Edit tour

Windows Analysis Report
Setup_v1.29.exe

Overview

General Information

Sample name:	Setup_v1.29.exe
Analysis ID:	1541475
MD5:	e38b4faeaf253cd6652941a56d542487
SHA1:	92611ecf179b54c5763b12ba4b2f582ee6016024
SHA256:	3e3e1c5b65b0141c99f48942ea0090c89524dffe5ae9e24ae783c53500145ec0
Tags:	exeuser-aachum
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Setup_v1.29.exe (PID: 2792 cmdline: "C:\Users\user\Desktop\Setup_v1.29.exe" MD5: E38B4FAEAF253CD6652941A56D542487)

conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 1276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1280 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://95.217.125.57/2f571d994666c8cb.php", "Botnet": "36495972654"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.2543941524.000000000319A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Setup_v1.29.exe PID: 2792	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Setup_v1.29.exe PID: 2792	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 764	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 764	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.aspnet_regiis.exe.3100000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.aspnet_regiis.exe.3100000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.Setup_v1.29.exe.6cfc5000.6.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.Setup_v1.29.exe.6cfc5000.6.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.Setup_v1.29.exe.6cf80000.4.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://95.217.125.57/2f571d994666c8cb.php", "Botnet": "36495972654"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: Setup_v1.29.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Setup_v1.29.exe

Joe Sandbox ML: detected

Source: Setup_v1.29.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Setup_v1.29.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup_v1.29.exe.log

Jump to behavior

Source: Setup_v1.29.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: 0_2_6CFB5DC4 FindFirstFileExW,

0_2_6CFB5DC4

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://95.217.125.57/2f571d994666c8cb.php

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown	DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 200.163.202.172.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa

Source: aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.000000000363C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.000000000363C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/4Q
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net

System Summary

PE file has nameless sections

Source: Setup_v1.29.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF91870 GetModuleHandleW,NtQueryInformationProcess,		0_2_6CF91870
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF95900 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,CreateProcessW,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,		0_2_6CF95900

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF8F7B0	0_2_6CF8F7B0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF91870	0_2_6CF91870
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF95900	0_2_6CF95900
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAE4D0	0_2_6CFAE4D0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9ECB0	0_2_6CF9ECB0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9F4B0	0_2_6CF9F4B0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAA470	0_2_6CFAA470
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA8440	0_2_6CFA8440
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9DC10	0_2_6CF9DC10
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA4400	0_2_6CFA4400
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9CD60	0_2_6CF9CD60
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA1D50	0_2_6CFA1D50
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF90EC0	0_2_6CF90EC0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9BEC0	0_2_6CF9BEC0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA4EB0	0_2_6CFA4EB0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAEEB0	0_2_6CFAEEB0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA2E70	0_2_6CFA2E70
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAAE40	0_2_6CFAAE40
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA0E00	0_2_6CFA0E00
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9B7E0	0_2_6CF9B7E0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA57D0	0_2_6CFA57D0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9E7B0	0_2_6CF9E7B0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA77B0	0_2_6CFA77B0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA7F70	0_2_6CFA7F70
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAB700	0_2_6CFAB700
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAA0D0	0_2_6CFAA0D0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9E070	0_2_6CF9E070
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAD050	0_2_6CFAD050
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAD850	0_2_6CFAD850
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA0040	0_2_6CFA0040
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9C820	0_2_6CF9C820
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA9820	0_2_6CFA9820
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9D800	0_2_6CF9D800
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAD1F0	0_2_6CFAD1F0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA9180	0_2_6CFA9180
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAB150	0_2_6CFAB150
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF8E130	0_2_6CF8E130
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF93130	0_2_6CF93130
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA1AF0	0_2_6CFA1AF0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9D2B0	0_2_6CF9D2B0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFADA70	0_2_6CFADA70
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9EA50	0_2_6CF9EA50
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA3A50	0_2_6CFA3A50
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFBC235	0_2_6CFBC235
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF9FA10	0_2_6CF9FA10
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA33E0	0_2_6CFA33E0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA63D0	0_2_6CFA63D0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF93BA0	0_2_6CF93BA0
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA2B80	0_2_6CFA2B80
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CF86350	0_2_6CF86350
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAC350	0_2_6CFAC350
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAB340	0_2_6CFAB340
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFA8B20	0_2_6CFA8B20

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: String function: 6CFAFF00 appears 34 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1280

Source: Setup_v1.29.exe, 00000000.00000000.2059251717.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUlyssesYvonne.cGdP vs Setup_v1.29.exe
Source: Setup_v1.29.exe, 00000000.00000002.2074903630.000000000164E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Setup_v1.29.exe
Source: Setup_v1.29.exe	Binary or memory string: OriginalFilenameUlyssesYvonne.cGdP vs Setup_v1.29.exe

Source: Setup_v1.29.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Setup_v1.29.exe

Static PE information: Section: w.Aif ZLIB complexity 1.0003296675955413

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/7@2/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_03118680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_03118680

Source: C:\Users\user\Desktop\Setup_v1.29.exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\106ddd24-d855-4c70-8f42-8f94d4e2117d

Jump to behavior

Source: Setup_v1.29.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup_v1.29.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\Setup_v1.29.exe "C:\Users\user\Desktop\Setup_v1.29.exe"
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1280
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Setup_v1.29.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Setup_v1.29.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Unpacked PE file: 0.2.Setup_v1.29.exe.ea0000.0.unpack w.Aif:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: Setup_v1.29.exe	Static PE information: section name: w.Aif
Source: Setup_v1.29.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFBC941 push ecx; ret		0_2_6CFBC954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0311B035 push ecx; ret		3_2_0311B048

Source: Setup_v1.29.exe

Static PE information: section name: w.Aif entropy: 7.999509079649383

Source: C:\Users\user\Desktop\Setup_v1.29.exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Setup_v1.29.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup_v1.29.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Setup_v1.29.exe PID: 2792, type: MEMORYSTR

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 51B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 5830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 6830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 6960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 7CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory allocated: 8CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Setup_v1.29.exe TID: 2472

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: 0_2_6CFB5DC4 FindFirstFileExW,

0_2_6CFB5DC4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_03117ED0 GetSystemInfo,

3_2_03117ED0

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.0000000003652000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.0000000003625000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: 0_2_6CFAFDD7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CFAFDD7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_031045C0 VirtualProtect ?,00000004,00000100,00000000

3_2_031045C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_03119750 mov eax, dword ptr fs:[00000030h]

3_2_03119750

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: 0_2_6CFB74EA GetProcessHeap,

0_2_6CFB74EA

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAFDD7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CFAFDD7
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFB3D1D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CFB3D1D
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Code function: 0_2_6CFAFAD1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CFAFAD1

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: Setup_v1.29.exe PID: 2792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 764, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3100000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3100000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3100000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3101000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 311E000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 312B000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 335C000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_v1.29.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2FB7008	Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: 0_2_6CFAFBF3 cpuid

0_2_6CFAFBF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: GetLocaleInfoA,

3_2_03117B90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe	Queries volume information: C:\Users\user\Desktop\Setup_v1.29.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup_v1.29.exe

Code function: 0_2_6CFAFF9A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CFAFF9A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_03117850 GetUserNameA,

3_2_03117850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_03117A30 GetTimeZoneInformation,

3_2_03117A30

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 3.2.aspnet_regiis.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_regiis.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Setup_v1.29.exe.6cfc5000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Setup_v1.29.exe.6cfc5000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Setup_v1.29.exe.6cf80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2543941524.000000000319A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 3.2.aspnet_regiis.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_regiis.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Setup_v1.29.exe.6cfc5000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Setup_v1.29.exe.6cfc5000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Setup_v1.29.exe.6cf80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2543941524.000000000319A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	43 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup_v1.29.exe	50%	ReversingLabs	Win32.Dropper.Jalapeno
Setup_v1.29.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\msvcp110.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\msvcp110.dll	79%	ReversingLabs	Win32.Trojan.Tedy

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		unknown
200.163.202.172.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://95.217.125.57/	true		unknown
http://95.217.125.57/2f571d994666c8cb.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
http://95.217.125.57/4Q	aspnet_regiis.exe, 00000003.00000002.2544451166.000000000363C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57	aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.217.125.57	unknown	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541475
Start date and time:	2024-10-24 21:44:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup_v1.29.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/7@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 34 Number of non-executed functions: 70
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Setup_v1.29.exe

Simulations

Behavior and APIs

Time	Type	Description
15:45:46	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.217.125.57	L0ad3r.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php
	Loader.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php
	Installer.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php
	AVSicb6epR.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	94.130.253.79
	https://tronlkam8s2.z13.web.core.windows.net	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	http://tronlkam8s2.z13.web.core.windows.net	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	https://8jkfw9cqp7ep.z13.web.core.windows.net/?zpbid=78432_55610c1d-9229-11ef-824f-03718b6de7bb#	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	195.201.57.90
	Payment for outstanding statements.pdf	Get hash	malicious	HTMLPhisher	Browse	144.76.38.184
	o2YUBeMZW6.elf	Get hash	malicious	Mirai	Browse	94.130.241.80
	ai3eCONS9Q.elf	Get hash	malicious	Mirai	Browse	95.217.66.133
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	49.12.72.134
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	95.217.66.190
	https://dca13.z4.web.core.windows.net/werrx01USAHTML/?bcda=1-877-883-8072#	Get hash	malicious	TechSupportScam	Browse	195.201.57.90

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_09f1d501-70d8-4950-b861-5593f5fb2d0e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9591812051537861
Encrypted:	false
SSDEEP:	192:0u4nP18C0BU/4ju0ZrVZSzuiFQZ24IO8CBHw:Z4d8JBU/4jP8zuiFQY4IO8CBH
MD5:	65789678E6A1B7FCEFBDF18F9538244D
SHA1:	95FB53B9BCF16BD3641A053D6BA4AD9A5E59747F
SHA-256:	EF9F0AB714AC446CA6F653A0D51A21F696C9BB522A9DB26D2BB5257B6D82C73E
SHA-512:	B229B32C2573B981611FF2F21C4950030EEC298AB5A8619BECB87CE183B9EE8E4B1A36D9DAC8F64E3007CCDCF385324C05214074AE06D52395ADA7568FE0B3A8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.2.7.2.7.2.1.4.7.2.6.8.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.2.7.2.7.2.2.3.4.7.6.6.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.f.1.d.5.0.1.-.7.0.d.8.-.4.9.5.0.-.b.8.6.1.-.5.5.9.3.f.5.f.b.2.d.0.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.1.8.7.8.2.8.-.5.0.f.6.-.4.6.8.5.-.9.b.b.e.-.6.6.0.8.9.3.2.1.f.8.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.f.c.-.0.0.0.1.-.0.0.1.4.-.9.a.3.f.-.a.d.3.5.4.d.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.5.5.8.f.0.e.8.4.2.c.4.3.e.6.b.3.b.c.0.6.6.9.1.6.b.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3B8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 24 19:45:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	109562
Entropy (8bit):	1.643177281890072
Encrypted:	false
SSDEEP:	384:egY2duSEuT/MTelTQQWenlVS/wRJbM4a/KuuKW:el2duSEuT/MT3iW/uMAT
MD5:	DB141114B3DE9AEF19B1E44ED6C2ED52
SHA1:	38EE4DF98CCA95AA4F477614913FF34F6E54C275
SHA-256:	B9513C20AEFDF613BBDF08829F80ECE61EE236BB48D965F33F4E179A0572C7D6
SHA-512:	96113A70318D1E1E7DEE71F82949EF5400B9A897F4126A14DF6EF3BF29FF410A6E2D40FC93FAE8AAD6AAB9F6DFB2E9B41C9760A80B64461409EFBF328EAC7202
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........g.........................................>..........T.......8...........T........... 1...z..........<...........(...............................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5CD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8318
Entropy (8bit):	3.6912024798533087
Encrypted:	false
SSDEEP:	192:R6l7wVeJtI6u6Ysr69gmfuHyrpr+89bAUsfpjgm:R6lXJS6u6YI69gmfuHyRAHfph
MD5:	673E948DF904198BB13B1CF3074C9BC2
SHA1:	41EB7A9595C97386C60B1D20AE70EF001FFC5A18
SHA-256:	D5F38D5E5943D3BA87D8F35BA86DFB5B6C9556A8F1ECD68CD33ECD12E0B028E3
SHA-512:	B7A19A4A625F858844B1D67FC12E48BA8F5DAE320C7FD249A06D03F7EFAEF66266677E847E0FB8DD4AA3F57707971DF3F130DF4422A58BA76F2DD839D79113BE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE699.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4675
Entropy (8bit):	4.458444297796704
Encrypted:	false
SSDEEP:	48:cvIwWl8zsWJg77aI9rYWpW8VYXmYm8M4JhqeFN+q8b3Q0SaraiMd:uIjfsI7NR7VWPJh5gg0SaraiMd
MD5:	7CCF4BD67A318A0C49D1FE92AEF16298
SHA1:	21052A2BEEC43D4065FB23E1FB6B94DA5D56DBE0
SHA-256:	5543785BC377357CBE931C7709D3FEF760460847C04A329BA0CCB667F5381517
SHA-512:	5F9E150122B61E1FEC30E4567B81F6462057EF15B0AB7651F392C621CA6CE64882A1E6DC2D716AEA1E356DC424E2464D4034E6EE8CFDBB08059CAA9BCD439B08
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup_v1.29.exe.log

Download File

Process:	C:\Users\user\Desktop\Setup_v1.29.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\msvcp110.dll

Download File

Process:	C:\Users\user\Desktop\Setup_v1.29.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601088
Entropy (8bit):	6.928739021633009
Encrypted:	false
SSDEEP:	12288:UVi4BszD+DZslByhHwrZz1vb2MW4hPuH5A5ItioxaNi2iU:aBsG2l06rrCwSig9
MD5:	740C3417929730C4AE20E0165AA94B7C
SHA1:	D03CEBC7B1172149F65B06F15B0FBB11512F5B88
SHA-256:	8E200E4ACA363CC2BE03121815EC03525F1D983F717F67B63241028C59CB0BDE
SHA-512:	4BCCF661986C98635319AE86C394022E9E4BF1A944A759176A69916B33E64EB910BEB027FAA55F66322754715A772D0EC693DDF6C3CB07A611F026F678390E7F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.vkp}.8p}.8p}.8;..9\|}.8;..9.}.8;..9d}.8;..9v}.8W.c8s}.8p}.8.}.8v..9Q}.8v..9`}.8v..9d}.8p}.8q}.8...9q}.8...9q}.8Richp}.8........................PE..L......g...........!...&.....z...............................................p............@.........................@:..x....:..d............................@...!...-...............................-..@...............t............................text...c........................... ..`.rdata...s.......t..................@..@.data........P.......4..............@....reloc...!...@..."..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422377916498679
Encrypted:	false
SSDEEP:	6144:XSvfpi6ceLP/9skLmb0OTbWSPHaJG8nAgeMZMMhA2fX4WABlEnN60uhiTw:CvloTbW+EZMM6DFyU03w
MD5:	FF323492A0A32A8779F28E93B1F9FB7B
SHA1:	22CE6EC24D46FFE8D1F9B2343DCD09C6536839EE
SHA-256:	88CAC232982389308039DA0092DADD2ED5BEEF31991635FE63B7659A44755D38
SHA-512:	1EC9E23A94FA5B5EC65D2B9AD29FFC9CE21F4881A056F9C4AD7B52F9E90EC708A52CCE8FFB9436671A28D17609740FAD3D5DAF986C2065E8423A73B24D72DC5E
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.K.BM&..............................................................................................................................................................................................................................................................................................................................................Y..v........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.892073464210032
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Setup_v1.29.exe
File size:	362'496 bytes
MD5:	e38b4faeaf253cd6652941a56d542487
SHA1:	92611ecf179b54c5763b12ba4b2f582ee6016024
SHA256:	3e3e1c5b65b0141c99f48942ea0090c89524dffe5ae9e24ae783c53500145ec0
SHA512:	56f46256ffbf6418a349130302fee443b392d602110fdc6c5acde8208bac0f2ef146aecd5c531f9403d9e7d4b62c65c8793c1f24aae0bde003a8774fe3a1f899
SSDEEP:	6144:bUMP0Kv6quFmD9dsvV5Efry44cDtAhBtdfvMMgrr7mFE5XlxJm64Fgn4inC:bfP0Kv1imDvAV5ui9hdfEPrrEE5Nm2nK
TLSH:	7174CFAD726072DFC867D472DAA82CA8FB20387A531F4113A05715EDEA5C987DF184F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46000a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671803AA [Tue Oct 22 19:57:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00460000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5281c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x6f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x60000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x52000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
w.Aif	0x2000	0x4e734	0x4e800	50fa1d51810a9a12612ad8076bcd24ce	False	1.0003296675955413	data	7.999509079649383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x52000	0x8eb8	0x9000	9a8fe18e805f6ed310530139b071d384	False	0.3885362413194444	data	4.726387246486074	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x6f8	0x800	e5504b62cff4127ff34ead00cc072871	False	0.392578125	data	3.7582597045507127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	1e37c0bd08615c8250069f61ab34fa51	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x60000	0x10	0x200	2d5d017719c4001c0fe740220e9b96c2	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x46c	data			0.4452296819787986
RT_MANIFEST	0x5c50c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:45:00.398514032 CEST	49704	80	192.168.2.5	95.217.125.57
Oct 24, 2024 21:45:00.404139996 CEST	80	49704	95.217.125.57	192.168.2.5
Oct 24, 2024 21:45:00.404215097 CEST	49704	80	192.168.2.5	95.217.125.57
Oct 24, 2024 21:45:00.404380083 CEST	49704	80	192.168.2.5	95.217.125.57
Oct 24, 2024 21:45:00.410526991 CEST	80	49704	95.217.125.57	192.168.2.5
Oct 24, 2024 21:45:08.962641954 CEST	80	49704	95.217.125.57	192.168.2.5
Oct 24, 2024 21:45:08.962724924 CEST	49704	80	192.168.2.5	95.217.125.57
Oct 24, 2024 21:45:08.963188887 CEST	49704	80	192.168.2.5	95.217.125.57
Oct 24, 2024 21:45:08.968537092 CEST	80	49704	95.217.125.57	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:45:33.325664997 CEST	53	64906	162.159.36.2	192.168.2.5
Oct 24, 2024 21:45:33.950161934 CEST	60845	53	192.168.2.5	1.1.1.1
Oct 24, 2024 21:45:33.958476067 CEST	53	60845	1.1.1.1	192.168.2.5
Oct 24, 2024 21:45:35.843966961 CEST	49289	53	192.168.2.5	1.1.1.1
Oct 24, 2024 21:45:35.853511095 CEST	53	49289	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 21:45:33.950161934 CEST	192.168.2.5	1.1.1.1	0x3ae	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 24, 2024 21:45:35.843966961 CEST	192.168.2.5	1.1.1.1	0x6c4d	Standard query (0)	200.163.202.172.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 21:45:33.958476067 CEST	1.1.1.1	192.168.2.5	0x3ae	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 24, 2024 21:45:35.853511095 CEST	1.1.1.1	192.168.2.5	0x6c4d	Name error (3)	200.163.202.172.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

95.217.125.57

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	95.217.125.57	80	764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:45:00.404380083 CEST	88	OUT	GET / HTTP/1.1 Host: 95.217.125.57 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	15:44:58
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\Setup_v1.29.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup_v1.29.exe"
Imagebase:	0xea0000
File size:	362'496 bytes
MD5 hash:	E38B4FAEAF253CD6652941A56D542487
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:44:58
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:44:59
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x6f0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2543941524.000000000319A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:45:21
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1280
Imagebase:	0x390000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	976
Total number of Limit Nodes:	14

Executed Functions

Function 6CF95900 Relevance: 86.3, APIs: 20, Strings: 26, Instructions: 5770nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CF9A176
ShowWindow.USER32 ref: 6CF9A18C
VirtualAlloc.KERNELBASE ref: 6CF9A309
CreateProcessW.KERNELBASE ref: 6CF9A5A5
NtGetContextThread.NTDLL ref: 6CF9A6AC
NtAllocateVirtualMemory.NTDLL ref: 6CF9A8CC
NtAllocateVirtualMemory.NTDLL ref: 6CF9AA23
NtWriteVirtualMemory.NTDLL ref: 6CF9AAD1
NtWriteVirtualMemory.NTDLL ref: 6CF9AC71
NtCreateThreadEx.NTDLL ref: 6CF9B04E
NtSetContextThread.NTDLL ref: 6CF9B1C9
NtResumeThread.NTDLL ref: 6CF9B1E1
CloseHandle.KERNEL32 ref: 6CF9B20D
VirtualAlloc.KERNEL32 ref: 6CF9B5A1
CreateProcessW.KERNEL32 ref: 6CF9B671
NtGetContextThread.NTDLL ref: 6CF9B699
NtWriteVirtualMemory.NTDLL ref: 6CF9B725
NtWriteVirtualMemory.NTDLL ref: 6CF9B79D

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CF9A40C
V!", xrefs: 6CF9A608
R"P, xrefs: 6CF9A47F
^+F, xrefs: 6CF9AF43
4NWV, xrefs: 6CF9903D
GSS, xrefs: 6CF98EC2
+!eH, xrefs: 6CF99219
D[, xrefs: 6CF99DD3
D, xrefs: 6CF9B5EF
#jx, xrefs: 6CF976C5
ntdll.dll, xrefs: 6CF9A1A6
@, xrefs: 6CF9AA1B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CF9A3DF
>6Q, xrefs: 6CF95920
@Cq, xrefs: 6CF9971D
#jx, xrefs: 6CF9766D
ou0T, xrefs: 6CF99538
^+F, xrefs: 6CF9AEC8
'jb, xrefs: 6CF97547
Zr^X, xrefs: 6CF9AF70
4NWV, xrefs: 6CF98FF4
K@}, xrefs: 6CF97542
ou0T, xrefs: 6CF994D2
@Cq, xrefs: 6CF996A7
kernel32.dll, xrefs: 6CF9A192
K@}, xrefs: 6CF975D6

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: Virtual$Memory$Thread$Write$ContextCreate$AllocAllocateProcessWindow$CloseConsoleHandleResumeShow
String ID: #jx$#jx$'jb$+!eH$4NWV$4NWV$@$@Cq$@Cq$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$D[$GSS$K@}$K@}$R"P$V!"$Zr^X$^+F$^+F$kernel32.dll$ntdll.dll$ou0T$ou0T$>6Q
API String ID: 2165972277-1034515867
Opcode ID: 02f2da9070bf3b23cb80ff8901c844fa622866cdb4a1d92c94c3fd367c06f623
Instruction ID: 0f97b4ed70c4f4a43fb6fc5ce4fc764f0561d0610033e62975bfb5c82849af9a
Opcode Fuzzy Hash: 02f2da9070bf3b23cb80ff8901c844fa622866cdb4a1d92c94c3fd367c06f623
Instruction Fuzzy Hash: D3A33436A44614CFEF14CE7CCD993CA7BF2AB86355F105699D418DBB94C33A8A888F41

Function 6CF8F7B0 Relevance: 32.9, APIs: 14, Strings: 4, Instructions: 1359memoryfileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CF8F7C8
GetModuleHandleA.KERNEL32 ref: 6CF8FDBB
GetModuleFileNameA.KERNEL32 ref: 6CF8FF75
CreateFileA.KERNELBASE ref: 6CF8FFB9
CreateFileMappingA.KERNEL32 ref: 6CF90107
CloseHandle.KERNEL32 ref: 6CF9022C
VirtualProtect.KERNELBASE ref: 6CF909FB
VirtualProtect.KERNEL32 ref: 6CF90E32

Strings

i, xrefs: 6CF9086B
YO>S, xrefs: 6CF9037D
i, xrefs: 6CF9096B
@, xrefs: 6CF90E26

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: File$CreateHandleModuleProtectVirtual$CloseCurrentMappingNameProcess
String ID: i$ i$@$YO>S
API String ID: 3382675095-2381544164
Opcode ID: 2b05203464e846fd63a3311ec0fe625d67506fe08e1e36ebc7eee997f5a08693
Instruction ID: 6afe4cebec5df3a2778f39870beb06a24bf059e29918e96a0a3ca585bb3d032d
Opcode Fuzzy Hash: 2b05203464e846fd63a3311ec0fe625d67506fe08e1e36ebc7eee997f5a08693
Instruction Fuzzy Hash: 6BB2F032A062158FEF18CF6CC9953DEBBF1AF4A310F10819AD458EB755C6758E898F42

Function 6CF91870 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 405
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CF9188E
NtQueryInformationProcess.NTDLL ref: 6CF918FB

Strings

NtQueryInformationProcess, xrefs: 6CF91899
ntdll.dll, xrefs: 6CF91885
uBH^, xrefs: 6CF91C18
p:{L, xrefs: 6CF91DE4
Z)k, xrefs: 6CF91C13

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID: NtQueryInformationProcess$Z)k$ntdll.dll$p:{L$uBH^
API String ID: 2776635927-1553518823
Opcode ID: 620459e1f1d8ad4d4f14930bd6be44247de63a7e9c109f32b99fab55fa4ab1ff
Instruction ID: d44514d76591c2c0237a99d29a421a4d9a8452f1d92ce10cdd9dc30fdb4c1ef3
Opcode Fuzzy Hash: 620459e1f1d8ad4d4f14930bd6be44247de63a7e9c109f32b99fab55fa4ab1ff
Instruction Fuzzy Hash: A3E10336A452058FEF08DFBCC5913CEBBFAAF46354F208129D425E7B54C63AD94A8B41

Function 6CFAF8C8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CFAF90F
___scrt_uninitialize_crt.LIBCMT ref: 6CFAF929

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: df09fe234e42a3971a6e36264e626ea210ef5c5f8eff8f5a0023555861ef27ae
Instruction ID: cae993bb429e09dc916befa03a99ae8d15f6894633be82aced5ed232108bb3a8
Opcode Fuzzy Hash: df09fe234e42a3971a6e36264e626ea210ef5c5f8eff8f5a0023555861ef27ae
Instruction Fuzzy Hash: D941E272E01214EFDBA18FE9CC41BDEBAB4EF45BA8F114119E8146FA50D77049079BA0

Function 6CFAF978 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CFAF9B5
dllmain_crt_dispatch.LIBCMT ref: 6CFAF9CC
dllmain_raw.LIBCMT ref: 6CFAFA14
dllmain_crt_dispatch.LIBCMT ref: 6CFAFA27
dllmain_raw.LIBCMT ref: 6CFAFA3A

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: c68349687f8d83fb2d125a57d45bfa15f7067214bfc320533343faf40f97c13e
Instruction ID: bf3029db8a7c8f9e0ba4394b48ef5a22ca32c3adaebf33f9618c5bda28bc53b5
Opcode Fuzzy Hash: c68349687f8d83fb2d125a57d45bfa15f7067214bfc320533343faf40f97c13e
Instruction Fuzzy Hash: AC216B72E01219EEDBA58E99CC40BEFBA79EB85B98F114115F8146EA10D3308D039BE0

Function 6CFB6FBE Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CFB6FC6

Part of subcall function 6CFB6F18: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CFB90BF,?,00000000,-00000008), ref: 6CFB6F79

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CFB6FFE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CFB701E

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 958f70fc8d6652e3dde188284a0dc305a5c5137616a985ce52c5111a28a81ed0
Instruction ID: 10b8c2cd6a6ff4e74fe7a36ddc1e731d3ecdecedd25a6c0fadfdae2bb3ceb333
Opcode Fuzzy Hash: 958f70fc8d6652e3dde188284a0dc305a5c5137616a985ce52c5111a28a81ed0
Instruction Fuzzy Hash: E911EDE2A156097EAB1617778CC9CAF7A6CEF866D87040026F401F1640FB34DE0582B1

Function 6CFAF7C1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CFAF80E

Part of subcall function 6CFB0032: InitializeSListHead.KERNEL32(6D0128F8,6CFAF818,6CFC3430,00000010,6CFAF7A9,?,?,?,6CFAF9D1,?,00000001,?,?,00000001,?,6CFC3478), ref: 6CFB0037

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CFAF878

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: bf4e8d0ba2fbdde64514db122d9262bd445b5682c64b187992ac84c4055e503f
Instruction ID: 628794ed0a2d772984373e1be495ff0294169a72a76e8e530413d0c1b1049a45
Opcode Fuzzy Hash: bf4e8d0ba2fbdde64514db122d9262bd445b5682c64b187992ac84c4055e503f
Instruction Fuzzy Hash: EC210F7264A341DEEB99ABF589027DDB7609F023ADF200919C4A43FEC1CB72054AC766

Function 6CFB75BB Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CFB7607
GetFileType.KERNELBASE(00000000), ref: 6CFB7619

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 096a357b4be58dd7035699c34f8a19af7e8a360e22d6cf5f02c4e3eda41a4062
Instruction ID: f70562b359938bcaf24b521585b5137b1aca93141f069e0b3949fe5507a8c1c8
Opcode Fuzzy Hash: 096a357b4be58dd7035699c34f8a19af7e8a360e22d6cf5f02c4e3eda41a4062
Instruction Fuzzy Hash: 0811D33260875246DB304E3F8CC8713BAB6A747238B35071FD0B6A6DE1C330E486E665

Function 6CFB7EE7 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,6CFB68C3,?,?,6CFB68C3,00000220,?,00000000,?), ref: 6CFB7F19

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6928d9080850ac986b3960da83bf712c0e168d0c4497cb6efb9411eb88c9cfb7
Instruction ID: 05d5aee9a0962ef84f3612ee206e2774d6e93e3579ba2e66b67366387bd07429
Opcode Fuzzy Hash: 6928d9080850ac986b3960da83bf712c0e168d0c4497cb6efb9411eb88c9cfb7
Instruction Fuzzy Hash: 63E0653264521557EA11277B8C057877A5C9F423B4F214163BC54B6D94DB30D800C2F9

Non-executed Functions

Function 6CF8E130 Relevance: 18.7, Strings: 14, Instructions: 1172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zcqfqqnntuelfghyrwojvxbgpqreqdylyo, xrefs: 6CF8E3FA
9@, xrefs: 6CF8F05B
@G@, xrefs: 6CF8EECD
xqzcuglyapbnihbg, xrefs: 6CF8ED0F, 6CF8F4EC
`;@, xrefs: 6CF8F38A
xwajvyrnfulohgozenarroarrrowosfjvvivgplvhffoebidlqgaylskvyikefsepfszjvrqmyx, xrefs: 6CF8ED43, 6CF8F520
wqaiosmifyaaqakduqebfudtlrjisxhkvthfguphpuqqgyqacuy, xrefs: 6CF8ECF5, 6CF8F4D2
c@, xrefs: 6CF8F23E
uxsscjlytmxqvoswtotwbefomblgynufjcrvtasgkoaeqwigkbz, xrefs: 6CF8E42B
zpgoamdtvdksltzhcsdeahaetomglmbhuhlbpgijwoxywmwzqhbktexvwycbqwyswoqvzuzibkpvhdlbhhnv, xrefs: 6CF8ED29, 6CF8F506
cuhodurk, xrefs: 6CF8E414
@, xrefs: 6CF8F48A
bhhzeys, xrefs: 6CF8E905, 6CF8F1C7
eykgeeloljfhiuotxnrinwdtzdupdsnabbqeqstrehlgssbidqqzqlyv, xrefs: 6CF8ED5D, 6CF8F53A

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: @G@$`;@$bhhzeys$cuhodurk$eykgeeloljfhiuotxnrinwdtzdupdsnabbqeqstrehlgssbidqqzqlyv$uxsscjlytmxqvoswtotwbefomblgynufjcrvtasgkoaeqwigkbz$wqaiosmifyaaqakduqebfudtlrjisxhkvthfguphpuqqgyqacuy$xqzcuglyapbnihbg$xwajvyrnfulohgozenarroarrrowosfjvvivgplvhffoebidlqgaylskvyikefsepfszjvrqmyx$zcqfqqnntuelfghyrwojvxbgpqreqdylyo$zpgoamdtvdksltzhcsdeahaetomglmbhuhlbpgijwoxywmwzqhbktexvwycbqwyswoqvzuzibkpvhdlbhhnv$9@$c@$@
API String ID: 0-796465288
Opcode ID: 57f3f00ff9deeaef95640a15d97ce2af029b2016051e3268afab1007c62dd03b
Instruction ID: 894646637c877a7fbe8935ccf7e8cac79512d9a332735fbb487b346d243bb06e
Opcode Fuzzy Hash: 57f3f00ff9deeaef95640a15d97ce2af029b2016051e3268afab1007c62dd03b
Instruction Fuzzy Hash: CEC21CB0A112548FEB14EF28C996B9A7BF0AF45304F0281D8D4099F765DB759D88CF92

Function 6CF93BA0 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Game Over!, xrefs: 6CF941BE, 6CF942DD
);0}, xrefs: 6CF93BBE

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: );0}$Game Over!
API String ID: 0-1869261878
Opcode ID: 8fffa93c51ff5cdb7f00fa964f8bac69d593606855c2b54d755abca90c226267
Instruction ID: b2049b501ee122c8f9bd66a485681edb2670122dd2c9d2160142f98803d30906
Opcode Fuzzy Hash: 8fffa93c51ff5cdb7f00fa964f8bac69d593606855c2b54d755abca90c226267
Instruction Fuzzy Hash: 4A02FF76A042058FEF08CFBCD5D57DEBBF2AB5A308F208519E42597BA4C73599099F01

Function 6CFAFDD7 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CFAFDE3
IsDebuggerPresent.KERNEL32 ref: 6CFAFEAF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CFAFEC8
UnhandledExceptionFilter.KERNEL32(?), ref: 6CFAFED2

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e8a67b6c9a1cfb0315083f154cf3e7bc3968ba3edd65ee902018723d8cc2802e
Instruction ID: adb6858638557f0348e5b3643b9e2c148a75988c725b5cf212d9f97dfb818c5c
Opcode Fuzzy Hash: e8a67b6c9a1cfb0315083f154cf3e7bc3968ba3edd65ee902018723d8cc2802e
Instruction Fuzzy Hash: CC3128B5D05218DBDF61DFA4D9897CDBBB8BF08304F1041AAE40DAB240EBB09A85CF45

Function 6CFA0E00 Relevance: 5.8, Strings: 4, Instructions: 831COMMON

Download Yara Rule

Strings

|ym, xrefs: 6CFA14A9
a5, xrefs: 6CFA1259
a5, xrefs: 6CFA11BA
|ym, xrefs: 6CFA1587

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: a5$a5$|ym$|ym
API String ID: 0-2035916800
Opcode ID: ac0b6b4903e0f3c9bae346a417e6af6f6f035f52b93589bdc39280b4fda1e69e
Instruction ID: 9c1e8f3a3ed15a5b93ac8e9b2c59fc3a10d7bd7be1d6b1c9719a8b629196effc
Opcode Fuzzy Hash: ac0b6b4903e0f3c9bae346a417e6af6f6f035f52b93589bdc39280b4fda1e69e
Instruction Fuzzy Hash: 97628AB6A04244CFCB04CFECD9956DEBBF1AF4A314F118129E816EB764D635E90ACB11

Function 6CFA4EB0 Relevance: 5.6, Strings: 4, Instructions: 627COMMON

Download Yara Rule

Strings

Ft5, xrefs: 6CFA5755
LSfl, xrefs: 6CFA5511
Ft5, xrefs: 6CFA5499
Z}S-, xrefs: 6CFA5325

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: Ft5$Ft5$LSfl$Z}S-
API String ID: 0-2061360852
Opcode ID: 3a19732ae954280a8757bc5082dbe54715d27852f355da0f834127bf76cb80cf
Instruction ID: 58ea9f29a8279e71848cc658a20252ee2f745205221ef2b19ff292285e8b2ada
Opcode Fuzzy Hash: 3a19732ae954280a8757bc5082dbe54715d27852f355da0f834127bf76cb80cf
Instruction Fuzzy Hash: 2E22E476A14605CFCF04CEFCD9D53DEBBF2AB4B364F208619E422E7B94C62599068B01

Function 6CFB3D1D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CFB3E15
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CFB3E1F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CFB3E2C

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 88dbdece7557483a9a6a9437b381f6ff9ca78d5d02cb8636bbfb4b27fb3a7c33
Instruction ID: 1fce79840886cbd14e92c6df65abbf7373ce8dd6bb963ffa38b93ebade747e16
Opcode Fuzzy Hash: 88dbdece7557483a9a6a9437b381f6ff9ca78d5d02cb8636bbfb4b27fb3a7c33
Instruction Fuzzy Hash: 2031E6B494121DABCB61DF65D8887CDBBB8BF08314F5041DAE41CA7250EB709B89CF45

Function 6CF93130 Relevance: 4.5, Strings: 3, Instructions: 752COMMON

Download Yara Rule

Strings

w}, xrefs: 6CF93599
S, xrefs: 6CF937B6
S, xrefs: 6CF93B46

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: w}$S$S
API String ID: 0-117279510
Opcode ID: 713498fbba12c643f80b347aba861b4dc8c77fc3a8d9eab5de66291528ede333
Instruction ID: 6b6ea1c0e1dca5f07832f3eb3bdacaa9662434ba0b807422d4e5e1edcb1aed5f
Opcode Fuzzy Hash: 713498fbba12c643f80b347aba861b4dc8c77fc3a8d9eab5de66291528ede333
Instruction Fuzzy Hash: CB42DD76E442048FDF04CFACC5957DEBBF2AB4A314F209519D829EBB94D636990ACF01

Function 6CFAC350 Relevance: 4.3, Strings: 3, Instructions: 562COMMON

Download Yara Rule

Strings

QU|, xrefs: 6CFAC967
Y.`G, xrefs: 6CFAC638
QU|, xrefs: 6CFACA7D

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: QU|$QU|$Y.`G
API String ID: 0-3762515504
Opcode ID: f28fc7ed0f2a901e6cb4f9f3c0b367680275b5d00f72e37c72f858b628d33ace
Instruction ID: 213adeadc379b7e045bd309a8504b38ee6b2de7845a10c3ba299d07c04b64c4d
Opcode Fuzzy Hash: f28fc7ed0f2a901e6cb4f9f3c0b367680275b5d00f72e37c72f858b628d33ace
Instruction Fuzzy Hash: 02226976E04245CFCB08DFECC5A1ADEBBF6EB4A354F204119E815EB764C636A806CB45

Function 6CFA77B0 Relevance: 3.2, APIs: 2, Instructions: 217COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 6CFA78EF

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: d04d7cd86f95a710087b6384f5da4281edcc00731a8cde8655f7f2d05197b483
Instruction ID: 92d2389f874f0b153ac887b996307dd0fd4c3baabe7b7f3e90e87a307289af2c
Opcode Fuzzy Hash: d04d7cd86f95a710087b6384f5da4281edcc00731a8cde8655f7f2d05197b483
Instruction Fuzzy Hash: 2861F977A415018FDF08CEFCC5A67DF7BF69747361F20921AC921DBBA8C226850A8750

Function 6CFA4400 Relevance: 3.2, Strings: 2, Instructions: 694COMMON

Download Yara Rule

Strings

?=+, xrefs: 6CFA4B93
?=+, xrefs: 6CFA4B1A

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: ?=+$?=+
API String ID: 0-1499103835
Opcode ID: 335a8da96aa86d89b54891ba8c05845c4943fce2584fa371249d8e9ecdd1749a
Instruction ID: 67101196ea50b7bb240a7ebdf4f762464e4ca854bbed3b05e4c0a91872002eab
Opcode Fuzzy Hash: 335a8da96aa86d89b54891ba8c05845c4943fce2584fa371249d8e9ecdd1749a
Instruction Fuzzy Hash: 2232E137A54105DFCF04CEFCE9C57CEBBF2AB46355F20A215A821DBB54DB29890A8B04

Function 6CFA9820 Relevance: 3.1, Strings: 2, Instructions: 637COMMON

Download Yara Rule

Strings

n}), xrefs: 6CFAA077
n}), xrefs: 6CFA9CDC

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: n})$n})
API String ID: 0-2079505196
Opcode ID: 56ca91840024780233499f339759aeaa71fd282bb103824ee1516a6a172d5dfb
Instruction ID: 23f1a3b843e3034a2c4cec0408000b4f7702a3a13434cdfdda2c2dab4dc11d43
Opcode Fuzzy Hash: 56ca91840024780233499f339759aeaa71fd282bb103824ee1516a6a172d5dfb
Instruction Fuzzy Hash: 9922B076A45205CFCF08CEECC9917DEBBF2EB4A314F109529D815DBB94C6369A0ACB01

Function 6CF86350 Relevance: 3.1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

Strings

ypnhmsjacpencdisyeandsmakfxhgphvnqjparg, xrefs: 6CF86711
xzwgxrqwpaeddmh, xrefs: 6CF86911, 6CF86B75

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: xzwgxrqwpaeddmh$ypnhmsjacpencdisyeandsmakfxhgphvnqjparg
API String ID: 0-3231256247
Opcode ID: efe11c7d61149e7b84754b229ef829089fd642f6e83c6abf49b216befda9819e
Instruction ID: 55bffb2034b795a8e4a520bdc71f5fcd0884df5c100fc90239ca3e4a987417d4
Opcode Fuzzy Hash: efe11c7d61149e7b84754b229ef829089fd642f6e83c6abf49b216befda9819e
Instruction Fuzzy Hash: C622C372625B008FCB24CE3CC99579B7BF1BB4A724B105B1DE4A6CBF94D725E8098B41

Function 6CFAB340 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

], xrefs: 6CFAB62C
(3+Z, xrefs: 6CFAB52E

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: (3+Z$]
API String ID: 0-1318497048
Opcode ID: deace9399844f22f1f035f279f480db608a20fb8f70f0c26c26f31829ec1093c
Instruction ID: 8762435a4473f9de162db63546863ac885c0647c32cc99e69aa2581ac2076ade
Opcode Fuzzy Hash: deace9399844f22f1f035f279f480db608a20fb8f70f0c26c26f31829ec1093c
Instruction Fuzzy Hash: 3691F5B6A442098FCF08DEFCC4A53EFBBF2AB4A324F105519D811DB795C63A590A8B51

Function 6CFA63D0 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

GsNd, xrefs: 6CFA6572
GsNd, xrefs: 6CFA6510

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: GsNd$GsNd
API String ID: 0-3110361080
Opcode ID: a39b891d601df62d38a94dd27f7e7d0ce1021530736e1c41d9cca4dd93a8aef3
Instruction ID: 8fe387a905411c630cbe77fbc1501d7d9d58558c93293c2213533f5efa4112bd
Opcode Fuzzy Hash: a39b891d601df62d38a94dd27f7e7d0ce1021530736e1c41d9cca4dd93a8aef3
Instruction Fuzzy Hash: 709180B6A54205CFCB04CFBCC9917DEBBF2EB4A364F105219E921EBB94C735590A8B11

Function 6CF9C820 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

rAB#, xrefs: 6CF9C9DC
rAB#, xrefs: 6CF9C95D

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: rAB#$rAB#
API String ID: 0-1807774871
Opcode ID: 48bd649f575a7063960d5e8054ecb3561da8876df10f665ada4297675e20eaad
Instruction ID: fb8a1f3ec770051701c4c62a4a4fb736cc99c7e56960ae20eac64952b6f4366a
Opcode Fuzzy Hash: 48bd649f575a7063960d5e8054ecb3561da8876df10f665ada4297675e20eaad
Instruction Fuzzy Hash: AF713576A441068FEF04DE7CC9E63EF7BF2EB57360F201219D9219BB94C62A4509EB50

Function 6CFA0040 Relevance: 2.0, Strings: 1, Instructions: 743COMMON

Download Yara Rule

Strings

Af, xrefs: 6CFA09AA

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: Af
API String ID: 0-370506303
Opcode ID: aa452d961d1c950397f13cbda1b92bfcbe6878c6608fb05c663498fbc2b7fd60
Instruction ID: 83031ea4fd1c2a6f84351f11a298dd1b0db1f3c23b1a51a6efe07cb4caacffd9
Opcode Fuzzy Hash: aa452d961d1c950397f13cbda1b92bfcbe6878c6608fb05c663498fbc2b7fd60
Instruction Fuzzy Hash: 2A42C172A45244CFCB08CEFCE9D53DEBBF2AB4A354F248116E412DB764C676994B8B00

Function 6CF90EC0 Relevance: 1.9, Strings: 1, Instructions: 676COMMON

Download Yara Rule

Strings

Bp0, xrefs: 6CF917B1

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: Bp0
API String ID: 0-3634831391
Opcode ID: 6b622a0c88f5ba46ffadb53ea9ffb78fa172335ceb95a86a4c86e13e83cbc479
Instruction ID: 69be9df47b69ae76f6efdcf5628594d818e560e9f69777132ccff4371788ca3b
Opcode Fuzzy Hash: 6b622a0c88f5ba46ffadb53ea9ffb78fa172335ceb95a86a4c86e13e83cbc479
Instruction Fuzzy Hash: 27329E76E442058FEF04CEACC5957CEBBF9EB4A354F208529D829EBB54C236D946CB01

Function 6CF9BEC0 Relevance: 1.9, Strings: 1, Instructions: 660COMMON

Download Yara Rule

Strings

V?Xt, xrefs: 6CF9C53E

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: V?Xt
API String ID: 0-3307163574
Opcode ID: 6c8cf3a8937a94e7e6596f25bb2d6623c8ac89c155b8b1214b89b3bd4b2b9bf0
Instruction ID: 9b819a15b24754f6750d794ee9b40c781342116e7133100d355904ad93a3e97c
Opcode Fuzzy Hash: 6c8cf3a8937a94e7e6596f25bb2d6623c8ac89c155b8b1214b89b3bd4b2b9bf0
Instruction Fuzzy Hash: 0432DD76E542058FEF08DEBCD9953DE7BF2AB4A394F108115E421EBBA4C73688098F45

Function 6CFAB700 Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

%@So, xrefs: 6CFAB726

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: %@So
API String ID: 0-2326364046
Opcode ID: e7888ff9c0f02e3a8de56271d423ac28d2fc0b3c3a637c3d7311dd4293aa8308
Instruction ID: cc28531790e9bb9828835310428c72e624c6e9a50893fb6f9b3fdd5748978d5a
Opcode Fuzzy Hash: e7888ff9c0f02e3a8de56271d423ac28d2fc0b3c3a637c3d7311dd4293aa8308
Instruction Fuzzy Hash: 4B128B76E44119CFCB04CEFCC9D97DEBBF2AB46315F10591AD924EBB94C626880A8F41

Function 6CFBC235 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CFBC230,?,?,00000008,?,?,6CFBBE33,00000000), ref: 6CFBC462

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1a019de1c92005a4d0cb8d34e45a16711dc6136835ca3694435de8bdc4bf9803
Instruction ID: 4c34b5456c9be2fc16d72acc0c974458b745307b283853aef289b300294bcfd8
Opcode Fuzzy Hash: 1a019de1c92005a4d0cb8d34e45a16711dc6136835ca3694435de8bdc4bf9803
Instruction Fuzzy Hash: 34B16E32210608DFD705DF29C486B667BE0FF45368F658698E8E9DF6A1C335EA81CB40

Function 6CF9B7E0 Relevance: 1.7, Strings: 1, Instructions: 481COMMONLIBRARYCODE

Download Yara Rule

Strings

.0J, xrefs: 6CF9BD6A

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: .0J
API String ID: 0-2917085153
Opcode ID: f135dbd5d936372aa6b309a85ecd8d77804621b0d47a6473056a6d211e14b36e
Instruction ID: 27b3787807e17a9b9bb1aaf2a9614620547a5d8f676995cdeb2a14503e6c728a
Opcode Fuzzy Hash: f135dbd5d936372aa6b309a85ecd8d77804621b0d47a6473056a6d211e14b36e
Instruction Fuzzy Hash: E1F14672A541198FEF14CEBCC995BDFB7F2BB4A324F104A19D420EBB94C33A88058B55

Function 6CFA3A50 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

+?E, xrefs: 6CFA3E0F

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: +?E
API String ID: 0-2698160372
Opcode ID: 7eb2c8a7bc429087b268852fa9fff28941c90184dc2894b99856f05f5a93c5e9
Instruction ID: 195ec30163ca7cc25c169dbdd2d28a84196f6a8558400ea32b0eb50a7808b837
Opcode Fuzzy Hash: 7eb2c8a7bc429087b268852fa9fff28941c90184dc2894b99856f05f5a93c5e9
Instruction Fuzzy Hash: 13F16876E45209CFCB04CEEDC9956CEFBF6EB4A314F10911AE429EB644D635980B8F06

Function 6CFAFBF3 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CFAFC09

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3bce202359a7a6525f768ace3f755e3dd7a3e95d511531af6586b378b8f4d7cb
Instruction ID: 76332740d82fdbe31e6eaeb7dc240b9607e40842b5ebf6b8c1792db58a3f77fe
Opcode Fuzzy Hash: 3bce202359a7a6525f768ace3f755e3dd7a3e95d511531af6586b378b8f4d7cb
Instruction Fuzzy Hash: 9B517CB1A01216CFEB59CFA6C88279EBBF4FB45354F24842AD425EB740D3749942CF90

Function 6CFB5DC4 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c27a2e880902e01699e11b8ffc3749caca2849f8f51eb3354344420469a9353
Instruction ID: 3022d67cc8373c0838cd3cf833408d9db351ba35a6c271636d6020bafca2d28a
Opcode Fuzzy Hash: 2c27a2e880902e01699e11b8ffc3749caca2849f8f51eb3354344420469a9353
Instruction Fuzzy Hash: 154194B5809219AFDB14DF6ACC88AEABBB9AF45304F1442DDE41DE3640DB349E448F50

Function 6CFA33E0 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

~j[, xrefs: 6CFA3436

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: ~j[
API String ID: 0-3243419074
Opcode ID: d0d9bf9493ea963fbd18d1fcf4ce7543b82babe1e47a9037f6f5b7048315eb0e
Instruction ID: 112f38c93afe30c6dccbc466a30eb3b65563585dd0d771af2f635a7fdcda2075
Opcode Fuzzy Hash: d0d9bf9493ea963fbd18d1fcf4ce7543b82babe1e47a9037f6f5b7048315eb0e
Instruction Fuzzy Hash: 89A1C1B6A45245DFCB04CEECC5917DEFBF2AB4A364F204119E821ABB50C639DD0A8B50

Function 6CFA9180 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

QS|q, xrefs: 6CFA9452

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: QS|q
API String ID: 0-2559004770
Opcode ID: 151fc473691155fe5ab7ea6b176427b3525d6d99ed3a9ca61b226f7825dc7860
Instruction ID: 93ff85f7fd590848bbcd39f522aa8aa7edd6dc615f376cec879b95a95072f9f2
Opcode Fuzzy Hash: 151fc473691155fe5ab7ea6b176427b3525d6d99ed3a9ca61b226f7825dc7860
Instruction Fuzzy Hash: 1581E476A50215CFCF04CFBCC8A57DFB7F6AB4A324F219529DD11AB780C62B59068B50

Function 6CFAD1F0 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

FP, xrefs: 6CFAD43B

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: FP
API String ID: 0-1202436026
Opcode ID: 2bd0c2487f7adeceab5a750b23553d063d96b6128dadaa099cf7c511969d8a83
Instruction ID: c03c1304dc3a6aae6a5cdb08b18da98fff4826ae1bebb1b7bda3366bcbe0fb24
Opcode Fuzzy Hash: 2bd0c2487f7adeceab5a750b23553d063d96b6128dadaa099cf7c511969d8a83
Instruction Fuzzy Hash: 9E81D476A40515CFCF04CEFCC4953DEBBF1AB4A324F245219D821EB794D729990ACB61

Function 6CFA57D0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

yVu:, xrefs: 6CFA5A4A

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: yVu:
API String ID: 0-3406181897
Opcode ID: 10b4308e83856f419e5a09c4a60c8c772c67758eec4f15737af125652f5b55f6
Instruction ID: 787464a298a7dc45145847246af6aba01c4b4a0d00aa2535d9b339ac47f57816
Opcode Fuzzy Hash: 10b4308e83856f419e5a09c4a60c8c772c67758eec4f15737af125652f5b55f6
Instruction Fuzzy Hash: 0871E172A45609CFDF08CEFCC9C13DFB7F2AB4A354F204115D821EB754C62A9A0A8B91

Function 6CFAE4D0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

6tg, xrefs: 6CFAE67F

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: 6tg
API String ID: 0-3648482971
Opcode ID: 034e90d034b5d1cee26816ff4bf7f61f10264996d3acba5d11fe9c4bea676a33
Instruction ID: e635a19206427a2b934cf3b33bac2edd5c2fa38fe22bd15e46f3f66f6ccede2f
Opcode Fuzzy Hash: 034e90d034b5d1cee26816ff4bf7f61f10264996d3acba5d11fe9c4bea676a33
Instruction Fuzzy Hash: 1D51E2B2A54109CFDF04CFECD4A57EFBBF2AB1A314F105419D424EB790D636990A8BA1

Function 6CFA1D50 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

78, xrefs: 6CFA1D62

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: 78
API String ID: 0-629063390
Opcode ID: 995bf0e824b1052784073ab3adc18f280585de8e6195c8dc3413d8d4c3ed2af2
Instruction ID: 5afd08ccae3ec6a10a8a15893e4dd0516583bae234e2ca4e06295304647c2beb
Opcode Fuzzy Hash: 995bf0e824b1052784073ab3adc18f280585de8e6195c8dc3413d8d4c3ed2af2
Instruction Fuzzy Hash: CB41F272A45606CFCF04CEBCC5953EFBBE5AB06324F218619C534ABAD4C23A950A8B41

Function 6CFB74EA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CFB74EA

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 555a100d2525182a6cf2bb926061bdcc39f68a3d370f1f7897a46ef39237bb49
Instruction ID: 4b9ae706ebddc49e62f6a5945b37ab71d0cd2acc7395ec4bf9f0676d84f719ae
Opcode Fuzzy Hash: 555a100d2525182a6cf2bb926061bdcc39f68a3d370f1f7897a46ef39237bb49
Instruction Fuzzy Hash: FDA01130F022028BABA08F328A0A3083AF8AA0B280302802AA008C0000EB2080008F02

Function 6CFAA470 Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0849e343beb0746c405b3090b2671b417585e36cf2527bde802f823b51fbb0f9
Instruction ID: d42b4acf57a153463f421b51999ac4c22b558125d9449c05b1d8fc9321de5aa3
Opcode Fuzzy Hash: 0849e343beb0746c405b3090b2671b417585e36cf2527bde802f823b51fbb0f9
Instruction Fuzzy Hash: EB42687AA44215CFCF04CFACC5956DEBBF2AB49310F209229E815EB759D735990ACF01

Function 6CFA8B20 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8550e7bbd96c3f0844874fc5b16117a37db5f8e969b8d5da04577554dc1beeb
Instruction ID: a1647083ecd8ebf4d3cd04083e4e84711173e66fa84ecd91fed3d27bb9f787a6
Opcode Fuzzy Hash: b8550e7bbd96c3f0844874fc5b16117a37db5f8e969b8d5da04577554dc1beeb
Instruction Fuzzy Hash: 90F17F76B01204DFCB04CFACD9946DEBBF6EB8A314F20812AE515DB764C736A906CB50

Function 6CFA7F70 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8625ac49c1d67e6a9b344e77385f7cdaa0e9a43740382500ef75a85b703741
Instruction ID: 34c793296d59838f77d78d8b5b003388f6f67dae17ddd81f0bcdf70b129b0058
Opcode Fuzzy Hash: 7f8625ac49c1d67e6a9b344e77385f7cdaa0e9a43740382500ef75a85b703741
Instruction Fuzzy Hash: 76D17C76A44245CFCF04CFECC9D16DEBBF2EB4A354F10811AE821EB754D67699468B10

Function 6CF9E070 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfe1ede4925c6cbe9f3af16bcfd0820a1c52568b64679cfef5e7346ca1dae90
Instruction ID: bd5ec8959d017641246c3abb4436e6cef4e519dc2b23334b4e8e99529f0e4465
Opcode Fuzzy Hash: 5dfe1ede4925c6cbe9f3af16bcfd0820a1c52568b64679cfef5e7346ca1dae90
Instruction Fuzzy Hash: 3EB18876E052088FDF04CFACC9816DEBBF2BB49310F20851AE818EBB54D735A949CB51

Function 6CFAA0D0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559566ac5e93e7acdf0f280fe57aaab52cd280dd11482d4ffda96a75ac1b7986
Instruction ID: cadcf5a376827fbf0cf67c1831ff0ad9ae45515845aedd6e3c30dde5a2d3ef8b
Opcode Fuzzy Hash: 559566ac5e93e7acdf0f280fe57aaab52cd280dd11482d4ffda96a75ac1b7986
Instruction Fuzzy Hash: 2CB16A75A05208DFCB04CFACC9916DEBBF2EB4A314F205159E815AB7A0C236AD0ACF51

Function 6CF9F4B0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a80a97296b548ca9823805c9b5857ea0f1ccaa924f727215adbc35092d210c2
Instruction ID: 133689186db772d565e43a97ccd096a954b4ebfc30b01a573fbbbb3c02a21258
Opcode Fuzzy Hash: 0a80a97296b548ca9823805c9b5857ea0f1ccaa924f727215adbc35092d210c2
Instruction Fuzzy Hash: 1AA1D276A442058FDF44CFBCC8917DE7BF2EB4A364F245119E421EB7A4C23A9909CB11

Function 6CFADA70 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c17a6b49177df6d4431991d0e15559b180d0a004455467792a9616ecc2c3e2a
Instruction ID: 065992f7cf8080cdd753afdba69e51dbee05a780170c5267f375b4aedce3cd27
Opcode Fuzzy Hash: 7c17a6b49177df6d4431991d0e15559b180d0a004455467792a9616ecc2c3e2a
Instruction Fuzzy Hash: 1591E376A41605CFCF04CFBCC5A57DEBBF2AB4A360F205219E921EB794C736590A8B50

Function 6CFA8440 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0692101a943a8b0af9ec1a5a7296356e1ab82e4a62e7551624cda0b584ff2b4
Instruction ID: a2466fa88149e59f9770a86109ce83b20c3d0bc3d0e826561719eac4db9169f1
Opcode Fuzzy Hash: d0692101a943a8b0af9ec1a5a7296356e1ab82e4a62e7551624cda0b584ff2b4
Instruction Fuzzy Hash: B891F476A4524ACFCF04CEFCC5957CEFBF2AB1A324F104116D821EBB90D269990A8F51

Function 6CF9ECB0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae444484589fdc368ff3da1207f5df5b60db689dfaf400d34f353df82e446383
Instruction ID: 2114590aca2bf0dd1a90160ec384b22e1b14480fdf1f8d844fb3d8bd0fabff8a
Opcode Fuzzy Hash: ae444484589fdc368ff3da1207f5df5b60db689dfaf400d34f353df82e446383
Instruction Fuzzy Hash: 2F81C137B482068FEF08CFACD9963DE77F6BB4A354F148016D411E7764C22A9E099B90

Function 6CF9FA10 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b63f261b6f3af0ac191ca04149677946fd836891aa6614cd00a3d07a7fea5e
Instruction ID: 6d3e3878313fbeac88320ad80fcafb568b6ab6d030b35803d8b44f6e294855cd
Opcode Fuzzy Hash: 61b63f261b6f3af0ac191ca04149677946fd836891aa6614cd00a3d07a7fea5e
Instruction Fuzzy Hash: 7481F176A042098FDF48CFBCC8917DEBBF6AB9A310F10411AE811EB794D33A4909CB51

Function 6CFAAE40 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbb4c866d896d30c6c9e9f195517d1bace51e861c2c1a697ebb986051d73e04
Instruction ID: dd0d0ad9b92d4fc3dca50214660a62587771c4d00a570cc0884766fd840c9735
Opcode Fuzzy Hash: bcbb4c866d896d30c6c9e9f195517d1bace51e861c2c1a697ebb986051d73e04
Instruction Fuzzy Hash: 9081E476E44109CFCF08CFBCC4953DEBBF2AB0A360F118519D524AB790C336990A8B65

Function 6CF9D800 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172c35e24f11742750e14d97acfaf6fe46cff814d7c28c13b18d1cbcba37ade4
Instruction ID: 1640fd02ef6d0d4b16667bcaedfeb4f4e2b72dccc322bca48774d4734ae8bdf0
Opcode Fuzzy Hash: 172c35e24f11742750e14d97acfaf6fe46cff814d7c28c13b18d1cbcba37ade4
Instruction Fuzzy Hash: 9081AD76E042058FEF08DEBCC9917DEBBF1EB4A314F209219D811AB755C33A9809CB65

Function 6CF9DC10 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ece9e6fa691e288bf56f0ba0517a7300867afc353ccf69567d8f2807c1a2c2
Instruction ID: b1861be56a5ecdb1902ccc3c145493a795195a8c431692ebce33426fb9750b7e
Opcode Fuzzy Hash: 25ece9e6fa691e288bf56f0ba0517a7300867afc353ccf69567d8f2807c1a2c2
Instruction Fuzzy Hash: C681C1B6A041058FDF08CFBCC5917DEBBF2AB4A324F249115D521EB794C2369909CF61

Function 6CF9CD60 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756345dba17ecf7574b9e5b89146d406b695796df7666e9895bc4a5bfd944499
Instruction ID: 0a21ee85e68f19b01780243149e2a16760e9f1dda019e0dfd81212ffa2ffb026
Opcode Fuzzy Hash: 756345dba17ecf7574b9e5b89146d406b695796df7666e9895bc4a5bfd944499
Instruction Fuzzy Hash: 3971E776A405058FDF04DFBCC8D53EF7BF2AB4B324F201519D522AB7A4C62A590ACB90

Function 6CFA2B80 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4dde8f99be67ebda789ad9acc77a8140310db84ae747daea2beb7abdf4d2720
Instruction ID: a7f77cf54eb2436d269e0ea3b4220636058f70dbdbdaed55b0da31f0f6dad743
Opcode Fuzzy Hash: c4dde8f99be67ebda789ad9acc77a8140310db84ae747daea2beb7abdf4d2720
Instruction Fuzzy Hash: 3471D132B40205CFCF04CEBDC5E93DFBBF29B4A325F109509D829EB754C62A990A8B10

Function 6CFA2E70 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7179ef8c33e803b4529a99febb8331557da354fd6b12b295125f0c42713b089e
Instruction ID: b39b14a9ca0abdf42ea03ccb1f70cb9af5e16c283d77c6c9390f753720008713
Opcode Fuzzy Hash: 7179ef8c33e803b4529a99febb8331557da354fd6b12b295125f0c42713b089e
Instruction Fuzzy Hash: 67610576B40545CFCF04CEBCC89A3DFBBF2AB0A324F215119D5259B695C63A850E8750

Function 6CF9E7B0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a979d0aadbc9d30a00734f84a06b3d1959721d68d8194b36fa6b4a310b40dded
Instruction ID: 56d7d456cc5d004d7a594e37b8131cf664d67c4a80341a08fc8419fcd25d4ee6
Opcode Fuzzy Hash: a979d0aadbc9d30a00734f84a06b3d1959721d68d8194b36fa6b4a310b40dded
Instruction Fuzzy Hash: 13510236A442068FEF088EBCC9D53EFBBF2BB4A344F144219D421E7795D63A59098BD1

Function 6CF9EA50 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ee13b6f1925ba9689ea0f72578808e4e95670d97a318abe872fbaa231572d0
Instruction ID: c21b1238d56214be6cc65ca1ba60573981352588beda938adac5d74ac766413d
Opcode Fuzzy Hash: 34ee13b6f1925ba9689ea0f72578808e4e95670d97a318abe872fbaa231572d0
Instruction Fuzzy Hash: 9B512773A441124FEF089E7CC8963DF7BE1BB47324F215619D922DB6A4D2268909CBC0

Function 6CFAD850 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c88c836dab5d8b49e22c18369662be9adc1d619c67183a0fdacb4c3ade1a53
Instruction ID: a84190a831da26a77b30efaaa95c6381c80e7a58f578da26f32dc49da7912515
Opcode Fuzzy Hash: f5c88c836dab5d8b49e22c18369662be9adc1d619c67183a0fdacb4c3ade1a53
Instruction Fuzzy Hash: 0D5169B6E04609CFCF08CFACC5957DEBBF1BB4A314F108529D925AB790D235990A8F61

Function 6CF9D2B0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9110877dc7db21a7b6e1bf31939cee55b193308385409b588307c9dede547b2
Instruction ID: d87b73c86766c75bf897744bb42301be6bdcfccf4739d3a2a36f0c7da0b8c242
Opcode Fuzzy Hash: f9110877dc7db21a7b6e1bf31939cee55b193308385409b588307c9dede547b2
Instruction Fuzzy Hash: 1751E1B2E452098FEF04CFBCC4917DEBBF1EB0A324F209119D525EB745C6269909CB59

Function 6CFAB150 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902695187a7d226880a357ed04bbdc0290bb03d3b4d6c1b3f795fc7ca757870
Instruction ID: 8e94e1981aab2165071c52341b5366255d90aae2a0bbdf077dd0e01c095028c3
Opcode Fuzzy Hash: 5902695187a7d226880a357ed04bbdc0290bb03d3b4d6c1b3f795fc7ca757870
Instruction Fuzzy Hash: 8851CF76E04609CFDF05CEECC4A57DFFBF2AB0A324F11980AD824A7B41C23959068B65

Function 6CFA1AF0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24715e70902f5caf6d24fbc855c8126d2d25b8791dd1cd49cf658630bb833367
Instruction ID: 828007f1a35f0c6aafaea2218149fcb0ac753d57fd53acf0403a996cc3ad9d60
Opcode Fuzzy Hash: 24715e70902f5caf6d24fbc855c8126d2d25b8791dd1cd49cf658630bb833367
Instruction Fuzzy Hash: BD41E472E44206DFCF04CEBCC5A57DFFBF2AB06364F219215D820AB795D2359A068B04

Function 6CFAEEB0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def488d34e388dd8607a6c290154ab2a38d41bc721a397cef5954b9e7d3b89fb
Instruction ID: af3bbdd4749a7c963983ce54a333e985fc6c9a81d4c483157f1512aa7eace154
Opcode Fuzzy Hash: def488d34e388dd8607a6c290154ab2a38d41bc721a397cef5954b9e7d3b89fb
Instruction Fuzzy Hash: 5941AE76E44215CFCF44CEACC4953EFB7F1AB4A324F105629D824EB790D23A59068BA1

Function 6CFAD050 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494406fdb3cf6607c1b40a63eebab884fe471e6b4626f3f6f842a205a8cefefc
Instruction ID: dfbb8e90c59d8690c7c2ab011b5ef3015064336906d720ccc0b726824cbbe3fc
Opcode Fuzzy Hash: 494406fdb3cf6607c1b40a63eebab884fe471e6b4626f3f6f842a205a8cefefc
Instruction Fuzzy Hash: F6410672A40605CFDF05DEBCC4A53DFBBF29B02325F119119DD619B7A4C2268A0B8B91

Function 6CFB2FD9 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CFB30F8
___TypeMatch.LIBVCRUNTIME ref: 6CFB3206
_UnwindNestedFrames.LIBCMT ref: 6CFB3358
CallUnexpected.LIBVCRUNTIME ref: 6CFB3373

Strings

csm, xrefs: 6CFB3016
csm, xrefs: 6CFB3083
csm, xrefs: 6CFB312F

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: edc83101e528ee1a73b11539a13e88d134947d52afd058f3219f4ccf021fa3d4
Instruction ID: 6f40f081b7780f62e428f607275f4248557ea9840b5c4f27dea505b5f8474d8a
Opcode Fuzzy Hash: edc83101e528ee1a73b11539a13e88d134947d52afd058f3219f4ccf021fa3d4
Instruction Fuzzy Hash: AFB17B75C41609EFCF05CFA6C88099EBBB5FF04318F29415AE8147BA11DB31EA59CB92

Function 6CFB20D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CFB2107
___except_validate_context_record.LIBVCRUNTIME ref: 6CFB210F
_ValidateLocalCookies.LIBCMT ref: 6CFB2198
__IsNonwritableInCurrentImage.LIBCMT ref: 6CFB21C3
_ValidateLocalCookies.LIBCMT ref: 6CFB2218

Strings

csm, xrefs: 6CFB21AD

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 483a8b8ac4b0b9739be537e34f73e6ef99e17675f9522cafba3fa0a3fcc0dafe
Instruction ID: 6ebcade102a2e21d302d6ae968ca93bca3bba956d3db906e0858be5c3208c7df
Opcode Fuzzy Hash: 483a8b8ac4b0b9739be537e34f73e6ef99e17675f9522cafba3fa0a3fcc0dafe
Instruction Fuzzy Hash: F541B334E012099BCF00DF6ACC88BDE7BB5AF45318F218195E928BB751D732DA15CB91

Function 6CFB7119 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6CFB7228,00000000,6CFB4C32,00000000,00000000,00000001,?,6CFB73A1,00000022,FlsSetValue,6CFBFA10,6CFBFA18,00000000), ref: 6CFB71DA

Strings

api-ms-, xrefs: 6CFB7170
ext-ms-, xrefs: 6CFB7184

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2928f3dfd92225119dd8a24b3ca053a5b6c848f7fc209a8f6a0e7edd002e5647
Instruction ID: 7f0400bdc585e208e6c84fdd7109abaf39a0f4f968b53681a7d820708e76620e
Opcode Fuzzy Hash: 2928f3dfd92225119dd8a24b3ca053a5b6c848f7fc209a8f6a0e7edd002e5647
Instruction Fuzzy Hash: B521BB76A06215ABDB119777DC45B4B3778EB423A4F260212E919B7A84D730E901CAF0

Function 6CFB248E Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CFB2054,6CFAF4A2,6CFAF799,?,6CFAF9D1,?,00000001,?,?,00000001,?,6CFC3478,0000000C,6CFAFACA), ref: 6CFB249C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CFB24AA
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CFB24C3
SetLastError.KERNEL32(00000000,6CFAF9D1,?,00000001,?,?,00000001,?,6CFC3478,0000000C,6CFAFACA,?,00000001,?), ref: 6CFB2515

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 140018f256daf75084b8ae89fbfb22ba7a7c216279de409a7fb9cfeedbc7d798
Instruction ID: 91e86e54f752f86b44cd89740b854b16636ce72f1fc21d5d8a3fa8655cb6143e
Opcode Fuzzy Hash: 140018f256daf75084b8ae89fbfb22ba7a7c216279de409a7fb9cfeedbc7d798
Instruction Fuzzy Hash: 7D01B5322093116DAA1816FB6C8D69B3664DB426FDB20033AE534759D0EF3349155295

Function 6CFB634A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Setup_v1.29.exe, xrefs: 6CFB6366

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\Setup_v1.29.exe
API String ID: 0-3742506953
Opcode ID: be7418057b3584397811b9b01a88e055f08e70638856695bbb8093c272126b96
Instruction ID: b06961effe8ed978113b8425dcac0baaf1e1066c4e998532b330fba49ff0df60
Opcode Fuzzy Hash: be7418057b3584397811b9b01a88e055f08e70638856695bbb8093c272126b96
Instruction Fuzzy Hash: 6B218E72604615EF9B189F67C88099BB7B9AF013A87188629F815F7B40EB31EC4187A0

Function 6CFB43E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,94327FAE,00000000,?,00000000,6CFBCAE2,000000FF,?,6CFB437E,?,?,6CFB4352,?), ref: 6CFB4419
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CFB442B
FreeLibrary.KERNEL32(00000000,?,00000000,6CFBCAE2,000000FF,?,6CFB437E,?,?,6CFB4352,?), ref: 6CFB444D

Strings

mscoree.dll, xrefs: 6CFB4412
CorExitProcess, xrefs: 6CFB4423

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 70f9f060eb763d06931da4f1abba2b14063d1aae8bda067df260581575c708c1
Instruction ID: 9cbfb95998f074a424b02c0313e7d4bb161c2f5a0ec5348712917ebb034c221d
Opcode Fuzzy Hash: 70f9f060eb763d06931da4f1abba2b14063d1aae8bda067df260581575c708c1
Instruction Fuzzy Hash: 6E01D131A10529EFDF029F51CC44BAEBBB8FB08758F004A26FC21B2A94DB759900CB95

Function 6CFB2817 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CFB27C8,00000000,?,00000001,?,?,?,6CFB28B7,00000001,FlsFree,6CFBEC48,FlsFree), ref: 6CFB2824
GetLastError.KERNEL32(?,6CFB27C8,00000000,?,00000001,?,?,?,6CFB28B7,00000001,FlsFree,6CFBEC48,FlsFree,00000000,?,6CFB2563), ref: 6CFB282E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CFB2856

Strings

api-ms-, xrefs: 6CFB283B

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 144aac1e6a9fac7a9935b76c3f571c39545769742e6762056cfc8e2a33f8717d
Instruction ID: a52691a029fa9e7dc312a94707812135bd3436cc73650b1444a7f863dbee3b85
Opcode Fuzzy Hash: 144aac1e6a9fac7a9935b76c3f571c39545769742e6762056cfc8e2a33f8717d
Instruction Fuzzy Hash: 1AE04F70B4420CBBEF411A63DC49B483B75BB01B98F144431FA0CB88D8D773E4138A89

Function 6CFB9621 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(94327FAE,00000000,00000000,?), ref: 6CFB9684

Part of subcall function 6CFB6F18: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CFB90BF,?,00000000,-00000008), ref: 6CFB6F79

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CFB98D6
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CFB991C
GetLastError.KERNEL32 ref: 6CFB99BF

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3cf5568cc4e865d0a0493b580ea469380748079c44088218923053cbcede9505
Instruction ID: 58001fcf4cdb5b011db481c0d8e15c50ee2f6ce3bf35e3695893fe77c337746e
Opcode Fuzzy Hash: 3cf5568cc4e865d0a0493b580ea469380748079c44088218923053cbcede9505
Instruction Fuzzy Hash: 35D16875D052489FCF05CFA9C880ADDBBB5EF19314F28416AE466FBB51DB30AA42CB50

Function 6CFB2D82 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CFB2E49
___AdjustPointer.LIBCMT ref: 6CFB2E6C
___AdjustPointer.LIBCMT ref: 6CFB2F08

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7a5b57b51ae56e525844111790cac67f27e4bd14860de0a74b9fe896ad26ff19
Instruction ID: b6ea9a98225d9e15c3428c479104b5e312e767015c7987365f4b525ebb1fe4a5
Opcode Fuzzy Hash: 7a5b57b51ae56e525844111790cac67f27e4bd14860de0a74b9fe896ad26ff19
Instruction Fuzzy Hash: CC51F4766052069FDB198F17C888BEA77B4FF05318F24452DE8157BA90E733E845C790

Function 6CFB5B64 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CFB6F18: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CFB90BF,?,00000000,-00000008), ref: 6CFB6F79

GetLastError.KERNEL32 ref: 6CFB5BC8
__dosmaperr.LIBCMT ref: 6CFB5BCF
GetLastError.KERNEL32(?,?,?,?), ref: 6CFB5C09
__dosmaperr.LIBCMT ref: 6CFB5C10

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: a7e528d62294ce337b999334ebac6ec421bd5a70e01415f883859a23c0bf5f14
Instruction ID: 575301f770721b55927dde4a09fc1546edbc3fdcf7e499f336db89969b2801ed
Opcode Fuzzy Hash: a7e528d62294ce337b999334ebac6ec421bd5a70e01415f883859a23c0bf5f14
Instruction Fuzzy Hash: B22162B2604605AFDB14AF77C88099BB7A9FF053687048629F855F7B40EB39EC5187A0

Function 6CFBAD26 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CFBA4E5,00000000,00000001,00000000,?,?,6CFB9A13,?,00000000,00000000), ref: 6CFBAD3D
GetLastError.KERNEL32(?,6CFBA4E5,00000000,00000001,00000000,?,?,6CFB9A13,?,00000000,00000000,?,?,?,6CFB9FB6,00000000), ref: 6CFBAD49

Part of subcall function 6CFBAD0F: CloseHandle.KERNEL32(FFFFFFFE,6CFBAD59,?,6CFBA4E5,00000000,00000001,00000000,?,?,6CFB9A13,?,00000000,00000000,?,?), ref: 6CFBAD1F

___initconout.LIBCMT ref: 6CFBAD59

Part of subcall function 6CFBACD1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CFBAD00,6CFBA4D2,?,?,6CFB9A13,?,00000000,00000000,?), ref: 6CFBACE4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CFBA4E5,00000000,00000001,00000000,?,?,6CFB9A13,?,00000000,00000000,?), ref: 6CFBAD6E

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b8e6744d3615c7b95e3f57ebcecb66113b12ba8f18a60fc68fc7552ba0d1a2d0
Instruction ID: 661da9520f7b09443cee8667bea46fbedda06e856bb6e1002268d5b5c553f34c
Opcode Fuzzy Hash: b8e6744d3615c7b95e3f57ebcecb66113b12ba8f18a60fc68fc7552ba0d1a2d0
Instruction Fuzzy Hash: 8FF03036600118BBCF662FE2CC45B893F76FB0A7B5B048010FA5C95524D732C820EB95

Function 6CFB337E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CFB33A3

Strings

MOC, xrefs: 6CFB33B5
RCC, xrefs: 6CFB33BD

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: f3d639aa95f56060330cb391a19473a0b59523fabe4710a6e11085225d8b8eff
Instruction ID: 2b016118f22ffc23e351e7ffc09a236785dba7a268ef0a707ab99e3f9459c920
Opcode Fuzzy Hash: f3d639aa95f56060330cb391a19473a0b59523fabe4710a6e11085225d8b8eff
Instruction Fuzzy Hash: E7418971A00209EFCF06CF95CC80ADEBBB5BF08308F248199F904BB611DB36A955DB50

Function 6CFA2150 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFA2160

Part of subcall function 6CFB0199: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CFB01A5

Strings

'E[, xrefs: 6CFA2293
string too long, xrefs: 6CFA2157

Memory Dump Source

Source File: 00000000.00000002.2081755812.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true

Associated: 00000000.00000002.2081741717.000000006CF80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081965580.000000006CFBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2081993922.000000006D011000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2082187214.000000006D014000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf80000_Setup_v1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$'E[
API String ID: 1997705970-4102168377
Opcode ID: 2720ff98e80d3c66d04ff08e94cf35726af204fdb6ed6a5136c5e6dee0ca739f
Instruction ID: 458e14cfca1d4efb18c5219547c53bd6e0c830647d0001ed0c7d381e99104b73
Opcode Fuzzy Hash: 2720ff98e80d3c66d04ff08e94cf35726af204fdb6ed6a5136c5e6dee0ca739f
Instruction Fuzzy Hash: 94310236B546019FDF058EBDC8D93CE7BE69B53374F20921989348BAD4C227860A8A04

Analysis Process: aspnet_regiis.exePID: 764, Parent PID: 2792COMMON

Execution Graph

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2%
Total number of Nodes:	1159
Total number of Limit Nodes:	6

Executed Functions

Function 03118680 Relevance: 6.1, APIs: 4, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,031205B7), ref: 031186CA
Process32First.KERNEL32(?,00000128), ref: 031186DE
Process32Next.KERNEL32(?,00000128), ref: 031186F3
CloseHandle.KERNELBASE(?), ref: 03118761

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 91a28774da90537830b3cbaea8e762de4e5220cdac2744791b0d5bfea46271f7
Instruction ID: 3c479647aafe10dbe3ee5d0a0fb3f94f4455682b3d68a14145662f91e3cdcb71
Opcode Fuzzy Hash: 91a28774da90537830b3cbaea8e762de4e5220cdac2744791b0d5bfea46271f7
Instruction Fuzzy Hash: A5318276942218ABCB24EF90CC50FEEBB7CEF49711F0041A9E109A6190DF706B55CFA0

Function 031045C0 Relevance: 3.1, APIs: 2, Instructions: 114
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,031169FB), ref: 0310460E
VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0310479C

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID:
API String ID: 1542196881-0
Opcode ID: 7dfd5ba896443b7ae9256566fa0bf48f7273d5df111318bd38fdcd32cf45c242
Instruction ID: 916eae662332728ef7f0f2c4adb57caef476404afc881775dc292fd9cda4bda5
Opcode Fuzzy Hash: 7dfd5ba896443b7ae9256566fa0bf48f7273d5df111318bd38fdcd32cf45c242
Instruction Fuzzy Hash: 3241A975740214EFC71CFBE4E9CDA9CBF76AB4D617B408044F92299149CBB0D5A19B32

Function 03117B90 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 03117C62

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 927d682ec6bfed238d8d39327663468a1562ca4ec6bc93d5cc99eec8bcfea568
Instruction ID: 26cfa0aabd36d3ef344e4fb83b560d50ecc8f7e428224dffb890cbc1f6ef3dbf
Opcode Fuzzy Hash: 927d682ec6bfed238d8d39327663468a1562ca4ec6bc93d5cc99eec8bcfea568
Instruction Fuzzy Hash: 42414B7594121CABDB24DB94DC98BEEB778FF48711F1041A9E00A66280DB746F96CFA0

Function 03117A30 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,03120E10,00000000,?,00000000,00000000,?), ref: 03117A7D

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 13a277229e3b6b11f7f957095603f2bbe2a7c0ee2f26b706147c6ae4c980168a
Instruction ID: 225428a14394093c350f813f31c3f942b459e5c158ef2301dade12fe64a419b2
Opcode Fuzzy Hash: 13a277229e3b6b11f7f957095603f2bbe2a7c0ee2f26b706147c6ae4c980168a
Instruction Fuzzy Hash: 9C1182B1945228DFEB10DB54DC45FAABBBCF704712F0047A5E516932C0DB742A40CF51

Function 03117850 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0311789F

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ecbd1248566743285912b0113b24280d3852effd1db67af16634d94baf0514a3
Instruction ID: 8831e8759d4175ff4f82bea2ab4f6620455dd9cc5b5e6711e9f3475add39ee31
Opcode Fuzzy Hash: ecbd1248566743285912b0113b24280d3852effd1db67af16634d94baf0514a3
Instruction Fuzzy Hash: 5DF04FB5944208AFC714DF98D985BAEBFFCEB09712F10026AFA15A2680C77425048BA1

Function 03117ED0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(03120E2C), ref: 03117F00

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 4c97fef05afd22c441b9106895c02af6834e8a10802b5874f429f7e319cfa822
Instruction ID: 49b001de72f4c4829d05b416916f36a7968dde98e13f36915e9fdb2b9f806102
Opcode Fuzzy Hash: 4c97fef05afd22c441b9106895c02af6834e8a10802b5874f429f7e319cfa822
Instruction Fuzzy Hash: 02F0F0B1A40218EFCB10DF84EC45FEAFBBCFB48A20F000669F52592280D77929148BE0

Function 03119C10 Relevance: 12.7, APIs: 8, Instructions: 684
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A03D
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A04E
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A060
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A072
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A083
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A095
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A0A7
LoadLibraryA.KERNELBASE(?,?,03115CA3,?,00000034,00000064,03116600,?,0000002C,00000064,031165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0311A0B8

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a255c84f5bb227e0bc6ace18671707ba2287f72a7034f6cacbdb36ef5c0a10d
Instruction ID: adc55835145c9a38dd47d6d3d12d7928a664b16a5f6dc1836dfa8bbc352158de
Opcode Fuzzy Hash: 8a255c84f5bb227e0bc6ace18671707ba2287f72a7034f6cacbdb36ef5c0a10d
Instruction Fuzzy Hash: 8062D7BE5D4240AFD364FBA8E6C89563FFDE788702B14851AB6198324CDF39B441DB60

Function 03118320 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000,031205B6), ref: 031183A4
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 03118426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0311847B

Strings

?, xrefs: 0311837A

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID: ?
API String ID: 462099255-1684325040
Opcode ID: 4f18666261df95548d4870c2c3544609662d9b297d54b07eb042929f025ae170
Instruction ID: 830df93a118898f24daa689a669c4b6874459ec4ab07fef929e622182dc237fc
Opcode Fuzzy Hash: 4f18666261df95548d4870c2c3544609662d9b297d54b07eb042929f025ae170
Instruction Fuzzy Hash: 3F81FB7595121C9BEB24EB50CD94FEABBBCBF08711F0082A8E109A6140DF716B96CF90

Function 03117500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0311757F

Strings

:, xrefs: 0311755C
C, xrefs: 0311754C
\, xrefs: 03117560

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: 58da1bc9dd6f06ca3f46bf34b1a82f5bb1affd849f960be5f592e10c3ef0cb84
Instruction ID: c4d97a6a4cba049642d802d075439a7cf0d76d487e2e8642712f639232fe50ec
Opcode Fuzzy Hash: 58da1bc9dd6f06ca3f46bf34b1a82f5bb1affd849f960be5f592e10c3ef0cb84
Instruction Fuzzy Hash: C04184B5D40358ABDF10DF94DC84BDEBBB8EF0C700F0041A9E50967280D7756A54CBA5

Function 03118100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,00000040,00000000), ref: 03118158
__aulldiv.LIBCMT ref: 03118172
__aulldiv.LIBCMT ref: 03118180

Strings

@, xrefs: 0311814D

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 37be7348d3f614fcd4d6718ee19d7b499ab0440d64640b7c564776521c0b6c2b
Instruction ID: f92fd8b64153f9b54be002a6a6b7c0f8f54eb26d7705415bb35bfa193e438139
Opcode Fuzzy Hash: 37be7348d3f614fcd4d6718ee19d7b499ab0440d64640b7c564776521c0b6c2b
Instruction Fuzzy Hash: B5213BB1E44218ABDB00DFD4DC49FAEBBB8FB48B00F104219F605BB280D77869008BA4

Function 03101220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0310123E
__aulldiv.LIBCMT ref: 03101258
__aulldiv.LIBCMT ref: 03101266

Strings

@, xrefs: 03101233

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: c658ac2e9ec366f88f06a5d475e8f4c405b87cfc3196fe38ed21ce18a889d11c
Instruction ID: b65e84bbaac5f7d15a75d6c95d667d6040ba8a33e81540a0fbfb79d80508bab0
Opcode Fuzzy Hash: c658ac2e9ec366f88f06a5d475e8f4c405b87cfc3196fe38ed21ce18a889d11c
Instruction Fuzzy Hash: 290112B4D84308FBEB10DBD4DC49B9DBB78AB0C705F248064E705BA1C0D7B895458759

Function 03106280 Relevance: 6.2, APIs: 4, Instructions: 191
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 031047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 03104849

InternetOpenA.WININET(03120DFE,00000001,00000000,00000000,00000000,03120DFB), ref: 031062E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 03106335
HttpOpenRequestA.WININET(00000000,03121A28,?,?,00000000,00000000,00400100,00000000), ref: 03106385
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 031063D1

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectCrackSend
String ID:
API String ID: 612470270-0
Opcode ID: 07f23bd075dbbc4c886fc1a9aaa5e417ad2a5faf03951ea9652040342162c9b8
Instruction ID: 6eedc08a3e0de508e9a197e55a29d28f80621bcabfa975d66d18e8554d0ddfe2
Opcode Fuzzy Hash: 07f23bd075dbbc4c886fc1a9aaa5e417ad2a5faf03951ea9652040342162c9b8
Instruction Fuzzy Hash: 57713275A40318ABDB14EFA0DC84BDE7B78FF48711F104168E509AB1C4DBB56A95CF50

Function 03119860 Relevance: 4.7, APIs: 3, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,03116A00), ref: 03119A9A
LoadLibraryA.KERNELBASE(?,?,03116A00), ref: 03119AAB
LoadLibraryA.KERNELBASE(?,?,03116A00), ref: 03119ACF

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63262dd5c7f5ce388d1f20fa1c3712480bf850e878fc72eae22451574feaecb9
Instruction ID: a796b03ecece38d9042131e4ccb7253f856adbb43e8cc6006a54042df1e04415
Opcode Fuzzy Hash: 63262dd5c7f5ce388d1f20fa1c3712480bf850e878fc72eae22451574feaecb9
Instruction Fuzzy Hash: 73A1F7BE5842409FE364FFA8EAD8A663BFDE74C302B14451AB6158324CDF39B441DB50

Function 031047B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCrackUrlA.WININET(00000000,00000000), ref: 03104849

Strings

<, xrefs: 031047C9

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: CrackInternet
String ID: <
API String ID: 1381609488-4251816714
Opcode ID: 5380c8a85fa9aa139f5c5778f0bca32cdd2e26ac1fbcb43e4bb5aeae71b92b49
Instruction ID: d795e4383779a8acd8ec13ebeeacd1dbb67a7a35777d002bf1d3e06457e84c2f
Opcode Fuzzy Hash: 5380c8a85fa9aa139f5c5778f0bca32cdd2e26ac1fbcb43e4bb5aeae71b92b49
Instruction Fuzzy Hash: 90212CB5D00209ABDF14EFA4E945BDD7B78FF44320F108225F915AB280EB706A15CF91

Function 03104FB0 Relevance: 3.1, APIs: 2, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 03104FD1
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 0310508A

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateDispatcherExceptionHeapUser
String ID:
API String ID: 3515689010-0
Opcode ID: 324a966da08ac198da0aa8521ceb50bbefa77ff7a4a40a1c294bcf4eed01a12c
Instruction ID: f320229dc9e8f9773d4654522f24496f9944d8f7114a02a21edd4992c451f637
Opcode Fuzzy Hash: 324a966da08ac198da0aa8521ceb50bbefa77ff7a4a40a1c294bcf4eed01a12c
Instruction Fuzzy Hash: D8311DB4A40218ABDB24DF54DD84BDDBBB8FB48704F1081D8F709A7284CB706AC58F98

Function 031183DC Relevance: 3.1, APIs: 2, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 03118426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0311847B
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400), ref: 031184EC
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,03120B34), ref: 03118599
RegCloseKey.KERNELBASE(00000000), ref: 03118608

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID:
API String ID: 2041898428-0
Opcode ID: 2a5c273e10cb349612824afa00daee871aa66ce92eb272ffc5c1fde1c7c75292
Instruction ID: 94fb0f17a846d26a71f627acca76523d3291e42bf1de546a2d43590979cae84b
Opcode Fuzzy Hash: 2a5c273e10cb349612824afa00daee871aa66ce92eb272ffc5c1fde1c7c75292
Instruction Fuzzy Hash: 7B21077595022CABDB24DB54DC84FE9B7B8FB48705F00C1E8E609A6140DF716A86CFD4

Function 03117E00 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 03117E5E
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 03117E7F

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: de733d9f09baaaf1b6b4159d9fc2cc523be156df96ab1dcddbe2ade132799dd8
Instruction ID: 81badc1ea4e7b73b493ebe2a51702b13969b2871a48126d0a76f4d781ac7e4f3
Opcode Fuzzy Hash: de733d9f09baaaf1b6b4159d9fc2cc523be156df96ab1dcddbe2ade132799dd8
Instruction Fuzzy Hash: 66114FB5A84205EBD714DB94D989FBBBBBCEB08711F104119F615A7284DB7468108BA0

Function 03117690 Relevance: 3.0, APIs: 2, Instructions: 43
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,00000000), ref: 031176DD
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,000000FF), ref: 031176FE

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 5ab138794aaf71d2ce886e6fcbc48e238f249dc1e7f5b81905501e36c81bf298
Instruction ID: 8697948ac3592515edd12d39efd18d96156588e4da809af36299c41e24ebade4
Opcode Fuzzy Hash: 5ab138794aaf71d2ce886e6fcbc48e238f249dc1e7f5b81905501e36c81bf298
Instruction Fuzzy Hash: 7001F4B9A40204BBE710EBE4E989FADBBBCEB48701F104554FA0597284EB74A954CF50

Function 03117720 Relevance: 3.0, APIs: 2, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,031176B9), ref: 0311775B
RegQueryValueExA.KERNELBASE(031176B9,03120AAC,00000000,00000000,?,000000FF), ref: 0311777A

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: a1680e996c98956815709199574889b4dc0326ef6860a0d9a58456f3ccf6e863
Instruction ID: d11258e4525516a4307fc88916dfdc95dc09633ce0c01df24429520b67d16d9b
Opcode Fuzzy Hash: a1680e996c98956815709199574889b4dc0326ef6860a0d9a58456f3ccf6e863
Instruction Fuzzy Hash: 420144B9A40308BBE710EBE4DC89FAEBBBCEB48701F004154FA05A7285DB7065108F50

Function 031169F0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 03101160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,03116A17,03120AEF), ref: 0310116A

Part of subcall function 03101110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,03116A1C), ref: 03101132

Part of subcall function 03101220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0310123E
Part of subcall function 03101220: __aulldiv.LIBCMT ref: 03101258
Part of subcall function 03101220: __aulldiv.LIBCMT ref: 03101266

GetUserDefaultLCID.KERNELBASE ref: 03116A26

Part of subcall function 03117850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0311789F

Part of subcall function 031178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0311792F

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
String ID:
API String ID: 3178950686-0
Opcode ID: 54f7d80db9a5658be5fa3abb2e993098554651c53910f2695a1a388aeefd24ff
Instruction ID: 892345e466967d0f495602552e27dea82bae2b80c5d28cbcd8f0fb0c74d144f0
Opcode Fuzzy Hash: 54f7d80db9a5658be5fa3abb2e993098554651c53910f2695a1a388aeefd24ff
Instruction Fuzzy Hash: BA312B79A41308ABDB04FBF0D955BEE7B78AF0C351F404538E512AA180DFB46A66C6A1

Function 031178E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0311792F

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 4177277cb7dc41aaafbb3ed5d72981487e1938b9ecba21f78fc831dfabc5e7be
Instruction ID: b7be004b2ef5783dec0c50deeceba4166c9a3ab57e4e056ef2745211fd9fce34
Opcode Fuzzy Hash: 4177277cb7dc41aaafbb3ed5d72981487e1938b9ecba21f78fc831dfabc5e7be
Instruction Fuzzy Hash: 1E0186B1944208EFC704DF94D945BAEBBBCF708B22F104269F545E3380C77455048BA1

Function 03119470 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 031194A5

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: d14f046b92af6dce29fed023aa7df32fa1b08d8df0224ecedfe315f879867fb3
Instruction ID: a28654bee0b5d634036f7c8737d2cb8b61774104e11a438094e9bdae9a894943
Opcode Fuzzy Hash: d14f046b92af6dce29fed023aa7df32fa1b08d8df0224ecedfe315f879867fb3
Instruction Fuzzy Hash: 67F0547994020CFBDB15EF94D989FED7778EB08311F004454FA1957180DBB46A85CB90

Function 03101110 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,03116A1C), ref: 03101132

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 91de3f723e7a398606df9fd0f88adfdd7c52191b88515ba15617ad0bb5901506
Instruction ID: 9942d4c94d8538218513af9f220e8caca440bf6f00d210832f85430d32441ffd
Opcode Fuzzy Hash: 91de3f723e7a398606df9fd0f88adfdd7c52191b88515ba15617ad0bb5901506
Instruction Fuzzy Hash: 89E0E6799C5308FBE710BBA1DD4AB097A7CEB04B06F504154F7097A1C4DBF536009699

Function 03101160 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,03116A17,03120AEF), ref: 0310116A

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0c29e6d9602c313d8366c5b7a7c69e20ada27658708a1be639f8732ec5fe9c10
Instruction ID: 70cabf7b134c1218bca55f16517685ba7b468da1717161b32cb4ea481944e6b8
Opcode Fuzzy Hash: 0c29e6d9602c313d8366c5b7a7c69e20ada27658708a1be639f8732ec5fe9c10
Instruction Fuzzy Hash: 90D017789402089BCB14EBE0D98969DBB7CEB08312F000594E90562240EB3064818AA5

Function 031010A0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0310114E,?,?,03116A1C), ref: 031010B3

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0173d2bb2d9784c6219375105ed74d4cce3b6c064ec0f6a67a3c4634a50c2fb
Instruction ID: dcae4200eb5f6f176f60df263a672d2ac6759a551ef56e13417ed809373f28c3
Opcode Fuzzy Hash: d0173d2bb2d9784c6219375105ed74d4cce3b6c064ec0f6a67a3c4634a50c2fb
Instruction Fuzzy Hash: CFF0E275681308BBE714EBA4AD89FAAB7ECE709B15F300458F544E7280D671AE00CAA0

Non-executed Functions

Function 03119750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 0311C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0311C74E

Part of subcall function 0311BF9F: __getptd_noexit.LIBCMT ref: 0311BFA2
Part of subcall function 0311BF9F: __amsg_exit.LIBCMT ref: 0311BFAF

__getptd.LIBCMT ref: 0311C765
__amsg_exit.LIBCMT ref: 0311C773
__lock.LIBCMT ref: 0311C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0311C797

Memory Dump Source

Source File: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3100000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c59355314600c45a940292a0e986561b24c3c2deb7bdb94575c59f4849290505
Instruction ID: 5d135d6e731f1fb5b42b57c7b303dfed0620e8666f0db687ed46f61fcd02e86b
Opcode Fuzzy Hash: c59355314600c45a940292a0e986561b24c3c2deb7bdb94575c59f4849290505
Instruction Fuzzy Hash: 1CF024779897119FD720FBF854017CE37A06F0C720F148168E000AE1C0DFA458B08BD6

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup_v1.29.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_09f1d501-70d8-4950-b861-5593f5fb2d0e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3B8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5CD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE699.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup_v1.29.exe.log

C:\Users\user\AppData\Roaming\msvcp110.dll

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Setup_v1.29.exe

Function 6CF91870 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 405
nativeCOMMON

Function 6CFAF8C8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CFAF978 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CFB6FBE Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 6CFAF7C1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CFB75BB Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6CFB7EE7 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Function 6CF8E130 Relevance: 18.7, Strings: 14, Instructions: 1172
COMMON

Function 6CF93BA0 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 503
COMMON