Edit tour

Windows Analysis Report
SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
Analysis ID:	1532473
MD5:	8c18150421977fe4528204b8095469d1
SHA1:	f69137f7558d0953879378b91b58914507df75a8
SHA256:	c45f5f52bbcfbb3540aab96ecf76b14df72f3c82f917cb368c23cbf0a92eaaca
Tags:	exe
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	32
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

EXE planting / hijacking vulnerabilities found

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe" MD5: 8C18150421977FE4528204B8095469D1)

setup.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 76954D7DBF005D6DB5E38D64F25A8C20)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Virustotal: Detection: 14%

Perma Link

Cryptography

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe, 00000000.00000000.1719627148.00000000013F4000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_18794f72-a

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

EXE: C:\Users\user\Desktop\setup.exe

Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

EXE: C:\Users\user\Desktop\setup.exe

Jump to behavior

Uses 32bit PE files

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:

Binary string: c:\nullsoft\nsis_winamp\Release\nsis_winamp.pdb source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr

Spreading

Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00406436 FindFirstFileW,FindClose,	1_2_00406436
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00406DFC DeleteFileW,CloseHandle,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00406DFC
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00402E18 FindFirstFileW,	1_2_00402E18

Networking

Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr

String found in binary or memory: ping -n 1 -w 400 www.yahoo.comonlineno connection equals www.yahoo.com (Yahoo)

Source: setup.exe.0.dr	String found in binary or memory: http://crl.aol.com/AOL/MasterCRL.crl0
Source: setup.exe.0.dr	String found in binary or memory: http://crl.aol.com/AOLMSPKI/aolCodeSign.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: setup.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: nsiB2D7.tmp.1.dr	String found in binary or memory: http://dev.winamp.com/wiki/Main_Page
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exed3dx9_31.dll
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://download.nullsoft.com/redist/dx/dxwebsetup.exed3dx9_42.dll
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://download.nullsoft.com/redist/wm/wmfdist95.exe3287http://download.nullsoft.com/redist/wm/wmfdi
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://forums.winamp.comURLUpdateInfo5.66
Source: nsiB2D7.tmp.1.dr	String found in binary or memory: http://lyricsplugin.com
Source: nsiB2D7.tmp.1.dr	String found in binary or memory: http://mp3licensing.com
Source: setup.exe, 00000001.00000000.1750300204.0000000000408000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmp, setup.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: http://ocsp.sectigo.com0M
Source: setup.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe.0.dr	String found in binary or memory: http://ocsp.web.aol.com:80/ocsp0
Source: setup.exe.0.dr	String found in binary or memory: http://pki-info.aol.com/AOLMSPKI/index.html0
Source: setup.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe.0.dr	String found in binary or memory: http://www.winamp.com
Source: setup.exe, 00000001.00000000.1750690873.0000000000678000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, setup.exe.0.dr, nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/
Source: nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/download
Source: nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/legal/cloud
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/legal/eula/pc0x3FF0x02
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/legal/eula/pcopen
Source: nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/legal/privacy
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.com/open
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	String found in binary or memory: http://www.winamp.comPublisherVersionMajorVersionMinorNoRepairNoModifyModifyPathInstallLocationDispl
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: setup.exe.0.dr	String found in binary or memory: https://pki-info.aol.com/AOL/index.html05
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_0040522D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_0040522D

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_00404605 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404605

System Summary

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_004039E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

1_2_004039E3

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Code function: 0_2_00DE1170	0_2_00DE1170
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_0040761C	1_2_0040761C
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00407033	1_2_00407033
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00404ADC	1_2_00404ADC

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\setup.exe

Code function: String function: 00406404 appears 57 times

Uses 32bit PE files

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus36.winEXE@3/7@0/0

Source: C:\Users\user\Desktop\setup.exe

1_2_00404605

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_004024FB CoCreateInstance,

1_2_004024FB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

File created: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

File created: C:\Users\user\AppData\Local\Temp\7zS4AA59CC2

Jump to behavior

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Virustotal: Detection: 14%

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\Setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msls31.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: certificate valid

PE file has a big code size

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static file information: File size 69456728 > 1048576

PE file has a big raw section

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x613000

PE file contains a mix of data directories often seen in goodware

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: c:\nullsoft\nsis_winamp\Release\nsis_winamp.pdb source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr

PE file contains a valid data directory to section mapping

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_0040645D GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_0040645D

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Code function: 0_2_0137A5E0 push ecx; ret

0_2_0137A5F3

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	File created: C:\Users\user\Desktop\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll	Jump to dropped file

Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00406436 FindFirstFileW,FindClose,	1_2_00406436
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00406DFC DeleteFileW,CloseHandle,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00406DFC
Source: C:\Users\user\Desktop\setup.exe	Code function: 1_2_00402E18 FindFirstFileW,	1_2_00402E18

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe, 00000000.00000002.1752589497.0000000003710000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe, 00000000.00000003.1751240027.0000000000C85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Cm

Source: C:\Users\user\Desktop\setup.exe

API call chain: ExitProcess graph end node

graph_1-5388

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Code function: 0_2_013D2EAC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_013D2EAC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_0040645D GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_0040645D

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Code function: 0_2_013D73A0 mov eax, dword ptr fs:[00000030h]

0_2_013D73A0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_6CEB188A CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,CreateWindowExW,SetPropW,SendMessageW,SendMessageW,SendMessageW,SetWindowLongW,GetProcessHeap,RtlFreeHeap,

1_2_6CEB188A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Code function: 0_2_013D2EAC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_013D2EAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	Code function: 0_2_0137A955 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0137A955

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\Setup.exe"

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Code function: 0_2_0137B767 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0137B767

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_00406966 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

1_2_00406966

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Search Order Hijacking	1 DLL Side-Loading	11 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	15%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll	0%	Virustotal	Browse
C:\Users\user\Desktop\setup.exe	3%	ReversingLabs
C:\Users\user\Desktop\setup.exe	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://download.nullsoft.com/redist/wm/wmfdist95.exe3287http://download.nullsoft.com/redist/wm/wmfdi	1%	Virustotal		Browse
http://download.nullsoft.com/redist/dx/dxwebsetup.exed3dx9_42.dll	1%	Virustotal		Browse
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	Virustotal		Browse
https://curl.se/docs/http-cookies.html	0%	Virustotal		Browse
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	Virustotal		Browse
http://crl.aol.com/AOLMSPKI/aolCodeSign.crl0	0%	Virustotal		Browse
https://pki-info.aol.com/AOL/index.html05	0%	Virustotal		Browse
http://www.winamp.com/legal/cloud	0%	Virustotal		Browse
http://ocsp.web.aol.com:80/ocsp0	0%	Virustotal		Browse
https://curl.se/docs/alt-svc.html	0%	Virustotal		Browse
http://pki-info.aol.com/AOLMSPKI/index.html0	0%	Virustotal		Browse
http://www.winamp.com/download	0%	Virustotal		Browse
http://mp3licensing.com	0%	Virustotal		Browse
http://www.winamp.com/open	0%	Virustotal		Browse
http://www.winamp.com/legal/eula/pc0x3FF0x02	0%	Virustotal		Browse
https://curl.se/docs/hsts.html	0%	Virustotal		Browse
http://dev.winamp.com/wiki/Main_Page	1%	Virustotal		Browse
http://www.winamp.com/	0%	Virustotal		Browse
http://www.winamp.com	0%	Virustotal		Browse
http://www.winamp.com/legal/eula/pcopen	0%	Virustotal		Browse
http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exed3dx9_31.dll	1%	Virustotal		Browse
http://crl.aol.com/AOL/MasterCRL.crl0	0%	Virustotal		Browse
http://lyricsplugin.com	0%	Virustotal		Browse
http://www.winamp.com/legal/privacy	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	0%, Virustotal, Browse	unknown
https://pki-info.aol.com/AOL/index.html05	setup.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://download.nullsoft.com/redist/wm/wmfdist95.exe3287http://download.nullsoft.com/redist/wm/wmfdi	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false	1%, Virustotal, Browse	unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	URL Reputation: safe	unknown
http://download.nullsoft.com/redist/dx/dxwebsetup.exed3dx9_42.dll	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false	1%, Virustotal, Browse	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	0%, Virustotal, Browse	unknown
http://mp3licensing.com	nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://ocsp.thawte.com0	setup.exe.0.dr	false	URL Reputation: safe	unknown
http://www.winamp.com/legal/cloud	nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	0%, Virustotal, Browse	unknown
http://www.winamp.comPublisherVersionMajorVersionMinorNoRepairNoModifyModifyPathInstallLocationDispl	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false		unknown
http://crl.aol.com/AOLMSPKI/aolCodeSign.crl0	setup.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	setup.exe, 00000001.00000000.1750300204.0000000000408000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmp, setup.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.web.aol.com:80/ocsp0	setup.exe.0.dr	false	0%, Virustotal, Browse	unknown
https://curl.se/docs/alt-svc.html	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	0%, Virustotal, Browse	unknown
http://www.winamp.com/download	nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://pki-info.aol.com/AOLMSPKI/index.html0	setup.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://www.winamp.com/open	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.winamp.com/	setup.exe, 00000001.00000000.1750690873.0000000000678000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, setup.exe.0.dr, nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://dev.winamp.com/wiki/Main_Page	nsiB2D7.tmp.1.dr	false	1%, Virustotal, Browse	unknown
https://curl.se/docs/hsts.html	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	0%, Virustotal, Browse	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	URL Reputation: safe	unknown
http://www.winamp.com/legal/eula/pc0x3FF0x02	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://forums.winamp.comURLUpdateInfo5.66	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false		unknown
http://ocsp.sectigo.com0M	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	setup.exe.0.dr	false	URL Reputation: safe	unknown
http://www.winamp.com	setup.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exed3dx9_31.dll	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false	1%, Virustotal, Browse	unknown
http://www.winamp.com/legal/eula/pcopen	setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe	false	URL Reputation: safe	unknown
http://crl.aol.com/AOL/MasterCRL.crl0	setup.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://lyricsplugin.com	nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.winamp.com/legal/privacy	nsiB2D7.tmp.1.dr	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532473
Start date and time:	2024-10-13 10:26:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
Detection:	SUS
Classification:	sus36.winEXE@3/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll	Setup_10024.exe	Get hash	malicious	Unknown	Browse
	http://cainiao-oss-sh-read.oss-cn-shanghai.aliyuncs.com/waybill-print/cainiao-x-print/prod/win/cainiao-x-print-win-86.exe	Get hash	malicious	Unknown	Browse
	Air.Live.Drive.v1.4.1.exe	Get hash	malicious	Supreme Botnet	Browse
	3DP_Chip_Lite_v2002.exe	Get hash	malicious	Unknown	Browse
	3DP_Chip_v1611.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll	file.exe	Get hash	malicious	Unknown	Browse
	Setup_10024.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Riskware.Application.5189.31489.exe	Get hash	malicious	Unknown	Browse
	LWZyUFvVh1.exe	Get hash	malicious	DCRat	Browse
	sVfXReO3QI.exe	Get hash	malicious	Unknown	Browse
	HolyTom980.exe	Get hash	malicious	Unknown	Browse
	https://xiuxiu.dl.meitu.com/pc_channel64/xiuxiu64_pc.exe	Get hash	malicious	Unknown	Browse
	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse
	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.W32.PossibleThreat.20191.6097.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsiB2D7.tmp

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2252864
Entropy (8bit):	1.7047412749682476
Encrypted:	false
SSDEEP:	6144:KzGXwO9nJuDv7MhZ/0qPuegGToy2U4YD86lx+WLP5qm/T:KiXwO9nJlxuegCoyHJnYWz53r
MD5:	14AEBB95BCE1952D28BA8C3EBF04FC6E
SHA1:	B0EA2C60EB27F11EEB67BBC58ACE7913EBDFAFE9
SHA-256:	6ADD93FC77E790D583378B34A0EDE261A4CAEA5D53BFEDBFB0310B62731DF086
SHA-512:	5CBFE670C55B5653FC1896B8D04A9093F05863F942BF33F96D185636B8E2A044B3FEB33D763BE8CC58228C693F64BF53AFC81134594DF63A0352D855F34427A3
Malicious:	false
Reputation:	low
Preview:	0.......,.......,...b...l........Z..........................................Q...........................n...............................\.......w...........................................................................................................................................G...J...............................+...............................................f.......,...0...7.......Y.......................[...............g.......9...=...F.......Y.......................................h.......H...L...[.......Y...............................................b.......................................................j.......=...@...F.......Y...............................................................................................................W.......=.......Y...................................................w...........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	4.173096436101749
Encrypted:	false
SSDEEP:	48:apTVWFeApYx2lxaKe3yfeEIWCGWNpBWLGGrx3pMt4z8mtJ7HofYZVSLa:RFG0xaKkyfjIWTW7BYrhSbmtJ7/V
MD5:	A1CD3F159EF78D9ACE162F067B544FD9
SHA1:	72671FDF4BFEEB99B392685BF01081B4A0B3AE66
SHA-256:	47B9E251C9C90F43E3524965AECC07BD53C8E09C5B9F9862B44C306667E2B0B6
SHA-512:	CCC70166C7D7746CD42CD0CEC322B2ADF4A478FF67C35D465F0F0F5B2B369C996A95557B678C09CB21B8311D8A91EED4196DDC218EA7D510F81464669B911362
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Setup_10024.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Air.Live.Drive.v1.4.1.exe, Detection: malicious, Browse Filename: 3DP_Chip_Lite_v2002.exe, Detection: malicious, Browse Filename: 3DP_Chip_v1611.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................M.....M.....M.....M.....Rich............................PE..L.....GO...........!........."......E........ ...............................p............@.........................."..I.... ..P....P..`....................`....................................................... ..\............................text...F........................... ..`.rdata....... ......................@..@.data...P....0......................@....rsrc...`....P......................@..@.reloc..^....`......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.729426875863261
Encrypted:	false
SSDEEP:	192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
MD5:	BF712F32249029466FA86756F5546950
SHA1:	75AC4DC4808AC148DDD78F6B89A51AFBD4091C2E
SHA-256:	7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
SHA-512:	13F69959B28416E0B8811C962A49309DCA3F048A165457051A28A3EB51377DCAF99A15E86D7EEE8F867A9E25ECF8C44DA370AC8F530EEAE7B5252EABA64B96F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: Setup_10024.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Riskware.Application.5189.31489.exe, Detection: malicious, Browse Filename: LWZyUFvVh1.exe, Detection: malicious, Browse Filename: sVfXReO3QI.exe, Detection: malicious, Browse Filename: HolyTom980.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ReimagePackage.exe, Detection: malicious, Browse Filename: ReimagePackage.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.PossibleThreat.20191.6097.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..............]..............XP......Xd......XU......XS.....Rich............PE..L.....GO...........!................('.......0...............................`............@..........................3.......1..P............................P.......................................................0..\............................text...1........................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..L....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\modern-header.bmp

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PC bitmap, Windows 3.x format, 150 x 57 x 24, image size 25766, resolution 2834 x 2834 px/m, cbSize 25820, bits offset 54
Category:	dropped
Size (bytes):	25820
Entropy (8bit):	6.2110665043409785
Encrypted:	false
SSDEEP:	192:eCaZM20xGzX29rAO0hCrM9G2QKf3FQ3i8Xo0q++ZsITZJGp:eY2eGYgYv2pf3FQb8+yTw
MD5:	827358320DD8861C44EAC1E220047C29
SHA1:	F31677B280A72C6B2EB87FA206F0586194F2029B
SHA-256:	88E8A05BE9CFB8DAEC31872C8322B7313B66CEAA45C361F8EFEDA53809F46910
SHA-512:	AC27F720A9BF69DDB5821730558AD1B838DCAD6CF9EAE9990A8051339321AE912E4DC7751238CE3CCD9A1F615AB60B622E3C3248FD808FEE63F39B7A38986FC7
Malicious:	false
Reputation:	low
Preview:	BM.d......6...(.......9............d....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154490, resolution 2834 x 2834 px/m, cbSize 154544, bits offset 54
Category:	dropped
Size (bytes):	154544
Entropy (8bit):	4.9456550766606
Encrypted:	false
SSDEEP:	1536:Q8PkKxrHvI+HzF+xBIrVWDWca1dE0/UTH7P2WmPW+:Q8lv8MADDJ+Wm
MD5:	2D63E33FA1CF672338A22C88FA45E6A0
SHA1:	86C510009D6C71D05EB2707FE6A10039DF525192
SHA-256:	7AE875CFCB6E3B1F4A06460FBDA99D8014DC4674EE256B0B79EC656777C7E292
SHA-512:	D42A7401C1D0D77D517D2F8086286BD6CF487CF5400CD8B8D720BCAF15149727751677F444FD9A8E340072DEABAD51347956894C1C034DD81DF793B3B8087252
Malicious:	false
Preview:	BM.[......6...(.......:...........z[....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.115973604853638
Encrypted:	false
SSDEEP:	192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
MD5:	4CCC4A742D4423F2F0ED744FD9C81F63
SHA1:	704F00A1ACC327FD879CF75FC90D0B8F927C36BC
SHA-256:	416133DD86C0DFF6B0FCAF1F46DFE97FDC85B37F90EFFB2D369164A8F7E13AE6
SHA-512:	790C5EB1F8B297E45054C855B66DFC18E9F3F1B1870559014DBEFA3B9D5B6D33A993A9E089202E70F51A55D859B74E8605C6F633386FD9189B6F78941BF1BFDB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q+.v.J.%.J.%.J.%.2.%.J.%.J.%"J.%..5%.J.%...%.J.%...%.J.%...%.J.%Rich.J.%........PE..L.....GO...........!.........................0...............................p............@......................... 7..k....2.......P.......................`.......................................................0...............................text............................... ..`.rdata.......0......................@..@.data...0....@......................@....rsrc........P....... ..............@..@.reloc..N....`......."..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\setup.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12886456
Entropy (8bit):	7.995227292198888
Encrypted:	true
SSDEEP:	196608:UNxQRuR6vMEQO4voQ0HrBGQIPvunb5VVAc6ysyl/8gl32tVT2rZ7MibIZDey1Iju:+QuRAJrlXbPVcysyl/8osIrZVil71
MD5:	76954D7DBF005D6DB5E38D64F25A8C20
SHA1:	054AD10803AA95F512A2C56293BE7D1A287696F7
SHA-256:	E9E2EB114941F9F9157B4FB139E5588665FB89B709DF82D4A8346AE66CCF03E1
SHA-512:	49E77880255470096830059BDA1BAF1D955F7F33659118995495AA6A6E090E32C798A8568504F213A90C4D3C3C81DB41C22C54359D0689ADB7B233C96C4FFF4A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................p.......B...9............@.................................K....@.................................d.........'.............P...h............................................................................................text....o.......p.................. ..`.rdata..........,...t..............@..@.data....~..........................@....ndata...P ..0...........................rsrc.........'.....................@..@.reloc........*.....................@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.672869770313839
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
File size:	69'456'728 bytes
MD5:	8c18150421977fe4528204b8095469d1
SHA1:	f69137f7558d0953879378b91b58914507df75a8
SHA256:	c45f5f52bbcfbb3540aab96ecf76b14df72f3c82f917cb368c23cbf0a92eaaca
SHA512:	bc958762323b135326d9a76627bd3db5fde898abc299a4ca42602e95999d5c59a3d71bb204cc9fd93513db0f0f102087d59f364705b41f7eef33ef3cd4a5b1af
SSDEEP:	786432:Mmrq6Y07kDDboJeEO+D9ouNRVMJ89h3ivhdS+9Ix5rUV5:MUNhYtIxG5
TLSH:	23E77A8BB211F977A3650CA0161873D046425635FB24D9B97FC277DDD62C08AAEB0B3B
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........Lz,W-..W-..W-......V-......_-..W-..T,...b..T-...b..V-...b..[-...b..S-..t}..T-..t}..V-..t}..V-..W-..V-..t}..V-..RichW-.........

File Icon


Icon Hash:	878fd7f3b9353593

Static PE Info

General

Entrypoint:	0x99b00c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66537734 [Sun May 26 17:53:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a2e9338565484e434757597c46f1629d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2023 20:00:00 17/08/2024 19:59:59
Subject Chain	CN=Cyber Holding Partners LLC, O=Cyber Holding Partners LLC, S=New Jersey, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=New Jersey, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0450768115
Version:	3
Thumbprint MD5:	9F6024222A122AF737C6E696FF357C9E
Thumbprint SHA-1:	F08E233859A8F79ADD05BA4A96FF5FFB1FD28057
Thumbprint SHA-256:	CFB460E5E314F4E6D78210E59B1A00C578395DDEB11CB7EBF5C9671C6C84A189
Serial:	00F14C5E6AB968284264F1B070B99D3C70

Entrypoint Preview

Instruction
call 00007F34CCC59288h
jmp 00007F34CCC5895Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
push ebx
xor edi, edi
mov eax, dword ptr [esp+14h]
or eax, eax
jnl 00007F34CCC58AF6h
inc edi
mov edx, dword ptr [esp+10h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+14h], eax
mov dword ptr [esp+10h], edx
mov eax, dword ptr [esp+1Ch]
or eax, eax
jnl 00007F34CCC58AF6h
inc edi
mov edx, dword ptr [esp+18h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+1Ch], eax
mov dword ptr [esp+18h], edx
or eax, eax
jne 00007F34CCC58AFAh
mov ecx, dword ptr [esp+18h]
mov eax, dword ptr [esp+14h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+10h]
div ecx
mov edx, ebx
jmp 00007F34CCC58B23h
mov ebx, eax
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
shr ebx, 1
rcr ecx, 1
shr edx, 1
rcr eax, 1
or ebx, ebx
jne 00007F34CCC58AD6h
div ecx
mov esi, eax
mul dword ptr [esp+1Ch]
mov ecx, eax
mov eax, dword ptr [esp+18h]
mul esi
add edx, ecx
jc 00007F34CCC58AF0h
cmp edx, dword ptr [esp+14h]
jnbe 00007F34CCC58AEAh
jc 00007F34CCC58AE9h
cmp eax, dword ptr [esp+10h]
jbe 00007F34CCC58AE3h
dec esi
xor edx, edx
mov eax, esi
dec edi
jne 00007F34CCC58AE9h
neg edx
neg eax
sbb edx, 00000000h
pop ebx
pop esi
pop edi
retn 0010h
int3
int3
int3
int3
int3
int3
push edi
push esi
push ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x64498c	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64b000	0xc38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1280140	0x2fbd218
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64c000	0x11f68	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63def0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x63de30	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x614000	0x434	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x612e69	0x613000	ff32538c62a6a6dd5a675a3963a8de4f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x614000	0x31efc	0x32000	410aa139e2be98d33fbe6ecb1e26f21b	False	0.4121337890625	data	5.73243670783337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x646000	0x4f48	0x1e00	a0a29a656e77184070b7114d316fe2f3	False	0.23268229166666668	data	4.250105816437091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64b000	0xc38	0xe00	5a1b41f0b6ee4aefd6b7abcf2f465bd8	False	0.3431919642857143	data	3.6894837610535043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64c000	0x11f68	0x12000	efb13c90c3bf8bde2cd69406d86b2ffb	False	0.6414388020833334	data	6.523286137568852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x64b500	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.37231182795698925
RT_ICON	0x64b7e8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_DIALOG	0x64b938	0x90	data	English	United States	0.6666666666666666
RT_STRING	0x64b9c8	0x60	data	English	United States	0.6979166666666666
RT_STRING	0x64ba28	0x54	data	English	United States	0.6904761904761905
RT_STRING	0x64ba80	0x34	data	English	United States	0.6538461538461539
RT_GROUP_ICON	0x64b910	0x22	data	English	United States	1.0
RT_VERSION	0x64b250	0x2ac	data	English	United States	0.4342105263157895
RT_MANIFEST	0x64bab8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
SHLWAPI.dll	PathFileExistsW
KERNEL32.dll	WaitForSingleObjectEx, FindFirstFileA, WriteConsoleW, AreFileApisANSI, IsProcessorFeaturePresent, InitializeCriticalSectionEx, FindFirstFileExA, SetFilePointer, SetEndOfFile, FindNextFileW, IsValidLocale, GetConsoleMode, CreateDirectoryA, GetUserDefaultLCID, FindClose, GetCurrentDirectoryA, GetProcessAffinityMask, VirtualFree, CreateSemaphoreA, TlsGetValue, lstrcatA, SetEnvironmentVariableA, GetFileAttributesW, GetCurrentProcess, ReleaseSRWLockExclusive, GetSystemTimeAsFileTime, CreateFileW, SetStdHandle, GetStartupInfoW, SetFileTime, LCMapStringEx, GetFullPathNameW, GetEnvironmentStringsW, GetCurrentThreadId, MultiByteToWideChar, VerifyVersionInfoW, FileTimeToSystemTime, GetEnvironmentVariableA, IsDebuggerPresent, GetDateFormatW, GetFinalPathNameByHandleW, FreeLibrary, WaitForSingleObject, RtlUnwind, EnumSystemLocalesW, GetLastError, LoadLibraryExW, GetTempPathW, CreateDirectoryW, SetLastError, QueryPerformanceFrequency, LoadLibraryW, GetModuleFileNameA, FreeLibraryAndExitThread, GetFileSize, LeaveCriticalSection, GetTempPathA, RaiseException, GetFileSizeEx, GetCommandLineA, HeapReAlloc, GetCurrentDirectoryW, GetFileAttributesExW, DeleteCriticalSection, RemoveDirectoryA, GetLocaleInfoW, GetTimeFormatW, GetModuleHandleExW, GetSystemDirectoryW, GetModuleHandleA, GetTimeZoneInformation, GetProcAddress, AcquireSRWLockExclusive, ReleaseSemaphore, GetCPInfo, GetDriveTypeW, FlushFileBuffers, SystemTimeToTzSpecificLocalTime, ResetEvent, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetCurrentProcessId, GetOEMCP, GetStdHandle, SleepEx, FindNextFileA, CreateFileA, GetTickCount64, HeapFree, CreateEventA, EncodePointer, LocalFree, IsValidCodePage, GetFileType, WaitForMultipleObjects, DecodePointer, GetStringTypeW, SetFilePointerEx, WriteFile, InitializeCriticalSection, lstrlenA, GetCommandLineW, HeapAlloc, ExitThread, GetConsoleCP, SetFileAttributesW, ExitProcess, VirtualAlloc, FormatMessageW, TryAcquireSRWLockExclusive, GlobalMemoryStatus, DeleteFileA, GetProcessHeap, FreeEnvironmentStringsW, GetACP, QueryPerformanceCounter, TlsSetValue, HeapSize, DeleteFileW, FindFirstFileW, GetFileInformationByHandle, GetModuleFileNameW, LoadLibraryA, SetCurrentDirectoryW, CreateThread, WideCharToMultiByte, PeekNamedPipe, GetVersionExA, SetEvent, CloseHandle, InitializeSListHead, GetLocaleInfoEx, VerSetConditionMask, ReadConsoleW, GetSystemInfo, GetVersion, TlsAlloc, TerminateProcess, ReadFile, TlsFree, LCMapStringW, EnterCriticalSection, SetCurrentDirectoryA, WakeAllConditionVariable, Sleep, GetTickCount, CompareStringW, UnhandledExceptionFilter, GetFileAttributesA, GetModuleHandleW, SetFileAttributesA, MoveFileExW, FormatMessageA, RemoveDirectoryW
USER32.dll	LoadIconA, SetWindowTextW, SetTimer, wsprintfA, CharUpperW, MessageBoxW, ShowWindow, GetWindowLongA, DialogBoxParamW, GetDlgItem, DestroyWindow, EndDialog, SendMessageA, DialogBoxParamA, PostMessageA, SetWindowTextA, LoadStringW, MessageBoxA, SetWindowLongA, LoadStringA, KillTimer, CharUpperA
SHELL32.dll	ShellExecuteExA
OLEAUT32.dll	VariantClear, SysAllocStringLen, SysStringLen
bcrypt.dll	BCryptGenRandom
ADVAPI32.dll	CryptEncrypt, CryptGetHashParam, CryptCreateHash, CryptDestroyKey, CryptAcquireContextW, CryptDestroyHash, CryptReleaseContext, CryptImportKey, CryptHashData
CRYPT32.dll	CertGetCertificateChain, CertGetNameStringW, CertCloseStore, CertAddCertificateContextToStore, CertFreeCertificateChainEngine, CertOpenStore, CertFreeCertificateChain, CertEnumCertificatesInStore, CertCreateCertificateChainEngine, CryptStringToBinaryW, CertFindCertificateInStore, CryptQueryObject, CryptDecodeObjectEx, CertFindExtension, PFXImportCertStore, CertFreeCertificateContext
WLDAP32.dll
WS2_32.dll	gethostname, htons, getsockopt, send, WSAWaitForMultipleEvents, getaddrinfo, WSAEventSelect, freeaddrinfo, WSACloseEvent, WSAIoctl, closesocket, WSAGetLastError, ntohs, WSASetLastError, WSAStartup, WSACleanup, ioctlsocket, setsockopt, WSAEnumNetworkEvents, __WSAFDIsSet, select, accept, bind, connect, getsockname, htonl, listen, recv, socket, WSAResetEvent, WSACreateEvent, recvfrom, sendto, getpeername

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 10:27:27.068234921 CEST	53	54108	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	04:27:06
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe"
Imagebase:	0xde0000
File size:	69'456'728 bytes
MD5 hash:	8C18150421977FE4528204B8095469D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:27:10
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	12'886'456 bytes
MD5 hash:	76954D7DBF005D6DB5E38D64F25A8C20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.6%
Total number of Nodes:	267
Total number of Limit Nodes:	8

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 013D73A0 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,013D7376,00000003,014243A0,0000000C,013D74CD,00000003,00000002,00000000,?,013D9195,00000003), ref: 013D73C1
TerminateProcess.KERNEL32(00000000,?,013D7376,00000003,014243A0,0000000C,013D74CD,00000003,00000002,00000000,?,013D9195,00000003), ref: 013D73C8
ExitProcess.KERNEL32 ref: 013D73DA

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7f71a15d3fac48cd22554ad63c0ff555192a5b870794d4248555c5e075048780
Instruction ID: f77e4bfbeb2cbcabe91373df7cb67802de6488d4dd87a3d23ee8cf5f195331c3
Opcode Fuzzy Hash: 7f71a15d3fac48cd22554ad63c0ff555192a5b870794d4248555c5e075048780
Instruction Fuzzy Hash: 46E0EC32140609AFCF226F68E909A997F7DEF44349F10542CFD099B125CB35DD92DB90

Function 013E3846 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,013D2B5C,01424340,00000010), ref: 013E384A
_free.LIBCMT ref: 013E387D
_free.LIBCMT ref: 013E38A5
SetLastError.KERNEL32(00000000), ref: 013E38B2
SetLastError.KERNEL32(00000000), ref: 013E38BE
_abort.LIBCMT ref: 013E38C4

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 28151840aa126d12b5dfc279bdf30392e76f559ea9d523b13f71c49ffc683f35
Instruction ID: 32ad6e7dac3695af2bc395e86026ba1d879f8fbe1ff412a0e0037acc5b6ea8aa
Opcode Fuzzy Hash: 28151840aa126d12b5dfc279bdf30392e76f559ea9d523b13f71c49ffc683f35
Instruction Fuzzy Hash: 5EF0813A24572276D622263D7C0CE6B2EE9BBE176AF250138F918932D4EE3584098611

Function 013D2BEB Relevance: 7.6, APIs: 5, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013E38CA: GetLastError.KERNEL32(?,?,?,013D996D,013E34C9,?,013E3874,00000001,00000364,?,013D2B5C,01424340,00000010), ref: 013E38CF
Part of subcall function 013E38CA: _free.LIBCMT ref: 013E3904
Part of subcall function 013E38CA: SetLastError.KERNEL32(00000000), ref: 013E3938

ExitThread.KERNEL32 ref: 013D2BFD
CloseHandle.KERNEL32(?,?,?,013D2D1D,?,?,013D2B94,00000000), ref: 013D2C25
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,013D2D1D,?,?,013D2B94,00000000), ref: 013D2C3B
_free.LIBCMT ref: 013D2C56
GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 013D2C74

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorExitHandleLastThread_free$CloseFreeLibraryModule
String ID:
API String ID: 333161861-0
Opcode ID: e342ba3cd7c424e35a1abc5bd5d81b5a46bd9ddd9f51ebe2cd3636f89786cff9
Instruction ID: 6299a0273aad209add9e0a1951d40f14cb8135bcadf47b1eb19873c5c4433ba6
Opcode Fuzzy Hash: e342ba3cd7c424e35a1abc5bd5d81b5a46bd9ddd9f51ebe2cd3636f89786cff9
Instruction Fuzzy Hash: 6411BF325003146BEB35ABA8E808B9B7FA8AF00728F044658FA55872D0DB71E9008790

Function 013E3B3D Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,013E3AE4,?,00000000,00000000,00000000,?,013E3E10,00000006,FlsSetValue), ref: 013E3B6F
GetLastError.KERNEL32(?,013E3AE4,?,00000000,00000000,00000000,?,013E3E10,00000006,FlsSetValue,01419D38,FlsSetValue,00000000,00000364,?,013E3918), ref: 013E3B7B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,013E3AE4,?,00000000,00000000,00000000,?,013E3E10,00000006,FlsSetValue,01419D38,FlsSetValue,00000000), ref: 013E3B89

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e269ce690b57f58eaabe53ba0b9cb5d71590d7847344cc8a0139ac2dfc678f9d
Instruction ID: 1cfd054fc65fab618ee8d233554bc6facc4d88fa7576968ddb2a75e8404c9e4e
Opcode Fuzzy Hash: e269ce690b57f58eaabe53ba0b9cb5d71590d7847344cc8a0139ac2dfc678f9d
Instruction Fuzzy Hash: FD017132615337ABDF324A69AC4DA577BDCBF45765B110624E917D7281DA20D5008BE0

Function 013D2B37 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(01424340,00000010), ref: 013D2B4A
ExitThread.KERNEL32 ref: 013D2B51

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 6773e35f678e9c97fab8f38e3197273b880f679f671bcaad3261c849a0877f2f
Instruction ID: ba6c64abe62a38eb9c56f16bd4a8901946f9f1c53a64ea5bbbc5e257e0780446
Opcode Fuzzy Hash: 6773e35f678e9c97fab8f38e3197273b880f679f671bcaad3261c849a0877f2f
Instruction Fuzzy Hash: 5FF0F671A00315AFDF01AFB8E849AAF3FB4FF18704F10014DE401AB291CB71A941DB60

Function 013E3AA1 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 013E3B01

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 63d94b948c71d65f5f661e2e245aae395ef4ed6c7c89f860cfa666aca82b8a78
Instruction ID: eed4cfb7c882e28c14427e01fa8a38ced2549204d8f27ec3b633222a93e57ae0
Opcode Fuzzy Hash: 63d94b948c71d65f5f661e2e245aae395ef4ed6c7c89f860cfa666aca82b8a78
Instruction Fuzzy Hash: 6F11E733A003769BEF35DD1CDC5496A77E9BF842287460220FD16AB2C8D631EC4187D1

Function 013E3477 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,013E3874,00000001,00000364,?,013D2B5C,01424340,00000010), ref: 013E34B8

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b3b8dcaca0254e4891dfc4f1887251419e2d7863692454f3f8d33e69aba0beb9
Instruction ID: 9b2ec66ac03b05433cc7831c521d740ab51929766c7f6927d00ea5189fd60729
Opcode Fuzzy Hash: b3b8dcaca0254e4891dfc4f1887251419e2d7863692454f3f8d33e69aba0beb9
Instruction Fuzzy Hash: FCF0543A60433A66FB236A2A9D0DB5B7BCCBF4167CB158125ED18B72D0DB70D4008AE0

Non-executed Functions

Function 013D2EAC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 013D2FA4
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 013D2FAE
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 013D2FBB

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c617b4781159c4831956d8b0ef3d5883e53f111fc986e80f5858f08f0dc2b157
Instruction ID: 87a01465d2ee777ba1d5c3f50694cb9eb8e4a040c5f77b0187d919c2558ff41b
Opcode Fuzzy Hash: c617b4781159c4831956d8b0ef3d5883e53f111fc986e80f5858f08f0dc2b157
Instruction Fuzzy Hash: 9B31C57590121DABCB61DF68D888B8DBBB8BF18714F5045EAE80CA7250E7349BC5CF44

Function 00DE1170 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021a92b14dfa77c8e179fb2b85306cb1d10b34f6f6001ecb8844a991a8867def
Instruction ID: 82cb46b0f71dde85b2a974cbb0c8b744347315c0d1c105cc3bc871c9406ce0a7
Opcode Fuzzy Hash: 021a92b14dfa77c8e179fb2b85306cb1d10b34f6f6001ecb8844a991a8867def
Instruction Fuzzy Hash: A121FD30A101665BC706DE1EC8C05BAB7A0FB49305F86826AEE41DB384C638FD25D7E0

Function 013E7EB5 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 013E7EF9

Part of subcall function 013E7170: _free.LIBCMT ref: 013E718D
Part of subcall function 013E7170: _free.LIBCMT ref: 013E719F
Part of subcall function 013E7170: _free.LIBCMT ref: 013E71B1
Part of subcall function 013E7170: _free.LIBCMT ref: 013E71C3
Part of subcall function 013E7170: _free.LIBCMT ref: 013E71D5
Part of subcall function 013E7170: _free.LIBCMT ref: 013E71E7
Part of subcall function 013E7170: _free.LIBCMT ref: 013E71F9
Part of subcall function 013E7170: _free.LIBCMT ref: 013E720B
Part of subcall function 013E7170: _free.LIBCMT ref: 013E721D
Part of subcall function 013E7170: _free.LIBCMT ref: 013E722F
Part of subcall function 013E7170: _free.LIBCMT ref: 013E7241
Part of subcall function 013E7170: _free.LIBCMT ref: 013E7253
Part of subcall function 013E7170: _free.LIBCMT ref: 013E7265

_free.LIBCMT ref: 013E7EEE

Part of subcall function 013E3386: RtlFreeHeap.NTDLL(00000000,00000000,?,013E78DD,?,00000000,?,00000000,?,013E7B81,?,00000007,?,?,013E804D,?), ref: 013E339C
Part of subcall function 013E3386: GetLastError.KERNEL32(?,?,013E78DD,?,00000000,?,00000000,?,013E7B81,?,00000007,?,?,013E804D,?,?), ref: 013E33AE

_free.LIBCMT ref: 013E7F10
_free.LIBCMT ref: 013E7F25
_free.LIBCMT ref: 013E7F30
_free.LIBCMT ref: 013E7F52
_free.LIBCMT ref: 013E7F65
_free.LIBCMT ref: 013E7F73
_free.LIBCMT ref: 013E7F7E
_free.LIBCMT ref: 013E7FB6
_free.LIBCMT ref: 013E7FBD
_free.LIBCMT ref: 013E7FDA
_free.LIBCMT ref: 013E7FF2

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d4995b04d72519c718bf5342e79fab25fdc663b936444dcfbfc45c92f77aa304
Instruction ID: 5341361e0b969f2876f048dbb72eade2c87bd64fe752754c318b1e81047135f4
Opcode Fuzzy Hash: d4995b04d72519c718bf5342e79fab25fdc663b936444dcfbfc45c92f77aa304
Instruction Fuzzy Hash: 18312C31A08721AFEB31AA3CE848F9A77E9FF00258F25451DE548D72D0DF31A89586A4

Function 013E7B68 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013E78AF: _free.LIBCMT ref: 013E78D8

_free.LIBCMT ref: 013E7BB6

Part of subcall function 013E3386: RtlFreeHeap.NTDLL(00000000,00000000,?,013E78DD,?,00000000,?,00000000,?,013E7B81,?,00000007,?,?,013E804D,?), ref: 013E339C
Part of subcall function 013E3386: GetLastError.KERNEL32(?,?,013E78DD,?,00000000,?,00000000,?,013E7B81,?,00000007,?,?,013E804D,?,?), ref: 013E33AE

_free.LIBCMT ref: 013E7BC1
_free.LIBCMT ref: 013E7BCC
_free.LIBCMT ref: 013E7C20
_free.LIBCMT ref: 013E7C2B
_free.LIBCMT ref: 013E7C36
_free.LIBCMT ref: 013E7C41

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 135fda3bc3557ad49c123b58d75b07371077b008e0b9b336b431d6201a92d847
Instruction ID: 7d98407e41b7adbe6da07bf101853126231cbd5326a721ab62d17ac01626da63
Opcode Fuzzy Hash: 135fda3bc3557ad49c123b58d75b07371077b008e0b9b336b431d6201a92d847
Instruction Fuzzy Hash: E6115171940B25AAE670BBB4CC4EFCB7BDCAF20744F404A19A299671D0EB65F9058690

Function 013D7425 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,013D73D6,00000003,?,013D7376,00000003,014243A0,0000000C,013D74CD,00000003,00000002), ref: 013D7445
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 013D7458
FreeLibrary.KERNEL32(00000000,?,?,?,013D73D6,00000003,?,013D7376,00000003,014243A0,0000000C,013D74CD,00000003,00000002,00000000), ref: 013D747B

Strings

mscoree.dll, xrefs: 013D743E
CorExitProcess, xrefs: 013D7450

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4b77e132fd01412afab84d158483e9c1dc8745ef725f8ec7b7c7e9a7d3e57328
Instruction ID: 6a5591b604c40319f79b3d9191fa253035a92ad402e478dc1a7506dedcd0321a
Opcode Fuzzy Hash: 4b77e132fd01412afab84d158483e9c1dc8745ef725f8ec7b7c7e9a7d3e57328
Instruction Fuzzy Hash: 4AF04F31A00218BBDB219FA5EC59BAEBFB8EF4471AF454069E905A2154DB349980DB90

Function 013E38CA Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,013D996D,013E34C9,?,013E3874,00000001,00000364,?,013D2B5C,01424340,00000010), ref: 013E38CF
_free.LIBCMT ref: 013E3904
_free.LIBCMT ref: 013E392B
SetLastError.KERNEL32(00000000), ref: 013E3938
SetLastError.KERNEL32(00000000), ref: 013E3941

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2135c844579595e3268202d69c08bb8cfbdf01a15c6c9103519d6a229f874a3b
Instruction ID: b3a6b396e1ea5f388f667910749628a20945d953922161f14aacb6a48163d0ec
Opcode Fuzzy Hash: 2135c844579595e3268202d69c08bb8cfbdf01a15c6c9103519d6a229f874a3b
Instruction Fuzzy Hash: 0101D17620572626C322262E6C8CF7B2ADDBBE067DB220128F905A32C5EF7588014621

Function 013E762A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 013E7642

Part of subcall function 013E3386: RtlFreeHeap.NTDLL(00000000,00000000,?,013E78DD,?,00000000,?,00000000,?,013E7B81,?,00000007,?,?,013E804D,?), ref: 013E339C
Part of subcall function 013E3386: GetLastError.KERNEL32(?,?,013E78DD,?,00000000,?,00000000,?,013E7B81,?,00000007,?,?,013E804D,?,?), ref: 013E33AE

_free.LIBCMT ref: 013E7654
_free.LIBCMT ref: 013E7666
_free.LIBCMT ref: 013E7678
_free.LIBCMT ref: 013E768A

Memory Dump Source

Source File: 00000000.00000002.1751818674.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.1751805850.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752184177.00000000013F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752214599.0000000001426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752229905.000000000142B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9e2e3aabf9318f3ab4b215858bea287409297e56d44eeaab325038116d398976
Instruction ID: 4d3098ca2c0121f4f9d424317441233f9fc71b61eeba2d08496a8ebe0880f1e8
Opcode Fuzzy Hash: 9e2e3aabf9318f3ab4b215858bea287409297e56d44eeaab325038116d398976
Instruction Fuzzy Hash: 11F0FF72509321A7DA30EE5CF489C5677D9FB107297A60909F609D77C0CB30F8C04B98

Analysis Process: setup.exePID: 7080, Parent PID: 6820COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12%
Total number of Nodes:	1243
Total number of Limit Nodes:	56

Executed Functions

Function 004039E3 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403A02
SetErrorMode.KERNEL32(00008001), ref: 00403A0D
OleInitialize.OLE32(00000000), ref: 00403A14

Part of subcall function 0040645D: GetModuleHandleA.KERNEL32(?,?,00000020,00403A26,00000008), ref: 0040646B
Part of subcall function 0040645D: LoadLibraryA.KERNEL32(?,?,?,00000020,00403A26,00000008), ref: 00406476
Part of subcall function 0040645D: GetProcAddress.KERNEL32(00000000), ref: 00406488

SHGetFileInfoW.SHELL32(0040931C,00000000,?,000002B4,00000000), ref: 00403A3C

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 00403A51
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403A64
CharNextW.USER32(00000000,004C30A0,00000020), ref: 00403A8B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403B60
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403B75
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403B81
DeleteFileW.KERNEL32(004D30C0), ref: 00403B98
OleUninitialize.OLE32(?), ref: 00403C31
ExitProcess.KERNEL32 ref: 00403C51
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403C5D
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403C69
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403C75
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403C7C
DeleteFileW.KERNEL32(004331F8,004331F8,?,00477008,004092BC,00473000,?), ref: 00403CCD
CopyFileW.KERNEL32(004DF0D8,004331F8,00000001), ref: 00403CE1
CloseHandle.KERNEL32(00000000,004331F8,004331F8,?,004331F8,00000000), ref: 00403D0E
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403D64
ExitWindowsEx.USER32(00000002,00000000), ref: 00403DA0

Strings

_?=, xrefs: 00403BC4
/D=, xrefs: 00403B06
NCRC, xrefs: 00403ADC
NSIS Error, xrefs: 00403A42
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004039F6
~nsu.tmp, xrefs: 00403C57
SeShutdownPrivilege, xrefs: 00403D76
\Temp, xrefs: 00403B7B
Error launching installer, xrefs: 00403BDD

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-730752810
Opcode ID: e95be0038be380c7e2517e2a2a9c89e6addf01deae001849d6bc04820bf084a3
Instruction ID: 4e18f5f1af3a7f331e2e544c63ade91685479340742a394c6c2d6f2448785750
Opcode Fuzzy Hash: e95be0038be380c7e2517e2a2a9c89e6addf01deae001849d6bc04820bf084a3
Instruction Fuzzy Hash: FEA1B571504301BBD6207F629D0AE1B7EACAF4075AF11483FF585B61D2DBBC8A448B6E

Function 6CEB188A Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 215
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 6CEB18A4
HeapAlloc.KERNEL32(00000000), ref: 6CEB18A7
GetProcessHeap.KERNEL32(00000000,00000000,error,?,00000000,?,?,?,?,00000000,00000000), ref: 6CEB18E9
RtlFreeHeap.NTDLL(00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 6CEB1B4E

Part of subcall function 6CEB1E83: GlobalAlloc.KERNEL32(00000040,?,?,6CEB1061,error,?,00000104,?,00000400), ref: 6CEB1E99
Part of subcall function 6CEB1E83: lstrcpynW.KERNEL32(00000004,00000104,?,6CEB1061,error,?,00000104,?,00000400), ref: 6CEB1EAF

Strings

RICHEDIT_CLASS, xrefs: 6CEB1A15
NSIS: nsControl pointer property, xrefs: 6CEB1AEA
EDIT, xrefs: 6CEB197C
BUTTON, xrefs: 6CEB1950, 6CEB1AA8, 6CEB1AD6
LINK, xrefs: 6CEB1A5D, 6CEB1A9C
LISTBOX, xrefs: 6CEB19CA
error, xrefs: 6CEB18C1, 6CEB18DC
STATIC, xrefs: 6CEB1A39
COMBOBOX, xrefs: 6CEB19A3
RichEdit, xrefs: 6CEB19F1

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Heap$AllocProcess$FreeGloballstrcpyn
String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error
API String ID: 1913068523-3375361224
Opcode ID: 2d3ee0755a4dd01b754fdb35576ebea4d81efbd8f60d6c597b47533cd0d585b1
Instruction ID: a6381e170e47fcd5257cd04ad9e4c6d86fa39e5830feadf96f4f2dda563d6043
Opcode Fuzzy Hash: 2d3ee0755a4dd01b754fdb35576ebea4d81efbd8f60d6c597b47533cd0d585b1
Instruction Fuzzy Hash: 008172B3A04208EBDB219B95CF45FBABBBCEF09314F114526F909B7640DB34E9058B95

Function 00406DFC Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406E19
lstrcatW.KERNEL32(0045C928,\*.*,0045C928,?,74DF2EE0,004D70C8,?,004C30A0), ref: 00406E6A
lstrcatW.KERNEL32(?,00408838,?,0045C928,?,74DF2EE0,004D70C8,?,004C30A0), ref: 00406E8A
lstrlenW.KERNEL32(?), ref: 00406E8D
FindFirstFileW.KERNEL32(0045C928,?), ref: 00406EA1
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406F83
FindClose.KERNEL32(?), ref: 00406F94

Strings

RMDir: RemoveDirectory failed("%s"), xrefs: 00407011
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406FB9
\*.*, xrefs: 00406E64
Delete: DeleteFile on Reboot("%s"), xrefs: 00406F41
Delete: DeleteFile failed("%s"), xrefs: 00406F5E
RMDir: RemoveDirectory("%s"), xrefs: 00406FD0
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406FF4
Delete: DeleteFile("%s"), xrefs: 00406F1D

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: e25bf17fa5cd8a8754a82c370ef333a2a3ae489cf446f822b8942f902ad3cb12
Instruction ID: 065701ca96279c828ad8c0a907823cf62f9bd73eb8e14a3183d43afd793dd255
Opcode Fuzzy Hash: e25bf17fa5cd8a8754a82c370ef333a2a3ae489cf446f822b8942f902ad3cb12
Instruction Fuzzy Hash: 8951F332404306AADB206B71DC45AAF37B8DF41724B21813FF902721C2DB7C5DA2DA6E

Function 00406966 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37
GetSystemDirectoryW.KERNEL32(Show,00002004), ref: 00406AB9

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

GetWindowsDirectoryW.KERNEL32(Show,00002004), ref: 00406ACC
lstrcatW.KERNEL32(Show,\Microsoft\Internet Explorer\Quick Launch), ref: 00406B46
lstrlenW.KERNEL32(Show,0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406BA8

Strings

Show, xrefs: 0040698D, 00406A79, 00406A7F, 00406AA3, 00406AB8, 00406ACB, 00406AE7, 00406B12, 00406B45, 00406B64, 00406B79, 00406B7A, 00406B88, 00406BA1, 00406BA7, 00406BB4, 00406BED
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406B40
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406A87

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: Show$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-2066119300
Opcode ID: 349b504904d19e27fd4f4c91fd092aa9198956906fd02c1d1d814161a489649c
Instruction ID: e48cded74d6947d59e8abd59105747811bc68a9d38b3ce97ffc5bdd505d2dbd5
Opcode Fuzzy Hash: 349b504904d19e27fd4f4c91fd092aa9198956906fd02c1d1d814161a489649c
Instruction Fuzzy Hash: 4171E5B1A00121ABDF20AF68CD44A7A33B5AF55314F12803BE947F62D0E77C99A1CB4D

Function 0040761C Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08b0311c7b190f70b7f6b66510179fe2aae7c875dcf9b09b9f207b7722ad9ec
Instruction ID: 6d9a96506c23ada9e0f5992c1433d3039d4b40deeb0cc045ecd6cd6b38dbc2b7
Opcode Fuzzy Hash: f08b0311c7b190f70b7f6b66510179fe2aae7c875dcf9b09b9f207b7722ad9ec
Instruction Fuzzy Hash: DCF15971908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D378E986CF86

Function 0040645D Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403A26,00000008), ref: 0040646B
LoadLibraryA.KERNEL32(?,?,?,00000020,00403A26,00000008), ref: 00406476
GetProcAddress.KERNEL32(00000000), ref: 00406488

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 834e98854e3cd4bdbc26171f75450eebe3d36459cd124193f5d9cd80cd5e6d51
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 97D012312001059BC6001B65AF08A5F776DEF95611707C03EF546F3131EB34D415A6AD

Function 00406436 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(004572D0,0045BED8,004572D0,0040692F,004572D0), ref: 00406441
FindClose.KERNEL32(00000000), ref: 0040644D

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cabe7cd0e8d0c42d8893e3e2e2c087770211128cd55027c92275192456ad2468
Instruction ID: 304157284c36da419ef03f6d9f2c23ccabbefed464cde17f37dc78c4e58848de
Opcode Fuzzy Hash: cabe7cd0e8d0c42d8893e3e2e2c087770211128cd55027c92275192456ad2468
Instruction Fuzzy Hash: 37D01271504120AFC34027786E0C89B7A599F16331725CA3AB5EAF21E1C7748C3287EC

Function 004055D9 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00405615
ShowWindow.USER32(?), ref: 00405632
DestroyWindow.USER32 ref: 00405646
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405662
GetDlgItem.USER32(?,?), ref: 00405683
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405697
IsWindowEnabled.USER32(00000000), ref: 0040569E
GetDlgItem.USER32(?,00000001), ref: 0040574D
GetDlgItem.USER32(?,00000002), ref: 00405757
SetClassLongW.USER32(?,000000F2,?), ref: 00405771
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004057C2
GetDlgItem.USER32(?,00000003), ref: 00405868
ShowWindow.USER32(00000000,?), ref: 0040588A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040589C
EnableWindow.USER32(?,?), ref: 004058B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004058CD
EnableMenuItem.USER32(00000000), ref: 004058D4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004058EC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004058FF
lstrlenW.KERNEL32(00447250,?,00447250,0046ADC0), ref: 00405928
SetWindowTextW.USER32(?,00447250), ref: 0040593C
ShowWindow.USER32(?,0000000A), ref: 00405A70

Strings

PrD, xrefs: 00405919

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: PrD
API String ID: 3282139019-4282739039
Opcode ID: a563f3c2c599501beef882c1b7706b334ab1ef7dde5fcc94fc7aa6df061418cd
Instruction ID: e32f65a829e85eadb9633a2d0af490baa2bc81b7fdf0bb2ead4b0685e6b50708
Opcode Fuzzy Hash: a563f3c2c599501beef882c1b7706b334ab1ef7dde5fcc94fc7aa6df061418cd
Instruction Fuzzy Hash: 87C1AF71500B04EBDB216F61EE89E2B3BA9FB45346F00053EF545B21F0DA799891AF1E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNEL32(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNEL32(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNEL32(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Jump: %d, xrefs: 00401602
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
SetFileAttributes: "%s":%08X, xrefs: 0040177B
BringToFront, xrefs: 004016BD
Aborting: "%s", xrefs: 0040161D
Sleep(%d), xrefs: 0040169D
SetFileAttributes failed., xrefs: 004017A1
detailprint: %s, xrefs: 00401679
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" created, xrefs: 00401849
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Rename: %s, xrefs: 004018F8
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename failed: %s, xrefs: 0040194B

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 611249c6fe28ac30e173d2c2d54e1f8656526d7f35572165d03d3fddfa6d8981
Instruction ID: 6970006c80b2daef1e7dd2d9cca72418e9fe59065d0b28f5efb0bef5c027f317
Opcode Fuzzy Hash: 611249c6fe28ac30e173d2c2d54e1f8656526d7f35572165d03d3fddfa6d8981
Instruction Fuzzy Hash: 67B10431A00214EBDB106F61DD459AE3BA9EF04314B25813FF546B61E2DA7D4E41CAAE

Function 6D101000 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 216
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 6D101089
SendDlgItemMessageW.USER32(?,000003EA,00000143,00000000,?), ref: 6D1010C7
SendDlgItemMessageW.USER32(?,000003EA,00000151,00000000,?), ref: 6D1010DB
lstrcmpW.KERNEL32(?,00000000,00000018), ref: 6D1010EE
SendDlgItemMessageW.USER32(?,000003EA,0000014E,00000000,00000000), ref: 6D101131
SetDlgItemTextW.USER32(?,000003EF,6D103020), ref: 6D10113E
SetWindowTextW.USER32(?,6D103820), ref: 6D10114A
GetModuleHandleW.KERNEL32(00000000,00000067,00000000), ref: 6D101156
LoadIconW.USER32(00000000), ref: 6D10115D
SendDlgItemMessageW.USER32(?,000003F0,00000170,00000000), ref: 6D10116F
lstrcmpW.KERNEL32(6D104040,MS Shell Dlg), ref: 6D1011C2
GetDC.USER32(?), ref: 6D1011D5
GetDeviceCaps.GDI32(00000000), ref: 6D1011DC
DeleteObject.GDI32(?), ref: 6D10126D

Strings

MS Shell Dlg, xrefs: 6D1011BC
cancel, xrefs: 6D101038, 6D10107C

Memory Dump Source

Source File: 00000001.00000002.2963717010.000000006D101000.00000020.00000001.01000000.00000008.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000001.00000002.2963700646.000000006D100000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2963733206.000000006D102000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2963749509.000000006D105000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d100000_setup.jbxd

Similarity

API ID: Item$MessageSend$Textlstrcmp$CallbackCapsDeleteDeviceDispatcherHandleIconLoadModuleObjectUserWindow
String ID: MS Shell Dlg$cancel
API String ID: 234226461-2163976771
Opcode ID: cad4a9f598bc03d360a271224d71d9c6cc4eb8fc8d551ff3c68f0f1ec337eaa4
Instruction ID: 01142b60a618b1d2335e4e3547068d2b12bc9690b2c27c592e47838b6929490d
Opcode Fuzzy Hash: cad4a9f598bc03d360a271224d71d9c6cc4eb8fc8d551ff3c68f0f1ec337eaa4
Instruction Fuzzy Hash: 20617C70544309BBEB217BA1DC89F3B7ABCEB46749F008419F705E5098DFE89481CA21

Function 00405A8C Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040645D: GetModuleHandleA.KERNEL32(?,?,00000020,00403A26,00000008), ref: 0040646B
Part of subcall function 0040645D: LoadLibraryA.KERNEL32(?,?,?,00000020,00403A26,00000008), ref: 00406476
Part of subcall function 0040645D: GetProcAddress.KERNEL32(00000000), ref: 00406488

lstrcatW.KERNEL32(004D30C0,00447250,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447250,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403C21,?), ref: 00405B0E
lstrlenW.KERNEL32(Show,?,?,?,Show,00000000,004C70A8,004D30C0,00447250,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447250,00000000,00000006,004C30A0), ref: 00405B90
lstrcmpiW.KERNEL32(?,.exe,Show,?,?,?,Show,00000000,004C70A8,004D30C0,00447250,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447250,00000000), ref: 00405BA3
GetFileAttributesW.KERNEL32(Show), ref: 00405BAE

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405C17
RegisterClassW.USER32(0046AD60), ref: 00405C6A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C82
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405CBB

Part of subcall function 00403FF5: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00404090

ShowWindow.USER32(00000005,00000000), ref: 00405CF1
LoadLibraryW.KERNEL32(RichEd20), ref: 00405D02
LoadLibraryW.KERNEL32(RichEd32), ref: 00405D0D
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405D1D
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405D2A
RegisterClassW.USER32(0046AD60), ref: 00405D33
DialogBoxParamW.USER32(?,00000000,004055D9,00000000), ref: 00405D52

Strings

RichEd32, xrefs: 00405D08
.exe, xrefs: 00405B9D
Show, xrefs: 00405B56, 00405B5B, 00405B6C, 00405BBD, 00405BC3
PrD, xrefs: 00405AC5
Control Panel\Desktop\ResourceLocale, xrefs: 00405AD2
RichEd20, xrefs: 00405CFD
RichEdit20A, xrefs: 00405D16, 00405D1B
.DEFAULT\Control Panel\International, xrefs: 00405AF9
_Nb, xrefs: 00405C31
RichEdit, xrefs: 00405D24

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$PrD$RichEd20$RichEd32$RichEdit$RichEdit20A$Show$_Nb
API String ID: 608394941-3818575660
Opcode ID: 80ca71923c634680d402ef98f9edd294887f2eac5f8585db4802c5967787b579
Instruction ID: 3a6a227fec416dc0362735230570460a00d436347f4cd54f675a02b01ae67812
Opcode Fuzzy Hash: 80ca71923c634680d402ef98f9edd294887f2eac5f8585db4802c5967787b579
Instruction Fuzzy Hash: 1271A071104B00AED720AB65AE45E2737ACEB44745F40443FF945B62E2EBB8AC518F2E

Function 6F951C1B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 559stringmemorylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F951581: GlobalAlloc.KERNEL32(00000040,?,6F9515BA,?,?,6F95185F,?,6F951017), ref: 6F95158B

Part of subcall function 6F9515A3: lstrcpyW.KERNEL32(00000000,?,?,?,6F95185F,?,6F951017), ref: 6F9515C1
Part of subcall function 6F9515A3: GlobalFree.KERNEL32 ref: 6F9515D2

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6F951D0B
lstrcpyW.KERNEL32(00000008,?), ref: 6F951D59
lstrcpyW.KERNEL32(00000808,?), ref: 6F951D63
GlobalFree.KERNEL32(00000000), ref: 6F951D7D
GlobalFree.KERNEL32(?), ref: 6F951E69
GlobalFree.KERNELBASE(?), ref: 6F951E6E
GlobalFree.KERNEL32(?), ref: 6F951E73
GlobalFree.KERNEL32(00000000), ref: 6F95201A
lstrcpyW.KERNEL32(?,?), ref: 6F95217A
GetModuleHandleW.KERNEL32(00000008), ref: 6F9521EE
LoadLibraryW.KERNEL32(00000008), ref: 6F9521FF
lstrcmpiW.KERNEL32(kernel32,00000008), ref: 6F95221B
lstrcmpiW.KERNEL32(kernel32.dll,00000008), ref: 6F952227
lstrlenW.KERNEL32(00000808), ref: 6F952258
lstrcatW.KERNEL32(00000808,6F9530C8), ref: 6F95227C
lstrcpyW.KERNEL32(?,00000808), ref: 6F9522C7
lstrcatW.KERNEL32(?,00000057), ref: 6F9522DE
lstrcatW.KERNEL32(00000808,00000057), ref: 6F952307

Strings

kernel32.dll, xrefs: 6F952222
W, xrefs: 6F9522C0
kernel32, xrefs: 6F952216

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: Global$Free$lstrcpy$lstrcat$Alloclstrcmpi$HandleLibraryLoadModulelstrlen
String ID: W$kernel32$kernel32.dll
API String ID: 2496820534-4093004423
Opcode ID: 419cac719a9e4dc39c8d947ce9c675112c844857bd0a6f6f916ae80eac10bde9
Instruction ID: 82a4574e5e9ae6934ed0f91982289f8c6635e47f7dce8ca3642e17b8988368c1
Opcode Fuzzy Hash: 419cac719a9e4dc39c8d947ce9c675112c844857bd0a6f6f916ae80eac10bde9
Instruction Fuzzy Hash: A9128B71904706DADB21CFB8C980AEEBBB9FF0A314F10452AD166E61C0D774E6E8CB54

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

lstrcatW.KERNEL32(00000000,00000000,Show,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,Show,Show,00000000,00000000,Show,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361,00403361,0043B238,00000000,00000000,00000000), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Strings

File: error, user cancel, xrefs: 00401B93
Show, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$Show
API String ID: 4286501637-2784701388
Opcode ID: 14717d050078586d048810e81c1f23feeacbf18b7ebb4633121e82710f30be1d
Instruction ID: 08d878c9e80d9a323f30b4f94fb3bca26633bf48a784620ab852fc75793eaf31
Opcode Fuzzy Hash: 14717d050078586d048810e81c1f23feeacbf18b7ebb4633121e82710f30be1d
Instruction Fuzzy Hash: 88511771901114BADB107BB1CD46EAF3A68DF05369F21423FF516B10D3DB7C4A528AAD

Function 00403679 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040368D
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004), ref: 004036A9

Part of subcall function 00405FB0: GetFileAttributesW.KERNEL32(00000003,004036BC,004DF0D8,80000000,00000003), ref: 00405FB4
Part of subcall function 00405FB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FD6

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003), ref: 004036F2

Strings

Null, xrefs: 00403770
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403877
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403889
XqB, xrefs: 00403834
soft, xrefs: 00403767
Inst, xrefs: 0040375E
Error launching installer, xrefs: 004036C9

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$XqB$soft
API String ID: 4283519449-2120965091
Opcode ID: a3e47155d5d3e7cfce9060ec4b179857a2ef80f4b34add79b0c4c44f1ba8f5ae
Instruction ID: f4150b5e2bf86fa70e64154ff4a6ed510d3eaad87e9a8afd50ffd73de6b30a99
Opcode Fuzzy Hash: a3e47155d5d3e7cfce9060ec4b179857a2ef80f4b34add79b0c4c44f1ba8f5ae
Instruction Fuzzy Hash: EE71C3B1900204AFDB11AFB5DD85BAE7AACAB04755F10807FFA05B72D1CB789E448B5C

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.KERNEL32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.KERNEL32(?), ref: 004029E4

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 82f7777af25b21072d9d61eb9cc9595a332ce28b3e617f2132309cd39d519d54
Instruction ID: 5079a85d00332eb89b956210b0bf8ab3b344c965529248026cf182ae6f79859d
Opcode Fuzzy Hash: 82f7777af25b21072d9d61eb9cc9595a332ce28b3e617f2132309cd39d519d54
Instruction Fuzzy Hash: B741AEB2D00208FFDF11AF91CE46EAEBBB9EB04704F21403BF605721A2D6794B519B59

Function 6D10127F Relevance: 16.7, APIs: 11, Instructions: 213
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D101582: lstrcpyW.KERNEL32(?,?,?,6D1012B7,6D103820), ref: 6D10159B
Part of subcall function 6D101582: GlobalFree.KERNEL32 ref: 6D1015AC

GlobalAlloc.KERNEL32(00000040,00000000,6D104040,6D104040,?,6D103020,6D103820), ref: 6D10139F
lstrlenW.KERNEL32(6D104040,6D104040,?,?,6D103020,6D103820), ref: 6D1013DA
GlobalAlloc.KERNEL32(00000040,?,?,?,6D103020,6D103820), ref: 6D1013E3
lstrcpyW.KERNEL32(?,6D104040,?,?,6D103020,6D103820), ref: 6D101412
lstrlenW.KERNEL32(6D104040,6D104040,?,?,6D103020,6D103820), ref: 6D101423
GlobalAlloc.KERNEL32(00000040,?,?,?,6D103020,6D103820), ref: 6D10142C
lstrcpyW.KERNEL32(?,6D104040,?,?,6D103020,6D103820), ref: 6D101459
DialogBoxParamW.USER32(00000065,00000000,6D101000,00000000), ref: 6D1014DB
GlobalFree.KERNEL32(?), ref: 6D10151A
GlobalFree.KERNEL32(?), ref: 6D10152A
GlobalFree.KERNEL32(?), ref: 6D10153E

Memory Dump Source

Source File: 00000001.00000002.2963717010.000000006D101000.00000020.00000001.01000000.00000008.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000001.00000002.2963700646.000000006D100000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2963733206.000000006D102000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2963749509.000000006D105000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d100000_setup.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$lstrlen$DialogParam
String ID:
API String ID: 4207030468-0
Opcode ID: adc452ed561c73320e9bf06032183d251cd7ce1e3d2e22078d465f28ba80a2c6
Instruction ID: 2d1f2843b7615eefed97a2f7f45929b8385c9af428d580a0d607ad620010965c
Opcode Fuzzy Hash: adc452ed561c73320e9bf06032183d251cd7ce1e3d2e22078d465f28ba80a2c6
Instruction Fuzzy Hash: 0B7192716052029BCB14FF95E980F26BBF8AB56318B01C42DE606DB21DDFF8D986CB15

Function 6CEB1791 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000000), ref: 6CEB17D8
GetWindowRect.USER32(00000000,?), ref: 6CEB17E3
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 6CEB17F3
CreateDialogParamW.USER32(00000001,?,6CEB14FC,00000000), ref: 6CEB1808
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 6CEB183B
SetWindowLongW.USER32(?,00000004,6CEB142D), ref: 6CEB1849
GetProcessHeap.KERNEL32(00000008,00000000), ref: 6CEB1863
HeapAlloc.KERNEL32(00000000), ref: 6CEB186A

Part of subcall function 6CEB1E83: GlobalAlloc.KERNEL32(00000040,?,?,6CEB1061,error,?,00000104,?,00000400), ref: 6CEB1E99
Part of subcall function 6CEB1E83: lstrcpynW.KERNEL32(00000004,00000104,?,6CEB1061,error,?,00000104,?,00000400), ref: 6CEB1EAF

Strings

error, xrefs: 6CEB1817

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
String ID: error
API String ID: 1928716940-1574812785
Opcode ID: 97a66189096ae11339c0b9a767fec8f0c2498c0dd650b99e0206bf602d72d7aa
Instruction ID: be98db6e31a0095a41b07628531665951f24b4f2c3dc316242512a2d23304411
Opcode Fuzzy Hash: 97a66189096ae11339c0b9a767fec8f0c2498c0dd650b99e0206bf602d72d7aa
Instruction Fuzzy Hash: B3212BB1A00219EFCF12DFA5DA49DBE7BB9FB4A311B10441AF605A3240DB709504DB6A

Function 6F9528A3 Relevance: 13.6, APIs: 9, Instructions: 147
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?), ref: 6F952958
GlobalAlloc.KERNEL32(00000040,?), ref: 6F952985
lstrcpynW.KERNEL32(00000000,?), ref: 6F952998
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6F9529B4
CLSIDFromString.OLE32(00000000,00000000), ref: 6F9529C1
GlobalFree.KERNEL32(00000000), ref: 6F9529C8
GlobalAlloc.KERNEL32(00000040), ref: 6F9529D8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F9529EF
GlobalFree.KERNELBASE(00000000), ref: 6F952A19

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: Global$Alloc$Free$ByteCharFromMultiStringWidelstrcpynlstrlen
String ID:
API String ID: 916651646-0
Opcode ID: 3e876ff800af75e58e2a559d1f6f366aeed590134c889fe575416fd2505727c6
Instruction ID: 4006e292df1972aee6b3d404d24a3f841df3edf44532779ba96872249562a8fd
Opcode Fuzzy Hash: 3e876ff800af75e58e2a559d1f6f366aeed590134c889fe575416fd2505727c6
Instruction Fuzzy Hash: C541AA71108301AFE764CF788944A6A7BF8FF46321F100A1AE61ADA2D1D730E4B9CF61

Function 004023F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
KiUserCallbackDispatcher.NTDLL(?,00002004,00473000,0040B0C0,0040B000,?,?,?,00000008,00000001,000000F0), ref: 00402485

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361,00403361,0043B238,00000000,00000000,00000000), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$CallbackDispatcherFreeHandleLoadModuleTextUserWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 2832544771-945480824
Opcode ID: deda522cecc8a5779823603240008b0faca4c76850106b13635e3c04ff52d226
Instruction ID: d8831ef82082564af9a2e195be03e9e7495047a885a7848ebc2eed903ecf7a42
Opcode Fuzzy Hash: deda522cecc8a5779823603240008b0faca4c76850106b13635e3c04ff52d226
Instruction Fuzzy Hash: 0B219F35A00208BBCF206FA1CE49A9E7A70AF00314F30813FF512761E1D7BD4A919A5D

Function 6CEB1C7C Relevance: 12.1, APIs: 8, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000), ref: 6CEB1C94
ShowWindow.USER32(00000008), ref: 6CEB1CA2
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6CEB1CBE
IsDialogMessageW.USER32(?), ref: 6CEB1CCE
IsDialogMessageW.USER32(?), ref: 6CEB1CDE
TranslateMessage.USER32(?), ref: 6CEB1CE8
DispatchMessageW.USER32(?), ref: 6CEB1CF2
SetWindowLongW.USER32(?,00000004), ref: 6CEB1D0C

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Message$DialogWindow$CallbackDispatchDispatcherLongSendShowTranslateUser
String ID:
API String ID: 4159918924-0
Opcode ID: ced51948e744e30fd42157f0d6cf04f1ae0db4228e0cf32e8ba25bccd90afafc
Instruction ID: c7297475da430f796b600091943cf710f1316bb0a08dce6ec98d96f122d40691
Opcode Fuzzy Hash: ced51948e744e30fd42157f0d6cf04f1ae0db4228e0cf32e8ba25bccd90afafc
Instruction Fuzzy Hash: 05112D31A0050AFFCF029BA5EE09EBB3F7EFB46715B104126FA10A2150DB319406CB69

Function 004033D2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004033E7

Part of subcall function 004033BB: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040389E,?), ref: 004033C9

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403583,00000004,00000000,00000000,?,?,?,004038C5,000000FF,00000000,00000000), ref: 0040341A
WriteFile.KERNEL32(004271E0,0042B879,000000FF,00000000,0042F1E8,00004000,?,00000000,?,00403583,00000004,00000000,00000000,?,?), ref: 004034D8
SetFilePointer.KERNEL32(001F1E3C,00000000,00000000,0042F1E8,00004000,?,00000000,?,00403583,00000004,00000000,00000000,?,?,?,004038C5), ref: 0040352A

Strings

qB, xrefs: 0040342C
XqB, xrefs: 0040349E

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: XqB$qB
API String ID: 2146148272-2352303668
Opcode ID: 979a132689fdd3b66ddc975673b61f2c520d6a21d2f47b68d5318fd2806375dd
Instruction ID: 352f119b9731fba5dc1d5d47024dbf085b4ecca43a18aeda97e8958449c38e74
Opcode Fuzzy Hash: 979a132689fdd3b66ddc975673b61f2c520d6a21d2f47b68d5318fd2806375dd
Instruction Fuzzy Hash: F841A372604211AFCB209F29EE4593A3F6CFB1435A784027FE511A23B0CB399E55CB5D

Function 00403550 Relevance: 7.6, APIs: 5, Instructions: 108fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(-00069C40,00000000,00000000,00000000,00000000,?,?,?,004038C5,000000FF,00000000,00000000,004091D8,?), ref: 00403574
ReadFile.KERNEL32(004091D8,00000004,?,00000000,00000000,00000004,00000000,00000000,?,?,?,004038C5,000000FF,00000000,00000000,004091D8), ref: 004035A2
ReadFile.KERNEL32(0042F1E8,00004000,?,00000000,004091D8,?,004038C5,000000FF,00000000,00000000,004091D8,?), ref: 004035FC
WriteFile.KERNEL32(00000000,0042F1E8,?,000000FF,00000000,?,004038C5,000000FF,00000000,00000000,004091D8,?), ref: 00403614

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID:
API String ID: 2113905535-0
Opcode ID: 7052c420235308e1a53cecd41fbf7afbbe8e53aab26b08745c9ca0e470065494
Instruction ID: a63153eef40669f0ed7c1800638863e54a14cc79a46bc24bc920c3bc8af84b95
Opcode Fuzzy Hash: 7052c420235308e1a53cecd41fbf7afbbe8e53aab26b08745c9ca0e470065494
Instruction Fuzzy Hash: 5E31F971500108FBDB21CFA9ED44EAE3BBCEB44351F60483AF904E6290D6359B51DB69

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

GlobalFree.KERNEL32(008FD7C8), ref: 00402387

Strings

Show, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$Show
API String ID: 1459762280-1347343861
Opcode ID: 86046051319aa6f15320f2f89dd1da973ef8906580a437cab40d105fcf93cf09
Instruction ID: 00a269db9d122ce218cb6369f3e7d31d5b123713c6f27ce8ba71e52fe8ccb839
Opcode Fuzzy Hash: 86046051319aa6f15320f2f89dd1da973ef8906580a437cab40d105fcf93cf09
Instruction Fuzzy Hash: 6F21D476601105EBD710AB64DD81A6F77A4EF04318721403FF542B72D2E7789C1186AD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

GlobalFree.KERNEL32(008FD7C8), ref: 00402387

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 04190a5ec73ef904f848c902adff7444c08b120d91b8cbbfd7be8fc87318c9d7
Instruction ID: d706dadd873a054bb948c0373b183cc18cdaf107e69ff1aff3bcb7a8f3beee4c
Opcode Fuzzy Hash: 04190a5ec73ef904f848c902adff7444c08b120d91b8cbbfd7be8fc87318c9d7
Instruction Fuzzy Hash: 6E114C72900109AFCF01EFA1DD459AE7BB8EF04344F10407AF606F62A0D7799A51DB59

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 55ad496edc2af256c0c88f76fcaffcca9168ec20f4bf31ffebe7fcfc10bf5179
Instruction ID: 2b6f9eedf6ae11cfe1e36f0213f8387d72ebb0b879c85407db03f4e9eb7306d9
Opcode Fuzzy Hash: 55ad496edc2af256c0c88f76fcaffcca9168ec20f4bf31ffebe7fcfc10bf5179
Instruction Fuzzy Hash: A7016171500204BBDB14AF60DE49D9E3B78EF05359F10443AF646BA1E1D6798982DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 6F952A4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 6F951C1B: GlobalFree.KERNEL32(?), ref: 6F951E69
Part of subcall function 6F951C1B: GlobalFree.KERNELBASE(?), ref: 6F951E6E
Part of subcall function 6F951C1B: GlobalFree.KERNEL32(?), ref: 6F951E73

GlobalFree.KERNEL32(00000000), ref: 6F952AFA
FreeLibrary.KERNEL32(?), ref: 6F952B71
GlobalFree.KERNEL32(00000000), ref: 6F952B96

Part of subcall function 6F9523C1: GlobalAlloc.KERNEL32(00000040,00000000), ref: 6F9523F3

Part of subcall function 6F9525B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,6F952ACB,00000000), ref: 6F952611

Part of subcall function 6F951904: lstrcpyW.KERNEL32(00000000,error,00000000,6F95287B,00000000), ref: 6F951929

Part of subcall function 6F952445: wsprintfW.USER32 ref: 6F9524E8
Part of subcall function 6F952445: GlobalFree.KERNEL32(?), ref: 6F952516
Part of subcall function 6F952445: GlobalFree.KERNEL32(00000000), ref: 6F95253F

Strings

, xrefs: 6F952B77

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 11ee72a18cce88ff89d727e2c1c84fd7b8f11ac8665c8ac79dfda2c4faab9bdb
Instruction ID: ee4c0d908d72fa17a4f66c8bd660878bc7153d5a32f497799ee112715a492d1e
Opcode Fuzzy Hash: 11ee72a18cce88ff89d727e2c1c84fd7b8f11ac8665c8ac79dfda2c4faab9bdb
Instruction Fuzzy Hash: 7631B3714043459ADF54DFB898C4B963BACAF16328F144426E919AE0D7DBB4E0B5CA60

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e9a18080beffe971bb15df4a8f5444ede2e1f7f3a5df9d200604b6a011215d0a
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 32219171900209ABDF15AFB4D986ABD7BB9AF00348F14413EF602F60E2D6798A80D758

Function 00405FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405FFE
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403946,004D30C0,004D70C8), ref: 00406019

Strings

nsa, xrefs: 00405FED

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4c34e6a0a90932f4b551cf1a0ac55fda76427712b032f8561b8497f4a2d6824a
Instruction ID: be25c3b17c8933440b05da9cd673d95fc9e669a54b60c2a7ae19a21696f833e6
Opcode Fuzzy Hash: 4c34e6a0a90932f4b551cf1a0ac55fda76427712b032f8561b8497f4a2d6824a
Instruction Fuzzy Hash: 03F06776600208ABDB10CF59DD09A9EBBADEF94710F00803FFA45E7290E6B09A54C768

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: d6a52e45258e13aa606ad2b2b5c1a00533a470e73934100eb5490deb1737a6ec
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: 02E09232A05111DBCB08BBB5A7495AE76B4EA5532A725007FE243F20D1DA7D8D01C62D

Function 00407A26 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36cb06954edc7335e9d92b109141cbd09c7a7193fbcbb3a0e0d18f944b47e5e
Instruction ID: 7372baf4ca72983a720edb26d3aa8eb56cdb2bb7098e1cb2460684513cc098eb
Opcode Fuzzy Hash: c36cb06954edc7335e9d92b109141cbd09c7a7193fbcbb3a0e0d18f944b47e5e
Instruction Fuzzy Hash: 38A14671914248EBDB18CF18C8946ED3BE1FF44355F10912AFD5AAB290D738E981CF85

Function 00407C24 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f400c994127adfbf61058f0df631bf6e0d69df8ab50e85f6c29bef2e618aba5
Instruction ID: 19be9bd041eb831dc497f9eed389fffc0b40ebad8130cd8a8cc9c73c743c8dd7
Opcode Fuzzy Hash: 1f400c994127adfbf61058f0df631bf6e0d69df8ab50e85f6c29bef2e618aba5
Instruction Fuzzy Hash: FC913471904248EBDF18CF18C8947E93BA1FF44399F10912AFC5AAB291C738E985CF85

Function 00407473 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb3c0e8f84787af47df7413a68d2a7b57c255642fcd00871c8e2605327e1244
Instruction ID: 7f7ee5045e18535129bde91f801cc5c524a8174eb8871a5b0dc4d7b8e610d919
Opcode Fuzzy Hash: 0eb3c0e8f84787af47df7413a68d2a7b57c255642fcd00871c8e2605327e1244
Instruction Fuzzy Hash: 40814871918248EBDB14CF29C8447ED3BA1FF44355F10812AFD6AAB290D778E985CF85

Function 004078B3 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf24dacc8478a35d58cb1e451b5f07b4fbd3d5e90387a27a31f51ce211858d9
Instruction ID: 0b2195dfed2d2eaf31799a866d23b30a47b9bddfdc78d95a245e633d29955650
Opcode Fuzzy Hash: dcf24dacc8478a35d58cb1e451b5f07b4fbd3d5e90387a27a31f51ce211858d9
Instruction Fuzzy Hash: 41711271914248EBDF28CF18C844AE93BE1FF48355F10812AFD5AAB291D738E985CF85

Function 004079B5 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1648e0811c9f97d55a3022652a548649fa1c26b9f6cb7626f8a21e4732b448f
Instruction ID: e9ed1edde03ce079a1eac7925ffd26eceee2e589c91d04c2349d82a358760cac
Opcode Fuzzy Hash: b1648e0811c9f97d55a3022652a548649fa1c26b9f6cb7626f8a21e4732b448f
Instruction Fuzzy Hash: 51713471918248EBDF18CF18C844BE93BB1FF44345F10812AFD5AAA291C738E985CF86

Function 00407913 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231398222cbd9f561c647f948b9b3d3c6184bd44b9bf4c4e3e1677bf7cb27c81
Instruction ID: 372954581a63a42c771a5a1ecf6877848c3696302c905df1bb59de476e0b08a4
Opcode Fuzzy Hash: 231398222cbd9f561c647f948b9b3d3c6184bd44b9bf4c4e3e1677bf7cb27c81
Instruction Fuzzy Hash: FB613671904248EBEB28CF18C844BAD3BB1FF44345F10912AFD56AA291D778E985CF86

Function 00407DC0 Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 00407526
GlobalAlloc.KERNEL32(00000040,?,00000000,00004000,0042F1E8), ref: 0040752F
GlobalFree.KERNEL32(?), ref: 0040759E
GlobalAlloc.KERNEL32(00000040,?,00000000,00004000,0042F1E8), ref: 004075A9

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: 6fc4b81007277366271f5ed8f4823a6fbaedd18a17911aa1f8adf1f3d20f8d2f
Instruction ID: 69d61f3c28aa3c4651f1fcdc65fbd76dba6520ab561f69162c86fd3f3c29a3b1
Opcode Fuzzy Hash: 6fc4b81007277366271f5ed8f4823a6fbaedd18a17911aa1f8adf1f3d20f8d2f
Instruction Fuzzy Hash: C9514471914248EBDB28CF19C854AAD3BE1FF44355F10812AFD5AAA291C738E981CF85

Function 00402A84 Relevance: 4.5, APIs: 3, Instructions: 49registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.KERNEL32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.KERNEL32(?), ref: 004029E4
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00002003), ref: 00402AB6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402AC9

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 71ecbc242c05244eee09d6688f759a3b78646090920a111b31f6a68a443b0d85
Instruction ID: 95ee22d97734955972c485d9abb9d084f4b44991137fab2cec59741c3fa91784
Opcode Fuzzy Hash: 71ecbc242c05244eee09d6688f759a3b78646090920a111b31f6a68a443b0d85
Instruction Fuzzy Hash: 02014471604104BBE7149F64EE89A7B766CEB40358F10443FF546B61D0EAB84A419A69

Function 00406034 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,00000002,?,00406A96,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,Show), ref: 0040605E
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,00406A96,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,Show), ref: 00406080
RegCloseKey.KERNEL32(?,?,00406A96,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,Show), ref: 004060A7

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ce379d2cd2c6934f93681775daff6b6b388132cfaa10fc4de9bcc8a3fbe1b6f0
Instruction ID: 98a2f5c40708be4a22a19e2b3dffd551e29741b81bdf7905c269ac5831645af6
Opcode Fuzzy Hash: ce379d2cd2c6934f93681775daff6b6b388132cfaa10fc4de9bcc8a3fbe1b6f0
Instruction Fuzzy Hash: F301487125020AAADF21CF64ED05BDB3BE9EF18354F014426FA05E2160E335E964DBA9

Function 6F95124C Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000), ref: 6F95130B
GetLastError.KERNEL32 ref: 6F951412

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: ErrorImageLastLoad
String ID:
API String ID: 2189606529-0
Opcode ID: 47c6e2a55ff88f4abad91d69f21c64c254611c6d394fab2ceb1002b6fb32cd3e
Instruction ID: b2b95f15d7a9a8758c2a7720b2ab57bc783bab6d9b8d4ac30d8de2ed798c5a83
Opcode Fuzzy Hash: 47c6e2a55ff88f4abad91d69f21c64c254611c6d394fab2ceb1002b6fb32cd3e
Instruction Fuzzy Hash: 0F517B768087049FEB60DF78D9A0B5937A8FB47328F20452AE404CA2C1DB34E5F9DE95

Function 004029FF Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.KERNEL32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.KERNEL32(?), ref: 004029E4
RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00402A32

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e94bd00db104d0a2cf1578d6cca9940a8e39714a5f0dfa19380a7ad9a90a7e54
Instruction ID: d7a97197237819f4b7492ca0bf04413f91ee399627d725b97b5ce9e5d01a5032
Opcode Fuzzy Hash: e94bd00db104d0a2cf1578d6cca9940a8e39714a5f0dfa19380a7ad9a90a7e54
Instruction Fuzzy Hash: 03116371A10204EFDF24DFA4DA495AE76B4EF44344B21843FE446F32D0E6B45B41DB19

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 004030A9 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,?), ref: 004030B7
InvalidateRect.USER32(?), ref: 004030C7

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 6221ef138abef0cc7f02eb51ea7237b8e00d2cdf30ab43c4de82fd491b7554a6
Instruction ID: a2afc3cdb4025c47ae200eb0ee8b495955aac6ae4429a00b614700c75c4af1b0
Opcode Fuzzy Hash: 6221ef138abef0cc7f02eb51ea7237b8e00d2cdf30ab43c4de82fd491b7554a6
Instruction Fuzzy Hash: 8FE04672A00109EFDB40DF98FE809AE7B79EB40306B1480BAF102F1060C37A8E00DB28

Function 00405FB0 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000003,004036BC,004DF0D8,80000000,00000003), ref: 00405FB4
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FD6

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bb163b9fe6ad53c4c24c626dc6eb2012a5604aa560a8fbe1d65a356919806daf
Instruction ID: 0718ebe39a3ec8d134d715fe04010489d3ea4afa24b2ee2dc260a56d563539cd
Opcode Fuzzy Hash: bb163b9fe6ad53c4c24c626dc6eb2012a5604aa560a8fbe1d65a356919806daf
Instruction Fuzzy Hash: C9D09E71654202EFEF098F60DE1AF6EBBA2EB94B00F01852CB396540F0DA725819DB15

Function 00405F90 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00406FE2,?,?,?), ref: 00405F94
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FA7

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: 105455ff1efcd328e2e9ce2036d03e870e7956c14fbc8a42dfb904e2d669a030
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: D1C012B1404801AAD6000B34DF0881A7B62AB90330B268739B0BAE00F0CB3888A99A19

Function 6CEB1E34 Relevance: 2.5, APIs: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,6CEB1053,?,6CEB1053,?), ref: 6CEB1E62
GlobalFree.KERNELBASE ref: 6CEB1E72

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: 32eb3d240f1aa0ee9ab99f5dab5dc4293f8ce28f4668a216e8ba739ac79efe95
Instruction ID: a56aa23add12f3806dc3cb4eabf67ae28e3c2ab791757c2724998747b8df06f8
Opcode Fuzzy Hash: 32eb3d240f1aa0ee9ab99f5dab5dc4293f8ce28f4668a216e8ba739ac79efe95
Instruction Fuzzy Hash: FBF0D432316210DFDB11CEA4CA44B66B3F8BF0A719F20482AF595D7650D730E800CB65

Function 6D101582 Relevance: 2.5, APIs: 2, Instructions: 22stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,?,6D1012B7,6D103820), ref: 6D10159B
GlobalFree.KERNEL32 ref: 6D1015AC

Memory Dump Source

Source File: 00000001.00000002.2963717010.000000006D101000.00000020.00000001.01000000.00000008.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000001.00000002.2963700646.000000006D100000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2963733206.000000006D102000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2963749509.000000006D105000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d100000_setup.jbxd

Similarity

API ID: FreeGloballstrcpy
String ID:
API String ID: 1709915452-0
Opcode ID: e35a0743984ed89f2c992002b3a7b89bc8a1a4c8c0a43ae879c9298a27dc3f75
Instruction ID: 926defa7fe8d03c77bc72d682c0927aaaad52ccd7e89e817e9d4007427936b0b
Opcode Fuzzy Hash: e35a0743984ed89f2c992002b3a7b89bc8a1a4c8c0a43ae879c9298a27dc3f75
Instruction Fuzzy Hash: 69E01A356102019FDB12AFA4D884B6677F8FF6F315B00892AE456C7254DFB49840CF50

Function 00401553 Relevance: 1.5, APIs: 1, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,00000022,00000000,?,?), ref: 0040158B

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 152b3ead9943045a115202606b4aa47f0bb9bcdc92ab0ec0580d088b3e521770
Instruction ID: 320ffdfbdc2962e817d17244dae4d4ae4c6b2856982d8e6d6ae96c218de63f7b
Opcode Fuzzy Hash: 152b3ead9943045a115202606b4aa47f0bb9bcdc92ab0ec0580d088b3e521770
Instruction Fuzzy Hash: 40F0AC76650115ABD700DB94DE42EA637DCEB04794F054021BA09EB2A1D675E94087AD

Function 00403389 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(004091D8,00000000,00000000,00000000,0042F1E8,004271E0,00403453,0042F1E8,00004000,?,00000000,?,00403583,00000004,00000000,00000000), ref: 004033A0

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: c6c40d3f4f7261540deed743693c79d8b23b6d840c968e3368c6ef78f45d931b
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: B0E08C32114118BBCB119E929C40AE77B5CEB043A2F008432BE54E9290DA30DA04DBA8

Function 6F952728 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(6F954020,00000004,00000040,6F954028), ref: 6F952746

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 03069635955d140c0ddf2036d2fa3eb24a82ed4efe604fb25fbfd9511b65f147
Instruction ID: fff53f7ca423a7b0522e56333c4449c2e58f2c1976fee1a18332db34d7d71eb7
Opcode Fuzzy Hash: 03069635955d140c0ddf2036d2fa3eb24a82ed4efe604fb25fbfd9511b65f147
Instruction Fuzzy Hash: 8EE0AEB190DB409EEBD0CF3CD864B023AF0B75B326F21452AE248D62C0E230913CAF19

Function 00403914 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406199: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 004061FC
Part of subcall function 00406199: CharNextW.USER32(?,?,?,00000000), ref: 0040620B
Part of subcall function 00406199: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406210
Part of subcall function 00406199: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406224

CreateDirectoryW.KERNEL32(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403B6B), ref: 00403935

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: f4befcb6106095d9d06c1b39d32d6196981096d2805c3ce9a3ed86820828cee4
Instruction ID: 5ea94fba79f3f21d5ad716e498331d560289176cc766b9bc92f8e515fc4ca6d3
Opcode Fuzzy Hash: f4befcb6106095d9d06c1b39d32d6196981096d2805c3ce9a3ed86820828cee4
Instruction Fuzzy Hash: 14D0C922147D3136C592376A7D06FCF090D8F0279AB0A407BF949B91CA5FAC4B8285FE

Function 00403E9F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

SetDlgItemTextW.USER32(?,?,00000000), ref: 00403EB9

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: ItemTextVersion
String ID:
API String ID: 1287519508-0
Opcode ID: f2b4361e4d7c3881d6a85ce52f9b05fc3d04f2b44ca1c8ee376b4dc84f376a48
Instruction ID: 6a48e5d75812bfa7c4a09cce31339b59d49678da8d37b8d2777bd432dc215d8f
Opcode Fuzzy Hash: f2b4361e4d7c3881d6a85ce52f9b05fc3d04f2b44ca1c8ee376b4dc84f376a48
Instruction Fuzzy Hash: BCC08C71008300BFD241AB14CC02F0FB39CEF90315F00C42EB05CA01D1C63584208A26

Function 00403EF8 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00405914), ref: 00403F06

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 004033BB Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,0040389E,?), ref: 004033C9

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Non-executed Functions

Function 0040522D Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040528F
GetDlgItem.USER32(?,000003EE), ref: 0040529E
GetClientRect.USER32(?,?), ref: 004052F6
GetSystemMetrics.USER32(00000015), ref: 004052FE
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 0040531F
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405330
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405343
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405351
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405364
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405386
ShowWindow.USER32(?,00000008), ref: 0040539A
GetDlgItem.USER32(?,000003EC), ref: 004053BB
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004053CB
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004053E0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004053EC
GetDlgItem.USER32(?,000003F8), ref: 004052AD

Part of subcall function 00403EF8: SendMessageW.USER32(00000028,?,00000001,00405914), ref: 00403F06

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

GetDlgItem.USER32(?,000003EC), ref: 0040540B
CreateThread.KERNEL32(00000000,00000000,Function_000051A7,00000000), ref: 00405419
CloseHandle.KERNEL32(00000000), ref: 00405420
ShowWindow.USER32(00000000), ref: 00405447
ShowWindow.USER32(?,00000008), ref: 0040544C
ShowWindow.USER32(00000008), ref: 00405493
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054C5
CreatePopupMenu.USER32 ref: 004054D6
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004054EB
GetWindowRect.USER32(?,?), ref: 004054FE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405520
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040555B
OpenClipboard.USER32(00000000), ref: 0040556B
EmptyClipboard.USER32 ref: 00405571
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040557D
GlobalLock.KERNEL32(00000000), ref: 00405587
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040559B
GlobalUnlock.KERNEL32(00000000), ref: 004055BD
SetClipboardData.USER32(0000000D,00000000), ref: 004055C8
CloseClipboard.USER32 ref: 004055CE

Strings

PrD, xrefs: 00405537
New install of "%s" to "%s", xrefs: 004052E2
{, xrefs: 004054B2

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"$PrD${
API String ID: 2110491804-2508554099
Opcode ID: 11dd572734fdcc9cd5cd232e0012044d14f9f12b4c407c8bff242ac5f06050a0
Instruction ID: 894ce410e52ba77d1203c8417793cf84406b50b5a57a64d435ed06079733cfed
Opcode Fuzzy Hash: 11dd572734fdcc9cd5cd232e0012044d14f9f12b4c407c8bff242ac5f06050a0
Instruction Fuzzy Hash: 25B15B70800608FFDB119F60DE85EAE7B79FB44355F00813AFA45BA1A0CBB98A519F59

Function 00404ADC Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404AF3
GetDlgItem.USER32(?,00000408), ref: 00404B00
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B4F
LoadBitmapW.USER32(0000006E), ref: 00404B62
SetWindowLongW.USER32(?,000000FC,Function_00004A2C), ref: 00404B7C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B8E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404BA2
SendMessageW.USER32(?,00001109,00000002), ref: 00404BB8
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BC4
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BD4
DeleteObject.GDI32(?), ref: 00404BD9
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C04
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C10
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CB1
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404CD4
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CE5
GetWindowLongW.USER32(?,000000F0), ref: 00404D0F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D1E
ShowWindow.USER32(?,00000005), ref: 00404D2F
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E2D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404E88
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404E9D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EC1
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404EE7
ImageList_Destroy.COMCTL32(?), ref: 00404EFC
GlobalFree.KERNEL32(?), ref: 00404F0C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404F7C
SendMessageW.USER32(?,00001102,?,?), ref: 0040502A
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405039
InvalidateRect.USER32(?,00000000,00000001), ref: 00405059
ShowWindow.USER32(?,00000000), ref: 004050A9
GetDlgItem.USER32(?,000003FE), ref: 004050B4
ShowWindow.USER32(00000000), ref: 004050BB

Strings

N, xrefs: 00404D66
M, xrefs: 00404CA3
@, xrefs: 00404CF0
, xrefs: 00405099

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d727e73693a3646156034d8b388d51c81f548d2c458721deff1c8d70a90ce4be
Instruction ID: ce2321f3f297f3fbf41fbef512ec3ccbffa26c3bd4bbee077dcac70070df60a7
Opcode Fuzzy Hash: d727e73693a3646156034d8b388d51c81f548d2c458721deff1c8d70a90ce4be
Instruction Fuzzy Hash: CC025AB0900209AFDF209FA4DD45AAE7BB5FB84314F10413AF615B62E1D7B88E91DF58

Function 00404605 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404659
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404667
GetDlgItem.USER32(?,000003FB), ref: 00404687
GetAsyncKeyState.USER32(00000010), ref: 0040468E
GetDlgItem.USER32(?,000003F0), ref: 004046A3
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 004046B4
SetWindowTextW.USER32(?,?), ref: 004046E3
SHBrowseForFolderW.SHELL32(?), ref: 0040479D
lstrcmpiW.KERNEL32(Show,00447250,00000000,?,?), ref: 004047DA
lstrcatW.KERNEL32(?,Show), ref: 004047E6
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047F6
CoTaskMemFree.OLE32(00000000), ref: 004047A8

Part of subcall function 00405DE4: GetDlgItemTextW.USER32(00000001,00000001,00002004,004040E1), ref: 00405DF7

Part of subcall function 00406199: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 004061FC
Part of subcall function 00406199: CharNextW.USER32(?,?,?,00000000), ref: 0040620B
Part of subcall function 00406199: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406210
Part of subcall function 00406199: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406224

Part of subcall function 00403FD4: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405BFC,004C70A8,004C70A8,004D30C0,00447250,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447250,00000000,00000006), ref: 00403FEF

GetDiskFreeSpaceW.KERNEL32(00443248,?,?,0000040F,?,00443248,00443248,?,00000000,00443248,?,?,000003FB,?), ref: 004048B9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004048D4

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

SetDlgItemTextW.USER32(00000000,00000400,0040931C), ref: 0040494D

Strings

Show, xrefs: 004047D4, 004047D9, 004047E4
PrD, xrefs: 00404770
A, xrefs: 00404796
H2D, xrefs: 0040483B

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: A$H2D$PrD$Show
API String ID: 3347642858-1305367516
Opcode ID: 563870873e52b2e0a3cdb2865a86a3a579f559fabb233f753f9e034d7750c1c3
Instruction ID: b0b3c754d12335248bfc7248cfd16ee1359f8a3788a1353c85d9a997a926ad80
Opcode Fuzzy Hash: 563870873e52b2e0a3cdb2865a86a3a579f559fabb233f753f9e034d7750c1c3
Instruction Fuzzy Hash: A9B184B1900205ABDF11AFA1CD85AAF7BB8EF84315F10843BF705B72D1D7789A418B69

Function 00407033 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000080,80000000,00000001,00000000,00000003,00000080,00000000,00000000), ref: 00407057
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00407091
ReadFile.KERNEL32(00000080,?,00000010,?,00000000), ref: 0040710A
lstrcpynA.KERNEL32(ys@,?,00000005), ref: 00407116
lstrcmpA.KERNEL32(name,ys@), ref: 00407128
CloseHandle.KERNEL32(00000080), ref: 00407347

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

%s: failed opening file "%s", xrefs: 0040706D
GetTTFNameString, xrefs: 00407068
ys@, xrefs: 00407112, 0040711C, 00407115, 0040711F
name, xrefs: 00407120

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name$ys@
API String ID: 1916479912-237794762
Opcode ID: 0715d5e28a72504c5accadc8c16e1503c0709497f081ba3703715ed6f8973fce
Instruction ID: a1a783c1589cc2114d60951c227a61dfc271eaab027b45fbce8ea6a895ba6447
Opcode Fuzzy Hash: 0715d5e28a72504c5accadc8c16e1503c0709497f081ba3703715ed6f8973fce
Instruction Fuzzy Hash: DC91C170D1412DAADF04EBE5C9909FEBBB9EF48301F00406AF592F7290E6385A05EB75

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B54,?,00000001,00409B34,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 72f94041dc772d4d9adb032695cde8a813159a995c234bec806880be495e7e30
Instruction ID: 8d6901ad6a64056badc23f129c971549208a59aeacbb917aec9ee0bd4eb55a7e
Opcode Fuzzy Hash: 72f94041dc772d4d9adb032695cde8a813159a995c234bec806880be495e7e30
Instruction Fuzzy Hash: F9414E74A00205AFCB04EFA0CC99EAE7B79EF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5d3f04000a08ab209f02e52df63f4d3c88daa36f7871475c2abf4056f963e15b
Instruction ID: 0be6497265b52c9a603a3734c231496b9e64610ba4981580ad79d755a9c283ef
Opcode Fuzzy Hash: 5d3f04000a08ab209f02e52df63f4d3c88daa36f7871475c2abf4056f963e15b
Instruction Fuzzy Hash: D1E06D36600200ABC700EBB49D85ABE736C9F01329F20457BF146F20D1D6B88A51976E

Function 0040650D Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00406520
lstrlenW.KERNEL32(?), ref: 0040652D
GetVersionExW.KERNEL32(?), ref: 0040658B

Part of subcall function 0040618C: CharUpperW.USER32(?,00406562,?), ref: 00406192

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 004065CA
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004065E9
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004065F3
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004065FE
FreeLibrary.KERNEL32(00000000), ref: 00406635
GlobalFree.KERNEL32(?), ref: 0040663E

Strings

Kernel32.DLL, xrefs: 004066FC
EnumProcessModules, xrefs: 004065EB
Process32NextW, xrefs: 00406729
PSAPI.DLL, xrefs: 004065C5
Unknown, xrefs: 0040665D
Module32FirstW, xrefs: 00406734
EnumProcesses, xrefs: 004065E3
CreateToolhelp32Snapshot, xrefs: 00406716
GetModuleBaseNameW, xrefs: 004065F5
Module32NextW, xrefs: 0040673F
Process32FirstW, xrefs: 0040671E

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: 40333aef454c47322eec6f7f9158de98af9d91ef9b06c0be04974d32da86a69b
Instruction ID: 8cac56bd889a6922fafa0e84fcbe499284ae1ad590ea9cc90dd23bfef8a88dc9
Opcode Fuzzy Hash: 40333aef454c47322eec6f7f9158de98af9d91ef9b06c0be04974d32da86a69b
Instruction Fuzzy Hash: 18918671900219EBDF10AFA5CD88AAE7AB8FF45341F11807AE546F2290DB788A55CF58

Function 00404218 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004042CD
GetDlgItem.USER32(?,000003E8), ref: 004042E1
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004042FE
GetSysColor.USER32(?), ref: 0040430F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040431D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040432B
lstrlenW.KERNEL32(?), ref: 00404336
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404343
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404352

Part of subcall function 0040412A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00404141
Part of subcall function 0040412A: GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404150
Part of subcall function 0040412A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00404164

GetDlgItem.USER32(?,0000040A), ref: 004043AA
SendMessageW.USER32(00000000), ref: 004043B1
GetDlgItem.USER32(?,000003E8), ref: 004043DE
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00404421
LoadCursorW.USER32(00000000,00007F02), ref: 0040442F
SetCursor.USER32(00000000), ref: 00404432
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 00404447
LoadCursorW.USER32(00000000,00007F00), ref: 00404453
SetCursor.USER32(00000000), ref: 00404456
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404485
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404497

Strings

@%F, xrefs: 00404407
open, xrefs: 0040443F
N, xrefs: 004043CC

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: 4ce468f3699d88ed665c706f7775ee9aa6dc059267c0d14d93e3607c8b30f664
Instruction ID: 5e7a78df94721a13c93f88c26dc0e1e940185c2092e6ea244a57a3ff362b188b
Opcode Fuzzy Hash: 4ce468f3699d88ed665c706f7775ee9aa6dc059267c0d14d93e3607c8b30f664
Instruction Fuzzy Hash: 9D71B1B1900609BFDF109F60DD85E6A7B69FB84315F00813AFA04B62D1C778A991CF99

Function 6CEB10FB Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 142memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000800), ref: 6CEB1126
GlobalAlloc.KERNEL32(00000040,00000800), ref: 6CEB112D
GlobalAlloc.KERNEL32(00000040,00000800), ref: 6CEB1135
GlobalAlloc.KERNEL32(00000040,00000800), ref: 6CEB113D

Part of subcall function 6CEB1E34: lstrcpynW.KERNEL32(?,?,6CEB1053,?,6CEB1053,?), ref: 6CEB1E62
Part of subcall function 6CEB1E34: GlobalFree.KERNELBASE ref: 6CEB1E72

lstrcmpiW.KERNEL32(?,save,?,00000400,00000000,00000400,?,00000400), ref: 6CEB11A0
GetFileAttributesW.KERNEL32(00000000), ref: 6CEB11AC
lstrcpyW.KERNEL32(?,00000000), ref: 6CEB11BF
lstrcpyW.KERNEL32(?,All Files|*.*), ref: 6CEB11DC
CharNextW.USER32(?), ref: 6CEB11FB
GetCurrentDirectoryW.KERNEL32(00000004,?), ref: 6CEB1212
GetSaveFileNameW.COMDLG32(00000058), ref: 6CEB1220
GetOpenFileNameW.COMDLG32(00000058), ref: 6CEB1228
CommDlgExtendedError.COMDLG32 ref: 6CEB1235
GetSaveFileNameW.COMDLG32(00000058), ref: 6CEB124F
GetOpenFileNameW.COMDLG32(00000058), ref: 6CEB1257
SetCurrentDirectoryW.KERNEL32(?,6CEB30FC), ref: 6CEB126E
GlobalFree.KERNEL32(00000000), ref: 6CEB127B
GlobalFree.KERNEL32(?), ref: 6CEB127E
GlobalFree.KERNEL32(?), ref: 6CEB1283
GlobalFree.KERNEL32(?), ref: 6CEB1288

Strings

save, xrefs: 6CEB1197
X, xrefs: 6CEB116D
All Files|*.*, xrefs: 6CEB11D6

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Global$FileFree$AllocName$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedNextlstrcmpilstrcpyn
String ID: All Files|*.*$X$save
API String ID: 406688562-3147001704
Opcode ID: b4115f3a2c9d1593f5ae35e4dc97ebba4e01851dc9463f6e7995f3085ebb7f27
Instruction ID: 805a4f59ec2a811441010f764844e74d453a4618751bb4c916108e53ec3a0431
Opcode Fuzzy Hash: b4115f3a2c9d1593f5ae35e4dc97ebba4e01851dc9463f6e7995f3085ebb7f27
Instruction Fuzzy Hash: 47415E71E00618ABCB119FE5CE4AAAE7FB8EF06725F204019F509F7280DB34D945DBA5

Function 00406BFA Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2D8,NUL,?,00000000,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F,?,00000000,000000F1,?), ref: 00406C0A
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F,?,00000000,000000F1,?), ref: 00406C29
GetShortPathNameW.KERNEL32(000000F1,0045B2D8,00000400), ref: 00406C32

Part of subcall function 00405F16: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406D34,00000000,[Rename]), ref: 00405F26
Part of subcall function 00405F16: lstrlenA.KERNEL32(?,?,00000000,00406D34,00000000,[Rename]), ref: 00405F58

GetShortPathNameW.KERNEL32(000000F1,00460930,00000400), ref: 00406C53
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2D8,000000FF,0045BAD8,00000400,00000000,00000000,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F), ref: 00406C7C
WideCharToMultiByte.KERNEL32(00000000,00000000,00460930,000000FF,0045C128,00000400,00000000,00000000,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F), ref: 00406C94
wsprintfA.USER32 ref: 00406CAE
GetFileSize.KERNEL32(00000000,00000000,00460930,C0000000,00000004,00460930,?,?,00000000,000000F1,?), ref: 00406CE6
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406CF5
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406D11
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406D41
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C528,00000000,-0000000A,004098AC,00000000,[Rename]), ref: 00406D98

Part of subcall function 00405FB0: GetFileAttributesW.KERNEL32(00000003,004036BC,004DF0D8,80000000,00000003), ref: 00405FB4
Part of subcall function 00405FB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FD6

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406DAC
GlobalFree.KERNEL32(00000000), ref: 00406DB3
CloseHandle.KERNEL32(?), ref: 00406DBD

Strings

NUL, xrefs: 00406BFF
[Rename], xrefs: 00406D29, 00406D38
0F, xrefs: 00406C49
%s=%s, xrefs: 00406CA4

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: %s=%s$0F$NUL$[Rename]
API String ID: 565278875-2063020953
Opcode ID: e0014d3f174d201f701c5d3f5aee3fb449f0ed8f00eb016f1380403eef9c3722
Instruction ID: 01698a087521ae3c061db779a59327618d621d7377b5f04441123a8e0743360b
Opcode Fuzzy Hash: e0014d3f174d201f701c5d3f5aee3fb449f0ed8f00eb016f1380403eef9c3722
Instruction Fuzzy Hash: B6413732204209BFC2202BA1DD88D6F3AACDF86764B16043EF546F22D1DA3DD819867D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 6CEB14FC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 204windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?), ref: 6CEB1558
GetDlgItem.USER32(?,?), ref: 6CEB156B
GetWindowTextW.USER32(?,?,00000400), ref: 6CEB1693
DrawTextW.USER32(?,?,000000FF,?,00000414), ref: 6CEB16B4
GetWindowLongW.USER32(?,000000EB), ref: 6CEB16FF
SetTextColor.GDI32(?,00FF0000), ref: 6CEB1711
DrawTextW.USER32(?,?,000000FF,00000000,?), ref: 6CEB172B
DrawFocusRect.USER32(?,00000010), ref: 6CEB174C
RemovePropW.USER32(00000000,NSIS: nsControl pointer property), ref: 6CEB1770

Strings

NSIS: nsControl pointer property, xrefs: 6CEB1768

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Text$Draw$Window$ColorFocusItemLongMessagePropRectRemoveSend
String ID: NSIS: nsControl pointer property
API String ID: 2331901045-1714965683
Opcode ID: e5b129a8899fa837c13c8d8bb7e0655ea4a4f962bc19f9191adfe6b9e37971aa
Instruction ID: 4477cc54e3e12478ea19617248d51b1cb60ef4430f94cd64486ee80827543c2d
Opcode Fuzzy Hash: e5b129a8899fa837c13c8d8bb7e0655ea4a4f962bc19f9191adfe6b9e37971aa
Instruction Fuzzy Hash: 0B71DC715002199BDF118F94CF84BBA3BB9FF02328F348569E861B76A5E770D881CB91

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 0a618a7d4b0e64108f75f3258fcb03e0fd23d7f93013cef41cd65d9edaf2d68b
Instruction ID: 57b2aa6120a879797d080cb9b9733de2ac9adc2ca39637b5dc0b79c3231e6313
Opcode Fuzzy Hash: 0a618a7d4b0e64108f75f3258fcb03e0fd23d7f93013cef41cd65d9edaf2d68b
Instruction Fuzzy Hash: BA31C272800115BBCB11AFA8CE45DAF7FB8EF08324F10023AF655B61E1DB794E419B98

Function 00406248 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406435,00000000), ref: 0040625F
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,00406435,00000000), ref: 0040629D
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 004062D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 004062E2
lstrcatW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),004096A8,?,00000000,00000000,?,?,00406435,00000000), ref: 004062FC
lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),?,?,00406435,00000000), ref: 00406303
WriteFile.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00000000,00406435,00000000,?,?,00406435,00000000), ref: 00406318

Strings

File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1), xrefs: 004062F6, 004062FB, 00406302, 00406311

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1)
API String ID: 3734993849-3833766187
Opcode ID: 9fa50d1adb4a17e963d4e637509519975a2aeadd9521b9408314cb2d14ea49f5
Instruction ID: e74be36d315582b52cf8810fbf669e52dd667146d2b91da865e79faa34e4d15c
Opcode Fuzzy Hash: 9fa50d1adb4a17e963d4e637509519975a2aeadd9521b9408314cb2d14ea49f5
Instruction Fuzzy Hash: 1A21C271500240FBD710AFA4DD88DA73728EB41374B25C33AFA26B61E0E7784995CBAD

Function 00403F2A Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403F44
GetSysColor.USER32(00000000), ref: 00403F60
SetTextColor.GDI32(?,00000000), ref: 00403F6C
SetBkMode.GDI32(?,?), ref: 00403F78
GetSysColor.USER32(?), ref: 00403F8B
SetBkColor.GDI32(?,?), ref: 00403F9B
DeleteObject.GDI32(?), ref: 00403FB5
CreateBrushIndirect.GDI32(?), ref: 00403FBF

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: d1251e89d25211f29e22ed1568f44ff950bb01ff11d0b068515cddd17a3a0421
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 26115171904705ABC7219F78DE08B5BBFF8AF01715B05893DE886E22A0D738EA488B54

Function 6F952445 Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,6F952B4A,00000000), ref: 6F952499

Part of subcall function 6F95164F: lstrcpyW.KERNEL32(00000018,00000000,?,6F9511CD,-0000002E,00000000), ref: 6F951674

wsprintfW.USER32 ref: 6F9524E8
GlobalFree.KERNEL32(?), ref: 6F952516
GlobalFree.KERNEL32(00000000), ref: 6F95253F

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: FreeGlobal$FromStringlstrcpywsprintf
String ID:
API String ID: 2435812281-0
Opcode ID: 823c930d612151a78f766b6447548f1a8828d8accf2fd89adf7ef31d03aa968f
Instruction ID: 560acae36e457f2707ccaac3fe4a634f1855311bae93c2096d8cf911c55e0734
Opcode Fuzzy Hash: 823c930d612151a78f766b6447548f1a8828d8accf2fd89adf7ef31d03aa968f
Instruction Fuzzy Hash: D531AD71208605ABEB20DF788D44C66B7BEFF86364B110615FA51D61D0DB32E879DF20

Function 004050D2 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
lstrcatW.KERNEL32(0043B238,00403361,00403361,0043B238,00000000,00000000,00000000), ref: 0040512D
SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 5e5d700da742a3d6d340dab77f0fdb3d38b9a8a0b9685d170e55f73d5ea00312
Instruction ID: 8b6ba25b3567668a3d709078441474e2f94ee86325c17f48cbe0efe0ef4ad692
Opcode Fuzzy Hash: 5e5d700da742a3d6d340dab77f0fdb3d38b9a8a0b9685d170e55f73d5ea00312
Instruction Fuzzy Hash: 2021AF71C00618BECF129FA5DD84A9FBFB5EF48314F10813AF908BA290D7784A509F99

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361,00403361,0043B238,00000000,00000000,00000000), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Part of subcall function 00405D9F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457288,Error launching installer), ref: 00405DC4
Part of subcall function 00405D9F: CloseHandle.KERNEL32(?), ref: 00405DD1

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 404b34b6f9a5d66614f209ce3f2e21ed740509744429fc0c4a3a0e9cd81617b9
Instruction ID: e2ade92b8e8beb45c5288a0de0c91049ee5acc48a81ea59d75a15a872706837f
Opcode Fuzzy Hash: 404b34b6f9a5d66614f209ce3f2e21ed740509744429fc0c4a3a0e9cd81617b9
Instruction Fuzzy Hash: 6E11C232504115EBDB11AFE0DE4AAAE3AA5EF00324B24807FF502B50D1CABC4952DBAD

Function 004032E7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00403302
GetTickCount.KERNEL32 ref: 00403320
wsprintfW.USER32 ref: 0040334E

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361,00403361,0043B238,00000000,00000000,00000000), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

CreateDialogParamW.USER32(0000006F,00000000,00403268,00000000), ref: 00403372
ShowWindow.USER32(00000000,00000005), ref: 00403380

Part of subcall function 0040324C: MulDiv.KERNEL32(0000EE0D,00000064,00011746), ref: 00403261

Strings

... %d%%, xrefs: 00403348

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 96c2a724128113feeb2dba6851438288d590ea99915262e15a0359641590fb8d
Instruction ID: 7cd9398b14f8ade0b0fcf895a8ee56c548843aa05ddcd0bd44aa2535a42f6e46
Opcode Fuzzy Hash: 96c2a724128113feeb2dba6851438288d590ea99915262e15a0359641590fb8d
Instruction Fuzzy Hash: 5C011E30445610EBC721AFA4EE89A9E7E6CEB05706B14413FFE45B11E0CB785A858BAD

Function 004049AE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004049C9
GetMessagePos.USER32 ref: 004049D1
ScreenToClient.USER32(?,?), ref: 004049E9
SendMessageW.USER32(?,00001111,00000000,?), ref: 004049FB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404A21

Strings

f, xrefs: 004049FD

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 27f0785cdc5f68d0066a8e7a1d7e71ccbf55bb55bf6eb3414b3d297d9b41ad7b
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: 81015271A4021CBADB00DB94DD85BEEBBB8AF54711F10412ABA50B61D0D7B45A058BA5

Function 00403268 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403286
wsprintfW.USER32 ref: 004032BA
SetWindowTextW.USER32(?,?), ref: 004032CA
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032DC

Strings

verifying installer: %d%%, xrefs: 004032AF
unpacking data: %d%%, xrefs: 004032A8, 004032B5

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: dee786f0fd9cdd3f8c0fb31302e7a2050583a55b44ce5b4915f07339fad65024
Instruction ID: bfe6641e6ef7cc7b54ecc28104225e3c2b90f8d7ad59e83b9ab1f1d0914f92a4
Opcode Fuzzy Hash: dee786f0fd9cdd3f8c0fb31302e7a2050583a55b44ce5b4915f07339fad65024
Instruction Fuzzy Hash: CAF0317050010DABDF209F61DD4ABAA3B69EB10349F00807EFA46B91D1CBB986598F99

Function 0040450D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447250,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447250,?), ref: 004045AA
wsprintfW.USER32 ref: 004045B7
SetDlgItemTextW.USER32(?,00447250,000000DF), ref: 004045CA

Strings

PrD, xrefs: 00404562
%u.%u%s%s, xrefs: 004045A4

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PrD
API String ID: 3540041739-1882686053
Opcode ID: 737b4354604b69ed49da521882824f7eacafb09e8a5ec505cdcd8fffed629745
Instruction ID: 7880dc7fd7a5c0d30aad69498be6142e37c8297d3eb74307a1111cd8f0787a4b
Opcode Fuzzy Hash: 737b4354604b69ed49da521882824f7eacafb09e8a5ec505cdcd8fffed629745
Instruction Fuzzy Hash: B211BD72B002043BCB10AA799D45E9E725EEBC5374F10423BF619F30E0E6788B268669

Function 00406199 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 004061FC
CharNextW.USER32(?,?,?,00000000), ref: 0040620B
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406210
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406224

Strings

*?|<>/":, xrefs: 004061EB

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 1d09d8738e5602742b586041446eac83eeb7776b51f76f2679a8714e99ae6001
Instruction ID: 45f9d4f3dcf6299a058aa2101cc88fb20adbc263b608899fab4a560a17f1b311
Opcode Fuzzy Hash: 1d09d8738e5602742b586041446eac83eeb7776b51f76f2679a8714e99ae6001
Instruction Fuzzy Hash: 0E11C82580062195CB307B698C4097B76E8AE55790756443FECC6F72C2EB7C9CA1C2AD

Function 6CEB1021 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB1E34: lstrcpynW.KERNEL32(?,?,6CEB1053,?,6CEB1053,?), ref: 6CEB1E62
Part of subcall function 6CEB1E34: GlobalFree.KERNELBASE ref: 6CEB1E72

SHBrowseForFolderW.SHELL32(?), ref: 6CEB10B4

Part of subcall function 6CEB1E83: GlobalAlloc.KERNEL32(00000040,?,?,6CEB1061,error,?,00000104,?,00000400), ref: 6CEB1E99
Part of subcall function 6CEB1E83: lstrcpynW.KERNEL32(00000004,00000104,?,6CEB1061,error,?,00000104,?,00000400), ref: 6CEB1EAF

Strings

error, xrefs: 6CEB1057, 6CEB10C0, 6CEB10E7
E, xrefs: 6CEB10A6

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Globallstrcpyn$AllocBrowseFolderFree
String ID: E$error
API String ID: 1025582028-2359134700
Opcode ID: dcff8f47313ef6cc832419fc907acd8f69dbebdcd4e84f8d18c1920692ba4dc3
Instruction ID: 7acf966266b1db8b8b301f73c3c2a5091e016cf54e3737eab8e4cd6f5a0161c9
Opcode Fuzzy Hash: dcff8f47313ef6cc832419fc907acd8f69dbebdcd4e84f8d18c1920692ba4dc3
Instruction Fuzzy Hash: 2B211A729012199BDB11DFE4DA45AFE77B8AF09329F20415AE904F2640DB34DB488FA5

Function 004020F9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

Strings

MS Shell Dlg, xrefs: 00402149

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID: MS Shell Dlg
API String ID: 1599320355-76309092
Opcode ID: 600f7a39d98bd087a3fa73ce05d1baab7dfc82f361ba09517c53b02978263ded
Instruction ID: b852d753667c04f7f8403c46551348dceb61737b9063f8de5ee225c6b1b91025
Opcode Fuzzy Hash: 600f7a39d98bd087a3fa73ce05d1baab7dfc82f361ba09517c53b02978263ded
Instruction Fuzzy Hash: B6018472A44650EFE701DBB4ED46BDA3FA4A725315F10C43AF541F61E3C678444A8B2D

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b0e9a248c90bc4b219d82b224dbd9c03938a54c8e2e96de430ad7f277ae3d019
Instruction ID: 926a3fd6ba00d5bb97a34cee5b023bebcb5cad9bd68352020a6bff24d96e3699
Opcode Fuzzy Hash: b0e9a248c90bc4b219d82b224dbd9c03938a54c8e2e96de430ad7f277ae3d019
Instruction Fuzzy Hash: C3114972500008FFDF119F90EE85DAA3B7AFB54348F00403AFA06B5170D7759E549A29

Function 6F95194F Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000808,6F9522A8,?,00000808), ref: 6F951967
GlobalAlloc.KERNEL32(00000040,00000000,?,00000808,6F9522A8,?,00000808), ref: 6F95196E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000808,6F9522A8,?,00000808), ref: 6F951982
GetProcAddress.KERNEL32(6F9522A8,00000000), ref: 6F951989
GlobalFree.KERNEL32(00000000), ref: 6F951992

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 741c5c2255eeea481356ab8b2fc802dd06dc9de8519a549a3447fbae579d8253
Instruction ID: f9b2c96d3378c016b695fe3bdbf6488b2e54c0c821fd0ebb3d28d1d3b9834e68
Opcode Fuzzy Hash: 741c5c2255eeea481356ab8b2fc802dd06dc9de8519a549a3447fbae579d8253
Instruction Fuzzy Hash: 4DF0127210A6347BDA2116B78C4DC9BFF9DDF4B2F5B110211F2189119086615C25DAF1

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.KERNEL32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: aaf22d11741691a3bc273f426292239cee4cbca831d097ea8dede634d4dfb8ac
Instruction ID: 374c3c3b6278fb1c2beb817405795feef458ca782ed8724690096ffa3588498b
Opcode Fuzzy Hash: aaf22d11741691a3bc273f426292239cee4cbca831d097ea8dede634d4dfb8ac
Instruction Fuzzy Hash: BA11C472A00111ABDB10BFA5DD4AABE3AA4EB00354F10443FF50AB61D2D6788A50869D

Function 00404A2C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404A62
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404AD0

Part of subcall function 00403F0F: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403F21

Strings

, xrefs: 00404A3A
PrD, xrefs: 00404A94

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $PrD
API String ID: 3748168415-683102269
Opcode ID: ce2b7f03bb1297be540aa9391ce969a8123c951ec3d3b567541a8540a2105a5e
Instruction ID: 796ae977d962bd2fb4eacbf10a92dd87c42d9844f52e2d7c2fef9845d3ca3dba
Opcode Fuzzy Hash: ce2b7f03bb1297be540aa9391ce969a8123c951ec3d3b567541a8540a2105a5e
Instruction Fuzzy Hash: 5C118FB1684208ABDF219F61DC40E9B3668BF84369F00803BFA0579192C37C8D519FAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Part of subcall function 00406436: FindFirstFileW.KERNEL32(004572D0,0045BED8,004572D0,0040692F,004572D0), ref: 00406441
Part of subcall function 00406436: FindClose.KERNEL32(00000000), ref: 0040644D

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 882c708a540b1b6e40822fa95cd5da4fbfff49ab246fdf6d56c9b4995ea32088
Instruction ID: c5bc72853f8421da741d5617367b4824c82a14243d7aff776d7bb0801c040b7d
Opcode Fuzzy Hash: 882c708a540b1b6e40822fa95cd5da4fbfff49ab246fdf6d56c9b4995ea32088
Instruction Fuzzy Hash: 94114F71D00214AACB10BBBA994699FBBBCEF04314F10843FE506F7292E6B985118B59

Function 00406385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004063D9
lstrcatW.KERNEL32(00000000,...,?,?,?,00402991,?,00000100,004130D8,00000000,?,?,004130D8,0000C018), ref: 004063FC

Strings

..., xrefs: 004063F4
%02x%c, xrefs: 004063D1

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: 85df159639746478037a26c2e7b04b1779f54c746bce4477c4c8f2341ae68883
Instruction ID: 49b15afb37c1c3cbf89587828b9fbcb2b479192470e11d1a121134da54663489
Opcode Fuzzy Hash: 85df159639746478037a26c2e7b04b1779f54c746bce4477c4c8f2341ae68883
Instruction Fuzzy Hash: 1201D232510219AFCB01CF58CD85A9EBBB9EB44704F218136F856F3280D6749EA48BA8

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

Show, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$Show$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2407876207
Opcode ID: 76e29fefa2fcb51dbbedf7035b1aedb250ed7f53bb72e54dbf76baee11489292
Instruction ID: 42bd81ef3d59a899a4afa764d38de83c0885f73ff342ba6e601af17a918a1269
Opcode Fuzzy Hash: 76e29fefa2fcb51dbbedf7035b1aedb250ed7f53bb72e54dbf76baee11489292
Instruction Fuzzy Hash: D301FF75D00319BACB107FA58D859AF7978AF09345F10403FF11A761E3D7B84A508BAD

Function 004051A7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004051B7

Part of subcall function 00403F0F: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403F21

OleUninitialize.OLE32(00000404,00000000), ref: 00405205

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

Section: "%s", xrefs: 004051D9
Skipping section: "%s", xrefs: 00405215

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 9faf3df30d8341890c428f77cd47873b5149034e1ce4e1928ca9eebd2d14ad04
Instruction ID: b096c94640e0452ae870d043d7677ea343cceb766e7301fd1a80b39db48c4c93
Opcode Fuzzy Hash: 9faf3df30d8341890c428f77cd47873b5149034e1ce4e1928ca9eebd2d14ad04
Instruction Fuzzy Hash: 54F0D6329047009BE2106754AD02B5777A4DF84714F14003FFE44721E2DAF848418A1D

Function 6F951904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6F951581: GlobalAlloc.KERNEL32(00000040,?,6F9515BA,?,?,6F95185F,?,6F951017), ref: 6F95158B

lstrcpyW.KERNEL32(00000000,error,00000000,6F95287B,00000000), ref: 6F951929
wsprintfW.USER32 ref: 6F951942

Strings

callback%d, xrefs: 6F95193C
error, xrefs: 6F951923

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: AllocGloballstrcpywsprintf
String ID: callback%d$error
API String ID: 2689062267-1307476583
Opcode ID: 9c263bdf6e1f7c93364d5ce8f93764716ea2bee38dc5fd1dbcd5f8fbffd07099
Instruction ID: e299194c8e17fa5ce1e9e87d789b3ecc787d4e5690344645c752c4e203f06571
Opcode Fuzzy Hash: 9c263bdf6e1f7c93364d5ce8f93764716ea2bee38dc5fd1dbcd5f8fbffd07099
Instruction Fuzzy Hash: D2E04F30608610A78621DE38ADA5D8A777A6F4333CB100665F719DA1D1C722D5FA8A86

Function 6CEB14B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB13F8: GetPropW.USER32(?,NSIS: nsControl pointer property), ref: 6CEB1401

LoadCursorW.USER32(00000000,00007F89), ref: 6CEB14CE
SetCursor.USER32(00000000,?,?,?), ref: 6CEB14D5
CallWindowProcW.USER32(?,?,00000020,?,?), ref: 6CEB14F2

Strings

, xrefs: 6CEB14C1

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: Cursor$CallLoadProcPropWindow
String ID:
API String ID: 1635134901-3916222277
Opcode ID: 111cc8c592568a91baf559c8e089258f47f67e6ed2d4d6a023b882c52a608928
Instruction ID: a72ccf35e1e2da35f9bf136470379711b3d2bfd5c62962428269db35b047c230
Opcode Fuzzy Hash: 111cc8c592568a91baf559c8e089258f47f67e6ed2d4d6a023b882c52a608928
Instruction Fuzzy Hash: FCE0653214424ABBCF011FD0CE09AB93B75FF09356F108030F95999550CB71C0209B61

Function 6F951108 Relevance: 6.4, APIs: 5, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F9515A3: lstrcpyW.KERNEL32(00000000,?,?,?,6F95185F,?,6F951017), ref: 6F9515C1
Part of subcall function 6F9515A3: GlobalFree.KERNEL32 ref: 6F9515D2

GlobalAlloc.KERNEL32(00000040,?), ref: 6F95118F
GlobalFree.KERNEL32(00000000), ref: 6F9511D0
GlobalFree.KERNEL32(00000000), ref: 6F9511F0
GlobalFree.KERNEL32(00000000), ref: 6F951204
GlobalFree.KERNEL32(?), ref: 6F95122E

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 82087f7781fe3d296ff3312cd44e44a3a04f5410752ae22d7bcc630598470b4b
Instruction ID: 316d472b779a79e379fd7571b5abf471de0850da898e216005dd7db4de5b653f
Opcode Fuzzy Hash: 82087f7781fe3d296ff3312cd44e44a3a04f5410752ae22d7bcc630598470b4b
Instruction Fuzzy Hash: 1C31C3B28082009FEB60CF7CCC44A6A7BF8FB47264B200556E854D76D0E735E8B49E20

Function 6F95199F Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 6F9515A3: lstrcpyW.KERNEL32(00000000,?,?,?,6F95185F,?,6F951017), ref: 6F9515C1
Part of subcall function 6F9515A3: GlobalFree.KERNEL32 ref: 6F9515D2

GlobalFree.KERNEL32(?), ref: 6F951A04
GlobalFree.KERNEL32(?), ref: 6F951A9C
GlobalFree.KERNEL32(?), ref: 6F951AA1
__alldvrm.LIBCMT ref: 6F951ACB

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: FreeGlobal$__alldvrmlstrcpy
String ID:
API String ID: 1811517867-0
Opcode ID: 30f89d33481757dd4014b647400f95ccd9f521134b74788e087700d2097ea101
Instruction ID: a642c6a6be5a80771a78e6cedf304b59059f2247557daba0f8f8837f28aae8c7
Opcode Fuzzy Hash: 30f89d33481757dd4014b647400f95ccd9f521134b74788e087700d2097ea101
Instruction Fuzzy Hash: 6C512331D04208AB9BA2DFF8C5809ADB7B9EF87354B118257D818971D4E735EFF08A51

Function 6CEB128F Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000400,?,00000400,?,74DEF380), ref: 6CEB129A
CharPrevW.USER32(?,00000000,?,74DEF380), ref: 6CEB12A5
MulDiv.KERNEL32(00000000,00000000,00000064), ref: 6CEB12C6
MapDialogRect.USER32(?,?), ref: 6CEB12EB

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: CharDialogPrevRectlstrlen
String ID:
API String ID: 3411278111-0
Opcode ID: ecceb995367189cd757dc8ca8a1d32b810f02145516abab2c89cfab4c19b6b7b
Instruction ID: 8aa5f0766edfcf5643907a88fbd365f8218049bfc14191b6f9d223836c558895
Opcode Fuzzy Hash: ecceb995367189cd757dc8ca8a1d32b810f02145516abab2c89cfab4c19b6b7b
Instruction Fuzzy Hash: B101C871D00A25DBCB119F99CE44ABEBBFCEF46325B110116F801F3600E730D901CA94

Function 6F952800 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6F951C1B: GlobalFree.KERNEL32(?), ref: 6F951E69
Part of subcall function 6F951C1B: GlobalFree.KERNELBASE(?), ref: 6F951E6E
Part of subcall function 6F951C1B: GlobalFree.KERNEL32(?), ref: 6F951E73

GlobalFree.KERNEL32(00000000), ref: 6F952868

Part of subcall function 6F9515E0: GlobalAlloc.KERNEL32(00000040,?,?,6F9518AA,?), ref: 6F9515F6
Part of subcall function 6F9515E0: lstrcpynW.KERNEL32(00000004,?,?,6F9518AA,?), ref: 6F95160C

Strings

error, xrefs: 6F95283D

Memory Dump Source

Source File: 00000001.00000002.2963785421.000000006F951000.00000020.00000001.01000000.00000007.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000001.00000002.2963768599.000000006F950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963801682.000000006F953000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2963817695.000000006F955000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f950000_setup.jbxd

Similarity

API ID: Global$Free$Alloclstrcpyn
String ID: error
API String ID: 4250884139-1574812785
Opcode ID: 60e10450fc4c4e8d87e150fb883463678494fbb0559c5f7c2db204f1b3cf254d
Instruction ID: 94c860814ed71601deade4170bbe406d724e495d6311dc8494d31e9e68ecb8a4
Opcode Fuzzy Hash: 60e10450fc4c4e8d87e150fb883463678494fbb0559c5f7c2db204f1b3cf254d
Instruction Fuzzy Hash: 2901A17240C700ABD768DFB8D844B4A7BE8AF533B8F10051AE3449A1D1DB70E4B58E62

Function 6CEB142D Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?), ref: 6CEB146D
DestroyWindow.USER32 ref: 6CEB1484
GetProcessHeap.KERNEL32(00000000), ref: 6CEB1491
HeapFree.KERNEL32(00000000), ref: 6CEB1498

Memory Dump Source

Source File: 00000001.00000002.2963579894.000000006CEB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000001.00000002.2963521789.000000006CEB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963612925.000000006CEB3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2963671204.000000006CEB6000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ceb0000_setup.jbxd

Similarity

API ID: HeapWindow$CallDestroyFreeProcProcess
String ID:
API String ID: 1278960361-0
Opcode ID: c3a61fe784675a362b653c08bc999b4187401ea447230f0955d6c2c366213f1b
Instruction ID: cc5dd87b96e1075ada01958642e9d69951d2b1998ce8cbd8738d3a0401b1e1c3
Opcode Fuzzy Hash: c3a61fe784675a362b653c08bc999b4187401ea447230f0955d6c2c366213f1b
Instruction Fuzzy Hash: 3E017C32704209EFCF128F95DE08AB97B79FB4A336B218126FA1A92250C730C415DB99

Function 00407359 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407033: CreateFileW.KERNEL32(00000080,80000000,00000001,00000000,00000003,00000080,00000000,00000000), ref: 00407057

lstrcpynW.KERNEL32(?,?,00000009,00000000), ref: 0040739A
lstrcmpW.KERNEL32(?,Version ), ref: 004073AB
lstrcpynW.KERNEL32(?,?,?), ref: 004073C2

Strings

Version , xrefs: 004073A2

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 5b254390c235843b3cd14036e60a35d0405450d943fe7c22a996b54282ed20ac
Instruction ID: be0c1bc54e1f5d3dac358994bef49e147f417753078ca6f75dbba3536d9e97a2
Opcode Fuzzy Hash: 5b254390c235843b3cd14036e60a35d0405450d943fe7c22a996b54282ed20ac
Instruction Fuzzy Hash: 68F08172A0021CABDB109AA49D46EDA777CEB44700F000076FA00F6180E6B5AE058BA5

Function 004064C6 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 004064D1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004064E7
GetProcAddress.KERNEL32(?,00000000), ref: 004064F6
GlobalFree.KERNEL32(00000000), ref: 004064FF

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: cca72bce24a91bf59807d1cc254d6b8728fe87be69838ce7ea74a844989b610b
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 68E0D8312001107BE2101B269E8CD677EADDFCA7B2B05013EF685F11A0CE308C11D638

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361,00403361,0043B238,00000000,00000000,00000000), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 00406404: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: d319e8e5f0c4e342665e30996792c29846561ab42c4375d59b2148f7763d891f
Instruction ID: 385da8b202b2a045014f9446d3cad8c85c99a9e265c35722db0b8e87639932c1
Opcode Fuzzy Hash: d319e8e5f0c4e342665e30996792c29846561ab42c4375d59b2148f7763d891f
Instruction Fuzzy Hash: C5018FB2B40214B6D72077B69C87F7B2A9CDB41758B20443BF642F60E3E5BD8851927D

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457288,Error launching installer), ref: 00405DC4
CloseHandle.KERNEL32(?), ref: 00405DD1

Strings

Error launching installer, xrefs: 00405DA8

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 2afcd463f825584facbc8802dab800c5bb1591f62b8a6ee26e2c87f99b5cd2cd
Instruction ID: 382474dafc83c3ab62cfa3b3aa405e4b9d7c85dbe04cfe36e17f81e43d348e98
Opcode Fuzzy Hash: 2afcd463f825584facbc8802dab800c5bb1591f62b8a6ee26e2c87f99b5cd2cd
Instruction Fuzzy Hash: 6BE0EC70510309AFEB009B64ED0997B7BBCFB00305F508576BD51E2661D779D9148A68

Function 00406404 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
wvsprintfW.USER32(00000000,?,?), ref: 00406428

Part of subcall function 00406248: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406435,00000000), ref: 0040625F

Strings

File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1), xrefs: 00406406, 0040640B

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: File: skipped: "C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll" (overwriteflag=1)
API String ID: 3509786178-3833766187
Opcode ID: 1d2697fad80eb9d0b70210806a91cde17483bf3f8fbb3d9bc72772a253d3c35e
Instruction ID: 2283ea6708b2d64b9e6789b455a10468216e6ae22039c90fe2b3791cf276606a
Opcode Fuzzy Hash: 1d2697fad80eb9d0b70210806a91cde17483bf3f8fbb3d9bc72772a253d3c35e
Instruction Fuzzy Hash: 3ED05E34060316BACA006BA0DD09A997764FBE0384F50052EF443C2070FA748004C70A

Function 00405F16 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406D34,00000000,[Rename]), ref: 00405F26
lstrcmpiA.KERNEL32(?,?), ref: 00405F3E
CharNextA.USER32(?,?,00000000,00406D34,00000000,[Rename]), ref: 00405F4F
lstrlenA.KERNEL32(?,?,00000000,00406D34,00000000,[Rename]), ref: 00405F58

Memory Dump Source

Source File: 00000001.00000002.2961628258.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2961592171.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961742545.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2961944869.0000000000678000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 1c7a2535a4787e8fd3488feaed5d2e4763c3f1a0d20cb74bb0a69d7059b13449
Instruction ID: 33cf2896678c50374ca0d6f3786bc4b10779684cabbb7c7083e1740f3960db9f
Opcode Fuzzy Hash: 1c7a2535a4787e8fd3488feaed5d2e4763c3f1a0d20cb74bb0a69d7059b13449
Instruction Fuzzy Hash: E5F0C231105944AFCB019FA4CD04D9F7BA8EF5A350B2540AAE840E7210D634DE01DBA4

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsiB2D7.tmp

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\modern-header.bmp

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll

C:\Users\user\Desktop\setup.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Function 013D73A0 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 013E3846 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Function 013D2BEB Relevance: 7.6, APIs: 5, Instructions: 62
threadCOMMON

Function 013E3B3D Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Function 013D2B37 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 013E3AA1 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Function 013E3477 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 013E7EB5 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 013E7B68 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Function 013D7425 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Function 013E38CA Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Function 004039E3 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Function 6CEB188A Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 215
memoryCOMMON

Function 00406DFC Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190
filestringCOMMON

Function 00406966 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 212
stringCOMMON

Function 004055D9 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Function 6D101000 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 216
windowstringCOMMON

Function 00405A8C Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 233
stringregistrylibraryCOMMON