs
    • GetPrivateProfileStringA.KERNEL32(BootStrap,Uninstal,00000000,?,00000208,C:\Users\user\Desktop\setup.LST), ref: 00407E9E
    • wsprintfA.USER32 ref: 00407EC3
    • wsprintfA.USER32 ref: 00407EE1
    • wsprintfA.USER32 ref: 00407EF9
      • Part of subcall function 00408E72: wsprintfA.USER32 ref: 00408E97
      • Part of subcall function 00408E72: wsprintfA.USER32 ref: 00408EA7
      • Part of subcall function 00408E72: wsprintfA.USER32 ref: 00408EBB
      • Part of subcall function 00408E72: wsprintfA.USER32 ref: 00408ECB
      • Part of subcall function 00408E72: wsprintfA.USER32 ref: 00408EDF
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 00407F25
    • wsprintfA.USER32 ref: 00407F38
    • lstrcpyA.KERNEL32(?,ST6UNST.EXE), ref: 00407F50
      • Part of subcall function 00406143: wsprintfA.USER32 ref: 00406166
      • Part of subcall function 00406143: wsprintfA.USER32 ref: 004061B4
      • Part of subcall function 00406143: wsprintfA.USER32 ref: 004061C4
      • Part of subcall function 00406143: lstrcpyA.KERNEL32(004210E0,0041FCAC), ref: 004061F1
      • Part of subcall function 00406143: lstrcpyA.KERNEL32(00423F60,00000000), ref: 00406206
      • Part of subcall function 00406143: lstrcatA.KERNEL32(00423F60,?), ref: 00406213
      • Part of subcall function 00406143: VerInstallFileA.VERSION(00000000,00000208,?,00000000,00000000,00000000,004210E0,00000208), ref: 00406246
      • Part of subcall function 00406143: GetShortPathNameA.KERNEL32(?,?,00000207), ref: 0040626C
    • lstrcpyA.KERNEL32(00421900,?), ref: 00407FAF
      • Part of subcall function 00403C25: lstrcpyA.KERNEL32(Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,0041C058,0041319F,00000001,00000000), ref: 00403C3F
      • Part of subcall function 0040523A: wvsprintfA.USER32(?,004055A1,?), ref: 00405253
      • Part of subcall function 0040523A: MessageBoxA.USER32(?,?), ref: 00405283
      • Part of subcall function 0040523A: wsprintfA.USER32 ref: 0040534F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: wsprintf$lstrcpy$File$AttributesInstallMessageNamePathPrivateProfileShortStringlstrcatwvsprintf
    • String ID: ;B$%s%s$%s\$%s\%s$@%s$BootStrap$C:\Users\user\Desktop\setup.LST$C:\WINDOWS\$ST6UNST.EXE$Uninstal
    • API String ID: 3952527447-3066447467
    • Opcode ID: c6d527e2f0986121ede10a142263726b13038b7b41bb8e6b252ce0901b6ea549
    • Instruction ID: fd343c62e0e68b1cf7bd3958a6f9158a2884c58250a199cc702b827996dbbd42
    • Opcode Fuzzy Hash: c6d527e2f0986121ede10a142263726b13038b7b41bb8e6b252ce0901b6ea549
    • Instruction Fuzzy Hash: 5C3177B2D8022C7AD720D6949C85FE7776CDB44705F4045B3F908F2181E578AB948EB9
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004037E4
    • OpenProcessToken.ADVAPI32(00000000), ref: 004037EB
    • GetLastError.KERNEL32 ref: 004037F5
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380D
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040382C
    • GetLastError.KERNEL32 ref: 00403836
    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403847
    • GetLastError.KERNEL32 ref: 00403851
    • wsprintfA.USER32 ref: 00403861
    Strings
    • Error ExitWindows Error #%d, xrefs: 00403858
    • AdjustTokenPrivileges Error #%d in fDoReboot, xrefs: 0040383D
    • SeShutdownPrivilege, xrefs: 00403807
    • %s, xrefs: 004037B9
    • OpenProcessToken Error #%d in fDoReboot()., xrefs: 004037FC
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ErrorLast$ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindowswsprintf
    • String ID: %s$AdjustTokenPrivileges Error #%d in fDoReboot$Error ExitWindows Error #%d$OpenProcessToken Error #%d in fDoReboot().$SeShutdownPrivilege
    • API String ID: 556047042-2973278759
    • Opcode ID: 54589238bfda2abfa0213145b34f505b439939a1a1a5c5d6e5309adda6b0495a
    • Instruction ID: 4b167d18007c406b81d6980b9d998522ec72d1160394bea65a87e566e757abf7
    • Opcode Fuzzy Hash: 54589238bfda2abfa0213145b34f505b439939a1a1a5c5d6e5309adda6b0495a
    • Instruction Fuzzy Hash: FE219F72A41214BBD720AFA19C4DFFB3FACEB05746F108476B905E21C1D67886448BAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID: ./\
    • API String ID: 0-3176372042
    • Opcode ID: d671d880fcb71d2bf896972d31c5f3f52d8f3272463263e89478865591cf881a
    • Instruction ID: 7d26bf0da05e511fd0b8a890d6c0f10e4b1d5c3d704f81feabe42460f4eef378
    • Opcode Fuzzy Hash: d671d880fcb71d2bf896972d31c5f3f52d8f3272463263e89478865591cf881a
    • Instruction Fuzzy Hash: 7E91A0715083029BD720DF25DC41ABBB7E4EF85314F144A3EF59983380E679E9898B6A
    APIs
    • lstrlenA.KERNEL32(?), ref: 00409D3D
    • lstrcpynA.KERNEL32(?,?,00000003), ref: 00409D8E
    • CharNextA.USER32(?), ref: 00409DAA
    • lstrcpynA.KERNEL32(?,?,?), ref: 00409DDA
    • FindFirstFileA.KERNEL32(?,?), ref: 00409DED
    • lstrlenA.KERNEL32(00000000), ref: 00409E07
    • lstrlenA.KERNEL32(?), ref: 00409E14
    • lstrcatA.KERNEL32(?,0041C030), ref: 00409E33
    • lstrcatA.KERNEL32(?,?), ref: 00409E41
    • FindClose.KERNEL32(7622E800), ref: 00409E47
    • lstrlenA.KERNEL32(?), ref: 00409E5D
    • lstrlenA.KERNEL32(00000000), ref: 00409E73
    • lstrcatA.KERNEL32(00000000,0041C030), ref: 00409E82
    • lstrlenA.KERNEL32(00000000), ref: 00409E8E
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrlen$lstrcat$Findlstrcpyn$CharCloseFileFirstNext
    • String ID:
    • API String ID: 2328953381-0
    • Opcode ID: b9cfc06025bf5fd1c81b8a7afc76a5422979abbf3cd4c4f551d7958f97e87dd5
    • Instruction ID: f4e501ab5030ce37f083815afa02af0b970bcd39c14e3b4a11c7833b1d2dfa24
    • Opcode Fuzzy Hash: b9cfc06025bf5fd1c81b8a7afc76a5422979abbf3cd4c4f551d7958f97e87dd5
    • Instruction Fuzzy Hash: 2441C930049345AADB31DB64DC48BEBBBA5AF86300F54853ED1D8A23D2D7399C46C79E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID: 0$0$0$0$0$1$1$9$9$9$9$9$9
    • API String ID: 0-2112215411
    • Opcode ID: fb49805bffac5550c118da91e547f69796c63870ce6444fe04cbb0105f345729
    • Instruction ID: 2bc8f319d89929cfef49ef96f19bb5b57a5bb039dc69cbcd8573d0f92ab35664
    • Opcode Fuzzy Hash: fb49805bffac5550c118da91e547f69796c63870ce6444fe04cbb0105f345729
    • Instruction Fuzzy Hash: CF02C475A1D7818FE714CF28C8503EAB7E2AB85300F18452FE59587352DA78D9C2CB9B
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,?,00000006,00416B6F,?,Microsoft Visual C++ Runtime Library,00012010,?,00000000), ref: 00417CB3
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00417CCB
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00417CDC
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00417CE9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-4044615076
    • Opcode ID: 5e0a8574417e9f56d3690b42d3f50ee6b2fa529abb47ee7ac7d21e981c4d493f
    • Instruction ID: c454a6d1712be6698067adf8a76f9eb1af67234de32ad536a222608f1664f630
    • Opcode Fuzzy Hash: 5e0a8574417e9f56d3690b42d3f50ee6b2fa529abb47ee7ac7d21e981c4d493f
    • Instruction Fuzzy Hash: 4A012D757062166B5331DFA9AD80EAB73FCAB98B52314003AF600D2310D76CD9428669
    APIs
    • wsprintfA.USER32 ref: 00408FAE
    • GetPrivateProfileStringA.KERNEL32(BootStrap,Cabs,00000000,?,00000208,C:\Users\user\Desktop\setup.LST), ref: 00408FD0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: PrivateProfileStringwsprintf
    • String ID: BootStrap$C:\Users\user\Desktop\setup.LST$Cabs
    • API String ID: 1475573541-875268416
    • Opcode ID: 7e7f095e955b70c1e39f7fc1233d05618088e60e4b64ca79a446d6a9671a2b43
    • Instruction ID: 5aacdf5e65439ce61d96c746831b4ef5f718b81d28cd5b6a87cb121c2e0e1a55
    • Opcode Fuzzy Hash: 7e7f095e955b70c1e39f7fc1233d05618088e60e4b64ca79a446d6a9671a2b43
    • Instruction Fuzzy Hash: F2F02732B8032836DB506258EC4EFC77B6CDB90714F1000B2B649B21D3DEE829848AED
    APIs
    • FindFirstFileA.KERNEL32(00000000,?,76944C70,76228A60), ref: 0040663E
    • FindFirstFileA.KERNEL32(00401538,?), ref: 0040664C
    • FindClose.KERNEL32(00000000), ref: 0040669E
    • FindClose.KERNEL32(000000FF), ref: 004066A9
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: 8578c8467435815bc7d1f20650743d66a9154885dbe15c5e258f97299ccc0ab7
    • Instruction ID: 808c19307164284104dacbc799c838bcf630ffef0967ee02eb3e78162d954532
    • Opcode Fuzzy Hash: 8578c8467435815bc7d1f20650743d66a9154885dbe15c5e258f97299ccc0ab7
    • Instruction Fuzzy Hash: A111E531501018AFCF219F28CC84AED77B9AB45334F1587A2E829A71E0D7369EB58F95
    APIs
    • GetLocalTime.KERNEL32(?), ref: 0041260B
    • GetSystemTime.KERNEL32 ref: 00412616
    • GetTimeZoneInformation.KERNEL32(?), ref: 0041266E
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Time$InformationLocalSystemZone
    • String ID:
    • API String ID: 2475273158-0
    • Opcode ID: 2e4603faa85c1d8cf64455c7b753f488ab86b1009a3356dbc46874e4d5c100e1
    • Instruction ID: 7a6d7d2ef0df8aafe94fa0bd8c4a0790727e756a0fc731dedf71a85e505a6f53
    • Opcode Fuzzy Hash: 2e4603faa85c1d8cf64455c7b753f488ab86b1009a3356dbc46874e4d5c100e1
    • Instruction Fuzzy Hash: 4E314B742092029BD724DF14D940AFB77B2AF84710F948A3EF459C63D4E77C89A6CB1A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID: GVBSetupInit
    • API String ID: 0-463902549
    • Opcode ID: 580118918a127043f65560509961b9dae4cfe67816afa1acb2bb3d3150d7de01
    • Instruction ID: 99dbecdcc0175d3e6c9dc66e786082f384f9b387693ed86e7172b0c971b92771
    • Opcode Fuzzy Hash: 580118918a127043f65560509961b9dae4cfe67816afa1acb2bb3d3150d7de01
    • Instruction Fuzzy Hash: 0561C971344602AAEB38CF19EC41FB733B5EBC8B01F54817EF105DB6D4E6686986862C
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: db236911d8a2ba751831b98957ed8f906525c3592d2dde421f018c18ddaff29c
    • Instruction ID: 509d0cd6d8596a7c1162324d4cc31d8413af388cc6c8513c3b8fac06bd5b4ffc
    • Opcode Fuzzy Hash: db236911d8a2ba751831b98957ed8f906525c3592d2dde421f018c18ddaff29c
    • Instruction Fuzzy Hash: C632E275608341CFC708CF28D090A6ABBE1FF89314F548A6EE5859B391D375E949CB8A
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 096d7a98b018764c7a2cf497fd373bf180b30a6c701a6213458655e5f4fddc73
    • Instruction ID: 091b00d6bc9d7f723f44a59b7fe6cd007bdaa73fef86fc1387b20f6ff2bdb73b
    • Opcode Fuzzy Hash: 096d7a98b018764c7a2cf497fd373bf180b30a6c701a6213458655e5f4fddc73
    • Instruction Fuzzy Hash: 77F1C171A047028BD724CE68D98476BB7E0FB95304F108D3EE496E7681D778E54DCB8A
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dee4c67fafdc91b9f4ae5833b53344cc56ec23ffa59f486511fd64e0cec70f01
    • Instruction ID: 0f255db0dffe6ccb8d06cf29a6b2f86ed26162895ed9595c36db2a8caf8fd4fe
    • Opcode Fuzzy Hash: dee4c67fafdc91b9f4ae5833b53344cc56ec23ffa59f486511fd64e0cec70f01
    • Instruction Fuzzy Hash: C2B15B751087828FC325CF28C0906ABBBE1FF89354F54096EE4E657752C339AA4ECB56
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bc3a747d69f2ce60fa2de056303ae503bd6185622f190253cefea2f882d13552
    • Instruction ID: d85379499997599ce75b051fb160129d0ca30d46b3a3b2314576247811e5daae
    • Opcode Fuzzy Hash: bc3a747d69f2ce60fa2de056303ae503bd6185622f190253cefea2f882d13552
    • Instruction Fuzzy Hash: A5A17B745097828BC325CF28D4A16ABBBE1FF85704F14093EE4E657782C7399A0DCB96
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2f93a67e9aab00ab6373eb63ae005d93dbc032472f84f01f117b8bceda805c7d
    • Instruction ID: d2f34deffcc54ff2873753e9acfe905d06c030a91637a31eca242c5b9d3d72b3
    • Opcode Fuzzy Hash: 2f93a67e9aab00ab6373eb63ae005d93dbc032472f84f01f117b8bceda805c7d
    • Instruction Fuzzy Hash: 1D81E43550CB814BC335CE2CD4A16ABBBE1AFC5704F58897ED8D657782C239990EC792
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9fc17831e355911f1f9977fab7700874f41626d155847bf24e98fc363b7e51ef
    • Instruction ID: 36a3140227870bc943e2ddaed08278df855ad4e1ba22758fa274e7e92a7ada9c
    • Opcode Fuzzy Hash: 9fc17831e355911f1f9977fab7700874f41626d155847bf24e98fc363b7e51ef
    • Instruction Fuzzy Hash: F251F672A002108FD708CF58D5D496AB7A1FB84334F5AC5BEC8095B7A2C779E84DCB95
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a009ba7f61ca2f80a1679c463755f8fb237b57adc86e6e852a805a62e787f96e
    • Instruction ID: 88aac4cef7d8d03754c2fc8727d761249d552d5a1578a5f94352ab4c1376f084
    • Opcode Fuzzy Hash: a009ba7f61ca2f80a1679c463755f8fb237b57adc86e6e852a805a62e787f96e
    • Instruction Fuzzy Hash: 3601B1B12281214BEF1C8A24D9E163F7391DB9A31072484BFDA43E738AC734AC01C2DE
    APIs
    • wsprintfA.USER32 ref: 0040327D
    • CreateFileA.KERNEL32(?,40000000,00000000,?,00000004,00000080,00000000), ref: 004032A9
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004032C2
    • lstrlenA.KERNEL32(?,00000000), ref: 004032D9
    • WriteFile.KERNEL32(00000000,00000000), ref: 004032E3
    • lstrlenA.KERNEL32 ref: 004032F7
    • CloseHandle.KERNEL32(000000FF), ref: 0040330D
    • CloseHandle.KERNEL32(000000FF), ref: 0040331C
    • wsprintfA.USER32 ref: 00403374
    • CreateFileA.KERNEL32(?,80000000,00000000,?,00000004,00000080,00000000), ref: 004033B7
    • GetTempFileNameA.KERNEL32(?,WIT,00000000,?), ref: 0040340F
    • CreateFileA.KERNEL32(?,40000000,00000000,?,00000004,00000080,00000000), ref: 00403440
    • wsprintfA.USER32 ref: 0040345D
    • ReadFile.KERNEL32(000000FF,?,00000001,?,00000000), ref: 00403487
    • SetFilePointer.KERNEL32(000000FF,000000FF,00000000,00000001), ref: 004034C2
    • lstrlenA.KERNEL32(?,?,00000000), ref: 004034D0
    • ReadFile.KERNEL32(000000FF,?,00000000), ref: 004034DE
    • CompareStringA.KERNEL32(00000800,00000001,?,00000009,[rename],00000009), ref: 004034FF
    • SetFilePointer.KERNEL32(000000FF,000000FF,00000000,00000001), ref: 00403520
    • WriteFile.KERNEL32(000000FF,0000005B,00000001,?,00000000), ref: 00403534
    • lstrlenA.KERNEL32([rename],?,00000000), ref: 00403565
    • WriteFile.KERNEL32(000000FF,[rename],00000000), ref: 00403570
    • lstrlenA.KERNEL32([rename]), ref: 0040357F
    • lstrlenA.KERNEL32(?,00000000), ref: 00403599
    • WriteFile.KERNEL32(000000FF,00000000), ref: 004035AF
    • lstrlenA.KERNEL32 ref: 004035BF
    • ReadFile.KERNEL32(000000FF,?,00000001,?,00000000), ref: 004035E0
    • WriteFile.KERNEL32(000000FF,?,00000001,?,00000000), ref: 00403601
    • CloseHandle.KERNEL32(000000FF), ref: 00403613
    • CloseHandle.KERNEL32(000000FF), ref: 00403620
    • DeleteFileA.KERNEL32(?), ref: 00403642
    • MoveFileA.KERNEL32(?,?), ref: 0040365A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: File$lstrlen$Write$CloseHandle$CreatePointerReadwsprintf$CompareDeleteMoveNameStringTemp
    • String ID: $%s%s$C:\WINDOWS\$Couldn't create Temp Reboot File: %s$WININIT.INI$WIT$[$[rename]$_MSSETUP.BAT
    • API String ID: 4060179764-921218980
    • Opcode ID: 58eb1f88625458e7554fb31f47eb7abb5689ac77fe90cc85b16d2be89b7207cc
    • Instruction ID: 5b7b377e5252b8825cf68f04bf5f19701d3cb0ad4e491385aab0e3443db0f9d3
    • Opcode Fuzzy Hash: 58eb1f88625458e7554fb31f47eb7abb5689ac77fe90cc85b16d2be89b7207cc
    • Instruction Fuzzy Hash: C5D166B1941219BEEB209FA4DC84AEFBF7DEB04356F104136F604B21A0D7794A518B69
    APIs
    • GetWindowsDirectoryA.KERNEL32(?,00000208,00000000,00000001,00000000), ref: 004098ED
    • lstrcpyA.KERNEL32(00000001,?), ref: 00409922
      • Part of subcall function 00409F44: lstrlenA.KERNEL32(00000419,00000419,0000002C,00406C03,0000002C,?,00000000,0000002C), ref: 00409F4B
      • Part of subcall function 00409F44: CharPrevA.USER32(00000419,00000000,?,00000000,0000002C), ref: 00409F57
    • lstrcatA.KERNEL32(00000001,?), ref: 00409933
    • wsprintfA.USER32 ref: 00409941
    • lstrcatA.KERNEL32(00000001,00420EA0), ref: 0040994F
    • lstrcatA.KERNEL32(00000001,.MIF), ref: 00409957
      • Part of subcall function 00409F75: FindFirstFileA.KERNELBASE(00403389,?,[rename]), ref: 00409F8B
      • Part of subcall function 00409F75: FindClose.KERNEL32(00000000), ref: 00409FA3
    • CreateFileA.KERNEL32(00000001,40000000,00000000,0000000C,00000002,80000080,00000000), ref: 0040998A
    • lstrcpyA.KERNEL32(?,00000000), ref: 004099A5
    • CharNextA.USER32(00000000), ref: 004099C6
    • CloseHandle.KERNEL32(00000000), ref: 00409B9D
    • CloseHandle.KERNEL32(00000000), ref: 00409BA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Closelstrcat$CharFileFindHandlelstrcpy$CreateDirectoryFirstNextPrevWindowslstrlenwsprintf
    • String ID: ID = 1$ID = 2$Name = "Description"$Name = "Status"$Type = String(16)$Type = String(256)$Value = $Class = "MICROSOFT|JOBSTATUS|1.0"$End Attribute$ID = 1$Name = "InstallStatus"$Start Attribute$End Group$Name = "Workstation"$Start Group$"FAILED"$"SUCCESS"$%0d$.MIF$End Component$Start Component
    • API String ID: 1977838281-582453135
    • Opcode ID: f7c94e30253184f76d4309355216746b5e0863d3d75b729ba9f9317e1b0173e7
    • Instruction ID: 51e0888f45f2291209c8f309d3057562609e5b00643fd2835928cab7d625b946
    • Opcode Fuzzy Hash: f7c94e30253184f76d4309355216746b5e0863d3d75b729ba9f9317e1b0173e7
    • Instruction Fuzzy Hash: 70618A76A8661669E625A666EC81FEB276C9F42335F24003FF400F15C3DF3C9E8146AD
    APIs
      • Part of subcall function 0040680E: wsprintfA.USER32 ref: 00406835
      • Part of subcall function 0040680E: lstrcpynA.KERNEL32(?,00000000,00000200), ref: 00406869
      • Part of subcall function 0040680E: lstrcpyA.KERNEL32(00000211,00000000), ref: 00406899
      • Part of subcall function 0040680E: lstrcmpiA.KERNEL32(?,$(DLLSELFREGISTER)), ref: 00406916
      • Part of subcall function 0040680E: lstrcmpiA.KERNEL32(?,$(EXESELFREGISTER)), ref: 00406928
    • SetErrorMode.KERNEL32(00008000), ref: 004077C8
    • LoadLibraryA.KERNEL32(VB6STKIT.DLL), ref: 004077D3
    • GetProcAddress.KERNEL32(00000000,DLLSelfRegister), ref: 004077E5
    • GetProcAddress.KERNEL32(00000000,SyncShell), ref: 004077F6
    • lstrcpyA.KERNEL32(00423F60,?,?,?,?,00000000,00000001,?,BootStrap Files), ref: 00407844
    • lstrcatA.KERNEL32(00423F60,?,?,?,?,00000000,00000001,?,BootStrap Files), ref: 0040785A
    • lstrcmpiA.KERNEL32(?,$(DLLSELFREGISTER)), ref: 0040786D
    • FreeLibrary.KERNEL32(00000000), ref: 00407A8B
      • Part of subcall function 00403C25: lstrcpyA.KERNEL32(Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,0041C058,0041319F,00000001,00000000), ref: 00403C3F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrcmpilstrcpy$AddressLibraryProc$ErrorFreeLoadModelstrcatlstrcpynwsprintf
    • String ID: /REGSERVER$$$$(DLLSELFREGISTER)$$(EXESELFREGISTER)$$(TLBREGISTER)$%s%s$@$BootStrap Files$C:\Users\user\AppData\Local\Temp\$DLLSelfRegister$DllSelfRegister$ExeSelfRegister$REGEDIT /S $SyncShell$TLBRegister$VB6STKIT.DLL$`?B
    • API String ID: 976847085-2222654546
    • Opcode ID: 9a2504021a18b67a85eb8000a3b75dd027361ba33d17cedcaa501fce37840db5
    • Instruction ID: b079ffe374c4ac3b088f8b341e7f819a2af5b0aa47b694b62dbc6e0deca02aef
    • Opcode Fuzzy Hash: 9a2504021a18b67a85eb8000a3b75dd027361ba33d17cedcaa501fce37840db5
    • Instruction Fuzzy Hash: 1C81F8B1A093007AD6306B759C49BAF365CAF81324F14463FF515E11D1EB3C9A858A6F
    APIs
    • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00402FF1
    • lstrcpyA.KERNEL32(00000000,0041C05C), ref: 00403039
    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00403070
    • lstrcatA.KERNEL32(?,?), ref: 00403097
    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004030B9
    • lstrcatA.KERNEL32(?,?), ref: 004030DA
    • lstrcpyA.KERNEL32(?,@echo off), ref: 00403110
    • lstrcatA.KERNEL32(?,attrib -r %s > nul), ref: 00403122
    • lstrcatA.KERNEL32(?,erase %s > nul), ref: 00403131
    • lstrcatA.KERNEL32(?,copy %s %s > nul), ref: 0040313F
    • lstrcatA.KERNEL32(?,erase %s > nul), ref: 00403149
    • lstrcatA.KERNEL32(?,echo on), ref: 00403157
    • wsprintfA.USER32 ref: 0040318A
    • lstrlenA.KERNEL32 ref: 004031C4
    • lstrlenA.KERNEL32(?), ref: 004031CF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrcat$NamePathShortlstrcpylstrlen$FileMovewsprintf
    • String ID: %s=%s$@echo off$attrib -r %s > nul$copy %s %s > nul$echo on$erase %s > nul
    • API String ID: 3671028199-4111085147
    • Opcode ID: b6412a18eeed6fcd0a4c9db1e13d7dd0667b6b44a1116dfdba5a15ac602b99b9
    • Instruction ID: c70d45fbbf3c790e924c9d32baa083ab742bddaf26f978d081edd71817886566
    • Opcode Fuzzy Hash: b6412a18eeed6fcd0a4c9db1e13d7dd0667b6b44a1116dfdba5a15ac602b99b9
    • Instruction Fuzzy Hash: 2B61407690411CBADB21DB90DC44EDB7BBCEB08315F0041B7E609E2192DA799B85CF58
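The per-function listings above (the GetLocalTime/GetSystemTime/GetTimeZoneInformation chain, the WININIT.INI [rename] reboot-file writer, and the MoveFileExA MOVEFILE_DELAY_UNTIL_REBOOT plus batch-file builder) can be triaged mechanically when a report has hundreds of them. The following is an added example and is not part of the Joe Sandbox report or of setup.exe: it parses listing lines of the shape shown above into structured calls, one block per "APIs" header, and applies a handful of rules. SAMPLE is a constructed excerpt in that shape, and the rule names, thresholds and dataclasses are this example's own choices, not Joe Sandbox's.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and triage them.

Added example, not part of the report. Input lines look like:
    • Api.MODULE(arg,arg,...), ref: 0040XXXX
    • Part of subcall function 0040YYYY: Api.MODULE(...), ref: 0040XXXX
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the report's listings: a time-query chain,
# the WININIT.INI [rename] writer, and the MoveFileExA/batch-file builder.
SAMPLE = """\
APIs
• GetLocalTime.KERNEL32(?), ref: 0041260B
• GetSystemTime.KERNEL32 ref: 00412616
• GetTimeZoneInformation.KERNEL32(?), ref: 0041266E
APIs
• wsprintfA.USER32 ref: 0040327D
• CreateFileA.KERNEL32(?,40000000,00000000,?,00000004,00000080,00000000), ref: 004032A9
• GetTempFileNameA.KERNEL32(?,WIT,00000000,?), ref: 0040340F
• CompareStringA.KERNEL32(00000800,00000001,?,00000009,[rename],00000009), ref: 004034FF
• WriteFile.KERNEL32(000000FF,[rename],00000000), ref: 00403570
• DeleteFileA.KERNEL32(?), ref: 00403642
• MoveFileA.KERNEL32(?,?), ref: 0040365A
  • Part of subcall function 00409F75: FindFirstFileA.KERNELBASE(00403389,?,[rename]), ref: 00409F8B
APIs
• MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00402FF1
• lstrcpyA.KERNEL32(?,@echo off), ref: 00403110
• lstrcatA.KERNEL32(?,erase %s > nul), ref: 00403131
• lstrcatA.KERNEL32(?,copy %s %s > nul), ref: 0040313F
"""

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]        # "?" means the sandbox could not resolve the value
    ref: str                     # call-site address as printed in the report
    subcall_of: Optional[str]    # set for "Part of subcall function" lines


@dataclass(frozen=True)
class Finding:
    block: int
    rule: str
    ref: str                     # first call site that triggered the rule
    note: str


def split_args(s: str) -> List[str]:
    """Split on top-level commas only, so '00000005(A|B)' stays one argument."""
    out, cur, depth = [], [], 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur or out:
        out.append("".join(cur))
    return out


def parse_blocks(text: str) -> List[List[Call]]:
    """Each 'APIs' header opens a new function block; non-call lines are skipped."""
    blocks: List[List[Call]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append([])
            continue
        m = CALL_RE.match(line)
        if m is None:
            continue
        if not blocks:
            blocks.append([])
        blocks[-1].append(Call(m["api"], m["module"], tuple(split_args(m["args"] or "")),
                               m["ref"].upper(), m["sub"]))
    return blocks


TIME_APIS = {"GetLocalTime", "GetSystemTime", "GetSystemTimeAsFileTime", "GetTimeZoneInformation"}


def triage(blocks: List[List[Call]]) -> List[Finding]:
    """Apply simple rules per block; only the first trigger of each rule is kept."""
    findings: List[Finding] = []
    for i, calls in enumerate(blocks):
        hits = {}
        time_calls = [c for c in calls if c.api in TIME_APIS]
        if len(time_calls) >= 2:
            hits.setdefault("time_check", (time_calls[0].ref,
                            "queries local/system time and zone; the kind of chain flagged as a date check"))
        for c in calls:
            if c.api.startswith("MoveFileEx") and any("MOVEFILE_DELAY_UNTIL_REBOOT" in a for a in c.args):
                hits.setdefault("delay_until_reboot", (c.ref,
                                "file replacement deferred to next boot (PendingFileRenameOperations)"))
            if "[rename]" in c.args or "WININIT.INI" in c.args:
                hits.setdefault("wininit_rename", (c.ref,
                                "writes a WININIT.INI [rename] section (Win9x-era reboot-time replacement)"))
        strings = [a for c in calls for a in c.args]
        if "@echo off" in strings and any(s.startswith(("erase ", "copy ")) for s in strings):
            first = next(c for c in calls if "@echo off" in c.args)
            hits.setdefault("batch_builder", (first.ref, "assembles a batch script at run time"))
        findings.extend(Finding(i, rule, ref, note) for rule, (ref, note) in hits.items())
    return findings


if __name__ == "__main__":
    for f in triage(parse_blocks(SAMPLE)):
        print(f"block {f.block} {f.rule:<20} at {f.ref}: {f.note}")
```

The rules deliberately stay at the level of what the listing proves: a MOVEFILE_DELAY_UNTIL_REBOOT call is worth confirming on the analysis VM against HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, while a WININIT.INI [rename] section is only honoured by Windows 9x and is inert on the w10x64 analysis system, so the two findings carry different weight even though both describe reboot-time file replacement.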
    APIs
    • lstrcpyA.KERNEL32(?,0041FCAC,00421900,00000000,?,00000000,00000000,?,00000001), ref: 00407FD0
    • lstrcpyA.KERNEL32(?,0041FCAC,?,00000000,00000000,?,00000001), ref: 00407FD8
    • lstrcpyA.KERNEL32(00000000,0041C36C), ref: 0040801F
    • lstrcatA.KERNEL32(00000000,?), ref: 0040802C
    • lstrcatA.KERNEL32(00000000,0041C36C), ref: 00408045
    • lstrcpyA.KERNEL32(?,0041FCAC), ref: 00408049
    • lstrcatA.KERNEL32(?, -n ), ref: 00408051
    • lstrcpyA.KERNEL32(?,0041C36C), ref: 00408091
    • lstrcatA.KERNEL32(?,?), ref: 00408098
    • lstrcatA.KERNEL32(?,0041C36C), ref: 004080A3
    • lstrcatA.KERNEL32(?, -s ), ref: 004080BD
    • lstrcpyA.KERNEL32(?,0041C36C), ref: 004080F8
    • lstrcatA.KERNEL32(?,?), ref: 004080FF
    • lstrcatA.KERNEL32(?,0041C36C), ref: 0040810A
    • lstrcatA.KERNEL32(?, -q), ref: 00408119
    • wsprintfA.USER32 ref: 0040812E
    • lstrcatA.KERNEL32(?,?,?,?,00000000,00000000,?,00000001), ref: 0040813D
    • lstrcatA.KERNEL32(?, -f), ref: 00408152
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrcat$lstrcpy$wsprintf
    • String ID: -e %d$ -f$ -n $ -q$ -s
    • API String ID: 2753062002-2426971959
    • Opcode ID: 5bfe20412557d42e350a6b7864d457c47b2637326fd3934be503f01e81f8f5da
    • Instruction ID: 1aedd91953461f4cba4d9f6dc7a65412e1115a7544ba8634ac492cacda6bac6f
    • Opcode Fuzzy Hash: 5bfe20412557d42e350a6b7864d457c47b2637326fd3934be503f01e81f8f5da
    • Instruction Fuzzy Hash: 6E419E31548305BBD6216A22DE45F5B7BE8AF89729F01193FF084B01D2CBBDD984CA5E
    APIs
      • Part of subcall function 00409C36: lstrcpyA.KERNEL32(00421F28,SOFTWARE\Microsoft\Windows\CurrentVersion,000000FE,00405F10,00000001,000000FE,00423F60), ref: 00409C4B
    • lstrcpyA.KERNEL32(?,00000000,00000001,000000FE,00423F60), ref: 00405F1E
    • lstrcatA.KERNEL32(?,0041C030), ref: 00405F32
    • lstrcatA.KERNEL32(?,SharedDLLs), ref: 00405F41
    • lstrcpyA.KERNEL32(?,"HKEY_LOCAL_MACHINE\), ref: 00405F58
    • lstrcatA.KERNEL32(?,00000000), ref: 00405F67
    • lstrcatA.KERNEL32(?,", "), ref: 00405F75
    • lstrcatA.KERNEL32(?,SharedDLLs), ref: 00405F7F
    • lstrcatA.KERNEL32(?,0041C36C), ref: 00405F8D
    • RegCreateKeyA.ADVAPI32(80000002,?,00406481), ref: 00405FBE
    • RegQueryValueExA.ADVAPI32(?,`?B,00000000,?,?,00000014), ref: 00406010
    • wsprintfA.USER32 ref: 00406098
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 004060D0
    • RegCloseKey.ADVAPI32(00406481), ref: 00406130
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrcat$lstrcpy$Value$CloseCreateQuerywsprintf
    • String ID: ", "$"HKEY_LOCAL_MACHINE\$"HKEY_LOCAL_MACHINE\%s\SharedDlls", "%s"$RegKey$RegValue$SharedDLLs$`?B
    • API String ID: 3461839002-3473399151
    • Opcode ID: 1fbd774bd5e1217de4c2d27eac4c88e4e62b272fd0f1c9d966400106712eed05
    • Instruction ID: fc9fd793490d7f91e71e4a5fd5763f4eeb3049b1eb2ba3f54458350c3e419928
    • Opcode Fuzzy Hash: 1fbd774bd5e1217de4c2d27eac4c88e4e62b272fd0f1c9d966400106712eed05
    • Instruction Fuzzy Hash: 816160B1D4021DABCF21EFA4DC85AEE7BBCEB04354F10407BE206B2191D7785AA58F59
    APIs
    • DefWindowProcA.USER32(?,?,?,?), ref: 00402FA3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ProcWindow
    • String ID: PROGMAN
    • API String ID: 181713994-601570409
    • Opcode ID: 10afe001eece1365066ca928594b010f2fcf146de9c7bbd65c8b15eebc589151
    • Instruction ID: 73c1737ab2d9f1684abddaf6f3b651548ef76dd60f513ed573516bc2b84ca98d
    • Opcode Fuzzy Hash: 10afe001eece1365066ca928594b010f2fcf146de9c7bbd65c8b15eebc589151
    • Instruction Fuzzy Hash: 33716B7590021AEFDB11AF94DD49AFE7BB4FB08305F004132F910B62E1D3B98A55DB29
    APIs
      • Part of subcall function 00409C55: lstrcpyA.KERNEL32(00421EA8,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?,00408BEB), ref: 00409C6A
    • lstrcpyA.KERNEL32(?,00000000), ref: 00408BF3
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00408C0F
    • RegEnumKeyExA.ADVAPI32(?,?,?,0000012C,00000000,00000000,00000000,?), ref: 00408C4D
    • CompareStringA.KERNEL32(00000800,00000000,?,00000004,ST6UNST #,00000004), ref: 00408C7C
    • wsprintfA.USER32 ref: 00408CA1
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00408CC0
    • RegQueryValueExA.ADVAPI32(?,AppToUninstall,00000000,00000000,?,?), ref: 00408CED
    • CompareStringA.KERNEL32(00000800,00000001,00420B90,000000FF,?,000000FF), ref: 00408D0A
    • RegQueryValueExA.ADVAPI32(?,UninstallString,00000000,00000000,?,00000208), ref: 00408D3F
    • RegCloseKey.ADVAPI32(?), ref: 00408E00
    • RegCloseKey.ADVAPI32(?), ref: 00408D68
      • Part of subcall function 0040523A: wvsprintfA.USER32(?,004055A1,?), ref: 00405253
      • Part of subcall function 0040523A: MessageBoxA.USER32(?,?), ref: 00405283
      • Part of subcall function 0040523A: wsprintfA.USER32 ref: 0040534F
    • lstrcatA.KERNEL32(?, /q), ref: 00408D9D
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00408DD0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CloseCompareOpenQueryStringValuelstrcpywsprintf$CreateEnumMessageProcesslstrcatwvsprintf
    • String ID: /q$%s$%s\%s$AppToUninstall$ST6UNST #$UninstallString
    • API String ID: 3130530876-1650692994
    • Opcode ID: 422a9c69fcf2fb42001147f382720b843f01c92afaae9e47ec9d7c05307b64f7
    • Instruction ID: dc054c0fad876732a148b3fb5377b1e54fa9f77177681284121796dc4c09d63e
    • Opcode Fuzzy Hash: 422a9c69fcf2fb42001147f382720b843f01c92afaae9e47ec9d7c05307b64f7
    • Instruction Fuzzy Hash: 7F5169B1D41218BAEB209F90DC85EEFBB7CEB08344F10417AF614F1191DB785E948EA9
    APIs
    • CharNextA.USER32(0000002C,00000419,00000001,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B20
    • CharNextA.USER32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B38
    • CharNextA.USER32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B4D
    • lstrcpynA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000002,00000002,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B5D
    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,$(WINPATH)), ref: 00406B6F
    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,$(WINSYSPATH)), ref: 00406B82
    • lstrcpyA.KERNEL32(0000002C,C:\WINDOWS\SYSTEM32\,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B8E
    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,$(WINSYSPATHSYSFILE)), ref: 00406BA4
    • lstrcpyA.KERNEL32(0000002C,C:\WINDOWS\SYSTEM32\,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406BB0
    • lstrlenA.KERNEL32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406BCA
    • lstrlenA.KERNEL32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406BD4
    • lstrcatA.KERNEL32(0000002C,?,00000419,00000001,?,00000000,0000002C), ref: 00406BEA
    • lstrcpyA.KERNEL32(0000002C,?,00000419,00000001,?,00000000,0000002C), ref: 00406BF7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CharNextlstrcmpilstrcpy$lstrlen$lstrcatlstrcpyn
    • String ID: $(WINPATH)$$(WINSYSPATH)$$(WINSYSPATHSYSFILE)$C:\Users\user\AppData\Local\Temp\$C:\WINDOWS\$C:\WINDOWS\SYSTEM32\
    • API String ID: 2955438720-201308903
    • Opcode ID: e5eb93e4ef00ac5ae6dae3eebcb81d61fc3ec50bcee40927a357cebe9fb4dff3
    • Instruction ID: f1d43ede1cbf1bbc1d2f385f0dee27414bff5d3f74195a78f76fbe3e3b617084
    • Opcode Fuzzy Hash: e5eb93e4ef00ac5ae6dae3eebcb81d61fc3ec50bcee40927a357cebe9fb4dff3
    • Instruction Fuzzy Hash: FD31F1711093697FD3019F249C44FAB77B8AF86314F16803AF586E6291C7BCB912872E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ClassRegister
    • String ID: [AddItem($[ReplaceItem(
    • API String ID: 2764894006-262726208
    • Opcode ID: 9ce81d97fd8953883bf4bacbf06f236d76946cec51a2bfb0f12d7388c5c454d3
    • Instruction ID: 6a0519df77a6b106ae7830e38a187ec1ca92487a3b4440665099360da122bdc3
    • Opcode Fuzzy Hash: 9ce81d97fd8953883bf4bacbf06f236d76946cec51a2bfb0f12d7388c5c454d3
    • Instruction Fuzzy Hash: 5641D932845208FFDB156FA0EE0AAAD7F71EB05311F208176F905B11E1DBB64E60AB49
    APIs
    • wsprintfA.USER32 ref: 00406835
      • Part of subcall function 00405C7F: GetPrivateProfileStringA.KERNEL32(00420780,00420780,00000000,00420780,00000200,?), ref: 00405C99
    • lstrcpynA.KERNEL32(?,00000000,00000200), ref: 00406869
      • Part of subcall function 004067A9: CharNextA.USER32(00000000,?,00000000,00000000,0040687A,00000000,0000002C), ref: 004067DB
      • Part of subcall function 004067A9: CharNextA.USER32(00000000), ref: 004067EC
      • Part of subcall function 004067A9: CharNextA.USER32(00000000,?,00000000,00000000,0040687A,00000000,0000002C), ref: 00406801
      • Part of subcall function 00406AC3: CharNextA.USER32(00000000,?,00000000,0040688D,00000000), ref: 00406ADD
      • Part of subcall function 00406AC3: CharNextA.USER32(00000000), ref: 00406AF1
    • lstrcpyA.KERNEL32(00000211,00000000), ref: 00406899
      • Part of subcall function 004066F4: lstrlenA.KERNEL32(004068A5,00000211,00000001,004068A5,00000211), ref: 004066FB
      • Part of subcall function 004066F4: CharNextA.USER32(004068A5), ref: 00406717
      • Part of subcall function 004066F4: CharNextA.USER32(004068A5), ref: 0040671F
      • Part of subcall function 00406AFA: CharNextA.USER32(0000002C,00000419,00000001,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B20
      • Part of subcall function 00406AFA: CharNextA.USER32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B38
      • Part of subcall function 00406AFA: CharNextA.USER32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B4D
      • Part of subcall function 00406AFA: lstrcpynA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000002,00000002,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B5D
      • Part of subcall function 00406AFA: lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,$(WINPATH)), ref: 00406B6F
      • Part of subcall function 00406AFA: lstrcpyA.KERNEL32(0000002C,C:\WINDOWS\SYSTEM32\,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406B8E
      • Part of subcall function 00406AFA: lstrlenA.KERNEL32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406BCA
      • Part of subcall function 00406AFA: lstrlenA.KERNEL32(0000002C,?,00000000,0000002C,004068DC,00000419,?,?), ref: 00406BD4
      • Part of subcall function 00406AFA: lstrcatA.KERNEL32(0000002C,?,00000419,00000001,?,00000000,0000002C), ref: 00406BEA
      • Part of subcall function 00409F44: lstrlenA.KERNEL32(00000419,00000419,0000002C,00406C03,0000002C,?,00000000,0000002C), ref: 00409F4B
      • Part of subcall function 00409F44: CharPrevA.USER32(00000419,00000000,?,00000000,0000002C), ref: 00409F57
    • lstrcmpiA.KERNEL32(?,$(DLLSELFREGISTER)), ref: 00406916
    • lstrcmpiA.KERNEL32(?,$(EXESELFREGISTER)), ref: 00406928
    • lstrcmpiA.KERNEL32(?,$(TLBREGISTER)), ref: 0040693A
      • Part of subcall function 00406A16: CharNextA.USER32(00000001,00405CAB,00420780,0000003B,?,0040684F,004214F0,?,00000001), ref: 00406A27
    • lstrcpyA.KERNEL32(00000621,00000419), ref: 0040695C
    • lstrcatA.KERNEL32(00000621,?), ref: 00406966
    • lstrcpyA.KERNEL32(00000829,00000000), ref: 004069A8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Char$Next$lstrcmpilstrcpylstrlen$lstrcatlstrcpyn$PrevPrivateProfileStringwsprintf
    • String ID: $(DLLSELFREGISTER)$$(EXESELFREGISTER)$$(TLBREGISTER)$%s%s%s%s%s$%s%d$File$SETUP.LST
    • API String ID: 2633605288-2628777661
    • Opcode ID: 3e77879c9bb699ad95f5830666028f3bd43da712f2a070bca06a5a86ed7c530e
    • Instruction ID: 213fb6976922e3533d13960af108f474d1239f6a0138862d5029e5f1b2a8e219
    • Opcode Fuzzy Hash: 3e77879c9bb699ad95f5830666028f3bd43da712f2a070bca06a5a86ed7c530e
    • Instruction Fuzzy Hash: 41511472545204BEDB21AFA09C85EEF3BB8EF44310F15843FF506B61C1DB789A608B58
    APIs
      • Part of subcall function 00401665: lstrlenA.KERNEL32(?,?,?,?,?,004012BF,?,?), ref: 00401693
    • GetWindowLongA.USER32(00000000,000000FA), ref: 0040132A
    • GetModuleFileNameA.KERNEL32(00000000), ref: 00401333
      • Part of subcall function 00406A32: lstrlenA.KERNEL32(?,?,0040121F,00000000,0000005C), ref: 00406A38
      • Part of subcall function 00406A32: CharPrevA.USER32(?,00000000), ref: 00406A4E
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040136E
      • Part of subcall function 00401792: lstrcpyA.KERNEL32(?,?,76228A60), ref: 004017FC
      • Part of subcall function 00401792: lstrcatA.KERNEL32(?,00000000), ref: 0040180C
      • Part of subcall function 00401792: lstrlenA.KERNEL32(?), ref: 0040182B
      • Part of subcall function 00401792: OpenFile.KERNEL32(?,?,00004000), ref: 00401890
    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 004013CF
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 004013DD
    • GetWindowLongA.USER32(00000000,000000FA), ref: 004014B1
    • GetModuleFileNameA.KERNEL32(00000000), ref: 004014B4
    • lstrcatA.KERNEL32(00000000,00000000), ref: 004014E9
      • Part of subcall function 00401792: lstrcpyA.KERNEL32(?,00000000,76228A60), ref: 0040181E
    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 0040154A
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 00401558
    • lstrcatA.KERNEL32(?, : ), ref: 00401607
    • lstrcatA.KERNEL32(?,00000000), ref: 00401613
    • lstrlenA.KERNEL32(?), ref: 00401622
      • Part of subcall function 004016FB: lstrlenA.KERNEL32(?,76944C70,76228A60,76230E30), ref: 0040170B
      • Part of subcall function 004016FB: lstrcatA.KERNEL32(-00000001,00000000), ref: 0040177C
      • Part of subcall function 004016FB: lstrcatA.KERNEL32(-00000001,.cab), ref: 00401784
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Filelstrcat$lstrlen$lstrcpy$AttributesCharCopyLongModuleNamePrevWindow$Open
    • String ID: :
    • API String ID: 2061826523-3653984579
    • Opcode ID: 18494599c03aa8858e259ad1529bdda9c50e12cf1b871cb35d7fc0dbde73ff0c
    • Instruction ID: 3a04dad8129204171e8399e358486f7a1d7220976901d6248315f7965869ca38
    • Opcode Fuzzy Hash: 18494599c03aa8858e259ad1529bdda9c50e12cf1b871cb35d7fc0dbde73ff0c
    • Instruction Fuzzy Hash: CBB1A27280021EAEDF119FA0DC45FEA7BB9EB04314F1481B6F509B60E1DB799E948F58
    APIs
    • lstrlenA.KERNEL32(?,00000000,00000001,00000000), ref: 004095E6
    • lstrlenA.KERNEL32(?), ref: 004095F1
    • lstrcatA.KERNEL32(?,?), ref: 00409608
    • lstrcatA.KERNEL32(?,0041C030), ref: 00409616
      • Part of subcall function 004096F3: SHGetMalloc.SHELL32(00000001), ref: 004096FE
      • Part of subcall function 004096F3: SHGetSpecialFolderLocation.SHELL32(00000000,00000016,00000000,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 0040971A
      • Part of subcall function 004096F3: SHGetPathFromIDListA.SHELL32(00000000,00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 0040972B
      • Part of subcall function 004096F3: lstrlenA.KERNEL32(00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409748
      • Part of subcall function 004096F3: lstrlenA.KERNEL32(00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409752
    • lstrlenA.KERNEL32(00409CDB,00000000,00000001,00000000), ref: 0040961B
    • lstrlenA.KERNEL32(?), ref: 00409626
    • lstrcatA.KERNEL32(?,00409CDB), ref: 0040963D
    • lstrcatA.KERNEL32(?,.LNK), ref: 0040964B
    • DeleteFileA.KERNEL32(?), ref: 00409669
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrlen$lstrcat$DeleteFileFolderFromListLocationMallocPathSpecial
    • String ID: $(Programs)$$(Start Menu)$.LNK
    • API String ID: 1553056685-2433586774
    • Opcode ID: ed1551bd25b8ac51cb3669971abbdbc963f989e9ee7c65ff8475f02d5ce45e46
    • Instruction ID: 4862e938bb552e8c942de76809e16a068e12fe8b0e1c72c8b052697f6b6cdbc2
    • Opcode Fuzzy Hash: ed1551bd25b8ac51cb3669971abbdbc963f989e9ee7c65ff8475f02d5ce45e46
    • Instruction Fuzzy Hash: 1321A1B76442197ADF10ABA5DC84ECB77EC9F54310F104877F545E2182EEB8DEC48A58
    APIs
    • RegisterClassA.USER32(?), ref: 00402913
    • CreateWindowExA.USER32(00000000,VB.Mooo.Conv.Child,0041C078,00000000,00000001,00000001,00000001,00000001,00000000,00000000,0041C098,00000000), ref: 0040294B
    • UnregisterClassA.USER32(VB.Mooo.Conv.Child,0041C098), ref: 00402967
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Class$CreateRegisterUnregisterWindow
    • String ID: &$@$PROGMAN$VB.Mooo.Conv.Child
    • API String ID: 3545770435-2298789221
    • Opcode ID: 3ce353a5e7b12c3a7970e3eb98bd98def78dc810eb6fcee831fba39326473311
    • Instruction ID: b69d7069f3f9fdbd0f486e2d80fe3e8876a0a92af42937332ed42d16cfa56324
    • Opcode Fuzzy Hash: 3ce353a5e7b12c3a7970e3eb98bd98def78dc810eb6fcee831fba39326473311
    • Instruction Fuzzy Hash: 3A316C34780204FBEB208FA4ED49BED3FB0BB08755F604126F505B92E1D7B986959B1D
    APIs
    • lstrlenA.KERNEL32(?,0041319F,GVBSetupInit,00000000,00000208,?,?), ref: 00405396
    • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 0040539C
    • lstrcpyA.KERNEL32(00000000,?,?,?), ref: 004053B7
    • lstrlenA.KERNEL32(00000000), ref: 00405416
    • lstrlenA.KERNEL32(00000000), ref: 00405423
    • lstrcpyA.KERNEL32(00000000,00000000), ref: 00405440
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrlen$lstrcpy$AllocLocal
    • String ID: GVBSetupInit
    • API String ID: 4154295141-463902549
    • Opcode ID: b2b4c755fbc6c8ec1a4474553b2ddf4867f4a77cc84df907cdbf4af22d2906b6
    • Instruction ID: 85edec148160c69abdeff56e217400ecc6b1a27d33b4420e8e37861e5875b6a2
    • Opcode Fuzzy Hash: b2b4c755fbc6c8ec1a4474553b2ddf4867f4a77cc84df907cdbf4af22d2906b6
    • Instruction Fuzzy Hash: 10514A72905609BADF05DFA4EC41ADF3BA9EF14354F6044BBF808E6190D678DA409F58
    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,0041A814,00000001,00000000,00000000,00000001,?,?,?,00415F2E,00000000,00000100,?,00000100,?), ref: 00415955
    • LCMapStringA.KERNEL32(00000000,00000100,0041A810,00000001,00000000,00000000,?,00415F2E,00000000,00000100,?,00000100,?,00000100,000004E4,00000000), ref: 00415978
    • LCMapStringA.KERNEL32(?,?,00000100,00000000,._A,?,00000001,?,?,?,00415F2E,00000000,00000100,?,00000100,?), ref: 004159CA
    • MultiByteToWideChar.KERNEL32(?,?,00000100,00000000,00000000,00000000,00000001,?,?,?,00415F2E), ref: 00415A0A
    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00415A3D
    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00415A5B
    • LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00415A91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID: ._A
    • API String ID: 352835431-4050289253
    • Opcode ID: 94802f32459b7b9db9115118ce5105cf8807a38ae4d4f28054afb6f8116fef53
    • Instruction ID: 5412a8d2ae8207202d0943059d2c9bcaa3c5f1d5af246366acd71eb92f527299
    • Opcode Fuzzy Hash: 94802f32459b7b9db9115118ce5105cf8807a38ae4d4f28054afb6f8116fef53
    • Instruction Fuzzy Hash: 1551FBB1345300ABD2209B55DC85FEB77ACDFC8BA5F04452AF944E7280D679EC81C76A
    APIs
      • Part of subcall function 0040650E: wsprintfA.USER32 ref: 0040653E
    • OpenFile.KERNEL32(00424440,?,00000000), ref: 00405DA8
    • GlobalAlloc.KERNEL32(00000042,0000FC00), ref: 00405DE2
    • _lclose.KERNEL32(000000FF), ref: 00405E68
    • GlobalUnlock.KERNEL32(?), ref: 00405E77
    • GlobalFree.KERNEL32(?), ref: 00405E7E
      • Part of subcall function 00405CFE: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00424440,000000FE,762283C0,00405D94,00424440,SETUP.LST,00000000), ref: 00405D15
      • Part of subcall function 00405CFE: GetFileSize.KERNEL32(00000000,00000000), ref: 00405D24
      • Part of subcall function 00405CFE: CloseHandle.KERNEL32(00000000), ref: 00405D2D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: FileGlobal$AllocCloseCreateFreeHandleOpenSizeUnlock_lclosewsprintf
    • String ID: %s%s$@DB$SETUP.LST
    • API String ID: 1690450256-1722042029
    • Opcode ID: c97ac95f70c0ef62c8b55967683f4d707d0544c6eed101d049b09c50e261ad0a
    • Instruction ID: e4a045b08f763a31a63e0976c799dbcff2382827c36fe0b9062e7597dfa4d0cd
    • Opcode Fuzzy Hash: c97ac95f70c0ef62c8b55967683f4d707d0544c6eed101d049b09c50e261ad0a
    • Instruction Fuzzy Hash: E8312331608B116BD6316F10DC49BBB3A69DB41B61F20093BF995B12E0D37D8E518EEE
    APIs
      • Part of subcall function 004028D8: RegisterClassA.USER32(?), ref: 00402913
    • GlobalAddAtomA.KERNEL32(ProgMan), ref: 0040266D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: AtomClassGlobalRegister
    • String ID: ProgMan
    • API String ID: 1221286971-3949903119
    • Opcode ID: 9a52562c674a23fd0d22522067729c9070afd75482a91d9acfd1c3d1dc765670
    • Instruction ID: 374b5efd41c73d16e9855fd751648f3fc01ba902fc217c14b751bd4e3b3c2c37
    • Opcode Fuzzy Hash: 9a52562c674a23fd0d22522067729c9070afd75482a91d9acfd1c3d1dc765670
    • Instruction Fuzzy Hash: 29317E30944209EFEB109FA0EE8CBAD7BB5BB08315F608136F511B21E1C7B84695DB0E
    APIs
    • lstrcpyA.KERNEL32(Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,0041C058,0041319F,00000001,00000000), ref: 00403C3F
    • lstrlenA.KERNEL32(00405338,0041319F,00000001,00000000), ref: 00403C72
    • lstrcpynA.KERNEL32(?,Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,005B1929), ref: 00403C9C
    • lstrcmpiA.KERNEL32(?,8S@), ref: 00403CA9
    • CharNextA.USER32(Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...), ref: 00403CB4
    • lstrcpynA.KERNEL32(?,Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...), ref: 00403CDD
    • lstrcatA.KERNEL32(?,00000000), ref: 00403CED
    • lstrcatA.KERNEL32(?,005B1928), ref: 00403CFC
    • lstrcpyA.KERNEL32(Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,?), ref: 00403D06
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: lstrcatlstrcpylstrcpyn$CharNextlstrcmpilstrlen
    • String ID: 8S@$Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...
    • API String ID: 438197541-2299603723
    • Opcode ID: 8e55b24754865cb606c1f6f8529db8777839e7352134d3a0a424c9cdb2bed31b
    • Instruction ID: 7ca3f30f7066f0b0ed5f403c647db289a5a6a24e5543d8c62fae0cb9bcb65b84
    • Opcode Fuzzy Hash: 8e55b24754865cb606c1f6f8529db8777839e7352134d3a0a424c9cdb2bed31b
    • Instruction Fuzzy Hash: CA315272504218BBDB118F65DC48AEB7BBCAF45712F148572F805E3290D778CE51CBA5
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00403A05,000000FF,00000000,00000000,?,00423F60,76938400), ref: 0040840D
    • SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 00408424
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00403A05,000000FF,00000000,00000000), ref: 0040843E
    • VariantChangeTypeEx.OLEAUT32(00000008,00000008,00000409,00000000,00000007), ref: 00408450
    • VariantClear.OLEAUT32(00000008), ref: 0040845E
    • VariantTimeToDosDateTime.OLEAUT32(?,?,?,?), ref: 00408476
    • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00408486
    • LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00408494
    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?), ref: 004084A3
    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?), ref: 004084BB
    • SetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004084D5
    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004084DC
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Time$File$Variant$ByteCharDateMultiWide$AllocAttributesChangeClearCloseCreateHandleLocalStringType
    • String ID:
    • API String ID: 719669648-0
    • Opcode ID: 75b0e6b696ef755a0e0a4e4cdc57967ee31470630765e9bb5ebfbdbadcaffab2
    • Instruction ID: 497cc02f1d9f8c28b0d39548f1d4addd33d6946f0f1427c4774aba7848f7cc04
    • Opcode Fuzzy Hash: 75b0e6b696ef755a0e0a4e4cdc57967ee31470630765e9bb5ebfbdbadcaffab2
    • Instruction Fuzzy Hash: 8C314D7280202ABBCB119BA1DD48DEF7F7CEF09360F148126F511F2190EB749A558BA9
    APIs
      • Part of subcall function 0040680E: wsprintfA.USER32 ref: 00406835
      • Part of subcall function 0040680E: lstrcpynA.KERNEL32(?,00000000,00000200), ref: 00406869
      • Part of subcall function 0040680E: lstrcpyA.KERNEL32(00000211,00000000), ref: 00406899
      • Part of subcall function 0040680E: lstrcmpiA.KERNEL32(?,$(DLLSELFREGISTER)), ref: 00406916
      • Part of subcall function 0040680E: lstrcmpiA.KERNEL32(?,$(EXESELFREGISTER)), ref: 00406928
    • lstrcpyA.KERNEL32(00423F60,00000024), ref: 0040390E
    • lstrcatA.KERNEL32(00423F60,?), ref: 00403918
    • lstrcatA.KERNEL32(00423F60,00000000), ref: 00403921
    • wsprintfA.USER32 ref: 0040399A
    • wsprintfA.USER32 ref: 004039AC
    • InvalidateRect.USER32(00000000,00000000,00000001), ref: 004039C6
    Strings
    Similarity
    • API ID: wsprintf$lstrcatlstrcmpilstrcpy$InvalidateRectlstrcpyn
    • String ID: $$%s\%s$@$`?B
    • API String ID: 2057046132-369387566
    • Opcode ID: f3d8fa0bd03d415eb39c35b1e4569203d90960babc11da04cd40e52c803b368a
    • Instruction ID: 24a1e4a4836a000fc176fd766d311a7822a38136bed8ce40186c03ab5f4d8a33
    • Opcode Fuzzy Hash: f3d8fa0bd03d415eb39c35b1e4569203d90960babc11da04cd40e52c803b368a
    • Instruction Fuzzy Hash: CC419071901219BADF10AF61DC49BDE7BB8EF04305F1440BBF909A2181DB799B94CF99
    APIs
      • Part of subcall function 00408FE7: GetPrivateProfileStringA.KERNEL32(BootStrap Files,00000000,00000000,?,00000208,C:\Users\user\Desktop\setup.LST), ref: 004090BF
      • Part of subcall function 00408FE7: wsprintfA.USER32 ref: 00409124
    • _lclose.KERNEL32(00000000), ref: 00407C3C
    • lstrlenA.KERNEL32(004212E8,00000000,00000001,C:\WINDOWS\SYSTEM32\), ref: 00407C6C
    • lstrlenA.KERNEL32(00421900), ref: 00407CCB
    • lstrcatA.KERNEL32(?,0041C078), ref: 00407D34
    • lstrcatA.KERNEL32(?,?), ref: 00407D44
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00407D76
    • DestroyWindow.USER32 ref: 00407DC3
    Strings
    Similarity
    • API ID: lstrcatlstrlen$CreateDestroyPrivateProcessProfileStringWindow_lclosewsprintf
    • String ID: C:\WINDOWS\ST6UNST.000$C:\WINDOWS\SYSTEM32\
    • API String ID: 2137464261-3998864015
    • Opcode ID: 4f188f6ca7f5d679623b2714aed07e89021af0b9b3f94d84ec898c2e26f33c9a
    • Instruction ID: 11e11936f03a201451541bc0b881b6ed961145fde0170b62c9b91aef34aa650e
    • Opcode Fuzzy Hash: 4f188f6ca7f5d679623b2714aed07e89021af0b9b3f94d84ec898c2e26f33c9a
    • Instruction Fuzzy Hash: BF41F872F44354BADB20ABA1EC81EEB376CDB10714F50007BF604B21D2D678A9C58A6E
    APIs
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,004130EB), ref: 0041669D
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,004130EB), ref: 004166AC
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,004130EB), ref: 004166CF
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,004130EB), ref: 0041670A
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00416731
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00416747
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,004130EB), ref: 00416755
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,004130EB), ref: 0041676B
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004167A0
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004167C2
    Similarity
    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
    • String ID:
    • API String ID: 158306478-0
    • Opcode ID: 32f0a71997ed0d90976bf632f15878c150fc8d080aec18547fd885097de89592
    • Instruction ID: 54c9a421fc7e2e3d1af1e4c4fcd19fab0f99d5eb4dee957cdf6e540113ec3895
    • Opcode Fuzzy Hash: 32f0a71997ed0d90976bf632f15878c150fc8d080aec18547fd885097de89592
    • Instruction Fuzzy Hash: 584126327016152BE7312BA96C95BFB73D8CB51B6AF160077FA01C7380EA9ACC85429D
    APIs
    • lstrlenA.KERNEL32(00000000,76230460,00000001,00000000), ref: 004097E4
    • LocalAlloc.KERNEL32(00000040,00000000), ref: 004097EB
    • lstrlenA.KERNEL32(00000000), ref: 00409819
    • lstrcatA.KERNEL32(00000000,0041C05C), ref: 00409828
    • CreateFileA.KERNEL32(00420988,40000000,00000000,0000000C,00000004,00000080,00000000), ref: 0040984F
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00409863
    • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00409877
    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040987E
    • LocalFree.KERNEL32(00000000), ref: 00409885
    • CloseHandle.KERNEL32(00000000), ref: 00409891
    Similarity
    • API ID: Filelstrlen$Local$AllocCloseCreateFreeHandlePointerWritelstrcat
    • String ID:
    • API String ID: 4183482768-0
    • Opcode ID: 9eefa8e98dd7645919a81e437ce1adf80e524a5858b0c0c0213f349eb8bd830b
    • Instruction ID: 057347431cb6a4f94ccc2052d3f57e0e401130bd48eaf14aea29dcbba1df0b31
    • Opcode Fuzzy Hash: 9eefa8e98dd7645919a81e437ce1adf80e524a5858b0c0c0213f349eb8bd830b
    • Instruction Fuzzy Hash: DC212772A00344BFE7115F68CC88FBA3FA8AB47324F14C166F601A62E3C7B84C458729
    APIs
      • Part of subcall function 00407FB9: lstrcpyA.KERNEL32(?,0041FCAC,00421900,00000000,?,00000000,00000000,?,00000001), ref: 00407FD0
      • Part of subcall function 00407FB9: lstrcpyA.KERNEL32(?,0041FCAC,?,00000000,00000000,?,00000001), ref: 00407FD8
      • Part of subcall function 00407FB9: lstrcpyA.KERNEL32(00000000,0041C36C), ref: 0040801F
      • Part of subcall function 00407FB9: lstrcatA.KERNEL32(00000000,?), ref: 0040802C
      • Part of subcall function 00407FB9: lstrcatA.KERNEL32(00000000,0041C36C), ref: 00408045
      • Part of subcall function 00407FB9: lstrcpyA.KERNEL32(?,0041FCAC), ref: 00408049
      • Part of subcall function 00407FB9: lstrcatA.KERNEL32(?, -n ), ref: 00408051
      • Part of subcall function 00407FB9: lstrcpyA.KERNEL32(?,0041C36C), ref: 00408091
      • Part of subcall function 00407FB9: lstrcatA.KERNEL32(?,?), ref: 00408098
      • Part of subcall function 00407FB9: lstrcatA.KERNEL32(?,0041C36C), ref: 004080A3
      • Part of subcall function 00407FB9: lstrcatA.KERNEL32(?, -s ), ref: 004080BD
    • SHGetSpecialFolderLocation.SHELL32(00000018,004089CA,?,?,?,?,?,?,00000000,BootStrap Files), ref: 004081AD
    • SHGetPathFromIDListA.SHELL32(004089CA,?,?,?,?,?,?,?,00000000,BootStrap Files), ref: 004081C5
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
    • OleInitialize.OLE32(00000000), ref: 004081E5
    • OleUninitialize.OLE32(?,?,?,?,?,?,00000000,BootStrap Files), ref: 0040823F
    Strings
    Similarity
    • API ID: lstrcatlstrcpy$CharFolderFromInitializeListLocationPathPrevSpecialUninitializelstrlen
    • String ID: $(Programs)$BootStrap Files$C:\WINDOWS\ST6UNST.000$ST6UNST Uninstaller
    • API String ID: 770128423-786161295
    • Opcode ID: db8f5f1be52c8c69bbb2de5cf83acdc2a52ca4492213091d95fbe26b521211ff
    • Instruction ID: e00725e1274b88b0197aa7add525f24ef6050f87d389b767838f3cc20e117083
    • Opcode Fuzzy Hash: db8f5f1be52c8c69bbb2de5cf83acdc2a52ca4492213091d95fbe26b521211ff
    • Instruction Fuzzy Hash: 5E31B8B264020DAADB20DAA1CD85FEF736CAB04740F1041FBB605F10C1EEB9DA854A6D
    APIs
      • Part of subcall function 00412290: GetFileAttributesA.KERNEL32(00000000,004115BC,0041C030,00000000), ref: 00412295
      • Part of subcall function 00412290: GetLastError.KERNEL32 ref: 004122A0
    • wsprintfA.USER32 ref: 00403ADE
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00403AFC
    • LoadTypeLib.OLEAUT32(?,?), ref: 00403B0D
    • wsprintfA.USER32 ref: 00403B4F
    Strings
    • RegisterTypeLib of %s failed : %lx, xrefs: 00403B43
    • Cannot access file: %s in fRegisterTypeLib., xrefs: 00403AD8
    • LoadTypeLib of %s failed : %lx, xrefs: 00403B19
    Similarity
    • API ID: wsprintf$AttributesByteCharErrorFileLastLoadMultiTypeWide
    • String ID: Cannot access file: %s in fRegisterTypeLib.$LoadTypeLib of %s failed : %lx$RegisterTypeLib of %s failed : %lx
    • API String ID: 1185679037-1428097456
    • Opcode ID: 7a5d96bccb2fc8308a522b0f3f2fadd65ae68aa6f34d6c4ad11577d1603568ff
    • Instruction ID: 8b0ef477447aab4067cea3297e9ab1cb6607763bf0e94c1b255ab77d4fd82eea
    • Opcode Fuzzy Hash: 7a5d96bccb2fc8308a522b0f3f2fadd65ae68aa6f34d6c4ad11577d1603568ff
    • Instruction Fuzzy Hash: 32110471200208BBDB109B94DC89FEB3B7CAB04719F1041B6B615E60D1D6B8AAC58A2D
    APIs
    • CompareStringW.KERNEL32(00000000,00000000,0041A814,00000001,0041A814,00000001,?,?,00413AF7,021E0230,00414A1E,00413AF7,0041319F,GVBSetupInit,?,00000000), ref: 00417FF8
    • CompareStringA.KERNEL32(00000000,00000000,0041A810,00000001,0041A810,00000001,?,00000000,00412715,?,?,?,?,?,?,00000000), ref: 00418020
    • CompareStringA.KERNEL32(?,?,?,?,?,?,?,?,00413AF7,021E0230,00414A1E,00413AF7,0041319F,GVBSetupInit,?,00000000), ref: 0041808A
    Similarity
    • API ID: CompareString
    • String ID:
    • API String ID: 1825529933-0
    • Opcode ID: b05a94fe7877084b5dc06770a134a612a8767f27ea85fc1740e4d3c97e9a39e8
    • Instruction ID: 3b8dd9f15728dfd73acfea9472eb0597b49b5cf361503be790e1f98fcbf7b5c3
    • Opcode Fuzzy Hash: b05a94fe7877084b5dc06770a134a612a8767f27ea85fc1740e4d3c97e9a39e8
    • Instruction Fuzzy Hash: 6F813B377443042BD620AB189C81BEB77A4EBC5761F94046FFD4487341DA6FDC8983AA
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000000), ref: 00416A5B
    • GetStdHandle.KERNEL32(000000F4,?,00000000), ref: 00416B90
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000000), ref: 00416BB5
    Strings
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3784150691-4022980321
    • Opcode ID: 80ed33236b775245bf4d4b96b790d07c30dad9b871a96b6f5c93ca3b7288db1c
    • Instruction ID: adae7536b6319fc6d07fa0d39adc0080f357a26aa6e8efdcec2b53f7671b3dd0
    • Opcode Fuzzy Hash: 80ed33236b775245bf4d4b96b790d07c30dad9b871a96b6f5c93ca3b7288db1c
    • Instruction Fuzzy Hash: BA4117326006040BD728CA7499916BB3392EBC1370F55473EFA7B972D1DFB9AD49C249
    Strings
    Similarity
    • API ID: ClassDestroyUnregisterWindow
    • String ID: [DeleteItem(
    • API String ID: 3182838500-526750370
    • Opcode ID: f7ccc842d5ac8ae5aeaf91cee201a7fa709c565fdbb68928151ec0d4e2983c8b
    • Instruction ID: c2deed81ded0b3398222e55d4124ea572e2dd824c79250aaa4ee492a9f0d769c
    • Opcode Fuzzy Hash: f7ccc842d5ac8ae5aeaf91cee201a7fa709c565fdbb68928151ec0d4e2983c8b
    • Instruction Fuzzy Hash: 69310936804208FFDF156FA1DE09AAD7BB5AB04355F10C17AE812B11E0D7B94A95AF09
    Strings
    Similarity
    • API ID:
    • String ID: [CreateGroup(
    • API String ID: 0-930935552
    • Opcode ID: eb468b802d73b3b43fed6c41750e446213f7d335e1883e808efd9b4c472c61d3
    • Instruction ID: 009094dde0f68b5323f65f7fd79fcbe0f3565b94aaf7712e15126cabfcd37531
    • Opcode Fuzzy Hash: eb468b802d73b3b43fed6c41750e446213f7d335e1883e808efd9b4c472c61d3
    • Instruction Fuzzy Hash: 23113D31904108FFDF11EFA4EE09AAD7BB0EB04315F20C07AF905B51E1CBB94A51AB09
    APIs
    • SHGetMalloc.SHELL32(00000001), ref: 0040967F
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000017,00000000,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 0040969B
    • SHGetPathFromIDListA.SHELL32(00000000,00000001,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096AC
    • lstrlenA.KERNEL32(00000001,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096C9
    • lstrlenA.KERNEL32(00000001,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096D3
    • lstrcatA.KERNEL32(00000001,0041C030,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096E6
    Strings
    Similarity
    • API ID: lstrlen$FolderFromListLocationMallocPathSpeciallstrcat
    • String ID: $(Start Menu)
    • API String ID: 991518715-952028696
    • Opcode ID: 54cb7a61bb768a315a3e7e33fc49613b429eb4dadc703f8120153b7f1032bc1d
    • Instruction ID: 26c8f7b13c5911e212c39a30ab64abac5392eb3bf0bb03225a7a76623367ef72
    • Opcode Fuzzy Hash: 54cb7a61bb768a315a3e7e33fc49613b429eb4dadc703f8120153b7f1032bc1d
    • Instruction Fuzzy Hash: 6F018071601208BFDB008BA1DC09EEF3BBCEB45701F10487AB505E6292D779DD41DB69
    APIs
    • SHGetMalloc.SHELL32(00000001), ref: 004096FE
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000016,00000000,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 0040971A
    • SHGetPathFromIDListA.SHELL32(00000000,00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 0040972B
    • lstrlenA.KERNEL32(00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409748
    • lstrlenA.KERNEL32(00000001,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409752
    • lstrcatA.KERNEL32(00000001,0041C030,?,004095BC,?,00000001,00000000,00000001,00000000), ref: 00409765
    Strings
    Similarity
    • API ID: lstrlen$FolderFromListLocationMallocPathSpeciallstrcat
    • String ID: $(Start Menu)
    • API String ID: 991518715-952028696
    • Opcode ID: ab2d371ce97626fe36d06d0c4d5a98370f41f5a31a9668bf81ef45575bc94e03
    • Instruction ID: f2c503451b93cd6b570a4389704df2fcb49ae2bfd2099fc0f4cbf21563494b3f
    • Opcode Fuzzy Hash: ab2d371ce97626fe36d06d0c4d5a98370f41f5a31a9668bf81ef45575bc94e03
    • Instruction Fuzzy Hash: 15018076610204FBDB04AFA1DD49EAF3B7CAB85704F10407AF501E7292D7B8DE419B69
    APIs
    • lstrlenA.KERNEL32(?), ref: 00402A64
    • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00402A71
    • lstrcpyA.KERNEL32(00000000,?), ref: 00402A8F
    • PostMessageA.USER32(000003E8,00000000), ref: 00402AB8
    • GlobalFree.KERNEL32(00000000), ref: 00402AC4
    Similarity
    • API ID: Global$AllocFreeMessagePostlstrcpylstrlen
    • String ID:
    • API String ID: 2218441134-0
    • Opcode ID: 58ca1fd4d0990b463a81f1d238eb610153c41ded7e06d0b987fe0b5c27dafc9d
    • Instruction ID: f69d42870308f74386745bb277e767c7980da7abecc1845f1f6b66ecb54d7d47
    • Opcode Fuzzy Hash: 58ca1fd4d0990b463a81f1d238eb610153c41ded7e06d0b987fe0b5c27dafc9d
    • Instruction Fuzzy Hash: C6212C30A01208EFDB159FA0ED4CBAE7BB5FB09315F508176E411B22E1C7B85556DF0A
    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 00413445
    • GetFileType.KERNEL32(?), ref: 00413513
    • GetStdHandle.KERNEL32(-000000F6), ref: 0041357C
    • GetFileType.KERNEL32(00000000), ref: 00413586
    • SetHandleCount.KERNEL32(?), ref: 004135CA
    Strings
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID: $sB
    • API String ID: 1710529072-1556430247
    • Opcode ID: 3e04678e8334d2f6dfd188d89c5067f2aadc03e20146846157230b5dc01f1d5c
    • Instruction ID: 7050cd67e230ff243c80e9691af3492bfc496353ae711ae258c88b140bc138f6
    • Opcode Fuzzy Hash: 3e04678e8334d2f6dfd188d89c5067f2aadc03e20146846157230b5dc01f1d5c
    • Instruction Fuzzy Hash: 44515B306043418BC721CF28DC406E37BE2BB55715F44466EE9E68B3A1C738EA8ACB5D
    APIs
    • lstrcpyA.KERNEL32(?,?), ref: 004011CB
    • lstrcatA.KERNEL32(?,?), ref: 004011DD
      • Part of subcall function 004066B2: FindFirstFileA.KERNELBASE(?,?), ref: 004066C5
      • Part of subcall function 004066B2: FindClose.KERNEL32(00000000), ref: 004066DF
    • GetWindowLongA.USER32(00000000,000000FA), ref: 00401204
    • GetModuleFileNameA.KERNEL32(00000000), ref: 0040120B
      • Part of subcall function 00406A32: lstrlenA.KERNEL32(?,?,0040121F,00000000,0000005C), ref: 00406A38
      • Part of subcall function 00406A32: CharPrevA.USER32(?,00000000), ref: 00406A4E
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
    • lstrcatA.KERNEL32(00000000,00000000), ref: 00401244
      • Part of subcall function 00401792: lstrcpyA.KERNEL32(?,?,76228A60), ref: 004017FC
      • Part of subcall function 00401792: lstrcatA.KERNEL32(?,00000000), ref: 0040180C
      • Part of subcall function 00401792: lstrlenA.KERNEL32(?), ref: 0040182B
      • Part of subcall function 00401792: OpenFile.KERNEL32(?,?,00004000), ref: 00401890
    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00401282
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 00401290
    Similarity
    • API ID: File$lstrcatlstrcpylstrlen$CharFindPrev$AttributesCloseCopyFirstLongModuleNameOpenWindow
    • String ID:
    • API String ID: 2072892542-0
    • Opcode ID: fd588c25401f8305c693faf5525f57f5b5ad276010a6f9e39650292fddf1a8e2
    • Instruction ID: ac1bfc851ee477100e7b7b2585c4ac877d4554bf2d58d5d7a7533d1a3ff462ee
    • Opcode Fuzzy Hash: fd588c25401f8305c693faf5525f57f5b5ad276010a6f9e39650292fddf1a8e2
    • Instruction Fuzzy Hash: FB31C172500208AFDB219BA0DC09FDB77A9BF04314F1085BAF656E60A1DBB5AA948B04
    APIs
    • GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,00423F60,76938400,0040393E,?), ref: 00407AB3
    • LocalAlloc.KERNEL32(00000002,00000000,00000000,?,00000000,00423F60,76938400,0040393E,?), ref: 00407AC5
    • LocalLock.KERNEL32(00000000), ref: 00407AD2
    • GetFileVersionInfoA.VERSION(00000000,00000000,?,00000000), ref: 00407AE4
    • VerQueryValueA.VERSION(00000000,0041C030,?,?,00000000,00000000,?,00000000), ref: 00407AFB
    • LocalUnlock.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00407B1A
    • LocalFree.KERNEL32(00000000), ref: 00407B21
    Similarity
    • API ID: Local$FileInfoVersion$AllocFreeLockQuerySizeUnlockValue
    • String ID:
    • API String ID: 1790718254-0
    APIs
    • GetStringTypeW.KERNEL32(00000001,0041A814,00000001,?,00000001,?,?,?,?,00415EFC,00000001,?,00000100,?,000004E4,00000000), ref: 00417094
    • GetStringTypeA.KERNEL32(?,00000020,00000020,00000020,?,00000001,?,?,?,?,00415EFC,00000001,?,00000100,?,000004E4), ref: 004170D3
    • MultiByteToWideChar.KERNEL32(?,?,?,00000020,00000000,00000000,00000001,?,?,?,?,00415EFC,00000001,?,00000100,?), ref: 00417110
    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000020,00000000,00000000,00000001), ref: 00417138
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0041714E
    • GetStringTypeA.KERNEL32(00000000,00000001,0041A810,00000001,?,?,?,00415EFC,00000001,?,00000100,?,000004E4,00000000,00000000), ref: 0041718B
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    APIs
    Similarity
    • API ID: lstrcatlstrlen$lstrcmpilstrcpy
    • String ID:
    • API String ID: 2480230941-0
    APIs
    • lstrcpyA.KERNEL32(-0000003A,00000000), ref: 00401989
      • Part of subcall function 00401AEB: Sleep.KERNEL32(00000000,?,0041C04C,00000001), ref: 00401B04
    • lstrcpyA.KERNEL32(-0000003A,00000000), ref: 00401A34
    • lstrcatA.KERNEL32(-0000003A,0041C030), ref: 00401A44
    • lstrcatA.KERNEL32(-0000003A,sfXXXXXX), ref: 00401A54
    Strings
    Similarity
    • API ID: lstrcatlstrcpy$Sleep
    • String ID: sfXXXXXX
    • API String ID: 499210199-1021405322
    APIs
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
    • GetOpenFileNameA.COMDLG32(?,%s%s,00000132,0041C1CC), ref: 0040839D
    • lstrcpyA.KERNEL32(004065A6,?,?,%s%s,00000132,0041C1CC), ref: 004083E1
    Strings
    Similarity
    • API ID: lstrcpy$CharFileNameOpenPrevlstrlen
    • String ID: %s%s$Browse for $L
    • API String ID: 3931530447-2242553435
    APIs
    • OpenFile.KERNEL32(00423F60,?,00001000), ref: 00406752
    Strings
    Similarity
    • API ID: FileOpen
    • String ID: %s%s%s$C:\Users\user\Desktop\setup.LST$SETUP.LST$`?B
    • API String ID: 2669468079-2837409692
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000000,00000001,00000005,00000080,00000000), ref: 00410815
    • GetLastError.KERNEL32 ref: 00410822
    Similarity
    • API ID: CreateErrorFileLast
    • String ID:
    • API String ID: 1214770103-0
    APIs
    • WideCharToMultiByte.KERNEL32(00000000,00000220,?,?,?,?,00000000,?,00000000,00000001,00000000,?,00000000,00414B06,0041F0D0,004231D4), ref: 0041724E
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    APIs
      • Part of subcall function 00409FEA: lstrcpyA.KERNEL32(?,00000000,00000001,?,00000000,004017D9,00000000,?,76228A60), ref: 00409FF6
      • Part of subcall function 00409FEA: lstrlenA.KERNEL32(?), ref: 00409FFD
      • Part of subcall function 00409FEA: CharPrevA.USER32(?,-00000001), ref: 0040A01F
      • Part of subcall function 00409FEA: CharPrevA.USER32(?,-00000001), ref: 0040A02B
    • lstrcpyA.KERNEL32(?,?,76228A60), ref: 004017FC
    • lstrcatA.KERNEL32(?,00000000), ref: 0040180C
      • Part of subcall function 00401BA9: MessageBoxA.USER32(00000000,0000000A,00000000,?), ref: 00401C01
    • lstrcpyA.KERNEL32(?,00000000,76228A60), ref: 0040181E
    • lstrlenA.KERNEL32(?), ref: 0040182B
    • OpenFile.KERNEL32(?,?,00004000), ref: 00401890
    Similarity
    • API ID: lstrcpy$CharPrevlstrlen$FileMessageOpenlstrcat
    • String ID:
    • API String ID: 1570888098-0
    APIs
    Similarity
    • API ID: lstrlen$CharNextlstrcmpilstrcpyn
    • String ID:
    • API String ID: 3503197448-0
    APIs
      • Part of subcall function 00409674: SHGetMalloc.SHELL32(00000001), ref: 0040967F
      • Part of subcall function 00409674: SHGetSpecialFolderLocation.SHELL32(00000000,00000017,00000000,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 0040969B
      • Part of subcall function 00409674: SHGetPathFromIDListA.SHELL32(00000000,00000001,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096AC
      • Part of subcall function 00409674: lstrlenA.KERNEL32(00000001,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096C9
      • Part of subcall function 00409674: lstrlenA.KERNEL32(00000001,?,004095CE,?,00000001,00000000,00000001,00000000), ref: 004096D3
    • lstrlenA.KERNEL32(?,00000001,00000001), ref: 004091F5
    • lstrlenA.KERNEL32(00408206), ref: 004091FC
    • lstrcatA.KERNEL32(?,00408206), ref: 00409216
    • GetFileAttributesA.KERNEL32(?), ref: 00409223
    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00409240
    Similarity
    • API ID: lstrlen$AttributesCreateDirectoryFileFolderFromListLocationMallocPathSpeciallstrcat
    • String ID:
    • API String ID: 3125234182-0
    APIs
    • GetTimeZoneInformation.KERNEL32(004231D0,00000000,00412715,?,?,?,?,?,?,00000000), ref: 00414A70
    Strings
    Similarity
    • API ID: InformationTimeZone
    • String ID: :$:$GVBSetupInit
    • API String ID: 565725191-2180776209
    APIs
    Strings
    Similarity
    • API ID: Messagewsprintfwvsprintf
    • String ID: %s(%s)
    • API String ID: 4012126874-3803890449
    APIs
    • GetFullPathNameA.KERNEL32(?,?,?,?,?,00000104,?,?,00000000), ref: 00416D09
    • GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,?,00000000), ref: 00416D1B
    Strings
    Similarity
    • API ID: CurrentDirectoryFullNamePath
    • String ID: .$:
    • API String ID: 2420862269-4202072812
    APIs
    • lstrlenA.KERNEL32(?,76944C70,76228A60,76230E30), ref: 0040170B
    • lstrcatA.KERNEL32(-00000001,00000000), ref: 0040177C
    • lstrcatA.KERNEL32(-00000001,.cab), ref: 00401784
    Strings
    Similarity
    • API ID: lstrcat$lstrlen
    • String ID: .cab
    • API String ID: 751011610-4100073722
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000001,?), ref: 00403A77
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00403A92
    • RegCloseKey.ADVAPI32(?), ref: 00403AA7
    Strings
    • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00403A43
    Similarity
    • API ID: CloseInfoOpenQuery
    • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • API String ID: 2142960691-2256017818
    APIs
    • CreateDirectoryA.KERNEL32(000000FE,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,000000FE,00405C6F,C:\Users\user\AppData\Local\Temp\), ref: 00405BA3
    • GetLastError.KERNEL32 ref: 00405BAD
      • Part of subcall function 00403C25: lstrcpyA.KERNEL32(Setup cannot find 'C:\Users\user\Desktop\setup.LST'. Setup is aborting...,0041C058,0041319F,00000001,00000000), ref: 00403C3F
    Strings
    Similarity
    • API ID: CreateDirectoryErrorLastlstrcpy
    • String ID: C:\Users\user\AppData\Local\Temp\$CreateDir
    • API String ID: 4023647179-1098307174
    APIs
    • lstrlenA.KERNEL32(?,*** ,0041C078,dS@,00000000,00402245,?,00000003,0041319F,00000001,00000000), ref: 00401E77
    • lstrcatA.KERNEL32(00000000,?,*** ,0041C078,dS@,00000000,00402245,?,00000003,0041319F,00000001,00000000), ref: 00401EA1
    Strings
    Similarity
    • API ID: lstrcatlstrlen
    • String ID: *** $dS@
    • API String ID: 1475610065-2255215331
    APIs
    • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0041C1CC,76938400,0041C1CC,004061D1,00000000), ref: 00405C26
    • CharNextA.USER32(C:\Users\user\AppData\Local\Temp\), ref: 00405C4F
      • Part of subcall function 00405B96: CreateDirectoryA.KERNEL32(000000FE,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,000000FE,00405C6F,C:\Users\user\AppData\Local\Temp\), ref: 00405BA3
      • Part of subcall function 00405B96: GetLastError.KERNEL32 ref: 00405BAD
    • CharPrevA.USER32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00405C5E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Char$CreateDirectoryErrorLastNextPrevlstrcpy
    • String ID: C:\Users\user\AppData\Local\Temp\
    • API String ID: 2448762514-3936084776
    • Opcode ID: 9a5a47d07d4ec7b88b1ea5f1db5cabb156772bafcf8be5594bd1591b4446acd6
    • Instruction ID: 3119e9d690cdb4f724e86aec1ca5e2b7d6da1c5336f51eee50bdb130892eb793
    • Opcode Fuzzy Hash: 9a5a47d07d4ec7b88b1ea5f1db5cabb156772bafcf8be5594bd1591b4446acd6
    • Instruction Fuzzy Hash: 3AF0312140DA5479F7321A346C48B6B7FA4DB83331F25466FF091612D1D77D08814A5A
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00424440,000000FE,762283C0,00405D94,00424440,SETUP.LST,00000000), ref: 00405D15
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00405D24
    • CloseHandle.KERNEL32(00000000), ref: 00405D2D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: File$CloseCreateHandleSize
    • String ID: %s%s
    • API String ID: 1378416451-2598448556
    • Opcode ID: f7826e77e5cac2305db80c7a1e410264aa25472443469db311169a6b36cf4edc
    • Instruction ID: 035fdd116119776ed798427f41ec6fb3e12aa2d261362f08168381b80bfe96a2
    • Opcode Fuzzy Hash: f7826e77e5cac2305db80c7a1e410264aa25472443469db311169a6b36cf4edc
    • Instruction Fuzzy Hash: B8F0E9312412503BD32026666C4DF873E6DDFCA734F104739F674610E0C26504508569
    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,`?B,00000003,80000080,00000000), ref: 0040A06C
    • GetLastError.KERNEL32 ref: 0040A077
    • CloseHandle.KERNEL32(00000000), ref: 0040A088
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CloseCreateErrorFileHandleLast
    • String ID: `?B
    • API String ID: 2528220319-2006587570
    • Opcode ID: 55a8fc887e914258975d978fb953cb809a3e3581ec813afe90648c609ca0108f
    • Instruction ID: c3e36511d33a8960074c45ffcd4296127251746848a3d866e2cee612380d583b
    • Opcode Fuzzy Hash: 55a8fc887e914258975d978fb953cb809a3e3581ec813afe90648c609ca0108f
    • Instruction Fuzzy Hash: 23F06DB1910208BEEB115FB4ED0DBAE7BA8AB04218F108764F952E21C0EA7496148B5A
    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32,00412D3A), ref: 004153C5
    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004153D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsProcessorFeaturePresent$KERNEL32
    • API String ID: 1646373207-3105848591
    • Opcode ID: 6e676e9bb4f0d9bbf1c025685c7957601a1ccf485ee5b789069ef398f23a10a2
    • Instruction ID: 2eb4c78e18e5962a6eab56b4a85c421d94b2225c8cadb215e8ce3d950e040f4e
    • Opcode Fuzzy Hash: 6e676e9bb4f0d9bbf1c025685c7957601a1ccf485ee5b789069ef398f23a10a2
    • Instruction Fuzzy Hash: 5EC01230382606A7DA201BA00D89BD624AC8B88B83F1040236839E60C1DA9CC2E0952F
    APIs
    • wsprintfA.USER32 ref: 00408E97
    • wsprintfA.USER32 ref: 00408EA7
    • wsprintfA.USER32 ref: 00408EBB
    • wsprintfA.USER32 ref: 00408ECB
    • wsprintfA.USER32 ref: 00408EDF
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
      • Part of subcall function 00409FEA: lstrcpyA.KERNEL32(?,00000000,00000001,?,00000000,004017D9,00000000,?,76228A60), ref: 00409FF6
      • Part of subcall function 00409FEA: lstrlenA.KERNEL32(?), ref: 00409FFD
      • Part of subcall function 00409FEA: CharPrevA.USER32(?,-00000001), ref: 0040A01F
      • Part of subcall function 00409FEA: CharPrevA.USER32(?,-00000001), ref: 0040A02B
      • Part of subcall function 00408F7A: wsprintfA.USER32 ref: 00408FAE
      • Part of subcall function 00408F7A: GetPrivateProfileStringA.KERNEL32(BootStrap,Cabs,00000000,?,00000208,C:\Users\user\Desktop\setup.LST), ref: 00408FD0
      • Part of subcall function 00408E30: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00408E49
      • Part of subcall function 00408E30: TranslateMessage.USER32(?), ref: 00408E53
      • Part of subcall function 00408E30: DispatchMessageA.USER32(?), ref: 00408E5D
      • Part of subcall function 0040129D: GetWindowLongA.USER32(00000000,000000FA), ref: 0040132A
      • Part of subcall function 0040129D: GetModuleFileNameA.KERNEL32(00000000), ref: 00401333
      • Part of subcall function 0040129D: lstrcatA.KERNEL32(00000000,00000000), ref: 0040136E
      • Part of subcall function 0040129D: CopyFileA.KERNEL32(00000000,?,00000000), ref: 004013CF
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: wsprintf$CharMessagePrev$Filelstrcpylstrlen$CopyDispatchLongModuleNamePeekPrivateProfileStringTranslateWindowlstrcat
    • String ID:
    • API String ID: 3329070104-0
    • Opcode ID: 3ce9df98e67e81b07811d5bc0d937f7a8625674119b4cf73caa54bccdea89023
    • Instruction ID: aea374cb7dd5a4fdbf4f0bdcfb117f95e61124bb773b9c3d5d2c13951f4553af
    • Opcode Fuzzy Hash: 3ce9df98e67e81b07811d5bc0d937f7a8625674119b4cf73caa54bccdea89023
    • Instruction Fuzzy Hash: 8E2101B380012CAACB11EA95DC85EDB77BCAB48214F0405ABF649E3051EE75DBD48FE4
    APIs
      • Part of subcall function 00401C09: IsDBCSLeadByte.KERNEL32(00000000,76230440,762283C0,00000000,00401D3B,762283C0,762283C0,004053D2,?,?,?), ref: 00401C2D
      • Part of subcall function 00401C09: CharNextA.USER32(762283C0,?,?), ref: 00401C34
      • Part of subcall function 00401C09: lstrlenA.KERNEL32(762283C0,76230440,762283C0,00000000,00401D3B,762283C0,762283C0,004053D2,?,?,?), ref: 00401C43
      • Part of subcall function 00401C09: IsDBCSLeadByte.KERNEL32(00000000,?,?), ref: 00401C64
    • CharNextA.USER32(76230440,76230440,762283C0,?,00000001,004054DB,?,?,?,?), ref: 00401C9F
    • CharNextA.USER32(?,?,00000001,004054DB,?,?,?,?), ref: 00401CB7
    • CharNextA.USER32(76230440,76230440,762283C0,?,00000001,004054DB,?,?,?,?), ref: 00401CE0
    • CharNextA.USER32(76230440,76230440,762283C0,?,00000001,004054DB,?,?,?,?), ref: 00401CF1
    • lstrlenA.KERNEL32(00000000,?,00000001,004054DB,?,?,?,?), ref: 00401D09
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CharNext$ByteLeadlstrlen
    • String ID:
    • API String ID: 3619429372-0
    • Opcode ID: 6d42c8434c067eda9feee8a1e5e4847d8cf6dd16973e628bb0457c709993623e
    • Instruction ID: 054772a5d6899a08bb1daa733d0c0c1763b7ee27c0d2ed10cf2e85e1c712d49a
    • Opcode Fuzzy Hash: 6d42c8434c067eda9feee8a1e5e4847d8cf6dd16973e628bb0457c709993623e
    • Instruction Fuzzy Hash: 8821B071148242AEFB218F649880B66BBE5AF55359F24443FE4C4A33A2D739C8529719
    APIs
    • ReadFile.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000001), ref: 00411867
    • GetLastError.KERNEL32(?,?,?,?,?,00008302,00000180), ref: 00411871
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID:
    • API String ID: 1948546556-0
    • Opcode ID: 3fa495f73b9bd6bbb2556e8ad82534a77f918cd87edbe2f42721541bbb05de18
    • Instruction ID: 48de9a9ddda3bc477481ca1984d12121a06a00815255a4d2c9a18e81c93fb4ce
    • Opcode Fuzzy Hash: 3fa495f73b9bd6bbb2556e8ad82534a77f918cd87edbe2f42721541bbb05de18
    • Instruction Fuzzy Hash: 7D714D713183454BC720CF5CE880BF6BBE0EB86314F58466FDAD487361D769988AC76A
    APIs
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00411B2D
    • GetLastError.KERNEL32 ref: 00411BFF
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID:
    • API String ID: 442123175-0
    • Opcode ID: 6566b9097b4e57b892272f527f864b7db8ed8826db4c42374d2406f7df86346b
    • Instruction ID: 88f2665614eb1a25477471ef68026503b22a16f7e32085f51c1908e366ea1532
    • Opcode Fuzzy Hash: 6566b9097b4e57b892272f527f864b7db8ed8826db4c42374d2406f7df86346b
    • Instruction Fuzzy Hash: 1251FA717083054FC710CF28D8847ABBBE4EB85364F544A6EEA55C33A0E778E949C79A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID:
    • String ID: %ld$C:\WINDOWS\ST6UNST.000$N@
    • API String ID: 0-1244441256
    • Opcode ID: c5a0a0529dec7384a95dd183d6d8d64bcaa4110ae03ba51df142f822ab5c9a02
    • Instruction ID: 6344d510ff01acdf79b167e22cb582a397a43bf4dd2af629e7eba0dd2acc4b8c
    • Opcode Fuzzy Hash: c5a0a0529dec7384a95dd183d6d8d64bcaa4110ae03ba51df142f822ab5c9a02
    • Instruction Fuzzy Hash: 9A2126B03801056BEF24A6689C46ABB3208EB90314F20423BFB12F62D0E6BCDD85468D
    APIs
    • IsDBCSLeadByte.KERNEL32(00000000,76230440,762283C0,00000000,00401D3B,762283C0,762283C0,004053D2,?,?,?), ref: 00401C2D
    • CharNextA.USER32(762283C0,?,?), ref: 00401C34
    • lstrlenA.KERNEL32(762283C0,76230440,762283C0,00000000,00401D3B,762283C0,762283C0,004053D2,?,?,?), ref: 00401C43
    • IsDBCSLeadByte.KERNEL32(00000000,?,?), ref: 00401C64
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ByteLead$CharNextlstrlen
    • String ID:
    • API String ID: 2961243130-0
    • Opcode ID: e3d89bc9ddf3554797a8c404522c7d1cd1420cb5a2f28308a2a6a58acb73a4e7
    • Instruction ID: c118713138a03b68404242b51b7ccade8f6f951a2c7400600dfb66b15c90e00f
    • Opcode Fuzzy Hash: e3d89bc9ddf3554797a8c404522c7d1cd1420cb5a2f28308a2a6a58acb73a4e7
    • Instruction Fuzzy Hash: 3401A43964D3521AEB209FF52C545FBAB9C5E5535131804BBFDC0E32A2D63DC802472D
    APIs
    • lstrcpyA.KERNEL32(?,00000000,00000001,?,00000000,004017D9,00000000,?,76228A60), ref: 00409FF6
    • lstrlenA.KERNEL32(?), ref: 00409FFD
    • CharPrevA.USER32(?,-00000001), ref: 0040A01F
    • CharPrevA.USER32(?,-00000001), ref: 0040A02B
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CharPrev$lstrcpylstrlen
    • String ID:
    • API String ID: 1054898384-0
    • Opcode ID: b2a108d8418d7fd29716b703814ab039e09784b867222a7dd68c58d9f5e4b1ce
    • Instruction ID: 46a485e11fb4fff889dac3e16ca84caa5bbfd9c45ca876c9dd4944239bd84875
    • Opcode Fuzzy Hash: b2a108d8418d7fd29716b703814ab039e09784b867222a7dd68c58d9f5e4b1ce
    • Instruction Fuzzy Hash: FAF0F6324053981BC7300F295C88BD7BF9D9B8B350F48186AE0D463262C2780857876A
    APIs
    • GetCPInfo.KERNEL32(000004E4,?), ref: 00415E73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: ba5fbfa608368a193414d887c03bb2019d405f039f4e5c1f02861fe95c5e52b4
    • Instruction ID: 35522b52c90e9ba03c0050155e979816b4ff41538774387906cc2836f5507f3f
    • Opcode Fuzzy Hash: ba5fbfa608368a193414d887c03bb2019d405f039f4e5c1f02861fe95c5e52b4
    • Instruction Fuzzy Hash: 8C4148313083809FF316CB249855BF77BE5AB89704F9809DDE0C4CB293C6AD6686876D
    APIs
      • Part of subcall function 00409BB3: GetVersion.KERNEL32(?,?,00409BFF,00402FDC), ref: 00409BB9
    • GetVersionExA.KERNEL32(?), ref: 00408B16
      • Part of subcall function 00401C09: IsDBCSLeadByte.KERNEL32(00000000,76230440,762283C0,00000000,00401D3B,762283C0,762283C0,004053D2,?,?,?), ref: 00401C2D
      • Part of subcall function 00401C09: CharNextA.USER32(762283C0,?,?), ref: 00401C34
      • Part of subcall function 00401C09: lstrlenA.KERNEL32(762283C0,76230440,762283C0,00000000,00401D3B,762283C0,762283C0,004053D2,?,?,?), ref: 00401C43
      • Part of subcall function 00401C09: IsDBCSLeadByte.KERNEL32(00000000,?,?), ref: 00401C64
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ByteLeadVersion$CharNextlstrlen
    • String ID: SERVICE PACK 1$SERVICE PACK 2
    • API String ID: 184039440-2056519470
    • Opcode ID: 0b8ec942f8a625d199f351590d64249673453605d2b32d61f6ce253857de331c
    • Instruction ID: 481e19bd82951642eb06a2d57d3d4f926b4122b99240e08b90ac8a3441c24090
    • Opcode Fuzzy Hash: 0b8ec942f8a625d199f351590d64249673453605d2b32d61f6ce253857de331c
    • Instruction Fuzzy Hash: 1A115472A4031955DF259AA5DE86BDB37BC6B00718F10047FF245E61C1EFB8E584495C
    APIs
      • Part of subcall function 00409772: SHGetMalloc.SHELL32(?), ref: 0040977B
      • Part of subcall function 00409772: SHGetSpecialFolderLocation.SHELL32(00000000,00000007,00000001), ref: 00409793
      • Part of subcall function 00409772: SHGetPathFromIDListA.SHELL32(00000001,?), ref: 004097A3
    • OleUninitialize.OLE32(004212E8,76230440), ref: 00409CE8
      • Part of subcall function 00409FAE: lstrlenA.KERNEL32(?,?,00401234,?,00000000), ref: 00409FB4
      • Part of subcall function 00409FAE: CharPrevA.USER32(?,?), ref: 00409FD0
      • Part of subcall function 00409FAE: lstrcpyA.KERNEL32(?,?), ref: 00409FE2
    • OleInitialize.OLE32(00000000), ref: 00409CB6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: CharFolderFromInitializeListLocationMallocPathPrevSpecialUninitializelstrcpylstrlen
    • String ID: ST6UNST Uninstaller
    • API String ID: 1941444920-3037695860
    • Opcode ID: c29ee9aa26375d36f0f8f93c2a149312a3b5682b8d6d0e9a99a0f0cc9e3e7108
    • Instruction ID: 354fcd7d0b30b910875d6183df3842038ac71bbd491b9f981a484652dba5a68d
    • Opcode Fuzzy Hash: c29ee9aa26375d36f0f8f93c2a149312a3b5682b8d6d0e9a99a0f0cc9e3e7108
    • Instruction Fuzzy Hash: A7014573A4821A26EB20AA75AC45BFB339CAB40714F00407BF906F62C2EA7DCDC1465C
    APIs
    • GetModuleHandleA.KERNEL32(004085D1,00000208,?,C:\WINDOWS\SYSTEM32\,004085D1), ref: 00407E38
      • Part of subcall function 0040523A: wvsprintfA.USER32(?,004055A1,?), ref: 00405253
      • Part of subcall function 0040523A: MessageBoxA.USER32(?,?), ref: 00405283
      • Part of subcall function 0040523A: wsprintfA.USER32 ref: 0040534F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: HandleMessageModulewsprintfwvsprintf
    • String ID: C:\WINDOWS\SYSTEM32\$MSVBVM50.DLL
    • API String ID: 1341235186-489124690
    • Opcode ID: fa0b4b8775faee1ce7f5aae3086d78e3b76c84de8a24d5dbb5205fe98971f7f0
    • Instruction ID: dda54b17d16514ceefe161a1db7b8589c0856db214931ffcbe8693c463d0acbe
    • Opcode Fuzzy Hash: fa0b4b8775faee1ce7f5aae3086d78e3b76c84de8a24d5dbb5205fe98971f7f0
    • Instruction Fuzzy Hash: 8001DB71E01208AEDB049FA59C857DE77A4AB44704F5084BAE600BB2C1D3B96D818B95
    APIs
      • Part of subcall function 00406730: OpenFile.KERNEL32(00423F60,?,00001000), ref: 00406752
      • Part of subcall function 00405D5B: OpenFile.KERNEL32(00424440,?,00000000), ref: 00405DA8
      • Part of subcall function 00405D5B: _lclose.KERNEL32(000000FF), ref: 00405E68
      • Part of subcall function 00405D5B: GlobalUnlock.KERNEL32(?), ref: 00405E77
      • Part of subcall function 00405D5B: GlobalFree.KERNEL32(?), ref: 00405E7E
    • _lclose.KERNEL32(00000000), ref: 00405EE4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: FileGlobalOpen_lclose$FreeUnlock
    • String ID: C:\Users\user\Desktop\setup.LST$SETUP.LST
    • API String ID: 4204257395-453981240
    • Opcode ID: f8b3c6529afa74453ff2961f4bd0041bb278a27ea1fd5cd2ea11a0eee549dd22
    • Instruction ID: 6e0dc45c420d58afdd58cb56d61ae632774ffaa2bf77f64d866e87741585d11a
    • Opcode Fuzzy Hash: f8b3c6529afa74453ff2961f4bd0041bb278a27ea1fd5cd2ea11a0eee549dd22
    • Instruction Fuzzy Hash: 3ED0173210A83066D525322DBC489AF0244CB823B4B260337F8A6F62E0DA280D8359EE
    APIs
    • GetDriveTypeA.KERNEL32(00000000,00416CBA,?,00000000,?,00000000), ref: 00416DF8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: DriveType
    • String ID: :$\
    • API String ID: 338552980-1166558509
    • Opcode ID: 3487ce55882f0945caddb25541c0df55b98ab3165761245413782c32c3d8c203
    • Instruction ID: 770af8235960dc720605371c0257412d9a2c403e025222d8600fbda09fc812f6
    • Opcode Fuzzy Hash: 3487ce55882f0945caddb25541c0df55b98ab3165761245413782c32c3d8c203
    • Instruction Fuzzy Hash: F7E04F3430C3809AE7128A28C84478B7BC89B91B45F89C8AEF08CCA641D279C885D717
    APIs
    • DestroyWindow.USER32(?,004024BA,00000000), ref: 00402A33
    • UnregisterClassA.USER32(VB.Mooo.Conv.Child,004024BA), ref: 00402A41
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: ClassDestroyUnregisterWindow
    • String ID: VB.Mooo.Conv.Child
    • API String ID: 3182838500-2900688896
    • Opcode ID: 4cd19b205e172c649c30a07bb19f3cd5fee8623c98f76d74ebbe4cb6762fa579
    • Instruction ID: cc3715032b9c4302004171251cde76c783bfc8f321c92bf2d33b3223dc8aea3a
    • Opcode Fuzzy Hash: 4cd19b205e172c649c30a07bb19f3cd5fee8623c98f76d74ebbe4cb6762fa579
    • Instruction Fuzzy Hash: 07E0EC31610244DFE720AF54FC0CB593FE4F309396F804075E105512B2C77994568F1D
    APIs
    • LocalUnlock.KERNEL32(?,GVBSetupInit,0040491C,004055AB,?,?), ref: 00404D78
    • LocalFree.KERNEL32(?,?,?), ref: 00404D7F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.000000000041E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247820921.0000000000423000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247932975.0000000000428000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
    Similarity
    • API ID: Local$FreeUnlock
    • String ID: GVBSetupInit
    • API String ID: 2607536575-463902549
    • Opcode ID: 40c6d8c52b127bc1ef952b37c0f6ea1ea5f05c622cf4937b5a6bc2a03bba15bb
    • Instruction ID: 1cce1bae36e6741d4bc8e86db8c0242427385927fdc11971adc7d881660f362d
    • Opcode Fuzzy Hash: 40c6d8c52b127bc1ef952b37c0f6ea1ea5f05c622cf4937b5a6bc2a03bba15bb
    • Instruction Fuzzy Hash: D5C04C32517530A785135B14B8089DF7B589E896117068156FA0562118C729595196DA
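The per-function records above (APIs with call-site refs, Memory Dump Source, Similarity IDs) are what an analyst pivots on when comparing this sample with other reports. As an added example, not code from Joe Sandbox or from this report, the Python below parses those records from a text export into structured objects, strips the "Download File" link text glued onto dump names, and indexes records by API String ID. The sample input is constructed from the two records shown on this page; the section header names and field labels are taken from the report layout as it appears here, and the helper names are my own.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) from a text export of the report.
Added example; section names and field labels are assumed from the page layout."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# e.g. "• DestroyWindow.USER32(?,004024BA,00000000), ref: 00402A33"
API_RE = re.compile(
    r"^•?\s*(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
# e.g. "• API String ID: 3182838500-2900688896" (key is non-greedy: first colon)
KV_RE = re.compile(r"^•?\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
DOWNLOAD_RESIDUE = "Download File"  # link text appended to each Associated dump name


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int  # call-site address, parsed from the hex "ref:" value


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)
    associated: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the export into records; each record opens at an 'APIs' header."""
    records: List[FunctionRecord] = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:  # lines before the first record (e.g. a partial one)
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")]
                current.apis.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
            continue
        if section == "Strings":
            current.strings.append(line.lstrip("• ").strip())
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Associated":
            if val.endswith(DOWNLOAD_RESIDUE):
                val = val[: -len(DOWNLOAD_RESIDUE)].strip()
            current.associated.append(val)
        else:
            current.fields[key] = val
    return records


def api_sequence(record: FunctionRecord) -> List[str]:
    """API calls in call-site order, as 'Name.MODULE' strings."""
    return [f"{c.api}.{c.module}" for c in sorted(record.apis, key=lambda c: c.ref)]


def index_by(records: List[FunctionRecord], key: str = "API String ID") -> Dict[str, List[FunctionRecord]]:
    """Group records by a Similarity field so they can be matched across reports."""
    idx: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        idx.setdefault(r.fields.get(key, ""), []).append(r)
    return idx


# Constructed sample: the two records shown on this page, in export layout.
SAMPLE_REPORT = """
APIs
• DestroyWindow.USER32(?,004024BA,00000000), ref: 00402A33
• UnregisterClassA.USER32(VB.Mooo.Conv.Child,004024BA), ref: 00402A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_setup.jbxd
Similarity
• API ID: ClassDestroyUnregisterWindow
• String ID: VB.Mooo.Conv.Child
• API String ID: 3182838500-2900688896
APIs
• LocalUnlock.KERNEL32(?,GVBSetupInit,0040491C,004055AB,?,?), ref: 00404D78
• LocalFree.KERNEL32(?,?,?), ref: 00404D7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2247758367.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2247735853.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2247802007.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Local$FreeUnlock
• String ID: GVBSetupInit
• API String ID: 2607536575-463902549
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec.fields.get("API String ID"), api_sequence(rec), rec.associated)
```

The API String ID is the field worth keying on: two reports whose functions share it contain the same API/string combination, which is a cheap first filter before comparing fuzzy hashes.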