Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Analysis ID:	1429056
MD5:	3267524dfd0402edc79dd8bc794f6b60
SHA1:	ace93085f7ca737c26b46746c131198890b171a9
SHA256:	c22beac6359f4a40b59d7d1770dd70610d85670466c86f5d95211c98ebac96ff
Tags:	exe
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Checks for available system drives (often done to infect USB drives)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64

SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe (PID: 6824 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe" MD5: 3267524DFD0402EDC79DD8BC794F6B60)

msiexec.exe (PID: 7088 cmdline: MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi" SETUPEXEDIR="C:\Users\user\Desktop" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7144 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4520 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BDB44787BAEFCB4E5F2923A34628155A C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7132 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A892F398EEF8C393BFA3B4244973CB46 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: C:\data\atr\Apex\pwdata\Debug\pwdata.pdb source: PWDATA.EXE.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_00410106 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,

0_2_00410106

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\Temp\_isE74C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\	Jump to behavior

Source: pdqcom32.ocx.2.dr	String found in binary or memory: http://crescent.progress.com.
Source: pdqcom32.ocx.2.dr	String found in binary or memory: http://crescent.progress.com/
Source: pdqcom32.ocx.2.dr	String found in binary or memory: http://crescent.progress.com/crescent/codedepot.html
Source: 622280.rbs.2.dr	String found in binary or memory: http://www.apexedi.com
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe, ApexWin.msi.0.dr, 62227f.msi.2.dr	String found in binary or memory: http://www.apexedi.comFile:
Source: aps102eng.exe.2.dr	String found in binary or memory: http://www.installshield.com/pftw/

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0040F733 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

0_2_0040F733

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File created: C:\Windows\Downloaded Installations	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File created: C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File created: C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\62227f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{348DFD33-272D-4451-8968-31E94E81AE45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI257D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\comdlg32.ocx	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mscomctl.ocx	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\tabctl32.ocx	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\622281.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\622281.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\622281.msi

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00403A6F	0_2_00403A6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00417C44	0_2_00417C44
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0041D7A3	0_2_0041D7A3

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: String function: 00414644 appears 67 times

Source: ApexWin.exe.2.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: msado25.tlb.2.dr	Static PE information: No import functions for PE file found
Source: Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24.2.dr	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE x, vs SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Binary or memory string: OriginalFilename_IsIcoRes.exeP vs SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: VB6.OLB.2.dr

Binary or memory string: Specifies the path of the project .VBP file when running the application from the development environment or the path of the executable file when running the application as an executable file.WW

Source: classification engine

Classification label: clean8.winEXE@8/83@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0040F733 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

0_2_0040F733

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0040EF4B LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,

0_2_0040EF4B

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_00404740 GetPrivateProfileIntA,CoCreateInstance,wsprintfA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrlenW,wsprintfA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,CoCreateGuid,lstrcatA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrcatA,CreateProcessA,SysFreeString,lstrlenW,wsprintfA,WaitForInputIdle,CloseHandle,CloseHandle,CloseHandle,Sleep,CreateItemMoniker,GetRunningObjectTable,SysFreeString,RegCloseKey,RegCloseKey,RegCloseKey,SysFreeString,

0_2_00404740

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_004044FB FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_004044FB

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ApexWin

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML279F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

File created: C:\Users\user\AppData\Local\Temp\~CB76.tmp

Jump to behavior

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

File read: C:\Users\user\AppData\Local\Temp\_isE74C\_ISMSIDEL.INI

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe "C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi" SETUPEXEDIR="C:\Users\user\Desktop"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDB44787BAEFCB4E5F2923A34628155A C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A892F398EEF8C393BFA3B4244973CB46
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi" SETUPEXEDIR="C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDB44787BAEFCB4E5F2923A34628155A C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A892F398EEF8C393BFA3B4244973CB46	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior

Source: ApexWin.lnk.2.dr	LNK file: ..\..\..\..\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe
Source: ApexWin Claims.lnk.2.dr	LNK file: ..\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

File written: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Static file information: File size 10577307 > 1048576

Source:

Binary string: C:\data\atr\Apex\pwdata\Debug\pwdata.pdb source: PWDATA.EXE.2.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_00409EC8 GetPrivateProfileIntA,GetPrivateProfileStringA,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,lstrcmpA,CopyFileA,GetLastError,wsprintfA,lstrcatA,wsprintfA,MessageBoxA,MoveFileA,lstrcatA,CopyFileA,

0_2_00409EC8

Source: Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B.2.dr

Static PE information: section name: ENGINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00414820 push eax; ret		0_2_0041484E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00414644 push eax; ret		0_2_00414662

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\tabctl32.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\ECP.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\comdlg32.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\PWECP.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\ApexWin.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\dclient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\scrrun.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\ICONLIB.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\Extra\data9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\Pdqtapi.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\data.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\Extra\pwmon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\Extra\ALTAFORM.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\msado25.tlb	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\PSMON.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\pdqcom32.ocx	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF7E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\PSCRIPT.DRV	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF834.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\PKZIP25.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\PREPECF.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mscomctl.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\tabctl32.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\comdlg32.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mscomctl.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ApexWin\PSCRIPT.DRV	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00409106 GetTempPathA,GetWindowsDirectoryA,GetPrivateProfileStringA,wsprintfA,	0_2_00409106
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_004019D5 GetPrivateProfileStringA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,lstrlenA,lstrcmpiA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,ExpandEnvironmentStringsA,lstrcpyA,GetPrivateProfileIntA,	0_2_004019D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040D9BB GetPrivateProfileIntA,wsprintfA,CharNextA,CharNextA,CharNextA,GetPrivateProfileStringA,	0_2_0040D9BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00406B4C GetPrivateProfileStringA,	0_2_00406B4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00407353 __EH_prolog,GetPrivateProfileStringA,GetPrivateProfileStringA,wsprintfA,GetPrivateProfileStringA,wsprintfA,SendMessageA,SendMessageA,MessageBoxA,GetDlgItem,SendMessageA,SendMessageA,lstrcatA,wsprintfA,lstrcatA,wsprintfA,RegQueryValueExA,SetCurrentDirectoryA,RegCloseKey,GetPrivateProfileStringA,lstrcatA,lstrcmpA,lstrcmpA,lstrcmpA,KiUserCallbackDispatcher,	0_2_00407353
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_004013EE GetPrivateProfileStringA,lstrlenA,	0_2_004013EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00406B93 GetPrivateProfileIntA,	0_2_00406B93
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00407C0F __EH_prolog,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetModuleFileNameA,lstrlenA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,CoInitialize,SysFreeString,GetPrivateProfileStringA,SysFreeString,SysFreeString,CoUninitialize,	0_2_00407C0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00409437 __EH_prolog,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,CoInitialize,GetPrivateProfileStringA,lstrlenW,WideCharToMultiByte,SysFreeString,SysFreeString,CoUninitialize,	0_2_00409437
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040D487 GetPrivateProfileIntA,wsprintfA,wsprintfA,GetPrivateProfileStringA,wsprintfA,	0_2_0040D487
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040A5A2 __EH_prolog,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,wsprintfA,lstrlenW,WideCharToMultiByte,	0_2_0040A5A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00409EC8 GetPrivateProfileIntA,GetPrivateProfileStringA,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,lstrcmpA,CopyFileA,GetLastError,wsprintfA,lstrcatA,wsprintfA,MessageBoxA,MoveFileA,lstrcatA,CopyFileA,	0_2_00409EC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040CEDB __EH_prolog,lstrcpyA,IsValidCodePage,GetPrivateProfileIntA,lstrlenA,lstrlenA,lstrlenA,wsprintfA,	0_2_0040CEDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_004096DF GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcpyA,	0_2_004096DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_004081BC __EH_prolog,CopyFileA,SetFileAttributesA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,lstrcpyA,GetPrivateProfileIntA,lstrcpyA,lstrcpyA,wsprintfA,wsprintfA,lstrcatA,wsprintfA,wsprintfA,lstrcpyA,GetModuleFileNameA,wsprintfA,lstrcatA,RegCreateKeyExA,RegCloseKey,lstrlenA,CoInitialize,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,RegCloseKey,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,RegCloseKey,CoUninitialize,lstrlenA,RegSetValueExA,RegCloseKey,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,RegCloseKey,	0_2_004081BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_004052F6 __EH_prolog,CharNextA,CharNextA,CharNextA,lstrcpyA,GetPrivateProfileIntA,wsprintfA,GetPrivateProfileStringA,	0_2_004052F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00409BB0 wsprintfA,GetPrivateProfileStringA,lstrcmpA,	0_2_00409BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00406BBB wsprintfA,GetPrivateProfileStringA,	0_2_00406BBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00406C9C lstrcatA,GetPrivateProfileStringA,	0_2_00406C9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040A51C GetPrivateProfileIntA,wsprintfA,RegCreateKeyExA,RegDeleteKeyA,RegCloseKey,	0_2_0040A51C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040FDD6 wsprintfA,wsprintfA,CharNextA,CharNextA,CharNextA,lstrcatA,wsprintfA,GetPrivateProfileStringA,VerLanguageNameA,	0_2_0040FDD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00404E21 CharNextA,CharNextA,CharNextA,lstrcpyA,GetPrivateProfileStringA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,lstrcpyA,lstrcpyA,CharNextA,	0_2_00404E21
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00408ECE GetPrivateProfileStringA,GetPrivateProfileSectionA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_00408ECE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00404740 GetPrivateProfileIntA,CoCreateInstance,wsprintfA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrlenW,wsprintfA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,CoCreateGuid,lstrcatA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrcatA,CreateProcessA,SysFreeString,lstrlenW,wsprintfA,WaitForInputIdle,CloseHandle,CloseHandle,CloseHandle,Sleep,CreateItemMoniker,GetRunningObjectTable,SysFreeString,RegCloseKey,RegCloseKey,RegCloseKey,SysFreeString,	0_2_00404740
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_0040A779 GetPrivateProfileStringA,GetPrivateProfileIntA,	0_2_0040A779

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apex EDI Inc			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apex EDI Inc\ApexWin.lnk			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0040FF30 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040FF30

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\tabctl32.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\ECP.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PWECP.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\comdlg32.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\ApexWin.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\scrrun.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\ICONLIB.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\dclient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\data9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Pdqtapi.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\data.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\pwmon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\ALTAFORM.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\msado25.tlb	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PSMON.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\pdqcom32.ocx	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF7E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PSCRIPT.DRV	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF834.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PKZIP25.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PREPECF.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mscomctl.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-15814

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_00410106 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,

0_2_00410106

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0040BE0A GetVersionExA,GetSystemInfo,

0_2_0040BE0A

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\Temp\_isE74C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

0_2_00409EC8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00418923 SetUnhandledExceptionFilter,		0_2_00418923
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: 0_2_00418935 SetUnhandledExceptionFilter,		0_2_00418935

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0040F808 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

0_2_0040F808

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Binary or memory string: Shell_TrayWndArialCANCELDescriptionMSlovenianBasque%xDefault%#04xTitle.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyISScript.MsiCacheFolderCacheRootLocationTypeScriptVerServicePackPlatformIdBuildNoMinorVerMaxMinorVerMajorVerSupportOSProductCodeSuppressWrongOSSuppressRebootSoftware\Microsoft\Active Setup\Installed Components\%s{1C370964-514B-321C-7237-2B4FD86D8568}{021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}{7E76A8D6-33D1-0032-16C3-4593092861D0}{E7E2C871-090A-C372-F9AE-C3C6A988D260}{F1B13231-13BE-1231-5401-486BA763DEB6}{6741C120-01BA-87F9-8734-5FB9DA8A4445}{F279058C-50B2-4BE4-60C9-369CACF06821}{78705f0d-e8db-4b2d-8193-982bdda15ecd}{9B29D757-088E-E8C9-2535-AA319B92C00A},.VersionISSCHEDULEREBOOT=1 ISSCHEDULEREBOOT=1InstallerLocationSoftware\Microsoft\Windows\CurrentVersion\InstallerMicrosoft(R) .NET Framework /l%d /q:a /c:"install /q"dotnetredistSp1.exedotnetredist.exedotnetfx.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: GetLocaleInfoA,TranslateCharsetInfo,		0_2_0040F92E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	Code function: GetLocaleInfoA,		0_2_0040F98B

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Code function: 0_2_0041586F EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

0_2_0041586F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	32 Masquerading	OS Credential Dumping	2 Process Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Process Injection	1 Access Token Manipulation	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	1%	Virustotal		Browse
SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\ApexWin\ApexWin.exe	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\ApexWin.exe	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\ECP.exe	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\ECP.exe	3%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE	1%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\Extra\data9.exe	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\Extra\data9.exe	1%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\Extra\pwmon.exe	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\Extra\pwmon.exe	1%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\ICONLIB.DLL	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\ICONLIB.DLL	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\PKZIP25.EXE	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\PKZIP25.EXE	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\PREPECF.EXE	3%	ReversingLabs
C:\Program Files (x86)\ApexWin\PREPECF.EXE	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\PSCRIPT.DRV	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\PSCRIPT.DRV	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\PSMON.DLL	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\PSMON.DLL	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\PWECP.EXE	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\PWECP.EXE	3%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\Pdqtapi.ocx	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\Pdqtapi.ocx	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe	2%	ReversingLabs
C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\data.exe	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\data.exe	3%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\dclient.exe	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\dclient.exe	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\msado25.tlb	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\msado25.tlb	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\pdqcom32.ocx	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\pdqcom32.ocx	0%	Virustotal	Browse
C:\Program Files (x86)\ApexWin\scrrun.dll	0%	ReversingLabs
C:\Program Files (x86)\ApexWin\scrrun.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.apexedi.com	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://crescent.progress.com/crescent/codedepot.html	pdqcom32.ocx.2.dr	false		high
http://www.apexedi.com	622280.rbs.2.dr	false	0%, Virustotal, Browse	unknown
http://crescent.progress.com.	pdqcom32.ocx.2.dr	false		high
http://www.installshield.com/pftw/	aps102eng.exe.2.dr	false		high
http://crescent.progress.com/	pdqcom32.ocx.2.dr	false		high
http://www.apexedi.comFile:	SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe, ApexWin.msi.0.dr, 62227f.msi.2.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429056
Start date and time:	2024-04-20 13:32:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Detection:	CLEAN
Classification:	clean8.winEXE@8/83@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 77 Number of non-executed functions: 114
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtSetValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ApexWin\PKZIP25.EXE	HancockWhitney_AdminNoScanner_555036 (1).exe	Get hash	malicious	Unknown	Browse
	Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.5-2.2.3.1_RR_v2.2.2.1.exe	Get hash	malicious	Unknown	Browse
	Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.5-2.2.3.1_RR_v2.2.2.1.exe	Get hash	malicious	Unknown	Browse
	C55Mh1wlvj.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\622280.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	265324
Entropy (8bit):	5.514805115553223
Encrypted:	false
SSDEEP:	6144:i3MetOD9qxzlpUiX8F3mQO/sPNGiep1THf1LR0JsbwTxpBu1R6/J7dMCmNO7j0vn:Vu
MD5:	88D114F774DA32310F2AAA2D90EE3951
SHA1:	BE177A3EE5DEDE5D365645C0C8DB4FB0B0904B41
SHA-256:	9EF76DCAC2B8B451ACE27009A47F47AAE4AF5AC34B3E742DFDC44753DA8D6CBC
SHA-512:	ED38DE99F291726CBF398FBCDC543F01641F9D77EC7A1EF7E9CBB661D171E92B12BF033062E14BD979776FC14D81B2CF4F836071BCE695CB79214B8CB6AFEF8C
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@5l.X.@.....@.....@.....@.....@.....@......&.{348DFD33-272D-4451-8968-31E94E81AE45}..ApexWin..ApexWin.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{B5878C7F-DF01-43A0-9EE0-60D4127E7720}.....@.....@.....@.....@.......@.....@.....@.......@......ApexWin......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{65A9054E-7B69-47A8-963F-3BEF2931F7B3}&.{348DFD33-272D-4451-8968-31E94E81AE45}.@......&.{B0BFDC86-941B-11D6-A99E-0050DA600812}&.{348DFD33-272D-4451-8968-31E94E81AE45}.@......&.{B0BFDCAA-941B-11D6-A99E-0050DA600812}&.{348DFD33-272D-4451-8968-31E94E81AE45}.@......&.{2DB6BF98-4AFD-486F-A9C1-0ABDECDD416F}&.{348DFD33-272D-4451-8968-31E94E81AE45}.@......&.{C37FF483-4097-4D04-8250-F332372C4BD2}&.{348DFD33-272D-4451-8968-31E94E81AE45}.@......&.{B0BFDCAF-941B-11D6-A99E-0050DA600812}&.{348DFD33-272D-4451-8968-31E94E81AE45}.@......&.{DC6BAFE4-94D8-11D6-A99E-0050DA600812}&.{348DFD33-2

C:\Program Files (x86)\ApexWin\APPLE380.SPD

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PPD file, version "4.0"
Category:	dropped
Size (bytes):	6046
Entropy (8bit):	5.260712936580884
Encrypted:	false
SSDEEP:	96:K5UW/qClUmcNFO0U0TLUPr3t6GNadToyUhs+VVeMO+/UzeVd9WK+r7V2EfArgelZ:aiClUmcNFO0U0TLUPr3t6GNaRoBH8zof
MD5:	2EF7075F72027C4DAE30A4A01E92B66C
SHA1:	E8E67F2E8740CBF57ED1189166C85EF7B62E5BC6
SHA-256:	3C39824824DA32DB93AC4CF9A62BE15D6896BA63252418A340C003FC9BF91289
SHA-512:	74591F55F63A9F90255BF020AAE59BE4DBEF5C4D23975CA3A6A258AA35C3EA21E932FAA6A0D7E731FAC7D40A7EA889BC06109BC6DBA474FED629A7CAD472120F
Malicious:	false
Reputation:	low
Preview:	PPD-Adobe: "4.0"..% APPLE380.spd: Simplified form of APPLE380.ppd..PCFileName: "APPLE380.PPD"..Product: "(LaserWriter Plus)"..PSVersion: "(38.0) 2"..ModelName: "Apple LaserWriter Plus"..NickName: "Apple LaserWriter Plus v38.0"..ColorDevice: False..FreeVM: "172872"..LanguageLevel: "1"..Password: "0"..ExitServer: ".. count 0 eq { % is the password on the stack?.. true.. }{.. dup % potential password.. statusdict /checkpassword get exec not.. } ifelse.. { % if no password or not valid.. (WARNING : Cannot perform the exitserver command.) =.. (Password supplied is not valid.) =.. (Please contact the author of this software.) = flush.. quit.. } if.. serverdict /exitserver get exec.."..End..DefaultResolution: 300dpi..*?Resolution: "..save.. initgraphics.. 0 0 moveto currentpoint matrix defaultmatrix transform.. 0 72 lineto currentpoint matrix defaultmatrix transform.. 3 -1 roll sub dup mul.. 3 1 roll exch sub dup mul.. add sqrt round cvi..

C:\Program Files (x86)\ApexWin\ApexWin Claims.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Icon number=0, Archive, ctime=Thu Oct 18 21:33:02 2007, mtime=Thu Oct 18 21:33:04 2007, atime=Thu Oct 18 21:33:04 2007, length=6, window=hide
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.5972410991252755
Encrypted:	false
SSDEEP:	12:8kRURRUBIK/+Tf1sedpCKUnkm83EEADYjApeSzubdp1ykklst8nFdnxfM:8prKedtUtF8A3qdJ1oxE
MD5:	0721A9C98E6612AD9204833655565921
SHA1:	A9D362B31908FF3335F5C131A314E9E2E0A7AE4D
SHA-256:	8B6987F46361C402611E951C44490ADB35378F25140A5761E114CD5A424775A7
SHA-512:	13072369EDE34D34F08E49B68FB2F90C792FE6757FD83F5FC3715FAD88820DB027456E1B6296EDE0BC8D0858ADE58E5F888F61C240F5EB3911E767C6660F26B7
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....&?.....v.......v....................................P.O. .:i.....+00.../C:\...................J.1.....R7....PROGRA~1..2.......1.R7".....P.r.o.g.r.a.m. .F.i.l.e.s.....<.1.....R7#...Apexwin.&......R7..R7#.....A.p.e.x.w.i.n.....H.2.....R7#. .apexwin.exe........R7".R7#.....a.p.e.x.w.i.n...e.x.e.......S...............-.......R..............x.....C:\Program Files\Apexwin\apexwin.exe....C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.p.e.x.W.i.n...F.:.\.P.r.o.g.\.A.p.e.x.W.i.n.\.a.p.e.x.w.i.n...i.c.o.........&...w...`.......X.......sheldonlaptop....#..JU.E..8.._r.@Lj.\|......A.e#.#..JU.E..8.._r.@Lj.\|......A.e#....

C:\Program Files (x86)\ApexWin\ApexWin Dialup.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Oct 18 21:30:59 2007, mtime=Thu Oct 18 21:31:00 2007, atime=Thu Oct 18 21:31:00 2007, length=6, window=hide
Category:	dropped
Size (bytes):	646
Entropy (8bit):	4.607882745400741
Encrypted:	false
SSDEEP:	12:8els8AMABIK/Zbf1O+dpCP98PADYjApeyzubdpkzykklst8n+nx9:8elIt1ldk998AXqdU1fx9
MD5:	3C23C2C69500D209049DE6B2DA61FBCC
SHA1:	43E08F39D268D113B0AC14AFB7E547F3A561C961
SHA-256:	0E9E74B1F80A07783647E8DD9FFAD298A17A8B89663847BD49690605C367F629
SHA-512:	A631BF2860DA5E628C4174FC78FD0A06CE32273110A3F3BDB4448E30E2FD7CD23F586FBF383A039E61C8901CA9310740350B6F56E07A5324574309D3B3BAA142
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...4.n......D......D..................................P.O. .:i.....+00.../C:\...................J.1.....R7...PROGRA~1..2.......1.R7.....P.r.o.g.r.a.m. .F.i.l.e.s.....<.1.....R7...ApexWin.&......R7.R7.....A.p.e.x.W.i.n.....H.2.....R7. .ApexWin.exe........R7.R7.....A.p.e.x.W.i.n...e.x.e.......S...............-.......R..............x.....C:\Program Files\ApexWin\ApexWin.exe....C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.p.e.x.W.i.n...s.h.o.w...F.:.\.P.r.o.g.\.A.p.e.x.W.i.n.\.a.p.e.x.w.i.n...i.c.o.........&...w...`.......X.......sheldonlaptop....#..JU.E..8.._r.@Lj.\|......A.e#.#..JU.E..8.._r.@Lj.\|......A.e#....

C:\Program Files (x86)\ApexWin\ApexWin Statements.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Oct 18 21:30:59 2007, mtime=Thu Oct 18 21:31:00 2007, atime=Thu Oct 18 21:31:00 2007, length=6, window=hide
Category:	dropped
Size (bytes):	640
Entropy (8bit):	4.607583374199113
Encrypted:	false
SSDEEP:	12:8els8AMABIK/Zbf1O+dpCP98PADYjApeyzubdpi6ykklst8n+nx9:8elIt1ldk998AXqds+1fx9
MD5:	60EF1B7ACED96AA3397FA248B52148ED
SHA1:	58F0D96AE661403811D0BD2FA808A15F7E066A83
SHA-256:	9A493761AABAAA417D1984DEED4C408E57F9CAB92B54973E0AD8CB70751A4195
SHA-512:	73EF201E543F3C2BB7361E6018B38072D44C904513F6B294A2081EB3544FF3B40188836EEBA9C245B7C0E6BB605F7A6929AFA4FF1CD89F6C0334080F0847F613
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...4.n......D......D..................................P.O. .:i.....+00.../C:\...................J.1.....R7...PROGRA~1..2.......1.R7.....P.r.o.g.r.a.m. .F.i.l.e.s.....<.1.....R7...ApexWin.&......R7.R7.....A.p.e.x.W.i.n.....H.2.....R7. .ApexWin.exe........R7.R7.....A.p.e.x.W.i.n...e.x.e.......S...............-.......R..............x.....C:\Program Files\ApexWin\ApexWin.exe....C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.p.e.x.W.i.n...s...F.:.\.P.r.o.g.\.A.p.e.x.W.i.n.\.a.p.e.x.w.i.n...i.c.o.........&...w...`.......X.......sheldonlaptop....#..JU.E..8.._r.@Lj.\|......A.e#.#..JU.E..8.._r.@Lj.\|......A.e#....

C:\Program Files (x86)\ApexWin\ApexWin.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	659456
Entropy (8bit):	5.86074003383588
Encrypted:	false
SSDEEP:	12288:XP5LZ4YktGKKkJFvByhjQqehXdoxTrfjF1:RLZ4/Kkh0j2NoxTrfjF1
MD5:	3DECE6FEAD9F33BFEC7E32D865135090
SHA1:	8D28964B21483D7B1C9174EEAB55AFCF4AC1D942
SHA-256:	4E8289874F4C42DDA96CCEB2078D5AE9C6E5ADC03275AFB0336E8CD24CDAD353
SHA-512:	D06882FEC8AE28AFEB14AEB42DDC4AA03A9306C08A68F8F951611EF4A08DB7ED66E111F66AC57234878733C6FD0E473A121DE0B74424320A02366ACF48F2836B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.GU..)...)...)...'...).t. ...)...$...).Rich..).........................PE..L.....{H............................dH............@..........................p......x..........................................(....@..d ..................................................................8... ....................................text............................... ..`.data....e..........................@....rsrc...d ...@...0..................@..@...H............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\DosCopy.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.711080496244278
Encrypted:	false
SSDEEP:	3:urQLK2FD3v:urQ+2Nf
MD5:	BEDF7D70BAAFC29954EDDC737639843A
SHA1:	12AC82D8FF6658312414796AD07322E982D56EC5
SHA-256:	E8A81FD39D19550D63ECBAE8BB83BD1ED5111618D47914AEE43A029656C7B537
SHA-512:	DD06221DF6CC072D71E1EDA25CCE2706FC662B65CB9D460F2D6EA5A6666AEAD940F10160B4C0BA02A570FC2F8895DF97B35D1B346D8E52FB6E494758FDF96A18
Malicious:	false
Reputation:	low
Preview:	copy %1 %2..rem copy %1 lpt1..

C:\Program Files (x86)\ApexWin\ECP.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	4.925296697489885
Encrypted:	false
SSDEEP:	768:Kj/gTU44eGIMbCFqV3Rb1GTcQyXlO+zIhEOFquegYd8ULa:eP4gIqT1FhtL
MD5:	7E70364E340035329630F73CCE2081ED
SHA1:	DEFD7713B5824849227BB4FB3DFF1C7C51837656
SHA-256:	A28935634917A088931BC97689CD35C96402AF7BEF5063305BCB4085B52F4B30
SHA-512:	AB1EAF6BE0912F75DBACA11030F34A05951FF43E86E61CB8A2361E9A7165E23D05773131669550C6B863B0E621A0258D46B99D5B26B8EA74DE6E5073557B7A9D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./]..k<..k<..k<... ..j<..$...i<..o...j<..Richk<..........PE..L...$.t=..................... ....................@.............................................................................(...........................................................................(... ....................................text............................... ..`.data...............................@....rsrc...............................@..@.\|.9............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\Extra\ALTAFORM.EXE

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Zip archive data, made by v2.5, extract using at least v2.0, last modified Mon Feb 28 19:55:47 1994, uncompressed size 4608, method=deflate
Category:	dropped
Size (bytes):	82326
Entropy (8bit):	7.985157690088808
Encrypted:	false
SSDEEP:	1536:fEnZtt40/RptNgTdCu5S53IKUUlfeD0Oz39J9T57lB/0VuGe:8ZIQbgagQOz39H57j0VW
MD5:	C58A33CC9BED3686792168C0B642F024
SHA1:	1CA56E063AA2FAC6EE5AB8425DFB1A99B8F57366
SHA-256:	68A8E360038573AAEB7BDAAFDDC8FCC07694BAB1582D8CF04E5CACEA7D5349D7
SHA-512:	C37A118E450316BE68A2210923254FDC062AB681DCD8E6B6D40C8824AEFB9D8C679C2C60F7E10E8E75D25CDF2EBA3E9A5D9E7DB8EAD91984CBFB86707193A027
Malicious:	false
Reputation:	low
Preview:	MZ..!............g......R.....PKLITE Copr. 1990-93 PKWARE Inc. All Rights Reserved...................A...;...r.......!..L.!Not enough memory$....N.WWR..........It...............DW...'.....9...G.]..............EDhQR..+.d..J.....R...i.i...M.u...........x.c...0aDLQf...c..YoW..3o?..0Z.w.q...C/s.^..~..f..O.Z%..1G...^..P.Z>.sL9...F6...cl.A.q.........a.B5..Gj-.F..OF....P..}..5D?C3.wJ..f...}.~N...4\|..1..(.X...H...H..:_.t.w8... ...v.....V..".j@.K7b.,.HZ...w..=..x4i.................E......LC.-................N.%......&.....7T.D...O.F..............T.]..S.E..H.F...UV...........5.v..o.......x......P..V..`..y..z.....A...2[.p....Z.....C...(....3........e.=.......ed3.....x....).d"..).u.._..p...W{....._..Y..'h..X..:..A?A.W.!.r....z......9.6..E....{......Y.K..O<..v......^^.........?.........v"ZQ................DC.......#.N..."?..v.Q3.d.8,...8....`.= ..+..M... .u&.$S........NP.........V....1....................f.....p....5....Y.2.......=......m...[...1......^.4..\

C:\Program Files (x86)\ApexWin\Extra\AltaDentForm.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Generic INItialization configuration [END FORM OPTIONS]
Category:	dropped
Size (bytes):	7909
Entropy (8bit):	5.459157067355326
Encrypted:	false
SSDEEP:	96:4Z+Po8Ox30/wFA4Wg5En//PoOtd4vBkqgk3lp+E8AuTREeOBS7y:Vw8O6wFl7+EBM5E8AuRE+m
MD5:	D6CADC8B9F2093B05C3E5FB6D7098C71
SHA1:	CE66A37316B9DC71FAF9996DFB4CE7E8ED25944E
SHA-256:	F28F36EE344378D80AF3D0B14C28A6B69552B71B4F7C1F2443115188A2C0E45E
SHA-512:	6AAC13F16A4840A8B357D0933683A06AB3F16F7F9E4E052890DDA0A4B7C7834C3C4440B0A4A242551AC0D1137B023431C94F0F4705D6CB5FCF045BD923504894
Malicious:	false
Reputation:	low
Preview:	[FORM OPTIONS].. MAXLINES = 8.. LINEHEIGHT=0.1667.. LEFTOFFSET=-2.. UPPERCASE.. CPI=10.. FILE=C:\ALTA\ECSFILE.TXT.. [END FORM OPTIONS].. .. .. [MARGINS].. Top = 0.0.. Left = 0.0.. Right = 0.0.. Bottom = 0.0.. [END MARGINS].. .. [FONTS].. Font 1 = Courier, 10, Normal.. [END FONTS].. .. [PATIENT INFORMATION].. [Primary:Company,4.854,0.427,3.000,LEFT,Font 1]..;.. [IF Bill:Estimate = True].. ["X",0.302,0.396,0.229,LEFT,Font 1].. [ENDIF].. [IF Bill:Estimate <> True].. ["X",0.302,0.552,0.250,LEFT,Font 1].. [ENDIF].. [Bill:Ins1_Prior,3.760,0.583,1.000,LEFT,Font 1].. [Primary:Address1,4.854,0.604,3.000,LEFT,Font 1]..;.. [Insurance:Prov_ID,1.156,0.719,1.333,LEFT,Font 1].. [Bill:Ins1_ID,3.635,0.750,1.135,LEFT,Font 1].. [Primary:Address2,4.854,3.604,3.000,LEFT,Font 1]..;..[Primary:City + ", " + Primary:State + " " + Primary:Zip,4.854,,4,LEFT,Font 1]..;.. ;.. [IF Bill:Ins1_GRel = "M"].. ["X",3.05,,0,2,Left,Font 1].. [ELSE].. [IF Bill:Ins1_GRel = "P"].. ["X",3.55,,0,2,Left,Font 1].. [ENDIF].. [ENDI

C:\Program Files (x86)\ApexWin\Extra\Apex Electronic Claims.LCI

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	4401
Entropy (8bit):	4.215625882265984
Encrypted:	false
SSDEEP:	96:Cdp84Ibmq0HswNQhW3Lx3auGN0IzyYxbepMjVMzkSPlkD8TPAnl2vYaxQv:iptIIQbcJlkD8LAlqbxQv
MD5:	2CBE8278F35DFCB5AD1ABA0FAD57A513
SHA1:	1D2F9F6E02659FAACE8B9F986C15D26480DD0565
SHA-256:	F58520561D988DE1C0A1149D22BCFC306C7155BE6EB90E68C2ADEE22DE428B21
SHA-512:	C280756F42ABD6988B8D68767BC50FE585869E3DD1380B620F85DBFAC5B297341C02DF3FC65190A806B3D7D1BB0AB4C7B89BF2DEBFA00DE05B8FD9DECFA2B137
Malicious:	false
Reputation:	low
Preview:	TEXTFORM...........P..........c:\program files\apexwin\ecsfile.txt.....................................................................................................e........./....+...................+...................+...............5....... ........@....... .......2....+...............5....... .......3....6...............A....... .......4....B..............f...................g...................h...................i...................m...................j....'..............k....-..............@....3........................................... .................................... ........................................%02m%02D%Y.......E..................F..../...............1....... .......G....2...............<....... .......H....=...............G....... .......I....H..................................n....!..............o....&..............p....*..............q..../...................2..................................................R........#.......if [Patient Marital Statu

C:\Program Files (x86)\ApexWin\Extra\Apex Electronic Statements.lcs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2614
Entropy (8bit):	4.661934760625104
Encrypted:	false
SSDEEP:	48:3/fex7cYKcxNp4T8GatyRvTR4qlpEBlb4lP7d7d7d70OCO/Il8MlzNlOylKqlGlL:3nTYV4T8RyRvdd3EBGHBBhC+IhzJjI9
MD5:	AA811A2844F3FC15C99BFFD86D667C5F
SHA1:	0AB52D728C0979DA26884E465E8CFE67A6C2184D
SHA-256:	8A443A9B9BDEF476A7B64E0DBE3FDBF6BE0CA6603142A5A414C27A53492CA388
SHA-512:	2FD8AE785497DC41AEEE2161A7F658C9A807A599B45761D4D332823A70A15C60875DDD56E175BA3FFA1A45498963C9E226DA195E38EDD2BC5D4DB7C845EF177B
Malicious:	false
Reputation:	low
Preview:	TEXTFORM...........P...........C:\Program Files\ApexWin\statfile.txt........................................................................................................................STATEMENT OF ACCOUNT........H.......Page............M...................................3.......Account Number:............E...................................3.......Statement Date:.......Z....H.......%02m/%02D/%Y........................................................, .................................... .......................'....3.......Payment Enclosed:____________.......$............................ .......%............................ .......#...........................................................(............................, .......)............................ .......*...............X........N... Date For Description Ref. Charges Credits...Z........P...-------- ------------- ------------------------- ------- ----------- -----------.................

C:\Program Files (x86)\ApexWin\Extra\EWD00014.MOD

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	15660
Entropy (8bit):	5.060358298590475
Encrypted:	false
SSDEEP:	192:yQHb4JvCCfg1CSfRkFLskSH18Weu40d9ZMS75FC9Thi4vYQK/mAsqGuTE:nMJv33ykSX1J//6wevymA7ZE
MD5:	153B61BC247A695196DA39524EC33EB6
SHA1:	0FA0886379028BFB2721E2AAE7AD9A1533913614
SHA-256:	0DDC78A32AF6623E4DD7882DEA882543C80E714E45F718253AC7E5ACF6C499C2
SHA-512:	3AA3890DEC0366AC307B2F7AD6FCC6FFECC571A7D50B412F5E291E6BCE4BDCE650A82650E6345DB78CD99CFA78C4D375D3B866A24550F56034AD87AAE3BFCC9D
Malicious:	false
Reputation:	low
Preview:	{ .... Standard ADA form (1994) THIS IS ORG MOD 24 CHANGED TO MOD 14.... 4-8-99 Changed Troy, made so that it will always print 2 address lines..... 7.2 Dot Matrix Form.. cemp not asked for anymore, prelate made temporary and set to a.pirel1;.. Updated 1/9/98 to add 4 digit years (yyyy) on all applicable dates.. includes payment totals if items are marked to print on Ins.. d or D in trim(profile[1,1,3]) marks Medicaid box (also EDS in profile[12,1,3]).. ..}....primary = "Primary Standard ADA Form (1994)"..secondary = "Secondary Standard ADA Form (1994)"..preprimary = "Pri. Pre-Est. Standard ADA Form (1994)"..presecondary = "Sec. Pre-Est. Standard ADA Form (1994)"..screen = "Standard ADA Form (1994)"....testprint "Patient Birth Date Field" @(6,48,10) "XX XX XXXX"....imodno = 14....{ This data structure is roughly the same as 14. Tiname, and Tgroup have.. been commented out and replaced by variables ne

C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667705
Entropy (8bit):	4.64669200698165
Encrypted:	false
SSDEEP:	6144:0h40+ZzDOznB8/SbYaqd2DoqW2VXolLeZeYTV4BW4P82H5Y4CyUCp:0hPEA8SbYaQgW2dALecYTV4VHDCyUCp
MD5:	6DFDEA7FF6AA292C85DB7AD427DCA628
SHA1:	E1A44634CF5AAD43386F248B252C8E6FD4B81D56
SHA-256:	A001F58F64AE7ADCB432493F92B58BC0ACD66445A8648A641077EC3DC6246354
SHA-512:	2F4AF6F4C19822E02A4001F0F5C02716BF514EBA6CA96137BDC9B46E89C0A706527C6B1EA8038594F55A558C7F58C970A2C572994E8B969055630860FA717A30
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L#...B...B...B..s^...B..g]..B...^...B..g].WB..V`..B..^]..B..j]..B...B..EB...a..B..Rich.B..................PE..L...=..F.....................P.......L............@..........................@..................................................d................................0......................................................T............................text............................... ..`.rdata.............................@..@.data...\^.......P..................@....idata..............................@....reloc..k9.......@..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\Extra\data9.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	5.943330525747008
Encrypted:	false
SSDEEP:	3072:eAVjCEUCFUrYXdVBQteeCSGDrlLxqNtkC1xpzo:pCQFUrRY1lDBFqNtkC1D
MD5:	7CAC05E744A13DCDC275D603153E1119
SHA1:	9C91999798747519EED0BEFAE6E735684A4D4AA0
SHA-256:	51ECD6F87220A5BFB7C158B6E06E7AFF33176F0517CDBF4C0C1EDBE2216842FA
SHA-512:	60329239CA5052075FE1462A87EE24D9457260890101F81AE592E9F7223569000A722202483519C8EF98B274894C98D8EED292B46D22671ABC22E3EA44ABD7E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b6..&Wc.&Wc.&Wc.]Ko.%Wc.IHh.'Wc..Km.7Wc.IHi.xWc.&Wb.dWc.DHp.#Wc. th.$Wc.Rich&Wc.................PE..L....l.>..........................................@.......................... ..................................................<....................................................................................................................text...f........................... ..`.rdata...,.......0..................@..@.data....A.......0..................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\Extra\pwmon.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	4.235513990457265
Encrypted:	false
SSDEEP:	384:3zZdPSzABXidmSRQNtBQbIhVdXPxSLPbXtDYaTMlatqD30sLXxSz:37Sz01SA/hVdXPALL1Ybla+xLXxSz
MD5:	0216DD102453523D422FE9BE14A24E30
SHA1:	840EA4355EC137FCF23F1E32710E795ED099552F
SHA-256:	928BBEB501084D365980ABDC526BA06EE62C024EEF2AC5A43CF74CF81594F0C7
SHA-512:	0C336AAFE0CA0EE2FC6A8B3D2D1DF80BD663E61EBB453F8530198B39A7A250922F3C102C630DDD3A29D1248185BAE42235963A0B6B879B799BD325E492DFBD20
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./]..k<..k<..k<... ..j<..$...i<..o...j<..Richk<..........PE..L...-..A.................P... ...............`....@..................................a.......................................Y..(....p......................................................................(... ....................................text....M.......P.................. ..`.data...0....`.......`..............@....rsrc........p.......p..............@..@'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\FONTS.MFM

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	95719
Entropy (8bit):	6.148180556378838
Encrypted:	false
SSDEEP:	1536:uQ5jA5TBmLKafph50cxebfrP3pf70NHQ+RCLUAKGHs:J5jAJCfph5OrxANHBCLUAvHs
MD5:	0429BC080C0571EB67C958DF9B46932D
SHA1:	EA05FA033B5EA5FBF4385ABAB49CA39503E796F8
SHA-256:	4E8FA2D66ECA983F0E14C9338E6F81A06998A490C865D96ABE6616F12FE68296
SHA-512:	DEEF560CAE29664FEAB59DD84220EA332CE3FB8F277BCD98968EA7D26B965253AA70904B99BBCF502202F02EE34FA015AC0B1450DF068668628302C024526D23
Malicious:	false
Preview:	..................................................)...'Fr.....'2.g'..k...E.HVB_____.PFM.................].HVBO____.PFM.................].HVO_____.PFM.................].SY______.PFM.,...............].TIB_____.PFM.................].TIBI____.PFM..$..............].TII_____.PFM..+..............].TIR_____.PFM..2..............].HVN_____.PFM..:..............].HVNB____.PFM..@..............].HVNBO___.PFM..F..............].HVNO____.PFM..L..............].HV______.PFM.JS..............].COO_____.PFM..Y..............].POB_____.PFM..\..?...........].POBI____.PFM..`..a...........].POI_____.PFM. e..U...........].POR_____.PFM.ui..h...........].GDB_____.PFM..m..............].GDBI____.PFM..y..............].GDI_____.PFM.W...K...........].GDRG____.PFM.................].GDSBI___.PFM.................].HVBL____.PFM................].HVBLO___.PFM.Y...............].HVL_____.PFM................].HVLO____.PFM.`...............].HVC_____.PFM................].HVCB____.PFM.n...............].HVCBO___.PFM.....

C:\Program Files (x86)\ApexWin\ICONLIB.DLL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable, NE for MS Windows 3.x (DLL or font)
Category:	dropped
Size (bytes):	77712
Entropy (8bit):	2.643640745293126
Encrypted:	false
SSDEEP:	384:vglcAH9xKW25zs935xZxO5XAXtI/dSK5Ikn2a0SSSvqK9xCyoiAPCJBfFwl:Y6YxhfO2vCjfyl
MD5:	DFA53C3ABCCD572909881DEF787744FC
SHA1:	F1D61D10E1FB57C13DBD3BD16CCCE656CABD76EE
SHA-256:	24FB275FF084BD32AB940378E9C6DC9BEA88211E8CFBE0BC0470AEC7DFE0E9A8
SHA-512:	0575CE3DBE0B07E3529AC353B39DBE172B7E3AF438672A4152C56972F9C000D55EF0DC8467FCFF7C99388A16717C81FB85D66F4B53AAE486F40E5840BEB865A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ...... .........e@....@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.This program requires Microsoft Windows...$ Z.....!..L.!......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\LPT2FILE.COM

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	2497
Entropy (8bit):	6.507790160558068
Encrypted:	false
SSDEEP:	48:9tZYvnljNJ90UJmDUh+7iKkARlW4xak9yzWxqZ04zvB:9T8ljNJ9dJmDcaiKtW4xtRxqZXV
MD5:	31DEDDC674EEF38C283360A5E431BBB0
SHA1:	969EFD548A5A8C53A258AFA14B84234863535094
SHA-256:	D9F1B23E175C3477B5AE64B3B63121DAD76CDF25D2DC29B6288913A95CF6EF88
SHA-512:	3DEFE1D9CBCF74BE8BDC92868D93F1BFACDBEA571F81C6BC2321315214EA9C8FB1F22631C8F465A99B8197B5DC0673577E50CA306E1DC1E571A1E80573CF89B1
Malicious:	false
Preview:	.K....LPT2FILE.......................................................[...........................................................................................................................................>E..t....E.u5..>?..u....E.[.%W...>6..u...>7.&.=.u...>2.&.=.u...._...>F..u.......;.F.u...w.W...uJ...E.[..>?..;>;.tX...A.&..G..>?..;>=.r>..>6..u6..>7.&.=.u+..>2.&.=.u ........u...>?..t.....>?..;>;.t...._..._...>?..t%W...>6..u...>7.&.=.u...>2.&.=.u....._..........*....>?..t...>6..u.W...>2.&.=.._u.......6............&6..........6......"....&6.......6......&....&6.....:&..t..........u.........<.u...F....H....>?..t.......F....t.....H....\|..u...PSQR......E.[.?..C...?.....%.r....B3...!.@..C.3..A..!.>.!.ZY[X..=.H..!s!..C3.H..!..=.H..!s..<3.H..!s.....LPT2FILE 1.1 Copyright (c) 1993 Jeff Prosise..From: PC Magazine DOS 6 Techniques and Utilities....$Captures printer output to a file.....LPT2FILE [LPTn[:]=[[d:][path]filename]] [/B=size] [/C].... LPTn Specifies the LPT port

C:\Program Files (x86)\ApexWin\PKZIP25.EXE

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339456
Entropy (8bit):	7.165300545260226
Encrypted:	false
SSDEEP:	6144:bYDDo5iLWUUzkew7hFjl/48ACpnWjrNrwtdKqvQc2iGTVlQ:UDMitU7CpMrRwtdKAQP
MD5:	998C2626A275C4EE1D59C2B3D0EDE028
SHA1:	1636374DE9362D6995946E9985E223905D480354
SHA-256:	87D9FDA6037EC79D20FA73A5116ED9A24D76DA564C15C21A1F1F111A961E9622
SHA-512:	892E0F8B52AE7C4559C17D9A3455D4B70E629C0EEF8723087FC85EDB4F2E89D61F10BB8DC1CB4B31BAA867C40A9D8149BF319511A27E278760E9E57EC8CC42DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: HancockWhitney_AdminNoScanner_555036 (1).exe, Detection: malicious, Browse Filename: Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.5-2.2.3.1_RR_v2.2.2.1.exe, Detection: malicious, Browse Filename: Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.5-2.2.3.1_RR_v2.2.2.1.exe, Detection: malicious, Browse Filename: C55Mh1wlvj.exe, Detection: malicious, Browse
Preview:	MZ...... ...............@...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!..L.!PKZIP CLI for Windows 95/NT Copyright 1989-1998 PKWARE Inc. All Rights Reserved..PKZIP Reg. U.S.Pat. and Tm Off. Patent No. 5,051,745....Error: PKZIP CLI for Windows 95/NT cannot be run in DOS mode...$.PE..L...%.%5............................@.............@..........................................................................p..P....................................................................................q..p............................text... ...............

C:\Program Files (x86)\ApexWin\PREPECF.EXE

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	43248
Entropy (8bit):	7.174538700374259
Encrypted:	false
SSDEEP:	768:FZZrF9kvEYxBqt6c8G1IQPjbSQIuRgK8w0ghUnpxpH7HEYHPpJBuzeF6EPiBp:FZZrFmPxO5XByKBLOp/kYvpQp
MD5:	D3AB1AD9006D9EC67B9CB8099C69C767
SHA1:	CBE66A7C8D95B347C526A3A14CFF9613AB0CF3F5
SHA-256:	46B86D1C8CC3B88E17354839092EBAC4AC42C0A56F46216373FC6841DE97520B
SHA-512:	8C09B7883F6928905C60E9A038E3BE3D831787FC963410FCB315CF59C6BE38D7606219B4344F5B753ACCA63EE42B704152182DBBE939B69CCE346AED4C2CBD59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ..U... .O...........E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................blPREPECF ....P.j.......P.......p................1....Z.@.`..C...P.....P.....P.....PhV......hr.h\......hV..I.....u.hv..............hV.hz........u....h~...........h.......hV..6Z.j.j.......6Z......RPj.j......u.j..$...hV..............j..$...hV.h\..K...hV..6Z.j.j......h\..6`.j.j........6`..s...#.t..@..6`......h...hb.3.Pj.......hb.3.Ph..j.j..P....6Z......hb.......j..$...h\.............................U..VW..8P.....+X.K:..r0W.>b..=.......u._....A.!r..O.!s._^]......u....^.U..VW.^.....<

C:\Program Files (x86)\ApexWin\PSCRIPT.DRV

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable, NE for MS Windows 3.x (DLL or font)
Category:	dropped
Size (bytes):	393200
Entropy (8bit):	6.904272150478521
Encrypted:	false
SSDEEP:	6144:AY/gvTLGTNyQgWc2x9TS8Zf6zERc/KpYjpkr2blWvFZLzzmVl2T0KFh5Qx8ikEMw:sXGAQ7c2x9TSuf6zERc/Kmjpkr2JWvF8
MD5:	FF1F38D0435ADBD9CF0CEB4E9408C040
SHA1:	F39D1E45215F369673DE19E249A58A2A24B312E0
SHA-256:	F101B7045C5C964A2502AC83EE6BBEA54B26533B1D44C071ABE187DB1A6E6513
SHA-512:	243464E74C9BB23B4268271EE9AFBCE389B9B3085F74D9A916147A1410838FA4BC59BB24FB125F96BA94E75BE682F9E8BD1195ECA8FA6B3A529DE4CBAEC87B27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ...... .........e@....@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.This program requires Microsoft Windows...$ Z.....!..L.!......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\PSCRIPT.HLP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows 3.1 help, Wed May 10 01:36:35 1995, 20439 bytes
Category:	dropped
Size (bytes):	20439
Entropy (8bit):	4.980376704101589
Encrypted:	false
SSDEEP:	192:3iaqiMsbCxJWISERs+GJ+xUqSErDACeLzqjizk4WhjlkwSPHexlXq2mQhZoGjuf5:3Hg5J4+GTqxrDAluj2kRlAP+AWzXjuhX
MD5:	DCE9F5C61EF846BC3416C3E4FF31EF89
SHA1:	1E35BA80BDD1EC6B9017745FF91C3C53771EBE94
SHA-256:	FD9555A8700FE7BE85A3F5D8D8ECA2341EE2BC1BC683DA6A8881D09C3EA1C33A
SHA-512:	091634CCBE41D6FC52F8AC6E890410ED525189DB990C023E25C5A7425A41A2FFDD7048E9CA49D57897F2ECA8B9B0A3E215E64E45A1610080D0ADBFAFC93276E1
Malicious:	false
Preview:	?_..7........O..'.........(,.aamou.ntanandA.rchivear.easASCII.availabl.eb..foreb.uttoncal.culation.scanchan.gechoose@clickC..c.olor. sCo.mmunic1@...mputercu.stomdata.defaultd.ialogdif.ferentdo.cum. wnlo.$.d.Pi\|.dge.En..sexam plefi..on.t..s..For...matfromh aveheh.rh.owHoweve.rIfimage0inin....te0lyin40..is.itl..u$.l0..lmargin.02sX.ch. ..ma.ym+.netwo.rknonpri.a.F.notNotdeo..op>..0s ororiM.al.p..paperp.arallel.....edphoto.graphspl.acedPost.Script_ d k&.. r.@sz !.s.creense ..lec'.Send.s..=.. ..tsebrt.set1 .@s.houldsiz.espv.spec ificS.0es..0ysubsti.t..d.`..uch.supports.thattheTThe..n..s..i.....imetoT.rueTypet"ry.gun~bus.....value. .swantwF....S.rwhichw@illyou..r.%)),).-0.12253400@8;abou\.j.g..0edafx.e....oa..G.any...As..wayb...gbestbiBn..aryB. b.itBitmap.b5.boxbui.lt-#.utby$By..rae.rsHche..mm5.o.nnz!..trolhcop>.c]...a.te.0dcur...C.3..edep.1.devi..ir...}.Di..ysDo!.Ssdoe..n'.tdpidr....HchE .ef..i.J.en..opeE0PSery.2.ct.lyexcept farfa..rf.eedE.sFli.pFF#u^.fut@ureget."i.cshasH....Lei....gn).dYN#s

C:\Program Files (x86)\ApexWin\PSCRIPT.INI

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.4466994000827365
Encrypted:	false
SSDEEP:	6:d+M0cBwaeBcXtFrBcfHaYzcRqRisUezcNUodezcT5mezcrxTnpqHy:cJtEFre6YUqQbe9ImeI5nuy
MD5:	84CDE01398896F2DDA2D7449AD864E03
SHA1:	F28D72FFCBE85172B030718A3F383596D3415A56
SHA-256:	004E1F88BFB309F961A5C40B98912E05FC7A129194A201B3E56C69E0E6CF9040
SHA-512:	554C9AD4678ADE574F1E1238E4A673A95EB8DFF20EF690F2BFB4D4959DE1D33D5EFA6013455CCA2F9F3C64DC4F11AC1BEA339356C9C6C7B3CA8B35CDF1284671
Malicious:	false
Preview:	[DEFAULT_USE_PORTABILITY]..printer1="QMS 420 Print System" ..printer2="QMS 860 Print System" ..printer3="QMS 860+ Print System" ..printer4="QMS 1725 Print System" ..printer5="QMS 3225 Print System" ..printer6="QMS 4525 Print System" ..printer7="Microtek TrueLaser"..

C:\Program Files (x86)\ApexWin\PSMON.DLL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	4.429977763667845
Encrypted:	false
SSDEEP:	384:qiTfwBMSGxSLPOAq5/C4+JNNbLrVM2WvWMWi+fyqLdyeG3BoIWIRvXk1wBxzD:qiTYBMFWWAi/g+XW58x3BoITJXTD
MD5:	88EEF8E4483471A3544F3A03947EF1DF
SHA1:	C3504BFDF6744D72A430EDF637C91A81882BCDCC
SHA-256:	AF31239F036BFF6E4F3056E6D913B0787C30E4F55C89CB73763B7C05F7142A15
SHA-512:	8495BA922EA66D69F0A39F891B0C98E84E9E335845856545B930072208848796384461E17FF2B195E5815140BA397A84988E29DFB318F1815A7B4A35D929E960
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......2...........!...2. ...L...............0.....}................................................................`..h....P.......p..\#...........................................................................................................text............ .................. ..`.data........0.......$..............@....idata.......P.......B..............@..@.edata..h....`.......F..............@..@.rsrc...\#...p...$...H..............@..@.reloc..d............l..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\PWECP.EXE

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.980731707849294
Encrypted:	false
SSDEEP:	1536:6S5s8D38K+cYD/82RMJxAWZTl59nXqcHXqcMXGHjS:6SyS6Sqc6cljS
MD5:	F7C0C596016B3AE86C9A6786E0B86565
SHA1:	B0A325C56D41284E062C02FBB9D27A7509BDF17C
SHA-256:	AE60D1EE6EB9CA2DC018A4C2F17ED3C25850D2F064ABC3795B9DF9A4E2236C8A
SHA-512:	3D45EEBB2F1A67400DDF607C70867CA13467970BF7F239E9DA56CF220A6D5869EC1C77DD8902FFA413AF3AF5ADF21E0A750AC06F06BA7B68A99FA0BAB68ACA7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................$..................Rich...........PE..L...r..@.....................0....................@.......................... ......Oq..........................................(...........................................................................(... .......L............................text............................... ..`.data...D...........................@....rsrc...............................@..@'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\Pdqtapi.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	5.5065465753389145
Encrypted:	false
SSDEEP:	1536:pUOTLO2VExV1WOM2zIQwghbpbB+uOrI1DrOC+FD6Qf:yOm2VW3h9F+uOrI1HOB
MD5:	7FEEFC7B9EE255A019B5A7A159775BAC
SHA1:	711A8B4C3AE74B50FFC535E5E184D2BF440A453F
SHA-256:	8B4E11C197DE7B8463EA499E314AB8D6418EDBA731832ABD230D893750BAC296
SHA-512:	765414F8B85C5C3D7A8C1F09DC0DAD986863120347CED8CE7A35AB07A7AA1C510C53A46CB658E9BA99C602E26AF087E912C92C69B96378F998C31C62D158071F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.5...........!.....\...........j.......p...............................0......................................p................... S................... .......................................................................................text....[.......\.................. ..`.rdata..1....p.......`..............@..@.data................\|..............@....idata..............................@....rsrc... S.......T..................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\Psecpdrv.spd

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PPD file, version "4.2"
Category:	dropped
Size (bytes):	12204
Entropy (8bit):	5.275058271220109
Encrypted:	false
SSDEEP:	192:u2ZKwMMoG7mcix7w0gx7T0Qx700tOx7G0Rx750Rx7a0bx7L0Xx7c0dx7uDlgx7wm:DoGKx7w3x7Trx704Ox7G2x75qx7aEx7g
MD5:	3A41382209CE4B3C9C55DD778D0C66E7
SHA1:	253C23EF7646097131E788939A647932BF99D7A6
SHA-256:	156635E61BB5444B5D38A7439F6620C025C5F9C7A11B380FC696FDBF14FE342F
SHA-512:	76542928749C47EFCD8094F032705C6A037AAB2D22454756DECF1450080A92CBC1D71E460D95C4E9960619484FF08B65B883FE745ADC902A15E08DF4ED0AA038
Malicious:	false
Preview:	PPD-Adobe: "4.2"..% PSECPDRV.spd: ..LanguageEncoding: ISOLatin1..PCFileName: "PSECPDRV.PPD"..Product: "(ECP)"..PSVersion: "(2013.103) 32"..ModelName: "Electronic Claims Printing"..ShortNickName: "Electronic Claims Printing"..NickName: "Electronic Claims Printing"..LanguageLevel: "2"..Protocols: PJL TBCP..FreeVM: "2242128"..ColorDevice: False..TTRasterizer: Type42..Password: "()"..ExitServer: ".. count 0 eq.. { false } { true exch startjob } ifelse.. not {.. (WARNING: Cannot modify initial VM.) =.. (Missing or invalid password.) =.. (Please contact the author of this software.) = flush quit.. } if.."..End..UIConstraints: PageSize Comm10 InputSlot Cassette..UIConstraints: PageSize Monarch InputSlot Cassette..UIConstraints: PageSize DL InputSlot Cassette..UIConstraints: PageSize C5 InputSlot Cassette..UIConstraints: PageSize B5 InputSlot Cassette..UIConstraints: PageRegion Comm10 InputSlot Cassette..UIConstraints: PageRegion Monarch I

C:\Program Files (x86)\ApexWin\Spool\ApexPrint.reg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows Registry text (Win95 or above)
Category:	dropped
Size (bytes):	4227
Entropy (8bit):	3.0802039625279605
Encrypted:	false
SSDEEP:	24:pBh4srgQFj3QQjjHjIPqZxKQjQLjENbuELjVlD3jQjDjNujijQj60YovXL76E8pV:pRyyxK4VXFPL+bPPV
MD5:	2AF668F329AFB6662FD30A02419C6FD7
SHA1:	8AFCA6B9685DBF468C64891CA89618BD64A4D8CB
SHA-256:	AADDCE63992EA8A6C8E48942ACE2B0506A459EC91C95BD63D2596F8F24A20DA1
SHA-512:	F57F23563FB200A0EB74D0363493D95BCEA3F8E3A9AE6E815E24C363A689E14236C390277F1FC643AC0CD0EC88F667A64578CA2FF0144D16007CA06724461EC4
Malicious:	false
Preview:	REGEDIT4....[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\Print\Printers\Electronic Claims Printing].."Status"=dword:00000000.."Attributes"=dword:00000450.."Name"="Electronic Claims Printing".."Default DevMode"=hex:45,6c,65,63,74,72,6f,6e,69,63,20,43,6c,61,69,6d,73,20,50,\.. 72,69,6e,74,69,6e,67,00,00,00,00,00,00,00,04,03,04,94,00,b8,03,1f,67,00,00,\.. 01,00,01,00,ea,0a,6f,08,64,00,01,00,07,00,2c,01,01,00,01,00,2c,01,03,00,00,\.. 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\.. 00,00,00,00,00,00,00,00,00,00,08,00,00,00,60,09,00,00,e4,0c,00,00,01,00,00,\.. 00,00,00,00,00,01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\.. 00,00,00,00,52,2b,4a,c4,05,f5,40,96,bb,ad,4c,01,01,00,01,00,00,00,00,00,01,\.. 00,00,00,00,00,02,00,02,00,01,00,58,02,00,00,c2,01,00,00,00,00,00,00,00,00,\.. 64,00,00,00,00,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,00,00,ff,\.. ff,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,\

C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	5316228
Entropy (8bit):	7.993282302527105
Encrypted:	true
SSDEEP:	98304:B6Wf9Dz42/mCn6eQF2oWrxS7o3Pn/AoXfJdAxpgAN73SgZPKH3KTbZrn8:3f5h36PGqo3Pn/hUkhJ3YbZrn8
MD5:	1926ADD631D8F51CED35B71F45A80E68
SHA1:	DE089199D41C7844F989EFA708FC14D7C6F44295
SHA-256:	F014274BF843C163938FE10622B6418D060FCDC64EBCB9DF55F301152250E770
SHA-512:	745B7598C06CB074A9A2532A607A21D1CCF5F0ED47D16F05B164243FFEAAC00C66118810221A94130A2CD91EBE820C4EABB2B80C06218C343A4B88881EEAFE13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f.5.....................(............... ....@..........................`.........................................................................................................................................L............................text............................... ..`.rdata..[.... ......................@..@.data...4m...0...2..................@....idata...............J..............@....rsrc................Z..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\Spool\psecpdrv.ppd

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PPD file, version "4.2"
Category:	dropped
Size (bytes):	12205
Entropy (8bit):	5.27585653114146
Encrypted:	false
SSDEEP:	192:u2ZKwMMoG7mcix7w0gx7T0Qx700tOx7G0Rx750Rx7a0bx7L0Xx7c0dx7uDlgx7wI:DoGKx7w3x7Trx704Ox7G2x75qx7aEx76
MD5:	571321E08F68265AEDE969CBC2F7BAF0
SHA1:	1E4BB4AD640639F4706340E0364A1584704DAC44
SHA-256:	CCBEA97662078B3A3E71FBC3A7165BAE65ED0D59C855DDE4E90230B2AEC21D5C
SHA-512:	D688CD96FAB0FFB08336AEC99B9563ADFDF79E3BD84E067D3ACDA643D2ED7AB7C072D0FBB7431DB50870C5E5CD68058745326501246CD58F5DE86260275E433C
Malicious:	false
Preview:	PPD-Adobe: "4.2"..% PSECPDRV.spd: ..LanguageEncoding: ISOLatin1..PCFileName: "PSECPDRV.PPD"..Product: "(ECP)"..PSVersion: "(2013.103) 32"..ModelName: "Electronic Claims Printing"..ShortNickName: "Electronic Claims Printing"..NickName: "Electronic Claims Printing"..LanguageLevel: "2"..Protocols: PJL TBCP..FreeVM: "2242128"..ColorDevice: False..TTRasterizer: Type42..Password: "()"..ExitServer: ".. count 0 eq.. { false } { true exch startjob } ifelse.. not {.. (WARNING: Cannot modify initial VM.) =.. (Missing or invalid password.) =.. (Please contact the author of this software.) = flush quit.. } if.."..End..UIConstraints: PageSize Comm10 InputSlot Cassette..UIConstraints: PageSize Monarch InputSlot Cassette..UIConstraints: PageSize DL InputSlot Cassette..UIConstraints: PageSize C5 InputSlot Cassette..UIConstraints: PageSize B5 InputSlot Cassette..UIConstraints: PageRegion Comm10 InputSlot Cassette..UIConstraints: PageRegion Monarch I

C:\Program Files (x86)\ApexWin\TESTPS.TXT

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2640
Entropy (8bit):	4.352808988143808
Encrypted:	false
SSDEEP:	48:WsDkIo0MV+RnCiHv3WO52XHo2FTu0pQ8Qk+HSb:PDkZ0m070XouRDeSb
MD5:	2E06C901B255B1EF1BE2EB53E103F0E3
SHA1:	4A1A0D9C7EF94E99E0554A03085477E37DB97BC8
SHA-256:	B291CB10BDB2CA62C6E5A70AE393DEECB60221C1E74310F5EB29DC1EC55FA151
SHA-512:	C2AF7067262F6AE4ADDA6A3F0A57248F77964298CCE5454418BB8C9535299E1E85D2AA3352CBB9D3250B5C238873839764620D9E3A4CA03CBBF5FDC51CF77E7C
Malicious:	false
Preview:	% This is a PostScript program that will printout the current..% communications settings of a PostScript printer that supports..% the sccbatch operator...%..% To use: copy this file to the port connected to the PostScript printer...%..% Copyright (C) 1991, Microsoft Corp...%../buf 10 string def../Courier findfont 10 scalefont setfont../Parity [ (None) (Odd) (Even) (None) ] def../Flow [ (Xon/Xoff) (Hardware) (Hardware) ] def..statusdict /sccbatch known {.. statusdict begin 25 sccbatch end % get comm settings.... 72 144 moveto % print baud rate.. (Baud Rate:) show.. 222 144 moveto.. exch buf cvs show.... 72 129 moveto % print data bits.. (Data Bits:) show.. 222 129 moveto.. dup -5 bitshift 3 and % isolate data bits.. 1 eq { (7) } { (8) } ifelse % translate to string.. show.... 72 114 moveto % print parity.. (Parity:) show.. 222 114 moveto.. dup 3 and

C:\Program Files (x86)\ApexWin\VB6.OLB

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	295514
Entropy (8bit):	4.622098138124252
Encrypted:	false
SSDEEP:	3072:Vy9igXdk4d6FRUajrZsm5vQ5MFQ5jxvxC5QfHMzxnc2g6/rspfMJtPYJxkh6tg8o:VlWdk4d6FRUekmc2r2Nm
MD5:	376F14DCD409160260FDF98B20FB12DC
SHA1:	975CC49135B199C922E3B1949AB7DA754F1D1FE6
SHA-256:	4109EE488C9E930F8884280526B4C36FFC7CEE03329CAC6A9B8F5864B15C8453
SHA-512:	F3ABBAA5AFD551CC7A67D95437F198FEEE453283F95A25B9C4DF14AE7E0516AD3795CBE761C98AA33F13B09EA32F899D33D0D4A0FFB464722D3CBFDDC86664BD
Malicious:	false
Preview:	MSFT................Q...........b.......8...8....................... ...............4.......d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%......H&..........@9..8...........x:..............P5...............)...............)...............;...............=...:.......... w.............. ...............................................................................................%!.. ..........................................................0...0...............................#!.. ....P...-......................................(..........0...0...............................#!..........................................p.......@..........0...0.........t.

C:\Program Files (x86)\ApexWin\data.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	143360
Entropy (8bit):	5.9430016617431844
Encrypted:	false
SSDEEP:	3072:6QZ7LADxHpIeM84xd3RGbNpO0vO/SfLRYyYg6aDUs0o:6WcnMmvOyO/4lYyYg6a
MD5:	9E934174106BD3191B210397882CD0E2
SHA1:	83B0FC2BFD3BC93676AA337F2D9F67CDD5696A23
SHA-256:	CB5A904C68281057251F7683CA1884F4D20AF5A3311E44EE72B27250ABF3A741
SHA-512:	099CF0A79EFA62019B8598D20FB67D8F5DD19CDEC6AD643CCB0EC7ADC4E5E97316AA330044B93C28EF43BC350AD82892BE315045D07B94AFA681B19646C73F22
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............j..j..j...f..j...a..j.9.d..j...`...j..k...j...y..j..a..j.Rich..j.........................PE..L...D(^E..........................................@..........................P..................................................<....................................................................................................................text............................... ..`.rdata...7.......@..................@..@.data....A.......0..................@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\dclient.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	5.974918774688758
Encrypted:	false
SSDEEP:	3072:oex+VEzGoPsR+4e+i7nzpA0JRfDzRkvRClFxhtold6uc:xx+mGoPsR+4ehnzpBkvRDc
MD5:	001F33E417F919484F47170C67A1FF16
SHA1:	7B39E3F4C3E619CF90524D3505636297AC260C80
SHA-256:	A25C47D73B9AD7E2EF9FD83B045BCCF9BE709510B9BB9AFC79D5B79C79D93112
SHA-512:	3EFFF7AEEB0C52310A02C85D7B07ECEAF918B23A83D4738D167AD40F5843DA26FE6191D846667E143E1D7E0B25309EE17A5AF70F41E41CFB6C39A9AE24CEEE61
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........};V..hV..hV..h-..hW..hV..hP..h4..hY..hV..h6..h...hJ..h...h...h...hi..h...hW..hRichV..h........PE..L....j_8............................>_............@.........................................................................`........................................................................................................................text............................... ..`.rdata...Y.......`..................@..@.data....`.......0..................@....rsrc................@..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\eclaims.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.926341123822398
Encrypted:	false
SSDEEP:	3:mKDDpdZjQyaTULaCCcHKRTVz5EoUhYyMvXKUhYyHkdZjQyaQnn:hl8yaoLpHKnghYXvZhYp8yaQn
MD5:	69ED2FC3C646B6C7914794B123DD05C4
SHA1:	4063F7AA6E54FB43B938DC740CD905A8FA7E013B
SHA-256:	EB3D6EE99A1E3D1286DEFA312612EE231DD3D66A747AD6CB45FD0AAB71521588
SHA-512:	83C50976C3D580D60EACF96E33E32164CFD5AA083B83DE2A7A7EAD0D84B8DDDBFC8EEEF744C1C6A393910942FF48FA49E2A1981474E31B146C6533FA5BC954CF
Malicious:	false
Preview:	@echo off.."C:\Program Files\ApexWin\lpt2file" lpt1:=c:\progra~1\ApexWin\ecsfile.txt..cd \{my program}..{my program}.."C:\Program Files\ApexWin\lpt2file" /c..

C:\Program Files (x86)\ApexWin\msado25.tlb

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	4.238375077126154
Encrypted:	false
SSDEEP:	768:15RbKz663tPY1AcbERQzuahkbzM7hX2O4HvNdrCw1NEarj4U219hW+:15RuO63tPY114RX3M7MvPb2mNvnec
MD5:	2B337FCEFA4C11D1EF00292FA8F24F86
SHA1:	22E8231B64E8EC7282D30E5C12502E3A5AD9839C
SHA-256:	A7C650241B4C6AB788FB369463915645081128B083004C7645A793487CABF316
SHA-512:	BCCF720AEFDDB26A4FA6EAB72C16ABAC8CEA6ED8A218823E7FF094296ECFF8FE8F925F39671B3C83DD7D1AD91A1C4734BE66B597CD41CC1085DD96A89861F109
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%5..D[..D[..D[..L]..D[.Rich.D[.........................PE..L....X.9...........!.........0....................@..........................@..............................................................................0.......................................................................................rsrc............ ..................@..@.reloc.......0.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\oem95.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	2013
Entropy (8bit):	5.316549583300688
Encrypted:	false
SSDEEP:	48:BFkfxLRjI0hu+R+O+VI+fKdZmgacA5KDtQaQmEKQS:nuRjI0hucNRzZmnc/QaQ+QS
MD5:	4B618EB38A13339BEFD833A41827D146
SHA1:	756C34EFE2602A4243AF9B1BA7C9F4C4FC5EB54E
SHA-256:	7DC7FFF333D87EC31034F936DD56F6607818899700FC1AED4768F8008AD2F934
SHA-512:	57E92BED9E71EA25B045477FC070B08D332A9F040881604814967CB40378AFD7F636544C269A17CE2D433C89FB7717D600ACCDDC1D117105FD0743222BB61829
Malicious:	false
Preview:	[Version]..Signature="$CHICAGO$"..Class=Printer..Provider=%KRW%....[ClassInstall]..AddReg=ClassAddReg..DelReg=ClassDelReg....[ClassDelReg]..HKLM,"System\CurrentControlSet\Services\Class\Printer","NoUseClass"....[Environment_Ini]..win.ini,Ports,"LPT1.DOS=",..win.ini,Ports,"LPT2.DOS=",..win.ini,Ports,"LPT3.DOS=",..win.ini,Ports,"LPT1.OS2=",..win.ini,Ports,"LPT2.OS2=",..win.ini,Ports,"LPT3.OS2=",..win.ini,windows,"Spooler=",..win.ini,windows,"DosPrint=",..win.ini,windows,"DeviceNotSelectedTimeout=",..win.ini,windows,"TransmissionRetryTimeout=",....[Environment_Reg]..HKLM,"System\CurrentControlSet\Control\Print\Environments\Windows 4.0","Directory",,"CHICAGO"..HKLM,"System\CurrentControlSet\Control\Print\Environments\Windows 4.0\Drivers",,,..HKLM,"System\CurrentControlSet\Control\Print\Environments\Windows 4.0\Print Processors",,,..HKLM,"System\CurrentControlSet\Control\Print\Monitors",,,..HKLM,"System\CurrentControlSet\Control\Print\Printers",,,..HKLM,"System\CurrentControlSet\Control\Pri

C:\Program Files (x86)\ApexWin\pdqcom32.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	261120
Entropy (8bit):	6.349285756647002
Encrypted:	false
SSDEEP:	6144:aTlZe0XdLB4t3GYOZJP4sbv/ARYVg74lMbsdW3:aTlJXdWt3lOZJB+7E
MD5:	2E39C851FC5D919E5D5CD4B1B6D796C4
SHA1:	D886F25152E0460306FFDBA207FE2AE863CA7859
SHA-256:	9F4A17064E4D7A8A1761B4E6F8EE268631A988391B6AF2A7CB9D4372DA63872C
SHA-512:	D9B9834D6EABE0CB314D165729A5C8A52627A59F6F9E7A3361DBB7D03501C9A0F28A6A1FE8C192A3488E7BBCF366199ECC773C529519268E67F3C488A3E8F90C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.5...........!.....:...........G.......P...............................@..............................................0.......P...........................)..................................................`8...............................text....8.......:.................. ..`.rdata..uN...P...P...>..............@..@.data............n..................@....idata..\|....0......................@....rsrc........P......................@..@.reloc.../.......0..................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ApexWin\prepare.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	927
Entropy (8bit):	4.836581508635318
Encrypted:	false
SSDEEP:	12:SKXsF9jxQbnpe9neA5FiVKUFDwINUcA5Fv9R3XjryiTS9nR3qZSg/riP1uH5g/:SKXsFpxQb4fFXUF0Fv9iaL/riP1uH+/
MD5:	4F7B6DAE22307C80C98E3E0D881C553A
SHA1:	84D850EC78D837F66C4FCD81735E465C872A3774
SHA-256:	4FA9759AF19C44181DB73D2F0A2C74ACC9C3692CEC66F65E31071180B872FD1F
SHA-512:	A46D10FFADF65854EC993575C3D173620A0400654AB5AE0387FE9BE102684A638D05B49C71818457A4363F226920EDB21A2F7DF2BD7AB49744A6D371DE3DE631
Malicious:	false
Preview:	@echo off..cd \pworks..if exist apex1111.apx goto send..rem Use pwec.bat for V3.2 and pwec32.exe for V4.5 of PracticeWorks...rem Note that there are TWO calls to these programs...rem call pwec.bat..pwec32.exe..rem It may be necessary to slow things down by adding the following pause..rem Especially if pwec32 doesn't finish creating the .rec file before I copy it to .apx..pause..copy apex1111.rec apex1111.apx..ec001000.exe..rem It may be necessary to slow things down by adding the following pause..rem pause..if exist svpickup.log del svpickup.log..if exist svpickup.$$$ ren svpickup.$$$ .log..if exist svpickup.log "C:\Program Files\ApexWin\prepecf.exe" svpickup.log..rem call pwec.bat..pwec32.exe..goto exit..:send..cls..echo...echo...echo...echo ============== There are claims waiting to be sent =============..echo...echo ============ Please send claims before preparing more ==========..echo...echo...pause..:exit..

C:\Program Files (x86)\ApexWin\pwecp.ini

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Generic INItialization configuration [PTE Claims]
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.377278130987435
Encrypted:	false
SSDEEP:	3:hSzrFwmkFmKCvTATX:kMF7sk
MD5:	268220C5D9E866D58CC58C16B84E44A4
SHA1:	B3DEE1624E56299907CAC7A8ACAE4BCAD0B6BED9
SHA-256:	3249BEE3D6F3C6F7D9F3471ADC8F218B4E9D7874CA6FF534DE2639F8F3693323
SHA-512:	55B808400F937E9ABAD117DC5BEF55EAEF7D854D9444F849980144BC8973C4A525CA85E3849D204CE3E7AB4725A7301505CB60106C5F728869AFA22F92368284
Malicious:	false
Preview:	[ECP App]..Path=....[PTE Claims]..Retrieve=1..

C:\Program Files (x86)\ApexWin\scrrun.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147512
Entropy (8bit):	5.995654724980578
Encrypted:	false
SSDEEP:	3072:mh1XgkgKuV40n2TXr0+CXb0RTM3K9ATuMGHCAHB6guvRZTxSwFRQNaNa18Pmk3q:mxgxyr5aVGvNgRZYWaB
MD5:	FC41EF7275A6AE9BD67C4D3C443F4989
SHA1:	22A4D20A989DCBAF605B8E130F9FEE9DC492425B
SHA-256:	D2C999C0357115603A968BD610BE517DF46CB4EABBB4D44B93A4410975117D68
SHA-512:	9369A96CB3C14FC0484D8ABA2EA0104DB162F053E3CC6C34A972E2A7E5ACADED1EEC5F10433DAE2C14ED49A1017153A3D8DC93FEAB80AD8213CB72FBC2060A89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.^...0...0...0.d.<...0...>...0.p.:...0.p.4...0...0...0.I.#...0...1...0.}.#...0..6...0.@.;...0...4...0.Rich..0.................PE..L....19;...........!.....`...........I.............k.........................@......-...............................@{.......\|..........8}................... ......kh..8............................................p...............................text....X.......`.................. ..`.rdata.......p... ...p..............@..@.data...p...........................@....rsrc...8}..........................@..@.reloc....... ... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF7E5.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.690823455177007
Encrypted:	false
SSDEEP:	384:AM/q2MTlti5gTy71tiHmltXflB2yGRbqo5rVKjvzoUPgMV:N/xM3UgTypTvlB2DAmrVezo
MD5:	D3F63438470DDC95AFF79176FBED5167
SHA1:	1CE32A97C8DB2C50CF04A7300D5DB89E39925858
SHA-256:	EE53B4C5B89310AB11980B73CB2635356A3EA0D06130447F4644B4BB592923AC
SHA-512:	E07B5B199ECCB1C2296CB2ACE6FF0B0E4F17D9E54FF0BA73509F8FCD079EB11EE71CAF5C869682BCE04D8A22BC750B2DB5F8044D549FAFAD8DADF6A6EE9970C7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L...G...L.\|.B..L...F..L...U...L..._...L...M...L...G...L...H...L.Rich..L.................PE..L.....;...........!.....P...0......h........`......................................................................@k......Pe..d....................................................................................`..<............................text....A.......P.................. ..`.rdata.......`.......`..............@..@.data........p.......p..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF834.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	4.085285396406264
Encrypted:	false
SSDEEP:	384:vLxoITVjboT9wGUoJJtPf37qXk8bfF33yy+zyh4FGup1++D8oO9RYv:OITVjboJwst33sN38C4FG2D8oB
MD5:	C9F3177724DCDE6073003B5EB6955318
SHA1:	C58EED5B715FFF5F2B084A6DFF1534A804BEF315
SHA-256:	9E6418C6B426C57D04673AD2EA1691CF052BD5B35B0AF0566C2043A8EBDE33A4
SHA-512:	7D77CF3FD51D1480EF8F5AB72630EEA3BD80492566AD08A453C91D93825F043758EE59D9A930C85501D3C3993E30EA2510CF3DF03D0A7804839A838F5D48F2B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.].>...>...>.......>..."...>.......>...!...>...!...>...>...>.......>..e....>..Rich.>..................PE..L...:..:...........!.....P...`...............`.......................................................................k..P...Hf..P...............................D....................................................`...............................text...JA.......P.................. ..`.rdata.......`.......`..............@..@.data....1...p...0...p..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_isE74C\0x0409.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File Type:	Generic INItialization configuration [Languages]
Category:	dropped
Size (bytes):	4107
Entropy (8bit):	4.980163614282409
Encrypted:	false
SSDEEP:	96:Nl8/T3INLfRtMx76U0KOFWgVl2Uub0QAg80SbtEBapIx0KYL/:NYT3wLfRA0viBAvCSEB4
MD5:	47B8151455BC54356BD8EAB2D9656DFF
SHA1:	077FCE613856628B7144DB497C38283D733FF0D1
SHA-256:	DDC0262ECAF411329B7D6B0510696E934F7F15887A9B81084EF3B1D07C7F3824
SHA-512:	FE78E017C856E5DE346B781B745FBEF32EB265BFE9D33C0D543F412FBC60261535FFB355CD3F52A15F17E235273F386C40D474EF8D40F404DFFEB1FBFB610B6B
Malicious:	false
Preview:	..[0x0409]..TITLE=Choose Setup Language..DESCRIPTION=Select the language for this installation from the choices below...OK=OK..Cancel=Cancel..1100=Setup Initialization Error..1101=%s..1102=%s Setup is preparing the %s, which will guide you through the program setup process. Please wait...1103=Checking Operating System Version..1104=Checking Windows(R) Installer Version..1105=Configuring Windows Installer..1106=Configuring %s..1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system...1108=%s..1150=Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running either Windows 95 (or later version), or Windows NT 4.0 Service Pack 6 (or later version), before relaunching the installation..1151=Error writing to the temporary location..1152=Error extracting %s to the temporary location..1153=Error readin

C:\Users\user\AppData\Local\Temp\_isE74C\ApexWin.msi

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Last Saved By: InstallShield , Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Keywords: Installer; MSI; Database, Subject: ApexWin, Name of Creating Application: InstallShield Express 3.5, Last Saved Time/Date: Thu Aug 7 14:18:25 2008, Create Time/Date: Thu Aug 7 14:18:25 2008, Last Printed: Thu Aug 7 14:18:25 2008, Revision Number: {B5878C7F-DF01-43A0-9EE0-60D4127E7720}, Code page: 1252, Template: ;1033
Category:	dropped
Size (bytes):	10358272
Entropy (8bit):	7.963206319444704
Encrypted:	false
SSDEEP:	196608:4ZMalqlAy0Q2fVztTtMYymK+dDtM4aCkGI+iYYlDFvwJw/Ilvw:ZT0Q+DzKQKQd5oDFvwuQm
MD5:	C6A24F01036DF18AF6378BF86E5AFCC6
SHA1:	3BCB1FB29B11D51E006EE5880A6B6F290E8D9335
SHA-256:	D8118591766577567A652322D51FD825E6FE6EB53973117EF26F8D7E3C0B86A0
SHA-512:	5E74F1C72DEABDCF388EF7931A0D4D719781086E9342C28849F000F0DF41CC2DA3857D2FC849FFD8B70F4D66772D51457FD012816AF804E1040B786F7C285EBA
Malicious:	false
Preview:	......................>...................................8........6..................?...@...A...B...C...D...E...F...G...H...I...J...K...L...a...b...c...d...e............................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........]...........................................................................0....................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...2...1...O...3...4...5...6...7...E...d...:...;...<...=...>...?...@...A...B...C...D...\...H...G.......I...J...K...L...M...N...Q...P...t...R...S...T...U...V...W...X...Y...Z...[...`...^...c..._...b...a...e..._...n.......f...g...h...i.......k...l...m...p...o...F...q...r...s.......u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File Type:	Generic INItialization configuration [Startup]
Category:	dropped
Size (bytes):	954
Entropy (8bit):	5.394180787686103
Encrypted:	false
SSDEEP:	24:HP3YErYcRU5daFEaFcaloaFBnTbbpqEpw:HP3T8s+hXJ4rpqEpw
MD5:	0CDB2734B00E393F14439278A4EF30B6
SHA1:	98CC4692CCF18152E4B788A3A28A69C8F6EBCD80
SHA-256:	CF57D2B2221FBDEA66C810C4DCEBFB2C1608798DCD8B3A0CAF6B827FCC65F4C8
SHA-512:	B58D150668AACAC12CB6FA0F2E8ECD6115B488E9A59D70442FB239AB46C0FC313370E6392DBC93D5D68A97A7A90A60941E2921C3BD16F04749A28BED5366E340
Malicious:	false
Preview:	[Info]..Name=INTL..Version=1.00.000..DiskSpace=8000.;DiskSpace requirement in KB....[Startup]..CmdLine=..SuppressWrongOS=Y..ScriptDriven=0..ScriptVer=4.0.0.110..Product=ApexWin..PackageName=ApexWin.msi..MsiVersion=1.20.1827.0..EnableLangDlg=Y..OnUpgrade=1..DoMaintenance=Y..ProductCode={348DFD33-272D-4451-8968-31E94E81AE45}..PackageCode={B5878C7F-DF01-43A0-9EE0-60D4127E7720}....[SupportOS]..Win95=1..Win98=1..WinME=1..WinNT4=1....[Win95]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=950..PlatformId=1....[Win98]..MajorVer=4..MinorVer=10..MinorVerMax=11..BuildNo=1998..PlatformId=1....[WinME]..MajorVer=4..MinorVer=90..MinorVerMax=91..BuildNo=3000..PlatformId=1....[WinNT4]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=1381..PlatformId=2..ServicePack=768..[KEY]..Password=4101864564..[Languages]..count=1..default=409..key0=409..[ApexWin.msi]..Type=1..Location=ApexWin.msi..CacheRoot=36..CacheFolder=Downloaded Installations..[Setup.bmp]..Type=1..

C:\Users\user\AppData\Local\Temp\_isE74C\_ISMSIDEL.INI

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:P1:9
MD5:	ED5602CB0540D203F85998DB92821F1D
SHA1:	6090EE19D2E0D2FC3C65CB0BDF8242ABC849BA9D
SHA-256:	39DC0AA1C73F37ACA1528E6B1DBECE97E523CD1324E9B577F5DC5E2217197868
SHA-512:	14FD93C45A129A88DEFAC989F01DF8F4A25580B83AD6B5EB5A9D1D28F6A6C68F840B2F6C71EC77558F8D4F35F8FC3F8DDCECE19F3B687E40F396B153B4F79746
Malicious:	false
Preview:	[Files]..

C:\Users\user\AppData\Local\Temp\~CB76.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File Type:	Generic INItialization configuration [Startup]
Category:	dropped
Size (bytes):	954
Entropy (8bit):	5.394180787686103
Encrypted:	false
SSDEEP:	24:HP3YErYcRU5daFEaFcaloaFBnTbbpqEpw:HP3T8s+hXJ4rpqEpw
MD5:	0CDB2734B00E393F14439278A4EF30B6
SHA1:	98CC4692CCF18152E4B788A3A28A69C8F6EBCD80
SHA-256:	CF57D2B2221FBDEA66C810C4DCEBFB2C1608798DCD8B3A0CAF6B827FCC65F4C8
SHA-512:	B58D150668AACAC12CB6FA0F2E8ECD6115B488E9A59D70442FB239AB46C0FC313370E6392DBC93D5D68A97A7A90A60941E2921C3BD16F04749A28BED5366E340
Malicious:	false
Preview:	[Info]..Name=INTL..Version=1.00.000..DiskSpace=8000.;DiskSpace requirement in KB....[Startup]..CmdLine=..SuppressWrongOS=Y..ScriptDriven=0..ScriptVer=4.0.0.110..Product=ApexWin..PackageName=ApexWin.msi..MsiVersion=1.20.1827.0..EnableLangDlg=Y..OnUpgrade=1..DoMaintenance=Y..ProductCode={348DFD33-272D-4451-8968-31E94E81AE45}..PackageCode={B5878C7F-DF01-43A0-9EE0-60D4127E7720}....[SupportOS]..Win95=1..Win98=1..WinME=1..WinNT4=1....[Win95]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=950..PlatformId=1....[Win98]..MajorVer=4..MinorVer=10..MinorVerMax=11..BuildNo=1998..PlatformId=1....[WinME]..MajorVer=4..MinorVer=90..MinorVerMax=91..BuildNo=3000..PlatformId=1....[WinNT4]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=1381..PlatformId=2..ServicePack=768..[KEY]..Password=4101864564..[Languages]..count=1..default=409..key0=409..[ApexWin.msi]..Type=1..Location=ApexWin.msi..CacheRoot=36..CacheFolder=Downloaded Installations..[Setup.bmp]..Type=1..

C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 48x48, 24 bits/pixel
Category:	dropped
Size (bytes):	7358
Entropy (8bit):	3.9072319865747183
Encrypted:	false
SSDEEP:	96:ezP1h/LlhXoaafQJEvD81rduTXV4ygqQoQwRNxiLGVWP:ezPZhXoahEL8fkVRhQwLxgP
MD5:	85573AF06209563870E58D841210F2FF
SHA1:	3A2BDF36C6225A53EDB58DABC1BA5677A8859D8C
SHA-256:	04EBD024C366699782C77DB778FFBA325E7C8DC7B9DF6B0DF90A21E623DFE869
SHA-512:	34AA985955455C8086A4DD3228BB97771D82B2752F042EF0552FA75D878E921B699BE491E030EDB279CFBEB09C83FB0BEB903DA3CF491BB5DDB0862C77B18291
Malicious:	false
Preview:	......00..............(...0...`....................................................................................._Z.A;.,&.............,&.A;._Z.....................................................................................................c^.("...........................................(".c^...................................................................................F@.............................................................F@.........................................................................OJ...................<6.kg.....................kg.<6...................OJ.............................................................\|x................1,.ur...........................................ur.1,................\|x....................................................`Z.............6/...........................................................6/.............`Z..............................................RL.............oj....................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.391287594728606
Encrypted:	false
SSDEEP:	384:C2otn0ad0TlQCxfrwntajXjDWLi9k+7yfnrF6oZ17zYahEL80hQYkif:4n0ZTBPJn7SrF6oH7NE5hQrif
MD5:	9B5F9DAD01C3B9B5AFFF0F60D6F3A7D1
SHA1:	157AE9653EE78563DB2349D9EDAAE37098EC9D52
SHA-256:	1BD8BEF92F87B50407FAC6581C95D67E69FF62E9EAAF2E5CB05614876C56AFDE
SHA-512:	557A3A41343A280064B5E80FE255FB0C64F2A27BB7722ED0254420F04D90F5475C546300019B5E075A7ACF95ECE2E02D4B2ACF0FCD1D2705B9127145979F56AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..t2`.'2`.'2`.'].t'3`.'].u'(`.'.\|q'>`.'2`~'.`.'P.l'1`.'4Ct'0`.'.fy'3`.'Rich2`.'........PE..L......<.................@...p...............P....@.........................................................................4T..(........ ...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc.... .......0..................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.391287594728606
Encrypted:	false
SSDEEP:	384:C2otn0ad0TlQCxfrwntajXjDWLi9k+7yfnrF6oZ17zYahEL80hQYkif:4n0ZTBPJn7SrF6oH7NE5hQrif
MD5:	9B5F9DAD01C3B9B5AFFF0F60D6F3A7D1
SHA1:	157AE9653EE78563DB2349D9EDAAE37098EC9D52
SHA-256:	1BD8BEF92F87B50407FAC6581C95D67E69FF62E9EAAF2E5CB05614876C56AFDE
SHA-512:	557A3A41343A280064B5E80FE255FB0C64F2A27BB7722ED0254420F04D90F5475C546300019B5E075A7ACF95ECE2E02D4B2ACF0FCD1D2705B9127145979F56AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..t2`.'2`.'2`.'].t'3`.'].u'(`.'.\|q'>`.'2`~'.`.'P.l'1`.'4Ct'0`.'.fy'3`.'Rich2`.'........PE..L......<.................@...p...............P....@.........................................................................4T..(........ ...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc.... .......0..................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apex EDI Inc\ApexWin.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	3031
Entropy (8bit):	2.9731281916377403
Encrypted:	false
SSDEEP:	48:8zbjbcb9PgtaFdqdf5IaFRK57du1BRaF:8fZqjNcXR
MD5:	B0110C24844E16200FABB82F4A25784A
SHA1:	DCB406EA9664A3EA669DDF0BA6134BED2B03C836
SHA-256:	A229A77BCC8FAE61E41A39157E0C9EE8BC67B5B14A232B63645FF471B12A3A3C
SHA-512:	3862C6F64DA7B50CF95E853D284CE9F1BFC66A34867165A8C5278214861CA46DED2F1E0F9AB3870CECE8B4AD9FA3914A5579528A63AA4EDBE2C748ACB4BDFBFF
Malicious:	false
Preview:	L..................F.P......................................................o....P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.X(\....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......X$\..user.<......CW.^.X(\..........................uZB.j.o.n.e.s.....V.1.....CW.^..AppData.@......CW.^.X(\...........................%..A.p.p.D.a.t.a.....V.1......X$\..Roaming.@......CW.^.X$\........................../3;.R.o.a.m.i.n.g.....\.1......X5\..MICROS~1..D......CW.^.X5\..............................M.i.c.r.o.s.o.f.t.....\.1......X5\..INSTAL~1..D......X5\.X5\............................I.I.n.s.t.a.l.l.e.r.......1......X5\..{348DF~1..~......X5\.X5\............................I.{.3.4.8.D.F.D.3.3.-.2.7.2.D.-.4.4.5.1.-.8.9.6.8.-.3.1.E.9.4.E.8.1.A.E.4.5.}.....~.2......X5\!.NEW_SH~1.EXE..b......X5\.X5\............................I.N.e.w._.S.h.o.r.t.c.u.t._.S.3.8.5.5._.1...e.x.e.........A.p.e.x.W.i.n.U.....\.....\.....\.....\.I

C:\Users\user\Desktop\ApexWin Claims.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	3067
Entropy (8bit):	2.992144360730278
Encrypted:	false
SSDEEP:	48:8TbjbcbyPQPHFaF9qdeIaFxK57du1daF:8/tYdaYdcv
MD5:	C265908FAE0B17D37CC58A892E646AEC
SHA1:	E4031830637D4C5938982B5092063D8E6D9CEFC7
SHA-256:	B6AB63B35D3281404A20E3863574554CFD242A6C9DEC0710F998BD8436AA9912
SHA-512:	1E3A37F436B96E34BA099725CFD39FD57FB08608102DE081D9C81BCC6CFEA3B5335A1E4023E9FEDB753036C09BF11B0E3CFDA4943B619F6D54E1EBBA70E58D42
Malicious:	false
Preview:	L..................F.P......................................................o....P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.X(\....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......X$\..user.<......CW.^.X(\..........................uZB.j.o.n.e.s.....V.1.....CW.^..AppData.@......CW.^.X(\...........................%..A.p.p.D.a.t.a.....V.1......X$\..Roaming.@......CW.^.X$\........................../3;.R.o.a.m.i.n.g.....\.1......X5\..MICROS~1..D......CW.^.X5\..............................M.i.c.r.o.s.o.f.t.....\.1......X5\..INSTAL~1..D......X5\.X5\............................I.I.n.s.t.a.l.l.e.r.......1......X5\..{348DF~1..~......X5\.X5\..........................(.G.{.3.4.8.D.F.D.3.3.-.2.7.2.D.-.4.4.5.1.-.8.9.6.8.-.3.1.E.9.4.E.8.1.A.E.4.5.}.....~.2......X5\!.NEW_SH~2.EXE..b......X5\.X5\..........................(.G.N.e.w._.S.h.o.r.t.c.u.t._.S.2.0.5.4._.1...e.x.e.........A.p.e.x.W.i.n. .C.l.a.i.m.s.f.....\.A.p.p

C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Last Saved By: InstallShield , Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Keywords: Installer; MSI; Database, Subject: ApexWin, Name of Creating Application: InstallShield Express 3.5, Last Saved Time/Date: Thu Aug 7 14:18:25 2008, Create Time/Date: Thu Aug 7 14:18:25 2008, Last Printed: Thu Aug 7 14:18:25 2008, Revision Number: {B5878C7F-DF01-43A0-9EE0-60D4127E7720}, Code page: 1252, Template: ;1033
Category:	dropped
Size (bytes):	10358272
Entropy (8bit):	7.963206319444704
Encrypted:	false
SSDEEP:	196608:4ZMalqlAy0Q2fVztTtMYymK+dDtM4aCkGI+iYYlDFvwJw/Ilvw:ZT0Q+DzKQKQd5oDFvwuQm
MD5:	C6A24F01036DF18AF6378BF86E5AFCC6
SHA1:	3BCB1FB29B11D51E006EE5880A6B6F290E8D9335
SHA-256:	D8118591766577567A652322D51FD825E6FE6EB53973117EF26F8D7E3C0B86A0
SHA-512:	5E74F1C72DEABDCF388EF7931A0D4D719781086E9342C28849F000F0DF41CC2DA3857D2FC849FFD8B70F4D66772D51457FD012816AF804E1040B786F7C285EBA
Malicious:	false
Preview:	......................>...................................8........6..................?...@...A...B...C...D...E...F...G...H...I...J...K...L...a...b...c...d...e............................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........]...........................................................................0....................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...2...1...O...3...4...5...6...7...E...d...:...;...<...=...>...?...@...A...B...C...D...\...H...G.......I...J...K...L...M...N...Q...P...t...R...S...T...U...V...W...X...Y...Z...[...`...^...c..._...b...a...e..._...n.......f...g...h...i.......k...l...m...p...o...F...q...r...s.......u...v...w...x...y...z...

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22288
Entropy (8bit):	4.814478820147639
Encrypted:	false
SSDEEP:	384:23Fob3slaN3oF1fHICOoMzMv/QTIBjDVquODJXsUW7ftWs6:Yo7s28JnOxzMv/QsBjRqugXspd
MD5:	3B180DA2B50B954A55FE37AFBA58D428
SHA1:	C2A409311853AD4608418E790621F04155E55000
SHA-256:	96D04CDFAF4F4D7B8722B139A15074975D4C244302F78034B7BE65DF1A92FD03
SHA-512:	CF94AD749D91169078B8829288A2FC8DE86EC2FE83D89DC27D54D03C73C0DECA66B5D83ABBEAA1FF09D0ACAC4C4352BE6502945B5187ECDE952CBB08037D07E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rD.2....i......#.....2...................P.....w.................................................................?......*<..d....`.......................p..4...............................................X....................................text...#0.......2.......... V...... ..`.data........P.......B..............@....rsrc........`.......N..............@..@.reloc.......p.......R..............@..BkD.2(.....22...jD.2?....%.2J...........ole32.dll.KERNEL32.dll.USER32.dll.ADVAPI32.dll..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	147728
Entropy (8bit):	5.909287934496192
Encrypted:	false
SSDEEP:	3072:h+qD1Cd/Oa5kXFlqkFGr3CAP7LCyInPEggen5Ez:hlCd/OaaFEjCAPKyOE6na
MD5:	C89E401800DE62E5702E085D898EED20
SHA1:	72FB4F088C6AC02097B55FB267C76FBF5E0FA1F7
SHA-256:	DE83C9D9203050B40C098E4143EF8F577AA90016C7A64D4F2931B57A4C43E566
SHA-512:	70006D70DCB47361FF43E4F7C458655AD2474B70CB917873AA77D2CC06465A68D375D36C494D154A03DBBFF891DF7DD6CAB3D2C7B08E8650B9FF170E30838070
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ru..ru..ru..mf..ru..ru..su.Rich.ru.........................PE..L....!.6...........#..................... ........<e.........................`... ..^q..................................n.......d....0.......................@..0...P!............................................... ..L............................text...n.... ....... .............. ..`.data....d.......P..................@....rsrc........0......................@..@.reloc..v....@... ... ..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	598288
Entropy (8bit):	6.644743270512807
Encrypted:	false
SSDEEP:	12288:HCKynQWKglDhrUtrvT/NInIk4NDXsR6lMlpGz:HGXqB8V6lMlMz
MD5:	7B156D230278B8C914EF3F4169FEC1CC
SHA1:	6B58E20B2538CB308091DA838710F6AAD933A301
SHA-256:	BAEB2F7C1B8BE56738D34E1D1DDF8E0EEBD3A633215DC1575E14656BE38B939D
SHA-512:	E4EC2BC714069E0A6B56D89B52AABAD92E5BA741DC6F26D2FC2D72AA9AD2EC465DEA523CCCD810331AB78B5FB8A1244B2B521303418EAD5BD6BE5A58B43794C5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ibW.-.9.-.9.-.9...7.(.9.{.*.,.9.-.9...9.Rich-.9.................PE..L....#.6...........#..... ...................p....4e......................... ......+................................6..%$.......................................g...................................................................................text............ ... .............. ..`.data....a...0...`...@..............@....rsrc...............................@..@.reloc...g.......p..................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	164112
Entropy (8bit):	5.8462943829831575
Encrypted:	false
SSDEEP:	3072:+VrhrwLXcA2Ha/joWklbo/Acjwm4AaW7zozn/zgOh0Z76:fklbsqmyWnoz/P
MD5:	CE0155405EA902797E88B92A78443AEB
SHA1:	8ADFF69050D14A57D7F553CA8978439AF188C192
SHA-256:	789C3C45EDA1749BD939F4A96616E1E9EF1B7DCC62A2889F65088954C64D0938
SHA-512:	3FDE09067F9CA8D315DE07C8DB972F99723EA4C3F997DC58210F9D6565CAA9935C79F13E8B2D20ADC5609919A381E4C2A90A0B3123A35947997229D7C615E162
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.'r!.I!!.I!!.I!w.Z!*.I!!.I!\.I!Rich!.I!........PE..L....!.6...........#.................)... ........0_............................. ..>................................................0...3...................p...... #............................................... ...............................text...q.... ....... .............. ..`.data....X.......P..................@....rsrc....3...0...@... ..............@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	4.083884450202126
Encrypted:	false
SSDEEP:	384:cogoEvM/uFrR+X6QNn1pcJIrWocDGWct:cogoEvM0rgqQNn3
MD5:	1B02577F0ADDEA32EB02A50D4A4CDD1E
SHA1:	36F701CCEC78A5D218FEA23FD05351890F14CF7D
SHA-256:	6EA525BFACE5467C1045C3708F339A4B92A3A273F70656E061C7F7322C56D667
SHA-512:	87FD4AA5158D09EB97B6131E651DB2A4761546907A960AF7792F8E95947C0A825E84F88ECCF42EC896FF5BB2BBC461488B898D5F1BD853847317493C44B330C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eU!.!4O.!4O.!4O.!4O. 4O.Rich!4O.................PE..L....!.6...........!.........D...............................................p...........................................................@...................`.......................................................................................rsrc....@.......B..................@..@.reloc.......`.......D..............@..B.............!.6............ .......8........!.6............P........!.6............h........!.6.....................!.6....................@:...........J................T.Y.P.E.L.I.B.MSFT................A...........*................................... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...............h...........................................L...P.......

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	278581
Entropy (8bit):	6.371840306551786
Encrypted:	false
SSDEEP:	6144:XTHH7lfsdbunoC5XQFnqxNCDHDJDAiFMWiFaNF7R5LooRKa:XTnJfsdanocQdqaHJDAo5Bia
MD5:	4300D1A092B91E7C8DFA6F1E5E7973B2
SHA1:	63A4FCD64ECEA975C1B91DE04702C68A9F2A3C7D
SHA-256:	887EB5CE93EDB7192CA3E9220F07F9CA0F94DB02AF5862EBCBDFCB852DB99FD1
SHA-512:	DBF54F05AA371D5FF2B73AE1241A777C6BFF65C37D46FA8D10A9C23DA3B3F9D097618A5E246140AA39256BA9270EE3B7A1AB7B442B0A25F51C08BF04535A907D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@@_..._..._...=.=.\..._./.......%.M.....(.^..... .......$.......*.^...Rich_...................PE..L......8...........!.........0......(4.............x.........................@.......(..............................@5..P<.. r..6................................&...q..T...............................................D............................text...>............ .............. ..`.rdata...o.......p... ..............@..@.data...@p.......p..................@....rsrc...............................@..@.reloc...&.......0..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	6.533349685071589
Encrypted:	false
SSDEEP:	24576:u5gYLuvjckzS11wIJYbvsv9NZHa2kaV7UhH+CJ+oo8lsVhpRZpyi8F3qp/:uOQuvxzS11FjNkaV7UQCJ+oo8SVYFa/
MD5:	351BC7471A9874ACACF7D386FA8BE227
SHA1:	CE82D1CCF593088D09694EF90E44C4EA2761BE92
SHA-256:	20CBF8835F6FD3878ACACBB7868F7B95A7AAE6C2C9D5D0A926337ED31378FA7A
SHA-512:	650EFE6986A8E4DADD5FE8F95812052E047421C728FB61EAFAA4512B12A41BAB074171A9E7AB56D37C34FE284491D5CD4D60931A004D40115CED80C4CB56BBC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|.9...........#.........t.....................f.........................0......H....................................Q........... ..H....................0.......................................................................................text............................... ..`ENGINE.............................. ..`.data....n.......p..................@....rsrc........ ....... ..............@..@.reloc.......0.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\62227f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Last Saved By: InstallShield , Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Keywords: Installer; MSI; Database, Subject: ApexWin, Name of Creating Application: InstallShield Express 3.5, Last Saved Time/Date: Thu Aug 7 14:18:25 2008, Create Time/Date: Thu Aug 7 14:18:25 2008, Last Printed: Thu Aug 7 14:18:25 2008, Revision Number: {B5878C7F-DF01-43A0-9EE0-60D4127E7720}, Code page: 1252, Template: ;1033
Category:	dropped
Size (bytes):	10358272
Entropy (8bit):	7.963206319444704
Encrypted:	false
SSDEEP:	196608:4ZMalqlAy0Q2fVztTtMYymK+dDtM4aCkGI+iYYlDFvwJw/Ilvw:ZT0Q+DzKQKQd5oDFvwuQm
MD5:	C6A24F01036DF18AF6378BF86E5AFCC6
SHA1:	3BCB1FB29B11D51E006EE5880A6B6F290E8D9335
SHA-256:	D8118591766577567A652322D51FD825E6FE6EB53973117EF26F8D7E3C0B86A0
SHA-512:	5E74F1C72DEABDCF388EF7931A0D4D719781086E9342C28849F000F0DF41CC2DA3857D2FC849FFD8B70F4D66772D51457FD012816AF804E1040B786F7C285EBA
Malicious:	false
Preview:	......................>...................................8........6..................?...@...A...B...C...D...E...F...G...H...I...J...K...L...a...b...c...d...e............................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........]...........................................................................0....................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...2...1...O...3...4...5...6...7...E...d...:...;...<...=...>...?...@...A...B...C...D...\...H...G.......I...J...K...L...M...N...Q...P...t...R...S...T...U...V...W...X...Y...Z...[...`...^...c..._...b...a...e..._...n.......f...g...h...i.......k...l...m...p...o...F...q...r...s.......u...v...w...x...y...z...

C:\Windows\Installer\622281.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Last Saved By: InstallShield , Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Keywords: Installer; MSI; Database, Subject: ApexWin, Name of Creating Application: InstallShield Express 3.5, Last Saved Time/Date: Thu Aug 7 14:18:25 2008, Create Time/Date: Thu Aug 7 14:18:25 2008, Last Printed: Thu Aug 7 14:18:25 2008, Revision Number: {B5878C7F-DF01-43A0-9EE0-60D4127E7720}, Code page: 1252, Template: ;1033
Category:	dropped
Size (bytes):	10358272
Entropy (8bit):	7.963206319444704
Encrypted:	false
SSDEEP:	196608:4ZMalqlAy0Q2fVztTtMYymK+dDtM4aCkGI+iYYlDFvwJw/Ilvw:ZT0Q+DzKQKQd5oDFvwuQm
MD5:	C6A24F01036DF18AF6378BF86E5AFCC6
SHA1:	3BCB1FB29B11D51E006EE5880A6B6F290E8D9335
SHA-256:	D8118591766577567A652322D51FD825E6FE6EB53973117EF26F8D7E3C0B86A0
SHA-512:	5E74F1C72DEABDCF388EF7931A0D4D719781086E9342C28849F000F0DF41CC2DA3857D2FC849FFD8B70F4D66772D51457FD012816AF804E1040B786F7C285EBA
Malicious:	false
Preview:	......................>...................................8........6..................?...@...A...B...C...D...E...F...G...H...I...J...K...L...a...b...c...d...e............................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........]...........................................................................0....................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...2...1...O...3...4...5...6...7...E...d...:...;...<...=...>...?...@...A...B...C...D...\...H...G.......I...J...K...L...M...N...Q...P...t...R...S...T...U...V...W...X...Y...Z...[...`...^...c..._...b...a...e..._...n.......f...g...h...i.......k...l...m...p...o...F...q...r...s.......u...v...w...x...y...z...

C:\Windows\Installer\MSI257D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	218006
Entropy (8bit):	5.435952646209767
Encrypted:	false
SSDEEP:	6144:ohN0hTgPhjnqQtCLl8OMlyFr84kvzp9tzZPi36BOpDLGQnDMZblHWUAPAVF+5IUC:fq
MD5:	B941BDA5A7D633CA3BFBA74E6D10A711
SHA1:	4D1DB75561B5854AAB8FC3913F8458270CC53F2F
SHA-256:	97C38D8150D6380074214A934999D5248C1DE7752C27343883073DF6BD90BB70
SHA-512:	A44DF72C46918D730AB99624EDCE4855B7AE0545B595DA24C4D0AC5157C8474C970F78701E47BDEF966B4EEA80DAFDC84F1DA6ACA2EDF829358492B0FDB3FD2D
Malicious:	false
Preview:	...@IXOS.@.....@5l.X.@.....@.....@.....@.....@.....@......&.{348DFD33-272D-4451-8968-31E94E81AE45}..ApexWin..ApexWin.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{B5878C7F-DF01-43A0-9EE0-60D4127E7720}.....@.....@.....@.....@.......@.....@.....@.......@......ApexWin......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@(....@.....@.]....&.{65A9054E-7B69-47A8-963F-3BEF2931F7B3}'.C:\Program Files (x86)\ApexWin\data.exe.@.......@.....@.....@......&.{B0BFDC86-941B-11D6-A99E-0050DA600812}..C:\Program Files (x86)\.@.......@.....@.....@......&.{B0BFDCAA-941B-11D6-A99E-0050DA600812}..C:\Program Files (x86)\ApexWin\.@.......@.....@.....@......&.{2DB6BF98-4AFD-486F-A9C1-0ABDECDD416F}&.C:\Program Files (x86)\ApexWin\Connex\.@.......@.....@.....@......&.{C37FF483-4097-4D04-8250-F332372C4BD2}(.C:\Program Files (x86)\ApexWin\PWECP.EXE.@.......@.....@.....@......&.{B0BFDCAF-941B-11D6-A9

C:\Windows\Installer\SourceHash{348DFD33-272D-4451-8968-31E94E81AE45}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1636585337533516
Encrypted:	false
SSDEEP:	12:JSbX72FjHGiAGiLIlHVRpY5h/7777777777777777777777777vDHF0jIpdl0i8Q:JlJQI5eKdF
MD5:	0FEA3C64376A0256EAFCEFEE39DC76ED
SHA1:	7CF07539B0B104A4B91B86460CBECA53F2D9C417
SHA-256:	D0893470E76DFE6538E9C1424C64C0820B917261D55B21575CD83B7141488C2A
SHA-512:	9CD3344997CD559486F96786406C9D9E4198CF7B456B5C75E6561312DB17EA3247C6FE8FCCD59477971E5213361259C9C93B5FCF5F069F417547BC0198E64A9B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.2736132709991983
Encrypted:	false
SSDEEP:	96:mha1GFT1Dzd+Hjx7ad47ORoY3hdnGbxNmkx7ad47ORoY3hdnGbxN:J1UhsHgddax4Fddax
MD5:	169732B202E5D28F21F3A53C0DE8F82C
SHA1:	4EBFFEB5D4409B028299073BF92FF82139A65D45
SHA-256:	D9D8C02E67747AF1A3DBC3B5125840787A6D78327EA48F6A43B399EE678D7A9A
SHA-512:	918B74C9235E3DED084525C96FAAF0FFD31800E138D905B693FB6043E792DCAD567D6BA6C53548BDA44E3904EBE0ECD93B383EACEF72EFC6AD7E9F5EA06E1136
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.3751693113914625
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau9:zTtbmkExhMJCIpErI
MD5:	4E3D4C97AAFC00E091F2578C2EBB219F
SHA1:	65EF38AD0C85B0A59C2EB29FB2DDF64D03EA77BC
SHA-256:	76D3C5BDF053AC5968BE6BDC3423F0E7EC37C920DD30C2CAFFADEB2D1F59B419
SHA-512:	03150E4DA3DCBA0AB20DC5742686431253DD634442746F2100A8F42F6E032BEB426E20060B6C71EDBB6D1B90C52C75069795B687467EF448EE97F924415491C7
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\comdlg32.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	140488
Entropy (8bit):	6.138293118127049
Encrypted:	false
SSDEEP:	3072:3ESIiWD8uq4hCqUt6mqD1gRshBgH/voqJrwo2CocrJbQN6N2TRqEydzdHv2:3ETz566VgRyOJ0oDxQRHH
MD5:	B73809A916E6D7C1AE56F182A2E8F7E2
SHA1:	34E4213D8BF0E150D3F50AE0BD3F5B328E1105F5
SHA-256:	64C6EE999562961D11AF130254AD3FFD24BB725D3C18E7877F9FD362F4936195
SHA-512:	26C28CB6C7E1B47425403AB8850A765AC420DD6474327CE8469376219C830AB46218383D15A73C9EA3A23FC6B5F392EE6E2A1632A1BF644B1BD1A05A4729E333
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.6....!......#......................... ....z!.........................0......T................................s...............@...............................................................................................................text...L........................... ..`.data........0......................@....rsrc........@.......*..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mscomctl.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1066176
Entropy (8bit):	6.377536905123536
Encrypted:	false
SSDEEP:	24576:K2woQX9+gWX6b+SHQjxnRC33Oej3zR/QhF7OnVz3S7HM7BHg:5kX9+V6KTpcPhkgVSglg
MD5:	714CF24FC19A20AE0DC701B48DED2CF6
SHA1:	D904D2FA7639C38FFB6E69F1EF779CA1001B8C18
SHA-256:	09F126E65D90026C3F659FF41B1287671B8CC1AA16240FC75DAE91079A6B9712
SHA-512:	D375FD9B509E58C43355263753634368FA711F02A2235F31F7FA420D1FF77504D9A29BB70AE31C87671D50BD75D6B459379A1550907FBE5C37C60DA835C60BC1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."x$9.....@.....#.........l...... ........p....X'.........................P.......................................@...............P...Z.........../...............................................................................................text............................... ..`.data....s.......r..................@....rsrc...4\...P...^...6..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\tabctl32.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	209608
Entropy (8bit):	6.343103011256511
Encrypted:	false
SSDEEP:	3072:kBOrV7gwFcKneF9s2x+eDYIRXDc6VNeFjzBB9g3A/Vt8DbtUfREm/UmL/8zc8N9R:k0rVdCVrsEncIRXDdVNeFBIk2DgR4d
MD5:	908938D3BA2D870EE9FC6238A4C6AF95
SHA1:	E8648D6D69FD5CF900C4BF98B210F6921BED3EF5
SHA-256:	40CADBFB2EB5732F025D687664F34239DB7153A192BCA0287F9208852B201FB6
SHA-512:	F9433F48330F7DDC64EDB8A64229C1490FA31978E9F4FFDC5FA5FF8B18430317A39A07A559D560051BA195B730429ACFB18EDB38BF712507B00AC788FFCA0B74
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......:....f......#..... ..........X........0..../!.........................0.......i...............................................p...............................................................................................................text...f........ .................. ..`.data....7...0...8...&..............@....rsrc.......p.......^..............@....reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF04E16608370EE1C1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2EC89E001D2C8C42.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.4661389991266178
Encrypted:	false
SSDEEP:	96:BybkTm83UuDzd+Hjx7ad47ORoY3hdnGbxNmkx7ad47ORoY3hdnGbxN:4bkCssHgddax4Fddax
MD5:	44AAE9B96E8EB1911BA9FF599688E232
SHA1:	FC0A1AACCF90D074C21C319CFA014B07917DAD5F
SHA-256:	BA2049CC7ED06E4E64C09F044BDB0283873AF03E9A0BB659C0C80A84037B423B
SHA-512:	A049F62C6C3B0DDA30BD3AC0070928DA4C90814C4AC6CB20AB8F7C2FDD8925EAEF71D30E1CCD0BB8E27A85C6443EEEBE66901F735B9768618AFCC0702D770AD5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF622DB63BAE0D5B84.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7DF507050D01ADA3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.4661389991266178
Encrypted:	false
SSDEEP:	96:BybkTm83UuDzd+Hjx7ad47ORoY3hdnGbxNmkx7ad47ORoY3hdnGbxN:4bkCssHgddax4Fddax
MD5:	44AAE9B96E8EB1911BA9FF599688E232
SHA1:	FC0A1AACCF90D074C21C319CFA014B07917DAD5F
SHA-256:	BA2049CC7ED06E4E64C09F044BDB0283873AF03E9A0BB659C0C80A84037B423B
SHA-512:	A049F62C6C3B0DDA30BD3AC0070928DA4C90814C4AC6CB20AB8F7C2FDD8925EAEF71D30E1CCD0BB8E27A85C6443EEEBE66901F735B9768618AFCC0702D770AD5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF958D0320E5C7E12F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB5144F7914FF8B84.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07045478125126726
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO0zPIskqVky6lf1:2F0i8n0itFzDHF0jmd
MD5:	8D28E768F96723E23A2FD651CE95CF58
SHA1:	E06A98DC1473BB0497ED2A31A947C3D81A134B09
SHA-256:	76BA78E9AC230942886BA7450D371CEB842FE1FE499C02EC4689755251E6A558
SHA-512:	D6C0CCD460A44F04F093C43D30F1F6E531C9019E319D99C3D7D781954F4771ADD8D7587538BDB6EDFE6D2DCCE8BDBA468B71D1E8049AA7EF0BE4919B37B2367B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC9A445D160C9889E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.2736132709991983
Encrypted:	false
SSDEEP:	96:mha1GFT1Dzd+Hjx7ad47ORoY3hdnGbxNmkx7ad47ORoY3hdnGbxN:J1UhsHgddax4Fddax
MD5:	169732B202E5D28F21F3A53C0DE8F82C
SHA1:	4EBFFEB5D4409B028299073BF92FF82139A65D45
SHA-256:	D9D8C02E67747AF1A3DBC3B5125840787A6D78327EA48F6A43B399EE678D7A9A
SHA-512:	918B74C9235E3DED084525C96FAAF0FFD31800E138D905B693FB6043E792DCAD567D6BA6C53548BDA44E3904EBE0ECD93B383EACEF72EFC6AD7E9F5EA06E1136
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD6C95FFF1B74F13E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD8F00A950FBB2C61.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	0.4737066076436387
Encrypted:	false
SSDEEP:	96:wkx7ad47ORoY3hdnGbxNpjx7ad47ORoY3hdnGbxNbl9zo:wFddaxbgddaxB8
MD5:	6138F1839CEC86AB60B5A3460E024332
SHA1:	BF9DBBFB6562609D580799E8C86AA1F4A83CF3DC
SHA-256:	A4866B4A0EAB20CB79B8F1A0C571940CEB2341935504854DDF2B9704CFB5524E
SHA-512:	5AF4EEFD76EC05FCF07A13EC5508D5C86CA9CD73E16236DE29C4B991853367B4C225CFA7465C7D183295CAC9FD64BE42321610FB49AA70BC7C249A1FF6DA6747
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE48E489E60FEC1E4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE913985DC8E747CA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.4661389991266178
Encrypted:	false
SSDEEP:	96:BybkTm83UuDzd+Hjx7ad47ORoY3hdnGbxNmkx7ad47ORoY3hdnGbxN:4bkCssHgddax4Fddax
MD5:	44AAE9B96E8EB1911BA9FF599688E232
SHA1:	FC0A1AACCF90D074C21C319CFA014B07917DAD5F
SHA-256:	BA2049CC7ED06E4E64C09F044BDB0283873AF03E9A0BB659C0C80A84037B423B
SHA-512:	A049F62C6C3B0DDA30BD3AC0070928DA4C90814C4AC6CB20AB8F7C2FDD8925EAEF71D30E1CCD0BB8E27A85C6443EEEBE66901F735B9768618AFCC0702D770AD5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF6A2028701753C6B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.2736132709991983
Encrypted:	false
SSDEEP:	96:mha1GFT1Dzd+Hjx7ad47ORoY3hdnGbxNmkx7ad47ORoY3hdnGbxN:J1UhsHgddax4Fddax
MD5:	169732B202E5D28F21F3A53C0DE8F82C
SHA1:	4EBFFEB5D4409B028299073BF92FF82139A65D45
SHA-256:	D9D8C02E67747AF1A3DBC3B5125840787A6D78327EA48F6A43B399EE678D7A9A
SHA-512:	918B74C9235E3DED084525C96FAAF0FFD31800E138D905B693FB6043E792DCAD567D6BA6C53548BDA44E3904EBE0ECD93B383EACEF72EFC6AD7E9F5EA06E1136
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950923043852507
TrID:	Win32 Executable (generic) a (10002005/4) 98.99% InstallShield setup (43055/19) 0.43% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
File size:	10'577'307 bytes
MD5:	3267524dfd0402edc79dd8bc794f6b60
SHA1:	ace93085f7ca737c26b46746c131198890b171a9
SHA256:	c22beac6359f4a40b59d7d1770dd70610d85670466c86f5d95211c98ebac96ff
SHA512:	43078dae2c4bf15a1a0862849020e04826c598b4081a472b94718cd406b1ed55c3e7830ac7b47aaefbe03fec3529d2a09d392dee3e3c8f0be36acd00cdb8cba2
SSDEEP:	196608:WM2ZMalqlAy0Q2fVztTtMYymK+dDtM4aCkGI+iYYlDFvwJw/Ilvww:HT0Q+DzKQKQd5oDFvwuQmw
TLSH:	BCB6335779860372C1880374C6B2BB726FBABC6706E15447A335B94C1CB7BD0867AAF1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................S...............................8.......................................................Rich...................

File Icon


Icon Hash:	57171d4de7912e31

Static PE Info

General

Entrypoint:	0x41586f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x3CF5142C [Wed May 29 17:47:24 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ed4817bd12c7cb91fdcfb0ad265f5af2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041FB68h
push 004186B0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0041F24Ch]
xor edx, edx
mov dl, ah
mov dword ptr [0042940Ch], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00429408h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00429404h], ecx
shr eax, 10h
mov dword ptr [00429400h], eax
push 00000001h
call 00007F2A90C1CF0Eh
pop ecx
test eax, eax
jne 00007F2A90C1B44Ah
push 0000001Ch
call 00007F2A90C1B508h
pop ecx
call 00007F2A90C1CC02h
test eax, eax
jne 00007F2A90C1B44Ah
push 00000010h
call 00007F2A90C1B4F7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F2A90C21061h
call dword ptr [0041F250h]
mov dword ptr [0042AAE4h], eax
call 00007F2A90C20F1Fh
mov dword ptr [00429440h], eax
call 00007F2A90C20CC8h
call 00007F2A90C20C0Ah
call 00007F2A90C1AB2Dh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0041F254h]
call 00007F2A90C20B9Bh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F2A90C1B448h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x212e8	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b000	0xb918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x43c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1df66	0x1e000	fbd5df88b87541d55f16115ba642c93b	False	0.5887939453125	data	6.582537151324827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0x39a2	0x4000	40edf5d201a4eed1df36a8c566931d80	False	0.35150146484375	data	5.0218810267188605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x23000	0x7af8	0x5000	c8306b261a2d70b8c4f091b68ce4bfe5	False	0.225927734375	data	2.8228240585702427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2b000	0xb918	0xc000	86f93a44014527c49c3e1ec7fedacb1b	False	0.7881062825520834	data	7.1873227376687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
GIF	0x2ec78	0x7aea	GIF image data, version 89a, 219 x 373	English	United States	0.9879552532892646
RT_CURSOR	0x2eb28	0x134	data	English	United States	0.37012987012987014
RT_ICON	0x2bd88	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4018817204301075
RT_ICON	0x2c088	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x2c1b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0x2c718	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x2ca00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_ICON	0x2d2e8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_ICON	0x2d410	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.8424855491329479
RT_ICON	0x2d978	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.5013440860215054
RT_ICON	0x2dc60	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.8217509025270758
RT_DIALOG	0x2e548	0x136	data	English	United States	0.603225806451613
RT_DIALOG	0x2e938	0x1ea	data	English	United States	0.5122448979591837
RT_DIALOG	0x2e840	0xf8	data	English	United States	0.6693548387096774
RT_DIALOG	0x2e680	0xc8	data	English	United States	0.7
RT_DIALOG	0x2e748	0xf2	data	English	United States	0.6900826446280992
RT_STRING	0x36768	0x6e	data	English	United States	0.6818181818181818
RT_STRING	0x367d8	0x6e	data	English	United States	0.6
RT_STRING	0x36848	0xcc	data	English	United States	0.5392156862745098
RT_GROUP_CURSOR	0x2ec60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x2c070	0x14	data	English	United States	1.2
RT_GROUP_ICON	0x2d2a8	0x3e	data	English	United States	0.8548387096774194
RT_GROUP_ICON	0x2e508	0x3e	data	English	United States	0.8548387096774194
RT_VERSION	0x2b860	0x528	data	English	United States	0.24393939393939393
RT_MANIFEST	0x2b5c0	0x29a	XML 1.0 document, ASCII text, with CRLF line terminators			0.48348348348348347

Imports

DLL	Import
VERSION.dll	VerQueryValueA, GetFileVersionInfoA, GetFileVersionInfoSizeA, VerLanguageNameA
SHELL32.dll	SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA
COMCTL32.dll
KERNEL32.dll	QueryPerformanceFrequency, CreateEventA, Sleep, InterlockedDecrement, MoveFileA, lstrcatA, CompareStringA, CompareStringW, GetVersionExA, SetFilePointer, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, FreeLibrary, GetProcAddress, LoadLibraryA, MapViewOfFile, UnmapViewOfFile, CreateFileMappingA, LockResource, WriteFile, SizeofResource, FindResourceA, CreateProcessA, GetModuleFileNameA, GetTickCount, GetSystemDefaultLCID, GlobalHandle, SetLastError, lstrlenW, InterlockedIncrement, GetPrivateProfileSectionA, WaitForSingleObject, GetSystemInfo, IsValidCodePage, FlushFileBuffers, LocalFree, FormatMessageA, GetDiskFreeSpaceA, _lclose, OpenFile, GetDriveTypeA, CreateDirectoryA, GetFileAttributesA, RemoveDirectoryA, GetExitCodeProcess, GetCurrentProcess, GetCurrentThread, GetLocaleInfoA, GetPrivateProfileStringA, lstrlenA, CreateFileA, GetFileSize, GlobalAlloc, CloseHandle, GlobalLock, ReadFile, GlobalUnlock, GlobalFree, WideCharToMultiByte, DeleteFileA, GetLastError, CreateThread, CopyFileA, MultiByteToWideChar, ExpandEnvironmentStringsA, GetExitCodeThread, lstrcmpiA, SetErrorMode, GetPrivateProfileIntA, GetTempPathA, WritePrivateProfileStringA, GetWindowsDirectoryA, GetTempFileNameA, lstrcmpA, lstrcpyA, SetCurrentDirectoryA, LoadResource, GetStdHandle, RaiseException, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetOEMCP, SetHandleCount, GetACP, GetCPInfo, SetUnhandledExceptionFilter, DeleteCriticalSection, InitializeCriticalSection, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, HeapSize, HeapReAlloc, LeaveCriticalSection, EnterCriticalSection, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, TerminateProcess, ExitProcess, SetStdHandle, HeapAlloc, HeapFree, RtlUnwind, SystemTimeToFileTime, QueryPerformanceCounter, ResetEvent, SetEvent, lstrcpynA, SearchPathA, FindFirstFileA, VirtualProtect, VirtualQuery, FindClose, IsBadReadPtr, GetStringTypeA, GetStringTypeW, LCMapStringW, LCMapStringA, IsBadCodePtr, GetFileType
USER32.dll	MessageBoxA, ReleaseDC, GetDC, DispatchMessageA, TranslateMessage, GetMessageA, CreateWindowExA, RegisterClassA, LoadCursorA, LoadIconA, SetTimer, PostQuitMessage, KillTimer, PostMessageA, DefWindowProcA, PeekMessageA, MsgWaitForMultipleObjects, wsprintfA, GetDesktopWindow, DialogBoxParamA, ShowWindow, GetDlgItem, EndDialog, GetWindowDC, SetWindowPos, ClientToScreen, GetClientRect, SetWindowLongA, EndPaint, BeginPaint, GetWindowLongA, WaitForInputIdle, CharNextA, SendDlgItemMessageA, ExitWindowsEx, CharPrevA, LoadStringA, wvsprintfA, GetClassInfoA, UpdateWindow, SetCursor, GetDlgItemTextA, EnableWindow, GetParent, GetWindowTextLengthA, GetWindowTextA, MoveWindow, GetWindowPlacement, DrawIcon, GetDlgCtrlID, SetWindowTextA, FillRect, GetSysColor, GetSysColorBrush, IsDialogMessageA, SendMessageA, GetWindowRect, GetSystemMetrics, FindWindowA, IntersectRect, SubtractRect, IsWindow, DestroyWindow, CreateDialogParamA, SetRect, DestroyIcon, CharLowerBuffA
GDI32.dll	CreateDIBitmap, GetDeviceCaps, CreatePalette, SelectPalette, GetStockObject, DeleteObject, GetSystemPaletteEntries, BitBlt, SelectObject, DeleteDC, CreateSolidBrush, CreateFontIndirectA, CreateCompatibleDC, SetTextColor, SetBkMode, GetObjectA, TranslateCharsetInfo, GetTextExtentPointA, RealizePalette
ADVAPI32.dll	FreeSid, RegQueryValueA, RegOpenKeyA, RegCloseKey, RegQueryValueExA, OpenThreadToken, GetTokenInformation, AllocateAndInitializeSid, OpenProcessToken, EqualSid, RegOpenKeyExA, RegSetValueExA, RegCreateKeyExA, RegEnumValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA
ole32.dll	CreateItemMoniker, CoCreateGuid, StringFromCLSID, StgIsStorageFile, StgOpenStorage, CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitialize, GetRunningObjectTable
OLEAUT32.dll	SysReAllocStringLen, SysFreeString, SysAllocString, SysAllocStringLen, SysStringLen, VariantClear, VariantChangeType

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:33:16
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe"
Imagebase:	0x400000
File size:	10'577'307 bytes
MD5 hash:	3267524DFD0402EDC79DD8BC794F6B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:33:28
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi" SETUPEXEDIR="C:\Users\user\Desktop"
Imagebase:	0x9f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:33:28
Start date:	20/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff726f40000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	13:33:28
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding BDB44787BAEFCB4E5F2923A34628155A C
Imagebase:	0x9f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:33:42
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A892F398EEF8C393BFA3B4244973CB46
Imagebase:	0x9f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00407353 Relevance: 60.1, APIs: 20, Strings: 14, Instructions: 641
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00407358

Part of subcall function 0040A5A2: __EH_prolog.LIBCMT ref: 0040A5A7
Part of subcall function 0040A5A2: GetPrivateProfileStringA.KERNEL32(DotNetVersion,004276D0,?,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000), ref: 0040A5F9

GetPrivateProfileStringA.KERNEL32(004276D0,?,00000014,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 004073CC
GetPrivateProfileStringA.KERNEL32(004276D0,?,00000014,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,00000000), ref: 00407409
lstrcatA.KERNEL32(?, /q:a /c:"install /q",dotnetfx.exe,?,00000000,?,00000001), ref: 00407595
wsprintfA.USER32 ref: 004075C7
lstrcatA.KERNEL32(?,00000000), ref: 004075D7
wsprintfA.USER32 ref: 00407609

Part of subcall function 0040FCD7: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,5v@,?,?,?,?,?,75BF8400), ref: 0040FD2D
Part of subcall function 0040FCD7: MsgWaitForMultipleObjects.USER32(00000001,5v@,00000000,000000FF,000000FF), ref: 0040FD4F
Part of subcall function 0040FCD7: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0040FD65
Part of subcall function 0040FCD7: TranslateMessage.USER32(?), ref: 0040FD75
Part of subcall function 0040FCD7: DispatchMessageA.USER32(?), ref: 0040FD7F
Part of subcall function 0040FCD7: WaitForSingleObject.KERNEL32(5v@,00000000,?,?,?,?,?,75BF8400), ref: 0040FD9B
Part of subcall function 0040FCD7: GetExitCodeProcess.KERNEL32(5v@,CCCCCCCC), ref: 0040FDAE
Part of subcall function 0040FCD7: CloseHandle.KERNEL32(?,?,?,?,?,?,75BF8400), ref: 0040FDC5
Part of subcall function 0040FCD7: CloseHandle.KERNEL32(?,?,?,?,?,?,75BF8400), ref: 0040FDCA

RegQueryValueExA.ADVAPI32(?,InstallerLocation,00000000,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,00000000,00000000,?), ref: 004076D9
SetCurrentDirectoryA.KERNEL32(?), ref: 004076E6
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,00000000,00000000,?), ref: 004076F8
GetPrivateProfileStringA.KERNEL32(004276D0,?,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000001,00000810), ref: 00407968
lstrcatA.KERNEL32(00001018, ISSCHEDULEREBOOT=1,00000001,00000810,00000000,00000000,?,?), ref: 0040799B
lstrcmpA.KERNEL32(00000000,004276D0,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C,00000001,00000810,00000000,00000000,?,?), ref: 00407A58
lstrcmpA.KERNEL32(00000000,004276D0,?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C,00000001,00000810,00000000,00000000,?,?), ref: 00407AC3

Strings

dotnetfx.exe, xrefs: 00407503
C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 004079CD, 00407B3B
InstallerLocation, xrefs: 004076CE
Y, xrefs: 00407411
/q:a /c:"install /q", xrefs: 0040758F
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 004073AA, 004073ED, 00407949
Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 0040768A
Microsoft(R) .NET Framework, xrefs: 004075FC
dotnetredist.exe, xrefs: 00407526
dotnetredistSp1.exe, xrefs: 00407559
/l%d, xrefs: 004075C1
ISSCHEDULEREBOOT=1, xrefs: 004079A2
Y, xrefs: 00407974
ISSCHEDULEREBOOT=1, xrefs: 00407995

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileString$CloseMessagelstrcat$H_prologHandleProcessWaitlstrcmpwsprintf$CodeCreateCurrentDirectoryDispatchExitMultipleObjectObjectsPeekQuerySingleTranslateValue
String ID: /l%d$ /q:a /c:"install /q"$ ISSCHEDULEREBOOT=1$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$ISSCHEDULEREBOOT=1$InstallerLocation$Microsoft(R) .NET Framework$Software\Microsoft\Windows\CurrentVersion\Installer$Y$Y$dotnetfx.exe$dotnetredist.exe$dotnetredistSp1.exe
API String ID: 1671826068-1798567274
Opcode ID: f2d8ca4d2b3cc1d78de6bfd7cfa63a0546b8005445a3aedc005b90ea1971d979
Instruction ID: 6e2d157bc415c1b61f178a2fd5abb9b94f5a631a54399dbd1aaf507f458f5930
Opcode Fuzzy Hash: f2d8ca4d2b3cc1d78de6bfd7cfa63a0546b8005445a3aedc005b90ea1971d979
Instruction Fuzzy Hash: B232D2B1E04219ABDF21DBA0CC45BEEB7B9AB08304F14017BE505B21D1DB79AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00407C0F Relevance: 54.7, APIs: 16, Strings: 15, Instructions: 453
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00407C14
wsprintfA.USER32 ref: 00407CED
wsprintfA.USER32 ref: 00407D0E
wsprintfA.USER32 ref: 00407D2E
GetModuleFileNameA.KERNEL32(00000000,00000400), ref: 00407D8C
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00407DB3
wsprintfA.USER32 ref: 00407EA0
wsprintfA.USER32 ref: 00407EBB
wsprintfA.USER32 ref: 00407F14
wsprintfA.USER32 ref: 00407F55
CoInitialize.OLE32(00000000), ref: 00407F83
SysFreeString.OLEAUT32(00000000), ref: 00408009
GetPrivateProfileStringA.KERNEL32(004276D0,00000000,00000032,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 0040804B
SysFreeString.OLEAUT32(00000000), ref: 00408052
SysFreeString.OLEAUT32(00000000), ref: 00408138
CoUninitialize.OLE32 ref: 0040814F

Part of subcall function 004081BC: __EH_prolog.LIBCMT ref: 004081C1
Part of subcall function 004081BC: CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,00000000), ref: 00408235
Part of subcall function 004081BC: SetFileAttributesA.KERNEL32(?,00000080), ref: 00408247
Part of subcall function 004081BC: wsprintfA.USER32 ref: 0040827A
Part of subcall function 004081BC: lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?,00000000,00000000,00000000), ref: 004082BE
Part of subcall function 004081BC: lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_isE74C,?,?,?,?,?,?,00000451), ref: 004082F9
Part of subcall function 004081BC: CopyFileA.KERNEL32(?,?,00000000), ref: 0040830E

Part of subcall function 004059C8: IsWindow.USER32(0040815C), ref: 004059CE
Part of subcall function 004059C8: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,00000451), ref: 004059E7
Part of subcall function 004059C8: ShowWindow.USER32(00000000,?,?,?,?,?,00000451), ref: 004059F1

Part of subcall function 0040F5E3: lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,75BF8400), ref: 0040F630
Part of subcall function 0040F5E3: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,75BF8400), ref: 0040F64D
Part of subcall function 0040F5E3: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0040F664
Part of subcall function 0040F5E3: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040F67A
Part of subcall function 0040F5E3: GetExitCodeProcess.KERNELBASE(?,00000001), ref: 0040F699
Part of subcall function 0040F5E3: CloseHandle.KERNEL32(?,?,?,?,?,?,75BF8400), ref: 0040F6AA

Strings

%s TRANSFORMS="%s", xrefs: 00407D08
%s %s, xrefs: 00407E36
%s%s%s;%s, xrefs: 00407CE7
%s /f%s "%s" %s, xrefs: 00407F32
%s /p "%s" %s, xrefs: 00407E9A
\, xrefs: 00407DB9
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040802C
TRANSFORMS=", xrefs: 00407C70
%s /a "%s"%s, xrefs: 00407F49
%s /x "%s" %s, xrefs: 00407EEA
%s="%s", xrefs: 00407DFF
%s /j%s "%s" %s, xrefs: 00407F08
/p"%s" %s, xrefs: 00407EB5
%s /i "%s" %s, xrefs: 00407E8A
TRANSFORMS=, xrefs: 00407CA1

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$FileString$FreeWindow$CopyH_prologProcessShowlstrcat$AttributesCloseCodeCreateExitHandleInitializeMessageModuleMultipleNameObjectsPeekPrivateProfileUninitializeWaitlstrcpylstrlen
String ID: %s %s$%s /a "%s"%s$%s /f%s "%s" %s$%s /i "%s" %s$%s /j%s "%s" %s$%s /p "%s" %s$%s /x "%s" %s$%s TRANSFORMS="%s"$%s%s%s;%s$%s="%s"$/p"%s" %s$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$TRANSFORMS=$TRANSFORMS="$\
API String ID: 2298955537-1907559495
Opcode ID: d6eac5da36c57705c03dab9302b2e2f6e16c2156a712744fb11c9fd5d8c25a36
Instruction ID: 45c230a29f97c92d969caffdab67c27ceb50ab962942579f6b704ff2b2f23236
Opcode Fuzzy Hash: d6eac5da36c57705c03dab9302b2e2f6e16c2156a712744fb11c9fd5d8c25a36
Instruction Fuzzy Hash: 07F1C272A00619ABDB10DF94CC40AEF77B9BF08304F1445BBF605E61D1DB78AA458F99

Uniqueness

Uniqueness Score: -1.00%

Function 00409EC8 Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 413
stringfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileIntA.KERNEL32(?,000000FE,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000001), ref: 00409EF6
GetPrivateProfileStringA.KERNEL32(?,004276D0,00000000,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00409F8A
LoadLibraryA.KERNELBASE(SHFolder.dll), ref: 00409FB1
GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00409FE5
FreeLibrary.KERNELBASE(00000451,00000000,?), ref: 0040A082
lstrcpyA.KERNEL32(00000000,0040AA17), ref: 0040A0A2

Part of subcall function 0040F289: CharNextA.USER32(?,000000FF,74DE83C0), ref: 0040F2BC
Part of subcall function 0040F289: lstrcpyA.KERNEL32(00000000,00000000), ref: 0040F2CC
Part of subcall function 0040F289: CharNextA.USER32(00000000), ref: 0040F2DE
Part of subcall function 0040F289: CharPrevA.USER32(00000000,00000000), ref: 0040F2ED
Part of subcall function 0040F289: lstrcpyA.KERNEL32(?,?), ref: 0040F306

lstrcpyA.KERNEL32(00000000,00000000,00000000), ref: 0040A0CA
lstrcmpA.KERNEL32(?,?,?,00000451), ref: 0040A197
CopyFileA.KERNEL32(00000451,?,00000001), ref: 0040A1B2
GetLastError.KERNEL32 ref: 0040A1C0
wsprintfA.USER32 ref: 0040A222
lstrcatA.KERNEL32(?,00423510), ref: 0040A233
wsprintfA.USER32 ref: 0040A261
MessageBoxA.USER32(?,?,00000024), ref: 0040A285
MoveFileA.KERNEL32(?,00000000), ref: 0040A396
lstrcatA.KERNEL32(?,.ini,?,?,?,?,?,?), ref: 0040A3F4
CopyFileA.KERNEL32(?,?,00000000), ref: 0040A40A

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040A333
SHFolder.dll, xrefs: 00409FAC
SHGetFolderPathA, xrefs: 00409FDF
.ini, xrefs: 0040A3EE
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00409EE0, 00409EE7, 00409F69

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$CharFile$CopyLibraryNextPrivateProfilelstrcatwsprintf$AddressErrorFreeLastLoadMessageMovePrevProcStringlstrcmp
String ID: .ini$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$SHFolder.dll$SHGetFolderPathA
API String ID: 4257908145-1364988588
Opcode ID: 96239c4cc85192797212722ef99c8c11ab6df88fe707698639fa5ca67278d396
Instruction ID: 05082a6190d859744ee360ef9e5be8fa99f65abd9b54b819b7a5ffb5c79f2770
Opcode Fuzzy Hash: 96239c4cc85192797212722ef99c8c11ab6df88fe707698639fa5ca67278d396
Instruction Fuzzy Hash: DFE15E7290061CAADF21DBA4CC44AEAB7BDBB48304F1444BBF605F2181EB759B8D8F55

Uniqueness

Uniqueness Score: -1.00%

Function 004019D5 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringA.KERNEL32(004276D0,00000410,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000), ref: 00401A1C
lstrlenA.KERNEL32(00000410,?,?), ref: 00401A25
GetPrivateProfileStringA.KERNEL32(004276D0,00000810,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00401A5F
lstrlenA.KERNEL32(00000810,?,?,?,?,?,?), ref: 00401A68
GetPrivateProfileStringA.KERNEL32(004276D0,00000010,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00401A98
lstrlenA.KERNEL32(00000010,?,?,?,?,?,?,?,?,?), ref: 00401A9E
GetPrivateProfileStringA.KERNEL32(004276D0,?,00000002,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00401AD2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401AD9
lstrcmpiA.KERNEL32(?,00423158), ref: 00401B01
GetPrivateProfileStringA.KERNEL32(004276D0,?,00000104,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00401B41
lstrlenA.KERNEL32(00000000), ref: 00401B56
GetPrivateProfileStringA.KERNEL32(004276D0,00001018,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00401B98
ExpandEnvironmentStringsA.KERNEL32(00001018,00000000,00000400), ref: 00401BAA
lstrcpyA.KERNEL32(00001018,00000000), ref: 00401BB2
GetPrivateProfileIntA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00401BEF

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 004019DE
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00401A02, 00401A4B, 00401A84, 00401ABD, 00401B20, 00401B84, 00401BDC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile$String$lstrlen$EnvironmentExpandStringslstrcmpilstrcpy
String ID: C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI
API String ID: 1013363181-3740074027
Opcode ID: 327f1fa32b452076d8d1392b35c75f6c9a8929b0f21fdbe793b50623b3359908
Instruction ID: 23e28cdac16f8e6250dcc03332961d4cfd7b9db0e27bbb3610493640bac2911c
Opcode Fuzzy Hash: 327f1fa32b452076d8d1392b35c75f6c9a8929b0f21fdbe793b50623b3359908
Instruction Fuzzy Hash: A7518471640205BBDB209F61EC49FEB37ACFB44755F00843AFA04D51A0E7B8A94ADB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409437 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040943C
GetPrivateProfileIntA.KERNEL32(ScriptDriven,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000451), ref: 00409469
GetPrivateProfileIntA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 004094A8
CoInitialize.OLE32(00000000), ref: 004094C1
GetPrivateProfileStringA.KERNEL32(004276D0,?,00000014,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00409562
lstrlenW.KERNEL32(00000000), ref: 00409577
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 0040959C
SysFreeString.OLEAUT32(00000000), ref: 004095B6
SysFreeString.OLEAUT32(00000000), ref: 004095D6
CoUninitialize.OLE32 ref: 004095FD

Strings

C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00409455, 0040945C, 0040949A, 00409543
ScriptDriven, xrefs: 0040945E

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileString$Free$ByteCharH_prologInitializeMultiUninitializeWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$ScriptDriven
API String ID: 4043649659-3092042727
Opcode ID: 44dd281326adbe5429f4ea871f41caf59dec5a144efa66131132bf747cd7e788
Instruction ID: f4ce6a48ceed18fe39aa005fb2342b6317c294a039929f9ebc9002e9477f13bf
Opcode Fuzzy Hash: 44dd281326adbe5429f4ea871f41caf59dec5a144efa66131132bf747cd7e788
Instruction Fuzzy Hash: 8651DF71904209FFCB01CFA9DC859AEBB78EF44318F10847AF505E7292C6399D46CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEDB Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 375
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040CEE0
lstrcpyA.KERNEL32(?,?,00000452,?,?,?,00000000,0040CE5E), ref: 0040CF5A
IsValidCodePage.KERNEL32(00000000,00000BBA,00000065,?,?,00000000,?,?,?,?,00000000,0040CE5E), ref: 0040D0A7

Part of subcall function 00406053: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_isE74C,!N@,?,004054F4,00000000,00000BBA,00000065,?,?,00000000,?,?,00000000,00404C55,00404E21,?), ref: 0040605E

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Part of subcall function 0040F445: GetFileAttributesA.KERNELBASE(?,0040F4C4,0040183D,00000000,0040183D,?), ref: 0040F449

Part of subcall function 00401087: CreateFileA.KERNEL32(0040CE5E,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?,00000000,0040CE5E), ref: 004010A5

GetPrivateProfileIntA.KERNEL32(000003E9,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000,0040CE5E), ref: 0040D1D0
lstrlenA.KERNEL32(?,?,000003E8,00000000,00000000,0040CE5E), ref: 0040D238
lstrlenA.KERNEL32(00000002,?,000003E8,00000000,00000000,0040CE5E), ref: 0040D25C
wsprintfA.USER32 ref: 0040D2B5

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040CF46, 0040D167
/LangTransform, xrefs: 0040D193
C:\Users\user\Desktop, xrefs: 0040D048
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040D1BA

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$Filelstrlen$AttributesCodeCreateH_prologPagePrivateProfileValidlstrcatwsprintf
String ID: /LangTransform$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$C:\Users\user\Desktop
API String ID: 264310678-2696756071
Opcode ID: 03f921fddd716f34b54a74164471ad0218e5078c408a3ea388b7c6e25d2a4667
Instruction ID: b06e60a8aeea069a29a1e683d12a6408e1dc3b866881643a7d47357348dae029
Opcode Fuzzy Hash: 03f921fddd716f34b54a74164471ad0218e5078c408a3ea388b7c6e25d2a4667
Instruction Fuzzy Hash: F2D17271D00215AAEB24EBA5CC45FEF76B8AF44308F10447FE909B21D1EB789A49CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5A2 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040A5A7
GetPrivateProfileStringA.KERNEL32(DotNetVersion,004276D0,?,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000), ref: 0040A5F9
GetPrivateProfileStringA.KERNEL32(UseDotNetUI,004276D0,?,00000080,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 0040A649
wsprintfA.USER32 ref: 0040A697

Strings

UseDotNetUI, xrefs: 0040A63E
DotNetVersion, xrefs: 0040A5EE
y, xrefs: 0040A654
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040A5D8, 0040A623

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileString$H_prologwsprintf
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$DotNetVersion$UseDotNetUI$y
API String ID: 1124327023-4068352467
Opcode ID: cc168417507dbb0b72713a06bdc2d9eecd11deecba7f92d6438fd89b515cfc39
Instruction ID: 7318e55f37061f415fd2d8bc6d8661d5684e75a45f2683f2b56cbf7f0fc23a38
Opcode Fuzzy Hash: cc168417507dbb0b72713a06bdc2d9eecd11deecba7f92d6438fd89b515cfc39
Instruction Fuzzy Hash: 3751DF72A00259BFDB20DF64DC41ADEBB78AB04318F00857BF515B7290DA786E49CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D487 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D670: __EH_prolog.LIBCMT ref: 0040D675
Part of subcall function 0040D670: LoadCursorA.USER32(00000000,00007F02), ref: 0040D6AC
Part of subcall function 0040D670: SetCursor.USER32(00000000), ref: 0040D6B9

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

GetPrivateProfileIntA.KERNEL32(Languages,Count,00000000,?), ref: 0040D4F0
wsprintfA.USER32 ref: 0040D51A
GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,?,00000013,?), ref: 0040D539
wsprintfA.USER32 ref: 0040D550

Part of subcall function 0040D670: SetCursor.USER32(?,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C,?), ref: 0040D710

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040D494, 0040D4D2
key, xrefs: 0040D50F
%s%d, xrefs: 0040D514
0x0%s.ini, xrefs: 0040D54A
Languages, xrefs: 0040D4E3, 0040D4EF, 0040D538
Count, xrefs: 0040D4EA

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$PrivateProfilewsprintf$H_prologLoadStringlstrcatlstrcpy
String ID: %s%d$0x0%s.ini$C:\Users\user\AppData\Local\Temp\_isE74C$Count$Languages$key
API String ID: 2218016369-2262267047
Opcode ID: 873c19686fd55547ae3c2a3b406ca6f1fa50d154eb737c0853e321d1e209d973
Instruction ID: ebc9559f78522bb5cc9f48d93aaf16ad85854cf61011976ab975afab52eeaef1
Opcode Fuzzy Hash: 873c19686fd55547ae3c2a3b406ca6f1fa50d154eb737c0853e321d1e209d973
Instruction Fuzzy Hash: D92121B1E0021CBADB51DF94EC81EEE777DAB04744F5044BAAA05F2180D778DE499B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9BB Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?), ref: 0040D9F7
wsprintfA.USER32 ref: 0040DA0C
CharNextA.USER32(?), ref: 0040DA1F
CharNextA.USER32(00000000), ref: 0040DA22
GetPrivateProfileStringA.KERNEL32(00000000,00000000,?,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 0040DA39

Part of subcall function 0040D670: __EH_prolog.LIBCMT ref: 0040D675
Part of subcall function 0040D670: LoadCursorA.USER32(00000000,00007F02), ref: 0040D6AC
Part of subcall function 0040D670: SetCursor.USER32(00000000), ref: 0040D6B9

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Part of subcall function 0040F445: GetFileAttributesA.KERNELBASE(?,0040F4C4,0040183D,00000000,0040183D,?), ref: 0040F449

Strings

%#x, xrefs: 0040DA06
C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040DA68
C:\Users\user\Desktop, xrefs: 0040DA84, 0040DAA4
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040D9E4, 0040D9E9, 0040DA24

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharCursorNextPrivateProfile$AttributesFileH_prologLoadStringlstrcatlstrcpywsprintf
String ID: %#x$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$C:\Users\user\Desktop
API String ID: 1822422677-1499150751
Opcode ID: 7c871475115b7313c3220157f9787300f0cef0d3d19bdfd211a8b9657bafd036
Instruction ID: 1e287bf884c6e9d9f66fd786027e448881ad62d52dd88c8547aa687d94c33c28
Opcode Fuzzy Hash: 7c871475115b7313c3220157f9787300f0cef0d3d19bdfd211a8b9657bafd036
Instruction Fuzzy Hash: B52151B1A0411DBEDB109BE5DD45EEF7B6DEB04354F008076BA04F2191DA38AE4E8E6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF4B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32,00401986,00000000), ref: 0040EF62
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040EF7A
lstrcpyA.KERNEL32(?,00000000), ref: 0040EF90

Part of subcall function 0040F399: CharNextA.USER32(?,0040EFA2,?), ref: 0040F3A3

GetDiskFreeSpaceExA.KERNELBASE(?,0040F13C,00000000,00000003,?), ref: 0040EFC5

Part of subcall function 0040F242: CharNextA.USER32(0040F324,?,75BF3530,00000000,0040F324,?), ref: 0040F257
Part of subcall function 0040F242: CharPrevA.USER32(0040F324,0040F324,?,75BF3530,00000000,0040F324,?), ref: 0040F260
Part of subcall function 0040F242: CharNextA.USER32(00000000,0040F324), ref: 0040F278
Part of subcall function 0040F242: CharNextA.USER32(00000000), ref: 0040F27E

GetDiskFreeSpaceA.KERNEL32(?,00000001,00000000,00000003,00000003), ref: 0040F016
FreeLibrary.KERNEL32(00401986), ref: 0040F036

Strings

GetDiskFreeSpaceExA, xrefs: 0040EF74
KERNEL32, xrefs: 0040EF5B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Free$DiskLibrarySpace$AddressLoadPrevProclstrcpy
String ID: GetDiskFreeSpaceExA$KERNEL32
API String ID: 711836960-2868000099
Opcode ID: ebae2a4a6cd0722d525484cb18799a98d24c7059c09cd9aaee73e872a9b5396f
Instruction ID: f04f3633e4a1cd4289c2bd7ae495367db3e8fd848d4d6b46e30ccfe108a851f4
Opcode Fuzzy Hash: ebae2a4a6cd0722d525484cb18799a98d24c7059c09cd9aaee73e872a9b5396f
Instruction Fuzzy Hash: 68313A72905159EACF10CFA5C8849DEBBFCEB08350F4484BAE545E7251DA34DA898BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409106 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 0040ED78: GetFileVersionInfoSizeA.VERSION(?,00000451,?,?,?,?), ref: 0040EDA9
Part of subcall function 0040ED78: GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000,?,?,?,00000451,?,?,?,?), ref: 0040EDD5
Part of subcall function 0040ED78: VerQueryValueA.VERSION(00000000,00423C94,?,00000000,00000000,00000000,00000000,?,?,?,00000451,?,?,?,?), ref: 0040EE08
Part of subcall function 0040ED78: wsprintfA.USER32 ref: 0040EE32
Part of subcall function 0040ED78: VerQueryValueA.VERSION(00000000,\VarFileInfo\Translation,?,00000000,00423C94,?,00000000,00000000,00000000,00000000,?,?,?,00000451), ref: 0040EE5A

Part of subcall function 00408ECE: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00007FFF,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408F16
Part of subcall function 00408ECE: GetPrivateProfileSectionA.KERNEL32(00000000,00007FFF,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408F2B
Part of subcall function 00408ECE: GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FB1
Part of subcall function 00408ECE: GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FCC
Part of subcall function 00408ECE: GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FE4
Part of subcall function 00408ECE: GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FFC

Part of subcall function 0040F808: GetCurrentThread.KERNEL32 ref: 0040F82D
Part of subcall function 0040F808: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F834
Part of subcall function 0040F808: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F844
Part of subcall function 0040F808: GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F853
Part of subcall function 0040F808: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F85A
Part of subcall function 0040F808: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F860
Part of subcall function 0040F808: GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00409195,?,?,?,?,?,?,?,?,00409195), ref: 0040F87C
Part of subcall function 0040F808: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F882
Part of subcall function 0040F808: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,00409195,00409195,?,?,?,?,?,?,?,?,00409195), ref: 0040F8A7
Part of subcall function 0040F808: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040F8C4

GetTempPathA.KERNEL32(00000400,00000000,?,?,00000000,?,00000000), ref: 004091D7
GetWindowsDirectoryA.KERNEL32(00000000,00000400,?,?,00000000,?,00000000), ref: 004091FB

Part of subcall function 0040EBAF: wsprintfA.USER32 ref: 0040EBE5
Part of subcall function 0040EBAF: wvsprintfA.USER32(?,?,?), ref: 0040EC00

Strings

Y, xrefs: 00409271
Msi.DLL, xrefs: 00409145
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00409244

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile$Token$ErrorLast$CurrentFileInfoInformationOpenProcessQueryThreadValueVersionwsprintf$AllocateDirectoryInitializePathSectionSizeStringTempWindowswvsprintf
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$Msi.DLL$Y
API String ID: 3567734165-4220719309
Opcode ID: a5a50f9ce4549bb5830b4a3c3958e1403c99eb817ad5050b28ac85e0b8d5d18c
Instruction ID: 2eedb63727aef3e17077834b6f22b2b3e30f5f51ac1ac28827274b0d344b61f8
Opcode Fuzzy Hash: a5a50f9ce4549bb5830b4a3c3958e1403c99eb817ad5050b28ac85e0b8d5d18c
Instruction Fuzzy Hash: A851D472B042187AEF209A75CC44BEB76A9AB48304F0408FFE605F21C2DB7C9D498A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004096DF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000), ref: 00409742
GetPrivateProfileStringA.KERNEL32(?,?,?,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00409763

Part of subcall function 00409437: __EH_prolog.LIBCMT ref: 0040943C
Part of subcall function 00409437: GetPrivateProfileIntA.KERNEL32(ScriptDriven,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000451), ref: 00409469

lstrcpyA.KERNEL32(00000451,?,00000000), ref: 00409809

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040978D
/URL, xrefs: 004097ED
C:\Users\user\Desktop, xrefs: 00409849
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00409732, 00409737, 0040974A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile$H_prologStringlstrcpy
String ID: /URL$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$C:\Users\user\Desktop
API String ID: 566390474-2343073691
Opcode ID: 04f5eedc43fa344977f4ffb39404c3e182c2aaf3d1c1ce43addb9863f5b38283
Instruction ID: fb0724fb04ec20caa98394e32185b617df26af80f09ae4a492e9368687449053
Opcode Fuzzy Hash: 04f5eedc43fa344977f4ffb39404c3e182c2aaf3d1c1ce43addb9863f5b38283
Instruction Fuzzy Hash: F041C472510119FBDF209F51CC40EEA7B79EB44714F10807EBA44B3281DB399E869B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00406B4C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(Languages,Default,004276D0,?,00000013,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406B6C

Strings

C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00406B52
Default, xrefs: 00406B62
Languages, xrefs: 00406B67

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileString
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$Default$Languages
API String ID: 1096422788-2588094607
Opcode ID: 2c43f7dd33dae729437226e3045596a39d50f7365aba8b4fcbab2dddae308e7a
Instruction ID: 988aeb2ec6503ce8dd57d1752631b90004fe9991f830fa55a8ddd41ae405ff36
Opcode Fuzzy Hash: 2c43f7dd33dae729437226e3045596a39d50f7365aba8b4fcbab2dddae308e7a
Instruction Fuzzy Hash: ABE086B1744319B6CB11AE68BC47F9B37785B40B5DBA04162B506F00C1E59CE788559D

Uniqueness

Uniqueness Score: -1.00%

Function 00406B93 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 12COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(Languages,Count,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406BA4

Strings

C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00406B93
Languages, xrefs: 00406B9F
Count, xrefs: 00406B9A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$Count$Languages
API String ID: 1469295129-142479074
Opcode ID: b2d2d29cb98f37fcdc8a1cab51ab4690d4c473f77f7c48b16471f247a23e2fa0
Instruction ID: 86d73c2c7431dff250bb4b109255558f74bcca55b07a4110ed8a348cf9db1b39
Opcode Fuzzy Hash: b2d2d29cb98f37fcdc8a1cab51ab4690d4c473f77f7c48b16471f247a23e2fa0
Instruction Fuzzy Hash: 79C012B63D0311B6C2515F30DC07B1431A06B65F29FA48399B412D52D0D56C5541450D

Uniqueness

Uniqueness Score: -1.00%

Function 0041586F Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00415895

Part of subcall function 00417396: HeapCreate.KERNELBASE(00000000,00001000,00000000,004158CD,00000001), ref: 004173A7
Part of subcall function 00417396: HeapDestroy.KERNEL32 ref: 004173E6

GetCommandLineA.KERNEL32 ref: 004158F5
GetStartupInfoA.KERNEL32(?), ref: 00415920
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00415943

Part of subcall function 0041599C: ExitProcess.KERNEL32 ref: 004159B9

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: f0f95fcbb0ae39ebdbdf2070445effd609cf238a69a8b7e849e43a07da635b87
Instruction ID: a8d6fa2ebab13873ade2deee86d9a997968de223ae5e6df81726abac0d206858
Opcode Fuzzy Hash: f0f95fcbb0ae39ebdbdf2070445effd609cf238a69a8b7e849e43a07da635b87
Instruction Fuzzy Hash: 1E2173B0944704EBD718BFA5DD05AEE7BA8EF44718F10403EF905962A1DB7D4882C699

Uniqueness

Uniqueness Score: -1.00%

Function 004044FB Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040450C
SizeofResource.KERNEL32(?,00000000), ref: 00404518
LoadResource.KERNEL32(?,00000000), ref: 00404524
LockResource.KERNEL32(00000000), ref: 0040452B

Part of subcall function 004043A3: __EH_prolog.LIBCMT ref: 004043A8
Part of subcall function 004043A3: GetWindowDC.USER32(00000000,?,?,00000000,00000000), ref: 00404488
Part of subcall function 004043A3: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004044A3
Part of subcall function 004043A3: DeleteObject.GDI32(00000000), ref: 004044B6
Part of subcall function 004043A3: ReleaseDC.USER32(00000000,?), ref: 004044C4

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$BitmapCreateDeleteFindH_prologLoadLockObjectReleaseSizeofWindow
String ID:
API String ID: 494826499-0
Opcode ID: 75915fdd9054315c4429b49ecf422562b1a55edc2c80c2fd1633fdc93e53e045
Instruction ID: d62b42f119732f1e2f16310c64a0be88d9ef310a265b3be425de328823110186
Opcode Fuzzy Hash: 75915fdd9054315c4429b49ecf422562b1a55edc2c80c2fd1633fdc93e53e045
Instruction Fuzzy Hash: 2FE06D72100018BFDB015F95EC48CEE7F6DEF882A0700C036FE08C6121DA724D66ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 004013EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Part of subcall function 0040F445: GetFileAttributesA.KERNELBASE(?,0040F4C4,0040183D,00000000,0040183D,?), ref: 0040F449

GetPrivateProfileStringA.KERNEL32(00000000,?,00000400,?,?,?), ref: 004014C0
lstrlenA.KERNEL32(00000000,?), ref: 004014ED

Part of subcall function 0040F47F: SetErrorMode.KERNELBASE(00008001,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000400,0040148C,C:\Users\user\AppData\Local\Temp\_isE74C,?,?,?), ref: 0040F49B
Part of subcall function 0040F47F: RemoveDirectoryA.KERNELBASE(?), ref: 0040F4A1
Part of subcall function 0040F47F: SetErrorMode.KERNELBASE(00000000), ref: 0040F4B0

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 004013FA, 00401406, 0040141E, 00401486

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$AttributesDirectoryFilePrivateProfileRemoveStringlstrcatlstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 1676809583-2024452353
Opcode ID: 0a6a345277d9fab97625a9ab4f5b485ca0af9b00cdfbc08defa8a71ac2abc8bb
Instruction ID: 2d86d3788d7a0ac48a14c9931100db9789351eac12942d24e2cc736109f6bf3f
Opcode Fuzzy Hash: 0a6a345277d9fab97625a9ab4f5b485ca0af9b00cdfbc08defa8a71ac2abc8bb
Instruction Fuzzy Hash: D531A47190021466DB21EB61DC45FEB77ACAF01358F1440BBBA05F60A1DA3CAD4A8BAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE0A Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,000003E8), ref: 0040BE37
GetSystemInfo.KERNELBASE(?), ref: 0040BE77

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoSystemVersion
String ID:
API String ID: 1934062620-0
Opcode ID: bf02d08315e07475010991db7baace07ab98e34757ec5c4e6d574f100e46414f
Instruction ID: a597449b208b8610f814eca68e35e6949d006125871264e0acae502aff01448e
Opcode Fuzzy Hash: bf02d08315e07475010991db7baace07ab98e34757ec5c4e6d574f100e46414f
Instruction Fuzzy Hash: 502134B0D1121A9BDB10DF95C885BEEBBB8FB44315F1000ABE605F32C1D7789A858BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00405C39 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 300
windowstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetBkMode.GDI32(?,00000001), ref: 00405CA4
GetDlgCtrlID.USER32(?), ref: 00405CAD
GetStockObject.GDI32(00000005), ref: 00405CC3
SendMessageA.USER32(00000405,00000000,00000000), ref: 00405D04
PostMessageA.USER32(00000000,00008032,00000000,00000000), ref: 00405D5B
LoadCursorA.USER32(00000000,00000068), ref: 00405D79
lstrlenA.KERNEL32(?), ref: 00405DB2
wsprintfA.USER32 ref: 00405E09
SetWindowTextA.USER32(?,?), ref: 00405E1A
SetTimer.USER32(?,000003E9,000000FA,00000000), ref: 00405E2E
GetDlgItem.USER32(?,000003E9), ref: 00405E3C
GetDlgItem.USER32(?,000003EB), ref: 00405E47
GetDlgItem.USER32(?,000003EA), ref: 00405E52
SendMessageA.USER32(00000000,00000402,00000000,00000000), ref: 00405E63
GetDlgItem.USER32(?,00000409), ref: 00405F96
GetClientRect.USER32(00000000,?), ref: 00405FA7
GetClientRect.USER32(?,?), ref: 00405FB0
GetStockObject.GDI32(00000000), ref: 00405FC7
FillRect.USER32(?,?,00000000), ref: 00405FDB
GetSysColor.USER32(0000000F), ref: 00405FDF
GetSysColorBrush.USER32(00000000), ref: 00405FE9
CreateSolidBrush.GDI32(?), ref: 00405FF6
FillRect.USER32(?,?,00000000), ref: 00406016
DeleteObject.GDI32 ref: 00406023

Strings

Arial, xrefs: 00405F39
CANCEL, xrefs: 00405E80

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemRect$MessageObject$BrushClientColorFillSendStock$CreateCtrlCursorDeleteLoadModePostSolidTextTimerWindowlstrlenwsprintf
String ID: Arial$CANCEL
API String ID: 136695782-3140315059
Opcode ID: 8e9b6139124c958a836c5e3cc1edbf5b87a561e7faddf21dfcd2b9e6e39f3eea
Instruction ID: eff958e80aee05135b5b850f24b859a354c88de1c2ecb3ea050988cb31de5009
Opcode Fuzzy Hash: 8e9b6139124c958a836c5e3cc1edbf5b87a561e7faddf21dfcd2b9e6e39f3eea
Instruction Fuzzy Hash: EDA17371A40209AFDB21AF61EC49EAE7B7CEB08711F40803BF905E61E1DB784956DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004060AB Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406B93: GetPrivateProfileIntA.KERNEL32(Languages,Count,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406BA4

Part of subcall function 00406B4C: GetPrivateProfileStringA.KERNEL32(Languages,Default,004276D0,?,00000013,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406B6C

GlobalAlloc.KERNEL32(00000042,00000001,00428AD0,?,?,?,00000000,!N@,00406083,?,00000000,?,?,?,?,?), ref: 0040612F
GlobalLock.KERNEL32(00000000,?,004054F4,00000000,00000BBA,00000065,?,?,00000000,?,?,00000000,00404C55,00404E21,?,?), ref: 00406136

Strings

!N@, xrefs: 004060AB

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: GlobalPrivateProfile$AllocLockString
String ID: !N@
API String ID: 3184413904-3739801310
Opcode ID: 4f1822d94077781a9e8809143e4f6cc083c729ceeb79a7283574cb2712fdc4a3
Instruction ID: 3da5d038d8565427730d1c5c04c72066305ba18a0f1f23baca992323368fd1c1
Opcode Fuzzy Hash: 4f1822d94077781a9e8809143e4f6cc083c729ceeb79a7283574cb2712fdc4a3
Instruction Fuzzy Hash: 67316F72701214AFEB20AF65EC0495F3B69EB44361791443BF916E72E1DF788C228B58

Uniqueness

Uniqueness Score: -1.00%

Function 004045D8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00404603
GetWindowLongA.USER32(?,000000EB), ref: 0040461C
BeginPaint.USER32(?,?), ref: 0040462C
EndPaint.USER32(?,?), ref: 0040464B
GetWindowLongA.USER32(?,000000EB), ref: 0040465B
DeleteObject.GDI32(00000000), ref: 00404672
SetWindowLongA.USER32(?,000000EB,00000000), ref: 004046A2
GetClientRect.USER32(?,?), ref: 004046B2
ClientToScreen.USER32(?,?), ref: 004046BF
__ftol.LIBCMT ref: 004046DF
__ftol.LIBCMT ref: 004046EE
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000256), ref: 004046FF

Strings

GIF, xrefs: 00404705

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$ClientPaint__ftol$BeginDeleteObjectProcRectScreen
String ID: GIF
API String ID: 3526196457-881873598
Opcode ID: 8656f1bf2c16807a3d8a869bf5d2a0e66b5b5a78881e687c143c19a8530628a0
Instruction ID: c7215f08e248b64dcfbb21512ae417906b57565edbc8c16c4d1745d69aafd674
Opcode Fuzzy Hash: 8656f1bf2c16807a3d8a869bf5d2a0e66b5b5a78881e687c143c19a8530628a0
Instruction Fuzzy Hash: 5331C272500209BBCF115FA4DC08EAE7B79FF85321F108636FA25A61F0DB399916DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409DE7 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 83
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00409DEC
LoadLibraryA.KERNELBASE(Msi.DLL,00000001), ref: 00409DFA
GetProcAddress.KERNEL32(00000000,MsiOpenDatabaseA), ref: 00409E23
GetProcAddress.KERNEL32(00000000,MsiGetSummaryInformationA), ref: 00409E42
GetProcAddress.KERNEL32(00000000,MsiCloseHandle), ref: 00409E4C
GetProcAddress.KERNEL32(00000000,MsiSummaryInfoGetPropertyA), ref: 00409E74
FreeLibrary.KERNELBASE(00000000), ref: 00409EB0

Strings

MsiCloseHandle, xrefs: 00409E44
MsiOpenDatabaseA, xrefs: 00409E1D
MsiGetSummaryInformationA, xrefs: 00409E3C
H, xrefs: 00409E6D
MsiSummaryInfoGetPropertyA, xrefs: 00409E67
Msi.DLL, xrefs: 00409DF5

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$Library$FreeH_prologLoad
String ID: H$Msi.DLL$MsiCloseHandle$MsiGetSummaryInformationA$MsiOpenDatabaseA$MsiSummaryInfoGetPropertyA
API String ID: 1090236637-2739935362
Opcode ID: d6e5e39664ea3d2b2eabfe60506c5532bd90f78a48e604fe0f3a5a2b120f0643
Instruction ID: dd615f3f3f0382b4f29d6f4d1dcefbe14e2b168fe8d7e1e1bf51e1d866a216f5
Opcode Fuzzy Hash: d6e5e39664ea3d2b2eabfe60506c5532bd90f78a48e604fe0f3a5a2b120f0643
Instruction Fuzzy Hash: BD214C31A00219AADF11DBA5CC45BEFBEB8AF59741F10402AE504B21E1DB7D9E05CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408C62 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00408C67

Part of subcall function 00407BD1: RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,000F003F,00000000,80000002,?,?,00408C98,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000), ref: 00407BEB
Part of subcall function 00407BD1: RegCloseKey.ADVAPI32(?,?,00408C98,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000), ref: 00407BFC

RegCloseKey.ADVAPI32(?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000,00000000), ref: 00408CA8
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000,00000000), ref: 00408CEF
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00408D75
RegEnumValueA.ADVAPI32(?,00000001,?,00000208,00000000,?,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00408D93
RegCloseKey.ADVAPI32(?), ref: 00408DA9
RegCloseKey.ADVAPI32(00000000,00000000,?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00408DC6
RegCloseKey.ADVAPI32(?,00000000,?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00408DD3

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 00408C87
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00408D0B
Software\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 00408D41

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$EnumValue$H_prologOpen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnceEx
API String ID: 2958348514-2087105512
Opcode ID: 95567bcc3b7f16388274be2159b5b813d81d547de8a33fe3df9f324a793de722
Instruction ID: 1eb410bcdad09888176f314d7ba6d99727f7a3a31683b18ba391b409ebe46330
Opcode Fuzzy Hash: 95567bcc3b7f16388274be2159b5b813d81d547de8a33fe3df9f324a793de722
Instruction Fuzzy Hash: 9041397290021EAADF10DBE1DE45AFFB778AF68344F10453EE502B2281DA789E45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004035BD Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(CABINET,0040368C), ref: 004035C2
GetProcAddress.KERNEL32(00000000,FDICreate), ref: 004035E2
GetProcAddress.KERNEL32(FDIIsCabinet), ref: 004035F4
GetProcAddress.KERNEL32(FDICopy), ref: 00403606
GetProcAddress.KERNEL32(FDIDestroy), ref: 00403618
FreeLibrary.KERNEL32 ref: 00403649

Strings

FDIDestroy, xrefs: 00403608
FDICreate, xrefs: 004035DC
FDICopy, xrefs: 004035F6
FDIIsCabinet, xrefs: 004035E4
CABINET, xrefs: 004035BD

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CABINET$FDICopy$FDICreate$FDIDestroy$FDIIsCabinet
API String ID: 2449869053-2243815904
Opcode ID: daa53c90f56aefb2710dacdb7f00e4f63a9391a9ef0bb151cb505818b6a6835e
Instruction ID: bf12d2205a31306848326cdd1929224c0679e962e426fe8328cb0a7ab2b43038
Opcode Fuzzy Hash: daa53c90f56aefb2710dacdb7f00e4f63a9391a9ef0bb151cb505818b6a6835e
Instruction Fuzzy Hash: 4F01F474B18210AEDB329F20FC15B613EA4F70475AF908C37A400A22F4DB796A56CF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED78 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeA.VERSION(?,00000451,?,?,?,?), ref: 0040EDA9
GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000,?,?,?,00000451,?,?,?,?), ref: 0040EDD5
VerQueryValueA.VERSION(00000000,00423C94,?,00000000,00000000,00000000,00000000,?,?,?,00000451,?,?,?,?), ref: 0040EE08
wsprintfA.USER32 ref: 0040EE32
VerQueryValueA.VERSION(00000000,\VarFileInfo\Translation,?,00000000,00423C94,?,00000000,00000000,00000000,00000000,?,?,?,00000451), ref: 0040EE5A
wsprintfA.USER32 ref: 0040EEC0
wsprintfA.USER32 ref: 0040EEDA

Strings

%u.%u.%u.%u, xrefs: 0040EE2A
%s,%u, xrefs: 0040EED4
\VarFileInfo\Translation, xrefs: 0040EE54

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$FileInfoQueryValueVersion$Size
String ID: %s,%u$%u.%u.%u.%u$\VarFileInfo\Translation
API String ID: 1875041341-1385173819
Opcode ID: 826c16f37be7d14f6ca62b3546dd7c2da4319a27a7b051b51b1be40f53c65f35
Instruction ID: a8c8bfcf6390853cbbfa231794cf4e2d95e4c0ed490ea9dba4ab26fe0a86390b
Opcode Fuzzy Hash: 826c16f37be7d14f6ca62b3546dd7c2da4319a27a7b051b51b1be40f53c65f35
Instruction Fuzzy Hash: 7641A1B290011DBBDB109F56DC41EEE7B7CEF44358F00447BF908A6192E6399F558A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3BB Relevance: 15.1, APIs: 10, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000138,00000000,?,?,00000000,?,?,C:\Users\user\AppData\Local\Temp\_isE74C), ref: 0040E3F1
GetLastError.KERNEL32 ref: 0040E3FB
CreateFileA.KERNELBASE(00000002,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000000,00000000), ref: 0040E433
GetLastError.KERNEL32 ref: 0040E43D
CloseHandle.KERNEL32(?), ref: 0040E44F
ReadFile.KERNELBASE(?,00000000,?,?,00000000), ref: 0040E48F
WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 0040E4A1
FindCloseChangeNotification.KERNELBASE(?), ref: 0040E4D9
FlushFileBuffers.KERNEL32(?), ref: 0040E4DE
CloseHandle.KERNEL32(?), ref: 0040E4E7

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Close$CreateErrorHandleLast$BuffersChangeFindFlushNotificationReadWrite
String ID:
API String ID: 924744691-0
Opcode ID: 4b37d5ae087695d0de75d2b6f9c0885f4d5cf0d667217bbe0786b274b551f32e
Instruction ID: c0415c827bcea698d853df7e8658ebb4636c130224e4146af452a3a5b81d517a
Opcode Fuzzy Hash: 4b37d5ae087695d0de75d2b6f9c0885f4d5cf0d667217bbe0786b274b551f32e
Instruction Fuzzy Hash: 73415B75900208FFDF109FA2CC88EEE7B79EB44364F10853AF915A6290D6359E52DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004057B6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004057BB
GetTempPathA.KERNEL32(00000104,?,00000001), ref: 004057D7
GetTempFileNameA.KERNELBASE(?,004234CC,00000000,?), ref: 004057F2
GetModuleFileNameA.KERNEL32(?,?,00000400), ref: 00405807

Part of subcall function 0040E100: __EH_prolog.LIBCMT ref: 0040E105
Part of subcall function 0040E100: lstrcpyA.KERNEL32(?,?,?,00000104,?,?,0040581F,?), ref: 0040E145
Part of subcall function 0040E100: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000104,?,?,0040581F,?), ref: 0040E16B
Part of subcall function 0040E100: GetLastError.KERNEL32(?,00000104,?,?,0040581F,?), ref: 0040E17C

GetPrivateProfileStringA.KERNEL32(KEY,PASSWORD,004276D0,?,00000104,?), ref: 0040585A
DeleteFileA.KERNELBASE(?,?,00000104,?,?,?), ref: 00405867

Strings

KEY, xrefs: 00405855
PASSWORD, xrefs: 00405850

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$H_prologNameTemp$CreateDeleteErrorLastModulePathPrivateProfileStringlstrcpy
String ID: KEY$PASSWORD
API String ID: 2865779277-2448694241
Opcode ID: 1f93873de6182cd628525b326e9388e93dfaf08bf66407cd0d391978b137f03e
Instruction ID: 45f92dec9eb859db1b0aa8d1f9a1c4194b934ebe638537af8c9e96e6cfb8fec5
Opcode Fuzzy Hash: 1f93873de6182cd628525b326e9388e93dfaf08bf66407cd0d391978b137f03e
Instruction Fuzzy Hash: BA113D72D00129ABDB11EB51DC49FD9777CEB04315F0045BAB519E2090DB78AB8ACF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE8D Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 174stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,00000002,?,00000000), ref: 0040DEFD
wsprintfA.USER32 ref: 0040DF17
wsprintfA.USER32 ref: 0040DF89
lstrcpyA.KERNEL32(00000000,00000001,?,00000000), ref: 0040DFF4
lstrlenA.KERNEL32(00000000,?,00000000), ref: 0040DFFD
lstrcpyA.KERNEL32(00000000,-00000003,?,00000000), ref: 0040E060

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040DEA3
%s %s, xrefs: 0040DF11
%s%s, xrefs: 0040DF83

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$wsprintf$lstrlen
String ID: %s %s$%s%s$C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 3206225328-2942242010
Opcode ID: 7bf05db7fcdfe437af71e76fc6e762a9f088c9c333969b953b791767f77cef5d
Instruction ID: 9b4e9b45db0e23f4c5c72d089e4e6dc51e41acdea25e13c4e683f0f19b8a5888
Opcode Fuzzy Hash: 7bf05db7fcdfe437af71e76fc6e762a9f088c9c333969b953b791767f77cef5d
Instruction Fuzzy Hash: 59512471D0012C6BDF30DB64CC4ABDB77B9AB14304F4488B6E645B61D1CBB89E9A8B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040155E Relevance: 13.6, APIs: 9, Instructions: 84windowregistrystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,00000100,00000000), ref: 00401579
LoadIconA.USER32(00405790,?), ref: 004015A3
LoadCursorA.USER32(00000000,00007F00), ref: 004015B2
GetStockObject.GDI32(00000004), ref: 004015BD
RegisterClassA.USER32(00000003), ref: 004015D6
CreateWindowExA.USER32(00000000,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00405790,?), ref: 004015FC
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00401617
TranslateMessage.USER32(?), ref: 00401621
DispatchMessageA.USER32(?), ref: 0040162B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Load$ClassCreateCursorDispatchIconObjectRegisterStockTranslateWindowlstrcpy
String ID:
API String ID: 287182888-0
Opcode ID: ca67cd67ef21bc4061616c9877e0a5863557eaf353e2015b8979e3854d7b46d6
Instruction ID: 5df6e510b2c3b1976da85fe788d2377f99ed77177ada08a37180185de371b0a5
Opcode Fuzzy Hash: ca67cd67ef21bc4061616c9877e0a5863557eaf353e2015b8979e3854d7b46d6
Instruction Fuzzy Hash: CB210AB2900219ABCB10DFA1DC48EDFBBBCEF49750F144476FA05E2150D7759A0ACBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6ED Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E705
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 0040E71F
UnmapViewOfFile.KERNEL32(?,00000000,74DF34C0,?,00000000), ref: 0040E7B6
FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 0040E7C1

Strings

.rdata, xrefs: 0040E76D
.debug, xrefs: 0040E748

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$View$ChangeCloseCreateFindMappingNotificationUnmap
String ID: .debug$.rdata
API String ID: 3767000111-4039274918
Opcode ID: dcbeb9e44577e96d88d62ea19f9e7ff806424637c0afdd251ab2a77a894b2574
Instruction ID: 38e5f01d2997478df27d76612b7ba9d3b9d36ba6db997c189ca1219c93b964f1
Opcode Fuzzy Hash: dcbeb9e44577e96d88d62ea19f9e7ff806424637c0afdd251ab2a77a894b2574
Instruction Fuzzy Hash: 19218575600208FFDB10DF66CCC4EAEBB79EF84354B54883AE505A7381C674AD65CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF8C Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32(?,000003E8,?,00000064), ref: 0040BFD3
GetDlgItem.USER32(?,00000001), ref: 0040BFE2

Part of subcall function 0040BF49: wsprintfA.USER32 ref: 0040BF67
Part of subcall function 0040BF49: lstrcmpA.KERNEL32(?,?), ref: 0040BF78

EnableWindow.USER32(00000000,?), ref: 0040C002
EndDialog.USER32(?,00000002), ref: 0040C00F
KiUserCallbackDispatcher.NTDLL(?,00000002), ref: 0040C025
GetDlgItem.USER32(?,00000001), ref: 0040C03D
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 0040C04A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Item$CallbackDispatcherUser$DialogEnableTextWindowlstrcmpwsprintf
String ID:
API String ID: 907014988-0
Opcode ID: 47ada2ccdef27ed0d9da74671ed79056f6eaec844d89eec03f2d99dc58e0e8c6
Instruction ID: ffe6f6e1923be68d1ab16ebde71d7e39ba8d4a81f9aa66913a1ed822539be13e
Opcode Fuzzy Hash: 47ada2ccdef27ed0d9da74671ed79056f6eaec844d89eec03f2d99dc58e0e8c6
Instruction Fuzzy Hash: 51217571600209EBDB21AFA0DC89FAF3B65FB14740F408136FD06EA2D0C7B5C941C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5FE Relevance: 9.1, APIs: 6, Instructions: 94fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 0040E628
GetLastError.KERNEL32(?,00000000), ref: 0040E635
ReadFile.KERNELBASE(00000000,?,00000040,?,00000000,?,00000000), ref: 0040E655
ReadFile.KERNELBASE(00000000,?,00000018,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0040E678
ReadFile.KERNEL32(00000000,?,00000028,?,00000000,00000000,?,00000000,00000001,?,00000000), ref: 0040E6AE
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000001,?,00000000), ref: 0040E6DF

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Read$CloseCreateErrorHandleLast
String ID:
API String ID: 2896028077-0
Opcode ID: 322b1b58613aacba4dcd9b760796951024b11fbe4ae4d8d401973d400e29e462
Instruction ID: 03501ca7afaa638ec7aa31911370e9af90ad970ae8ed4acddeacefa0a3c8f974
Opcode Fuzzy Hash: 322b1b58613aacba4dcd9b760796951024b11fbe4ae4d8d401973d400e29e462
Instruction Fuzzy Hash: D5315471D00208FBDB20DBA2DD85EEFBBBCEB58710F40496BB515B3281D6749A51CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5E3 Relevance: 9.1, APIs: 6, Instructions: 87processstringwindowCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,75BF8400), ref: 0040F630
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,75BF8400), ref: 0040F64D
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0040F664
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040F67A
GetExitCodeProcess.KERNELBASE(?,00000001), ref: 0040F699
CloseHandle.KERNEL32(?,?,?,?,?,?,75BF8400), ref: 0040F6AA

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseCodeCreateExitHandleMessageMultipleObjectsPeekWaitlstrcpy
String ID:
API String ID: 324600049-0
Opcode ID: f7bd700b7906aee0fe9070d2c504044160a2be7d8a9c0bc5948c0fd65baedec3
Instruction ID: 25ce5f70cd9c2bfccd7054cc361101b87bc2a4174425d0c4477e31784ec5ca99
Opcode Fuzzy Hash: f7bd700b7906aee0fe9070d2c504044160a2be7d8a9c0bc5948c0fd65baedec3
Instruction Fuzzy Hash: 1E214C71901119BACB30DBA6DD08DEFBB7CEF45760F108136F508A21A0D3359A4ACBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3B8 Relevance: 9.1, APIs: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,?,?), ref: 0040F3CF
lstrcpyA.KERNEL32(00000000,?,?,?), ref: 0040F3E1
lstrcatA.KERNEL32(00000000,00423C94,?,?), ref: 0040F3ED
lstrlenA.KERNEL32(00000000,?,?), ref: 0040F3F6
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?), ref: 0040F40B
GetLastError.KERNEL32(?,?), ref: 0040F415

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CreateDirectoryErrorLastlstrcatlstrcpy
String ID:
API String ID: 4043630017-0
Opcode ID: 03604508347152740efccda5433ef4c0ad0c634655e194a7390cc6656b49ec17
Instruction ID: 621c0f99c41691abe571b955334e9f1e6533caed6a3632903b655bdc3eac19a0
Opcode Fuzzy Hash: 03604508347152740efccda5433ef4c0ad0c634655e194a7390cc6656b49ec17
Instruction Fuzzy Hash: 2F01F932509710AAE3215F50EC08BAB7B98DFA6365F10003AF54191581C7BD4D0A87AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040D670 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D675
LoadCursorA.USER32(00000000,00007F02), ref: 0040D6AC
SetCursor.USER32(00000000), ref: 0040D6B9
SetCursor.USER32(?,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C,?), ref: 0040D710

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040D681, 0040D6C7

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$H_prologLoad
String ID: C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 4156182439-2024452353
Opcode ID: 5a9b623316b12b41d3fb4dcf9f4b3bcf0e9084432295c53df7fc73c5bf0078ce
Instruction ID: 4d9fd033941fef19314e897c8d42053dcefd59e2c990564ddc03841f4e49facb
Opcode Fuzzy Hash: 5a9b623316b12b41d3fb4dcf9f4b3bcf0e9084432295c53df7fc73c5bf0078ce
Instruction Fuzzy Hash: B02192719002099BDB14EFA1DC01AEE7B68AB04354F00853BA915F31D1DF789989CE98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B9A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00405BC0
IsDialogMessageA.USER32(?,?,?,?,?,?,5v@,00405B59,?,?,?,?,?,75BF8400), ref: 00405BD4
TranslateMessage.USER32(?), ref: 00405BE2
DispatchMessageA.USER32(?), ref: 00405BEC

Strings

5v@, xrefs: 00405B9A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID: 5v@
API String ID: 1266772231-3529007497
Opcode ID: 1c2390b238bc1735b611f2e1a05027c5c1ba4aade4307b55ed9f4f413567d568
Instruction ID: dd19b2b9302cdfc4e043a8920811f65aff6bb6dc6aaec0f62cc6be126e67a434
Opcode Fuzzy Hash: 1c2390b238bc1735b611f2e1a05027c5c1ba4aade4307b55ed9f4f413567d568
Instruction Fuzzy Hash: 73F01D31A1161AABCB20EBA4EC48DEB777CEB447417404076B512E2190E738F547DBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040588A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,021C1188,?,?,?,00404BB1,00000001,00000000,021C1188), ref: 004058A1
RegQueryValueExA.ADVAPI32(021C1188,SetupLogFileName,00000000,00000000,0042837C,00000000,?,?,?,00404BB1,00000001), ref: 004058C7
RegCloseKey.ADVAPI32(021C1188,?,?,?,00404BB1,00000001), ref: 004058DB

Strings

SetupLogFileName, xrefs: 004058BF
Software\InstallShield\ISWI\7.0\SetupExeLog, xrefs: 00405897

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SetupLogFileName$Software\InstallShield\ISWI\7.0\SetupExeLog
API String ID: 3677997916-622478307
Opcode ID: 15b8d89f9745dd14b6bdd3617e93786e1d04ee3fa5ca620c0b3ad18e0d061480
Instruction ID: af2eba75da27a4b2f9c83a0c3bedb5a98cbfb3cc5957391f54c3512b39f620fb
Opcode Fuzzy Hash: 15b8d89f9745dd14b6bdd3617e93786e1d04ee3fa5ca620c0b3ad18e0d061480
Instruction Fuzzy Hash: 7DF01270740308BBEB11DB50DC46F9E7B78E704B08F608075B900B11D1D7F5AA459A18

Uniqueness

Uniqueness Score: -1.00%

Function 0040E100 Relevance: 7.6, APIs: 5, Instructions: 86filestringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E105
lstrcpyA.KERNEL32(?,?,?,00000104,?,?,0040581F,?), ref: 0040E145

Part of subcall function 0040E5FE: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 0040E628
Part of subcall function 0040E5FE: GetLastError.KERNEL32(?,00000000), ref: 0040E635

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000104,?,?,0040581F,?), ref: 0040E16B
GetLastError.KERNEL32(?,00000104,?,?,0040581F,?), ref: 0040E17C
ReadFile.KERNELBASE(?,?,0000002E,?,00000000,?,?,00000000,00000000,?,0040581F,?), ref: 0040E1DC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CreateErrorLast$H_prologReadlstrcpy
String ID:
API String ID: 4136833577-0
Opcode ID: ebe4bbf8a5598fc71bac7dca651ae66891eed2b4ae752b8977b11cd9c9c2e46f
Instruction ID: da3035fb48f68f6ba151a6856b39511593f9b794a8fb7cdaef47c1a9be69200d
Opcode Fuzzy Hash: ebe4bbf8a5598fc71bac7dca651ae66891eed2b4ae752b8977b11cd9c9c2e46f
Instruction Fuzzy Hash: 19319374940704ABC7209F66C805FDBBAF8EF94704F008C6FF599A7290DBB89991CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00401644 Relevance: 7.5, APIs: 5, Instructions: 46windowtimeCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00401663
PostMessageA.USER32(?,00000002,00000000,00000000), ref: 00401696
KillTimer.USER32(?,000005DC), ref: 004016AD
PostQuitMessage.USER32(00000000), ref: 004016B5
SetTimer.USER32(?,000005DC,00000BB8,00000000), ref: 004016D6

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostTimer$KillProcQuitWindow
String ID:
API String ID: 707289242-0
Opcode ID: 21fefdefbdacdb76ec906ef2da844f568a34df925a4f148bae6caccc76446cb2
Instruction ID: a8e5118b10a68aef3b7f90214cfb26e483bde25dc2d9650d7fac387339b9c650
Opcode Fuzzy Hash: 21fefdefbdacdb76ec906ef2da844f568a34df925a4f148bae6caccc76446cb2
Instruction Fuzzy Hash: 02114C7524460DAFEB209F95EC0AB963F71BB04711F44843AFA05A92F0C7B69852DF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B91 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404B96

Part of subcall function 0040588A: RegOpenKeyExA.KERNELBASE(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,021C1188,?,?,?,00404BB1,00000001,00000000,021C1188), ref: 004058A1
Part of subcall function 0040588A: RegQueryValueExA.ADVAPI32(021C1188,SetupLogFileName,00000000,00000000,0042837C,00000000,?,?,?,00404BB1,00000001), ref: 004058C7
Part of subcall function 0040588A: RegCloseKey.ADVAPI32(021C1188,?,?,?,00404BB1,00000001), ref: 004058DB

GetModuleFileNameA.KERNEL32(?,?,00000400,00000001,00000000,021C1188), ref: 00404BF2

Part of subcall function 0040CB21: __EH_prolog.LIBCMT ref: 0040CB26
Part of subcall function 0040CB21: GetModuleFileNameA.KERNEL32(00000000), ref: 0040CBF9

lstrlenA.KERNEL32(?,00404E21,?,?,?,?,?,?,?), ref: 00404CCD

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Part of subcall function 0040D840: __EH_prolog.LIBCMT ref: 0040D845

Strings

/f1, xrefs: 00404CB8

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog$FileModuleName$CloseOpenQueryValuelstrcatlstrcpylstrlen
String ID: /f1
API String ID: 2810755939-2921927892
Opcode ID: 2fe67727677e7a889a8ce6af3737818c28d8588cfd76a0ea7a4870fce2550182
Instruction ID: 96af6b9db9812abc6e0bef14fe9aa83fd07c512a111d3e5806c315f153bcce66
Opcode Fuzzy Hash: 2fe67727677e7a889a8ce6af3737818c28d8588cfd76a0ea7a4870fce2550182
Instruction Fuzzy Hash: 12517F71900609EADB24EB61C845AEEB7B4AF44314F0085BFA656B32D1DB385A4ACF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401797 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 0040CD61: lstrlenA.KERNEL32(?,00000000,00000000,004017CD,00000000,00000001,?,?,00000000), ref: 0040CD6A
Part of subcall function 0040CD61: lstrcpyA.KERNEL32(00000000,?), ref: 0040CD86
Part of subcall function 0040CD61: lstrcpyA.KERNEL32(C:\Users\user\Desktop,?), ref: 0040CD8E

Part of subcall function 00401914: GetTempPathA.KERNEL32(00000000,00000001,00000000,00000000,?,004017EF,?,00000400,00000000,00000000,00000001,?,?,00000000), ref: 00401933
Part of subcall function 00401914: SetErrorMode.KERNELBASE(00008003), ref: 00401942
Part of subcall function 00401914: GetWindowsDirectoryA.KERNEL32(00000001,?), ref: 0040195A
Part of subcall function 00401914: lstrcpyA.KERNEL32(00000001,004276D0), ref: 00401977

GetTempFileNameA.KERNELBASE(?,_is,00000000,?,?,00000400,00000000,00000000,00000001,?,?,00000000), ref: 0040182B

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Part of subcall function 0040D487: GetPrivateProfileIntA.KERNEL32(Languages,Count,00000000,?), ref: 0040D4F0
Part of subcall function 0040D487: wsprintfA.USER32 ref: 0040D51A
Part of subcall function 0040D487: GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,?,00000013,?), ref: 0040D539
Part of subcall function 0040D487: wsprintfA.USER32 ref: 0040D550

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 00401872, 00401878, 004018C1
_is, xrefs: 00401825
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 004018AF, 004018C2

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$PrivateProfileTempwsprintf$DirectoryErrorFileModeNamePathStringWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$_is
API String ID: 1590215138-3914278109
Opcode ID: 10f5cefd867dd07b4839f9c35090bbecc9fe873aa48a5fc84adf588ca32d8c3a
Instruction ID: b11144bf09981e07738f4753f035d26ec3a9eda7cbcfef28ad9570f1428053ca
Opcode Fuzzy Hash: 10f5cefd867dd07b4839f9c35090bbecc9fe873aa48a5fc84adf588ca32d8c3a
Instruction Fuzzy Hash: 8631F6A1B002146BDB2177725C92B7E26AD6F84718F10047FFA02F62D2EE7C8E464B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00415050 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0041503B,00000000,00000000,00000000,0040D7CA), ref: 00415065
TerminateProcess.KERNEL32(00000000), ref: 0041506C
ExitProcess.KERNEL32 ref: 004150ED

Strings

;PA, xrefs: 00415078

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: ;PA
API String ID: 1703294689-1814036273
Opcode ID: 7694ec68d201c5ee605f6e9fa2cad2c596e6d8caa609c2c5475355232fc777f3
Instruction ID: 41e781e02100010d15453d1d307896e0a1c746017f80a0d0f18db587c43c87d9
Opcode Fuzzy Hash: 7694ec68d201c5ee605f6e9fa2cad2c596e6d8caa609c2c5475355232fc777f3
Instruction Fuzzy Hash: 8501C231304601EBC630AFA9FD856DABFA4ABC4315BA0402BE44082250DB6E68C28A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F47F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F462: GetFileAttributesA.KERNELBASE(?,0040185C,?,?), ref: 0040F466

SetErrorMode.KERNELBASE(00008001,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000400,0040148C,C:\Users\user\AppData\Local\Temp\_isE74C,?,?,?), ref: 0040F49B
RemoveDirectoryA.KERNELBASE(?), ref: 0040F4A1
SetErrorMode.KERNELBASE(00000000), ref: 0040F4B0

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040F48F

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$AttributesDirectoryFileRemove
String ID: C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 2449359760-2024452353
Opcode ID: 6237dd3b465864c1d1707d776781b8f98195cdc28cfe21e4ac26eb0959d88034
Instruction ID: 0dffb96dd93b44c59e2375f5e8027a8fdcb9cd1e21bb9bf40990d6db18d6e75a
Opcode Fuzzy Hash: 6237dd3b465864c1d1707d776781b8f98195cdc28cfe21e4ac26eb0959d88034
Instruction Fuzzy Hash: 71E01232354210BAD7301B6BED09F4B7F599BD0761F04C037BE08E55E0CAB59C4ACA69

Uniqueness

Uniqueness Score: -1.00%

Function 00401914 Relevance: 6.1, APIs: 4, Instructions: 59stringCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000001,00000000,00000000,?,004017EF,?,00000400,00000000,00000000,00000001,?,?,00000000), ref: 00401933
SetErrorMode.KERNELBASE(00008003), ref: 00401942
GetWindowsDirectoryA.KERNEL32(00000001,?), ref: 0040195A
lstrcpyA.KERNEL32(00000001,004276D0), ref: 00401977

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorModePathTempWindowslstrcpy
String ID:
API String ID: 3576100887-0
Opcode ID: c38141cd532db7b1a6c32f6f2c9fd9f8f2ac0179ad07b89b5bfb6a96b5a0696f
Instruction ID: 067de97499a61746abeba3c121921e6ffca379ec4d49dc406861407537c34e60
Opcode Fuzzy Hash: c38141cd532db7b1a6c32f6f2c9fd9f8f2ac0179ad07b89b5bfb6a96b5a0696f
Instruction Fuzzy Hash: 22015661704201BBE62026779C59F6B6AAC9F91B98F00443FF905F11E1E57DC80DD2AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D74C Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040D758

Part of subcall function 0040EC8F: wsprintfA.USER32 ref: 0040ECA1
Part of subcall function 0040EC8F: LoadStringA.USER32(?,?,?), ref: 0040ECCC

lstrlenA.KERNEL32(?), ref: 0040D78D
wsprintfA.USER32 ref: 0040D7E9
SetWindowTextA.USER32(?,?), ref: 0040D7FC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Windowwsprintf$LoadStringTextlstrlen
String ID:
API String ID: 1776808806-0
Opcode ID: c28720e2f1ae007f0a08815769aaae92320317122b1052c1c5cf2f2a8e501bfd
Instruction ID: c6a79a87447fdc931da9cfe297d7ca65f58c1c56972eaf047f79c7119f316d51
Opcode Fuzzy Hash: c28720e2f1ae007f0a08815769aaae92320317122b1052c1c5cf2f2a8e501bfd
Instruction Fuzzy Hash: 8211377190010DAAEF54DFA1EC06AEA777CAB04315F008077FA05E5191DF789A9A8B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4B9 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F445: GetFileAttributesA.KERNELBASE(?,0040F4C4,0040183D,00000000,0040183D,?), ref: 0040F449

SetErrorMode.KERNELBASE(00008001,00000000,0040183D,?,0040183D,00000000,0040183D,?), ref: 0040F4E6
SetFileAttributesA.KERNELBASE(0040183D,00000080), ref: 0040F4EE
DeleteFileA.KERNELBASE(0040183D), ref: 0040F4F5
SetErrorMode.KERNELBASE(00000000), ref: 0040F504

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesErrorMode$Delete
String ID:
API String ID: 3807840792-0
Opcode ID: a89f648a48774d84ecd088984424d714b72f0785ac6edbabed2700725ee3e615
Instruction ID: abd9a7ea935207ee29b30a990d37386c739750cca1fc7d8dbe60dfa16e36fa2d
Opcode Fuzzy Hash: a89f648a48774d84ecd088984424d714b72f0785ac6edbabed2700725ee3e615
Instruction Fuzzy Hash: C2F0E5323412107AE2702F65AC41FDB625CAF54754F008037FA05F54C1D6B89D4E46AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F50E Relevance: 6.0, APIs: 4, Instructions: 25fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008001,0040183D), ref: 0040F523
OpenFile.KERNEL32(0040183D,?,00000010), ref: 0040F531
SetErrorMode.KERNEL32(00000000), ref: 0040F53E
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040F546

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$ChangeCloseFileFindNotificationOpen
String ID:
API String ID: 628232075-0
Opcode ID: 2e609905c98745ff78434a184e35709eccc4f0029e4c131716ba66f348f7c85f
Instruction ID: 66924566798271cee7dd8035dce19688d2353c4199b96b5cdb18020f13e25fe5
Opcode Fuzzy Hash: 2e609905c98745ff78434a184e35709eccc4f0029e4c131716ba66f348f7c85f
Instruction Fuzzy Hash: 8CE02032540118BBD7201F70EC05FD53A5CAB04320F40C532F615E50D0DAB06D4D8B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040598E Relevance: 6.0, APIs: 4, Instructions: 15timeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0040E9E4), ref: 00405994
KillTimer.USER32(000003E9,?), ref: 004059AA
KiUserCallbackDispatcher.NTDLL ref: 004059BC
DestroyWindow.USER32 ref: 004059C4

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallbackDestroyDispatcherKillTimerUser
String ID:
API String ID: 2023473011-0
Opcode ID: df3e350e9faeffa1c293b6da514a3bd933c0d1444f50ed054385f965e8fdb1db
Instruction ID: fc7a3464f558a5bbf4821d5f78b65b4329508923aec8d487370850422409ec3e
Opcode Fuzzy Hash: df3e350e9faeffa1c293b6da514a3bd933c0d1444f50ed054385f965e8fdb1db
Instruction Fuzzy Hash: 85D06775711115DBDB316B51FC4898A7E26EB042A1740803AAA1891570DA21591ADF8C

Uniqueness

Uniqueness Score: -1.00%

Function 00403368 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00403108: CreateFileA.KERNELBASE(?,00000000,00000001,00000000,?,00000000,00000000,?,?,?,?,6@,?,00000000,00000001,?), ref: 0040314B

FindCloseChangeNotification.KERNELBASE(00000000,FFFFD8EB,00000000,6@), ref: 004033C0

Strings

6@, xrefs: 00403376, 0040337F, 0040338F, 004033B3, 004033D4, 004033E8, 00403421

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID: 6@
API String ID: 727422849-468796537
Opcode ID: afe587d1957447c36ca566d3c96b5202f50471a4e2c7b6d9aa0e1f64bb4d08b0
Instruction ID: c82a8bf9015ccb7cde91977e877d23e9d3cd41e202868005203dace3525b2305
Opcode Fuzzy Hash: afe587d1957447c36ca566d3c96b5202f50471a4e2c7b6d9aa0e1f64bb4d08b0
Instruction Fuzzy Hash: C321F8B24041187AD721AEA5AC86EEF3E6CDB45349F400577F605E2081E6389F468AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F15E Relevance: 5.0, APIs: 4, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,00000001,?,00000000), ref: 0040F184
CharNextA.USER32(00000000,?,00000000), ref: 0040F19D
lstrcpyA.KERNEL32(?,?,?,00000000), ref: 0040F1B6
lstrcpyA.KERNEL32(00404C12,00000000,?,00000000), ref: 0040F1BC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$CharNext
String ID:
API String ID: 3801418090-0
Opcode ID: 001747b320ef2a261d2bf07f21a68311c93f8bce9c93531b9fbfc50670ab44e6
Instruction ID: a31216d800cecc91f44d2421e1b1861719f5235f5bea604fae5c2f9dde41eeb9
Opcode Fuzzy Hash: 001747b320ef2a261d2bf07f21a68311c93f8bce9c93531b9fbfc50670ab44e6
Instruction Fuzzy Hash: 8A01A976510219BEE7215A60EC84FEB3BACDB41354F144077FB04E61C0D6789D49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F090 Relevance: 4.5, APIs: 3, Instructions: 33fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

OpenFile.KERNEL32(?,?,00001002), ref: 0040F0C8
_lclose.KERNEL32(00000000), ref: 0040F0D3
OpenFile.KERNEL32(?,?,00000200), ref: 0040F0EC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileOpen$_lcloselstrcatlstrcpy
String ID:
API String ID: 2660409545-0
Opcode ID: 7ebca35198462fe11e7ca4d97126e8b7596f6bff117f8bb28cba907018b96d88
Instruction ID: aef0806fc93d8b8d5e04c6d03180c5110c1f68afb4466da006edfd6b5402b729
Opcode Fuzzy Hash: 7ebca35198462fe11e7ca4d97126e8b7596f6bff117f8bb28cba907018b96d88
Instruction Fuzzy Hash: D9F019B290021DB6DF609BA1DC45FCA776CAB44345F4084B6B705F7084DE74DAC98FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406053 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 22stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_isE74C,!N@,?,004054F4,00000000,00000BBA,00000065,?,?,00000000,?,?,00000000,00404C55,00404E21,?), ref: 0040605E

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 00406059
!N@, xrefs: 00406056

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy
String ID: !N@$C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 3722407311-4129786480
Opcode ID: db5eddd3c3e9897a58ab069486b71d93065ce061b27528ec51c6823a2930443c
Instruction ID: ed7af139d81c3cc53cb5a69d907df6272868ac3b1d4ee0d0b00d9febc27e817c
Opcode Fuzzy Hash: db5eddd3c3e9897a58ab069486b71d93065ce061b27528ec51c6823a2930443c
Instruction Fuzzy Hash: 24E0ED32040108FBDF115F91DC02F9A3F22BB14350F45802AFD09240A1D73A9571EB99

Uniqueness

Uniqueness Score: -1.00%

Function 004059C8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

IsWindow.USER32(0040815C), ref: 004059CE
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,00000451), ref: 004059E7
ShowWindow.USER32(00000000,?,?,?,?,?,00000451), ref: 004059F1

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show
String ID:
API String ID: 990937876-0
Opcode ID: adc1a1bfe202c915167c047fc30286635426fe5ccd96cd88940a3b8b3d154f83
Instruction ID: b1af3e11eebfca66e36bec6237a30344ee419f33483469985446a08b66436dad
Opcode Fuzzy Hash: adc1a1bfe202c915167c047fc30286635426fe5ccd96cd88940a3b8b3d154f83
Instruction Fuzzy Hash: FDD0C931711126EBEB31BB11FC04B8A3E66EB007A4F508036B618A64B0DE6169169F8C

Uniqueness

Uniqueness Score: -1.00%

Function 00403108 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,00000000,00000001,00000000,?,00000000,00000000,?,?,?,?,6@,?,00000000,00000001,?), ref: 0040314B

Part of subcall function 004030D5: SetFilePointer.KERNEL32(?,?,00000000,i1@,00000000,00403169,00000000,00000000,00000002,?,?,?,?,6@,?,00000000), ref: 004030E4
Part of subcall function 004030D5: GetLastError.KERNEL32(00000000,?,?,?,?,6@,?,00000000), ref: 004030F3

Strings

6@, xrefs: 00403112

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CreateErrorLastPointer
String ID: 6@
API String ID: 2723331319-468796537
Opcode ID: 859bf3c3471ecdf64cd5e7663ea98591f7ce875c6f2ac3b27d0709ebf3a65dd5
Instruction ID: 6da5bd52d4543feb5f15519c4b4b3d2e967b9ea49fec6ca5729c8d739340d7d7
Opcode Fuzzy Hash: 859bf3c3471ecdf64cd5e7663ea98591f7ce875c6f2ac3b27d0709ebf3a65dd5
Instruction Fuzzy Hash: 15014876800128BACF119FE9CC048DFBFBCEF49760F008166F914A2191D6358B14DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB21 Relevance: 3.1, APIs: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CB26

Part of subcall function 0040AAB9: __EH_prolog.LIBCMT ref: 0040AABE
Part of subcall function 0040AAB9: GetLastError.KERNEL32(?,?,00000000,?,0040A9C2,00000000,00000000,00000001,?,0040D97A,-00001060,0000000F,00000001), ref: 0040AAE7
Part of subcall function 0040AAB9: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A9C2,00000000,00000000,00000001,?,0040D97A,-00001060,0000000F,00000001), ref: 0040AB15

GetModuleFileNameA.KERNEL32(00000000), ref: 0040CBF9

Part of subcall function 0040E100: __EH_prolog.LIBCMT ref: 0040E105
Part of subcall function 0040E100: lstrcpyA.KERNEL32(?,?,?,00000104,?,?,0040581F,?), ref: 0040E145
Part of subcall function 0040E100: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000104,?,?,0040581F,?), ref: 0040E16B
Part of subcall function 0040E100: GetLastError.KERNEL32(?,00000104,?,?,0040581F,?), ref: 0040E17C

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorH_prologLast$File$CreateModuleNamelstrcpy
String ID:
API String ID: 3433113430-0
Opcode ID: 2358b94dbd0a19e116e8331b1223895c7367b5f15c2174c8cbb54c62cb01f09a
Instruction ID: 0b39172f018ca90883c30c3384820bf6d4f71bff14cd243e5adbdfc4ea48e9f1
Opcode Fuzzy Hash: 2358b94dbd0a19e116e8331b1223895c7367b5f15c2174c8cbb54c62cb01f09a
Instruction Fuzzy Hash: D241DEB1800744AAD720DF6AC889DD7FAFCEF95704F10481FE19AD3251DBB4A685CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004036D3 Relevance: 3.0, APIs: 2, Instructions: 33stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004036D8
lstrcpyA.KERNEL32(?,00427F18,?,00000451), ref: 00403709

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologlstrcpy
String ID:
API String ID: 3221978047-0
Opcode ID: a5aa1a7c880f9b221d0e169f1fbd87f9ba35cb5ab9fdf4cb8246006a1908e1be
Instruction ID: 0afc35d4d8245d9530d88e751c35f4dd630a136ecd85e90c3220dcc70c223b9b
Opcode Fuzzy Hash: a5aa1a7c880f9b221d0e169f1fbd87f9ba35cb5ab9fdf4cb8246006a1908e1be
Instruction Fuzzy Hash: A7F0AFB0608105DBCB24EF65CA46BAD7B74AB50349F40853AE402B71E0DB3C8A42CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00417396 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004158CD,00000001), ref: 004173A7

Part of subcall function 0041724E: GetVersionExA.KERNEL32 ref: 0041726D

HeapDestroy.KERNEL32 ref: 004173E6

Part of subcall function 004173F3: HeapAlloc.KERNEL32(00000000,00000140,004173CF,000003F8), ref: 00417400

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: b15e7f9df503f42bfb02255a5d1143ae5dbd5dba4c5562cdeef3248f60818add
Instruction ID: 38855fb752f14a55f66a887c04a98f21df7be755761d715636cc9fb3570b5861
Opcode Fuzzy Hash: b15e7f9df503f42bfb02255a5d1143ae5dbd5dba4c5562cdeef3248f60818add
Instruction Fuzzy Hash: BCF0653175C3469ADF605771AC457EA36B5AB44746F50883BFC11C81A0EFB889C2EA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00407BD1 Relevance: 3.0, APIs: 2, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,000F003F,00000000,80000002,?,?,00408C98,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000), ref: 00407BEB
RegCloseKey.ADVAPI32(?,?,00408C98,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000), ref: 00407BFC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: a48f0935b7fc6b0ce88277f3f5acc005acf6d664070707710d1e7481f3af51cc
Instruction ID: adc41de8e2f4e258e66089ff73dc148f3ede4074109015cf6e6641d6d9e068ca
Opcode Fuzzy Hash: a48f0935b7fc6b0ce88277f3f5acc005acf6d664070707710d1e7481f3af51cc
Instruction Fuzzy Hash: 77F06D76504309FBEB258F40CC05FDE7BB8EF04355F10802DF842A6290E775AA54DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040302B Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00403042
GetLastError.KERNEL32(00000000), ref: 0040304D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 351bbcc2a0cce35f284386db86917c9b30fa957cf6e59be5fded1006b3342315
Instruction ID: e1798e0a114ccd5eedd6bf902f064829953eaacc3305b7094bb60d32aaf89e7c
Opcode Fuzzy Hash: 351bbcc2a0cce35f284386db86917c9b30fa957cf6e59be5fded1006b3342315
Instruction Fuzzy Hash: 57E01A31650109FBCF10DFA5DD05B9E7BACAB04369F204168B515A10E0D678DA15AB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC8F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040ECA1

Part of subcall function 0040ECD4: GetPrivateProfileStringA.KERNEL32(?,?,004276D0,?,0000012C,?), ref: 0040ED0A

LoadStringA.USER32(?,?,?), ref: 0040ECCC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$LoadPrivateProfilewsprintf
String ID:
API String ID: 1502300193-0
Opcode ID: d0d875e722b566b43368dc0fcad622c6f31f5a5490305ffda4079c5108e5801b
Instruction ID: b56734836759180bc3d4170b853cf4acf6bf8d310ef7567fd56aaf13441f0085
Opcode Fuzzy Hash: d0d875e722b566b43368dc0fcad622c6f31f5a5490305ffda4079c5108e5801b
Instruction Fuzzy Hash: 38E0127150410EBBCF01AFA1DE05DDE7B79BB08348F408435FE14A1071E636D635AB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E88C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,00000080,6CBE74B0,0040E421,00000000,?,00000000,00000000), ref: 0040E8A0
GetLastError.KERNEL32 ref: 0040E8A8

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1a110ab8bf118a4c703a2306aefacd38ea334934d30f697a3fce59e88a65255a
Instruction ID: 5e2dbe98fd0527cd017cbf9cbd3f7234a11547fc7a524aa44ce1f7c27f32547d
Opcode Fuzzy Hash: 1a110ab8bf118a4c703a2306aefacd38ea334934d30f697a3fce59e88a65255a
Instruction Fuzzy Hash: D9E048375052019BC7109F36DC0898B7FA2EBD5370F014D36F551832F1D630885E96A5

Uniqueness

Uniqueness Score: -1.00%

Function 00405BFC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C11
GetTickCount.KERNEL32 ref: 00405C22

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: f0f978b51ea9737ac1d062072b912b2144e55861bb24adbeb345e438b23498d0
Instruction ID: d329cda8dc7568171d408be9bfeefe051d39d67cb830f82fe02dd4ad9681ef40
Opcode Fuzzy Hash: f0f978b51ea9737ac1d062072b912b2144e55861bb24adbeb345e438b23498d0
Instruction Fuzzy Hash: 09E0463160C618DBE330A719AC0429B72A0EBA0360F21483BE505A31A0D7786C83CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 004016E2 Relevance: 3.0, APIs: 2, Instructions: 13stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,004276D0,?,00000400,?,00401472), ref: 004016FC
lstrlenA.KERNEL32(?), ref: 00401706

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringlstrlen
String ID:
API String ID: 481098906-0
Opcode ID: b4534868e3df5c7e749c943d49acefb4323c4200be5b536097eb3c857bc58d26
Instruction ID: 788b4b219259c01790191ebda22bb94cc914a70103f3b7545ef154622d5468ee
Opcode Fuzzy Hash: b4534868e3df5c7e749c943d49acefb4323c4200be5b536097eb3c857bc58d26
Instruction Fuzzy Hash: C8D0C931298202FBDB019F60DC09F5A7A62BB94B12F10C934B241D40F0CBB1686AEB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D402 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040D40B
SetWindowTextA.USER32(?,0040D2CC), ref: 0040D41B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Text
String ID:
API String ID: 848690642-0
Opcode ID: 9a1745201a5a11bc9c8f4e27b16a4812b2065b7774ba68ca18d5f3130968b94f
Instruction ID: 5d6cf3b0b943cd1373882f413a5696f0e6da8247964a0e0a81b1992570e5ef49
Opcode Fuzzy Hash: 9a1745201a5a11bc9c8f4e27b16a4812b2065b7774ba68ca18d5f3130968b94f
Instruction Fuzzy Hash: D0D01277100111DBDB111F50EC088C6BB65FF44380710C839F98991038C7335916DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041488D Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00414974

Part of subcall function 00418630: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0041BB92,00000009,00000000,00000000,00000001,00417128,00000001,00000074,?,?,00000000,00000001), ref: 0041866D
Part of subcall function 00418630: EnterCriticalSection.KERNEL32(?,?,?,0041BB92,00000009,00000000,00000000,00000001,00417128,00000001,00000074,?,?,00000000,00000001), ref: 00418688

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 99f292101716c6882f80982b009c149816ab367331c7c2b62bcc76a961252f0a
Instruction ID: 86245370cdb92c92f69c45421029a889c4d2cb0b851c056567c7d8c41793ec0e
Opcode Fuzzy Hash: 99f292101716c6882f80982b009c149816ab367331c7c2b62bcc76a961252f0a
Instruction Fuzzy Hash: 4321B771A10255ABDB10EFB9DC42BDB7764EB40764F24422BF424EB2D0C77C99C28A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E57A Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000138,00000000,00000000), ref: 0040E5B5

Part of subcall function 0040E88C: SetFilePointer.KERNELBASE(?,?,?,?,00000080,6CBE74B0,0040E421,00000000,?,00000000,00000000), ref: 0040E8A0
Part of subcall function 0040E88C: GetLastError.KERNEL32 ref: 0040E8A8

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID:
API String ID: 64821003-0
Opcode ID: ee131e94c092f9493a877b840b3e0a4fe24f5ca53381bb94e5b0ca6f0ba7eb88
Instruction ID: c78dfa9c2fd233a7acc52e5b23ebb7d97a1138e5a4376e8d7b465f640c8cf44d
Opcode Fuzzy Hash: ee131e94c092f9493a877b840b3e0a4fe24f5ca53381bb94e5b0ca6f0ba7eb88
Instruction Fuzzy Hash: A601B531210105BBEB145B56CC46FEFBA6CDF15349F104837F904A51C1DBB89E91C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE3E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CE43

Part of subcall function 0040CEDB: __EH_prolog.LIBCMT ref: 0040CEE0
Part of subcall function 0040CEDB: lstrcpyA.KERNEL32(?,?,00000452,?,?,?,00000000,0040CE5E), ref: 0040CF5A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog$lstrcpy
String ID:
API String ID: 2120869262-0
Opcode ID: 683ee500bf9e3e584ca6566bfcfba5c358dabe03872b75062e747a54d3615949
Instruction ID: ec042c92a569a593559a457583c3534eaf9015bf2eb83ccbba47b8e98edb4127
Opcode Fuzzy Hash: 683ee500bf9e3e584ca6566bfcfba5c358dabe03872b75062e747a54d3615949
Instruction Fuzzy Hash: 08014471910615DBDB24F7B2C9966EEB770AF10358F00023FE912B21D1DF7C5A45D689

Uniqueness

Uniqueness Score: -1.00%

Function 00405930 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 004045A8: RegisterClassA.USER32(00000000), ref: 004045CF

CreateDialogParamA.USER32(000003E8,000003E9,00000000,00405C39,?), ref: 00405966

Part of subcall function 004059F5: GetWindowRect.USER32(?,00000400), ref: 00405A0E
Part of subcall function 004059F5: GetWindowRect.USER32(00000000,?), ref: 00405A17
Part of subcall function 004059F5: GetSystemMetrics.USER32(00000001), ref: 00405A21
Part of subcall function 004059F5: GetSystemMetrics.USER32(00000000), ref: 00405A25
Part of subcall function 004059F5: SetRect.USER32(?,00000000,00000000,00000000), ref: 00405A2E
Part of subcall function 004059F5: FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 00405A65
Part of subcall function 004059F5: IsWindow.USER32(00000000), ref: 00405A6E
Part of subcall function 004059F5: GetWindowRect.USER32(00000000,?), ref: 00405A84
Part of subcall function 004059F5: IntersectRect.USER32(?,?,?), ref: 00405A92
Part of subcall function 004059F5: SubtractRect.USER32(?,?,?), ref: 00405AAE
Part of subcall function 004059F5: SetWindowPos.USER32(00000000,?,000003E8,0000001E,00000000,00000000,00000005,0000001E), ref: 00405AEE

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: RectWindow$MetricsSystem$ClassCreateDialogFindIntersectParamRegisterSubtract
String ID:
API String ID: 1980248331-0
Opcode ID: 69e0bc3ae1806bdff51fb746438ebf2ec8dae29237ea1da69f37c1a73636202f
Instruction ID: 38b4a6262c839abd6a396f38c12bec8cd157aff0eabbf065e44236116ddb035c
Opcode Fuzzy Hash: 69e0bc3ae1806bdff51fb746438ebf2ec8dae29237ea1da69f37c1a73636202f
Instruction Fuzzy Hash: D9F03A71112619DFD720EF24EC05BAB37E8EB04321F40413AF908A61D0DB789A51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAC8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040ECD4: GetPrivateProfileStringA.KERNEL32(?,?,004276D0,?,0000012C,?), ref: 0040ED0A

SendDlgItemMessageA.USER32(00000001,?,0000000C,00000000,00000000), ref: 0040FB11

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemMessagePrivateProfileSendString
String ID:
API String ID: 2413843928-0
Opcode ID: 9edbea0e7d0e50963f368105c52410ce5c67ae25cea3f615126ac9a5f83437a4
Instruction ID: d2ab924560cfe330e6f48eb01df506eea9725687872136a91e23318287014c1d
Opcode Fuzzy Hash: 9edbea0e7d0e50963f368105c52410ce5c67ae25cea3f615126ac9a5f83437a4
Instruction Fuzzy Hash: C5F06DF6904218BBEF209A64DC46FCA7B68BB54700F0004B1FB58A50D0E6F19AA98A45

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB1A Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EC8F: wsprintfA.USER32 ref: 0040ECA1
Part of subcall function 0040EC8F: LoadStringA.USER32(?,?,?), ref: 0040ECCC

SendDlgItemMessageA.USER32(00000066,?,0000000C,00000000,00000000), ref: 0040FB63

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemLoadMessageSendStringwsprintf
String ID:
API String ID: 382885213-0
Opcode ID: 26c0d5ce2e8292552fcd91547b213264308ce39cd164b0d4da3367a0517c8d33
Instruction ID: ed46200cb84ae2c4c0d7b2b4f6ddba034382f050ff008b722cc8ce77afb1e064
Opcode Fuzzy Hash: 26c0d5ce2e8292552fcd91547b213264308ce39cd164b0d4da3367a0517c8d33
Instruction Fuzzy Hash: A8F06DF6A0025CBBEF209A64DD46FDA7B68AB54704F0004B1FB58A50D0D6F19AA98A44

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECD4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 0040ED12: wsprintfA.USER32 ref: 0040ED2A
Part of subcall function 0040ED12: CharNextA.USER32(?), ref: 0040ED3C
Part of subcall function 0040ED12: CharNextA.USER32(00000000), ref: 0040ED3F
Part of subcall function 0040ED12: lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040ED6F

GetPrivateProfileStringA.KERNEL32(?,?,004276D0,?,0000012C,?), ref: 0040ED0A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$PrivateProfileStringlstrcatwsprintf
String ID:
API String ID: 154278626-0
Opcode ID: 1562701c55c5f5c54015fea8b50b4bf7bd062cf04a6726ca171eaa4f99f52b38
Instruction ID: 8c7dff5f4e3dde02fed871dfe3e35a549044b20561bd2c7aa4ad609472417c4e
Opcode Fuzzy Hash: 1562701c55c5f5c54015fea8b50b4bf7bd062cf04a6726ca171eaa4f99f52b38
Instruction Fuzzy Hash: FFE086B240010EBBCF00DB90DD05DDE777CDB44314F108072B604E2091D674EA9C9B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F445 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,0040F4C4,0040183D,00000000,0040183D,?), ref: 0040F449

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1193fb88a27ee6f8d17c0747c5eaeeebd7bf459bd3fa71e0db6ca3c0e358fab5
Instruction ID: f0a9c37096b2a297bb27027b39a0b0e8cbeaf3848383d64f36ba8069ff1444ba
Opcode Fuzzy Hash: 1193fb88a27ee6f8d17c0747c5eaeeebd7bf459bd3fa71e0db6ca3c0e358fab5
Instruction Fuzzy Hash: E6C08C30509100ADD6303224AC09A5723205F32B74F208E32FE6AE05F6C3747C5F600D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F462 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,0040185C,?,?), ref: 0040F466

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 54bfa2c24912d3e7b6ed6667485d38401e7ecd3b632cc2133204052d79a17793
Instruction ID: 945011269176cc6317548d22329287b2568e896ab88df665ce375d61579737db
Opcode Fuzzy Hash: 54bfa2c24912d3e7b6ed6667485d38401e7ecd3b632cc2133204052d79a17793
Instruction Fuzzy Hash: FBC08C30100B00A9E63002388C4DF5B32006B31321F208E32FDE6E05F0C33C5C5BA008

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF26 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

DialogBoxParamA.USER32(?,000003F0,00000000,0040BF8C,?), ref: 0040BF40

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DialogParam
String ID:
API String ID: 665744214-0
Opcode ID: 453b46cdbf693c64e5b2ab3de45909e796fdc342bc060950a28fd13dfbeb53f8
Instruction ID: 64d8f26f5e796856f0b9cc86613c3e2f9d7461f0cfe532cefafe8c1eda3e4e57
Opcode Fuzzy Hash: 453b46cdbf693c64e5b2ab3de45909e796fdc342bc060950a28fd13dfbeb53f8
Instruction Fuzzy Hash: 89C04C71A84306BBE625DB00DD4AF567655E750B01F104275F540B50E187B41855D96D

Uniqueness

Uniqueness Score: -1.00%

Function 00401715 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(0040D72D,0040D72D,75C10C5C,00401556), ref: 00401727

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: a6efb61594b8c3c2e6e9037574a0b9b3280b0e84a83a0254584cbaecf4341294
Instruction ID: 415e676c9973b416eb033430f6019d657e0c14542330ab823d99cda59e586dba
Opcode Fuzzy Hash: a6efb61594b8c3c2e6e9037574a0b9b3280b0e84a83a0254584cbaecf4341294
Instruction Fuzzy Hash: 40C00232004241EBDB029F80DC04E5ABB62BB98701F04882DB25484070C762546AAB15

Uniqueness

Uniqueness Score: -1.00%

Function 004036BD Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(73AC0000,00407B8C,00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000001,00000810,00000000,00000000,?,?), ref: 004036CC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 864447f9c3fee20f571f16eb9b21526f8b4541a6645981aac715ac03682e211a
Instruction ID: 25cdf2ac1cc785920770ff8f04ac79ea9e46ee15a40b3c7e70fde7c89fc56100
Opcode Fuzzy Hash: 864447f9c3fee20f571f16eb9b21526f8b4541a6645981aac715ac03682e211a
Instruction Fuzzy Hash: 6CB01270B0010067CE20DF319C28E063F9C66003C73408C757004FB2A1CE38EA05C61C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2AC Relevance: 1.3, APIs: 1, Instructions: 7stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,0040E1F2), ref: 0040E2B8

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: fd7618f1325c121cf5a2397abd55e50604432c4afc4da8ffb9b5d60b601fe533
Instruction ID: 15d0c63357568603d4bd378d25c8cb3e5b8dd990ef9faded0b7c89433498dc43
Opcode Fuzzy Hash: fd7618f1325c121cf5a2397abd55e50604432c4afc4da8ffb9b5d60b601fe533
Instruction Fuzzy Hash: BFB092322A0044DACB011B30EC099A43A21F741206B184174A206C60B2CA230457AA08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004081BC Relevance: 126.8, APIs: 53, Strings: 19, Instructions: 765stringregistryfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004081C1
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,00000000), ref: 00408235
SetFileAttributesA.KERNEL32(?,00000080), ref: 00408247
wsprintfA.USER32 ref: 0040827A

Part of subcall function 0040F15E: lstrcpyA.KERNEL32(?,?,00000001,?,00000000), ref: 0040F184
Part of subcall function 0040F15E: CharNextA.USER32(00000000,?,00000000), ref: 0040F19D
Part of subcall function 0040F15E: lstrcpyA.KERNEL32(?,?,?,00000000), ref: 0040F1B6
Part of subcall function 0040F15E: lstrcpyA.KERNEL32(00404C12,00000000,?,00000000), ref: 0040F1BC

lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?,00000000,00000000,00000000), ref: 004082BE
lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_isE74C,?,?,?,?,?,?,00000451), ref: 004082F9
CopyFileA.KERNEL32(?,?,00000000), ref: 0040830E
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000,00000000,?,00408124,00000000,00000001), ref: 0040833D
GetPrivateProfileIntA.KERNEL32(00000000,?), ref: 00408357
lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\RunOnceEx), ref: 004083A2
lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\RunOnce), ref: 004083B6
wsprintfA.USER32 ref: 0040843A
wsprintfA.USER32 ref: 00408458
lstrcatA.KERNEL32(?, AFTERREBOOT=1,80000002,?,000F003F), ref: 00408476

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

wsprintfA.USER32 ref: 004084D4
wsprintfA.USER32 ref: 004084F9
lstrcpyA.KERNEL32(?,00423BCC,00000000,00000000,00000000,?,?,?,?,?,00000451), ref: 0040852D
GetModuleFileNameA.KERNEL32(?,00000400,00000000,00000000,00000000,?,?,?,?,?,00000451), ref: 0040855D
wsprintfA.USER32 ref: 004085C9
lstrcatA.KERNEL32(?,\0001), ref: 004085E4
RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0040860A
RegCloseKey.ADVAPI32(?), ref: 0040861C
lstrlenA.KERNEL32(?), ref: 0040862F
CoInitialize.OLE32(00000000), ref: 00408641
lstrlenW.KERNEL32(0041F5DC,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F,?,?,00000001,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000001,00000000,?,00000001,?,?,00000001), ref: 004086F8
WideCharToMultiByte.KERNEL32(00000000,00000000,0041F5DC,000000FF,?,00000002,00000000,00000000), ref: 0040871D
lstrlenA.KERNEL32(?,?,00000002,00000000,00000000), ref: 00408724
RegSetValueExA.ADVAPI32(00000000,%IS_T%,00000000,00000001,?,00000001,?,?,00000002,00000000,00000000), ref: 00408738
lstrlenW.KERNEL32(0041F5DC,?,00000001,?,?,00000002,00000000,00000000), ref: 0040875E
WideCharToMultiByte.KERNEL32(00000000,00000000,0041F5DC,000000FF,?,00000002,00000000,00000000,?,00000001,?,?,00000002,00000000,00000000), ref: 00408783
lstrlenA.KERNEL32(?,?,00000002,00000000,00000000,?,00000001,?,?,00000002,00000000,00000000), ref: 0040878A
RegSetValueExA.ADVAPI32(00000000,%IS_E%,00000000,00000001,?,00000001,?,?,00000002,00000000,00000000,?,00000001,?,?,00000002), ref: 0040879E
lstrlenW.KERNEL32(0041F5DC,00000002,00000000,00000000), ref: 004087DB
WideCharToMultiByte.KERNEL32(00000000,00000000,0041F5DC,000000FF,?,?,00000000,00000000), ref: 00408803

Part of subcall function 0040A86F: __EH_prolog.LIBCMT ref: 0040A874
Part of subcall function 0040A86F: GetLastError.KERNEL32(%IS_V%,00000022,00000000,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A89D
Part of subcall function 0040A86F: SetLastError.KERNEL32(?,00000000,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A8D4
Part of subcall function 0040A86F: lstrlenA.KERNEL32(?,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A8E9
Part of subcall function 0040A86F: SetLastError.KERNEL32(?,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A90C

Part of subcall function 0040BA9F: __EH_prolog.LIBCMT ref: 0040BAA4

Part of subcall function 0040BA0B: __EH_prolog.LIBCMT ref: 0040BA10

Part of subcall function 00407008: __EH_prolog.LIBCMT ref: 0040700D
Part of subcall function 00407008: GetLastError.KERNEL32(?,00000001,?,0040D9AA,00000000,00000000,-00001060,0000000F,00000001), ref: 00407030
Part of subcall function 00407008: SysFreeString.OLEAUT32(?), ref: 0040704E
Part of subcall function 00407008: SetLastError.KERNEL32(?,00000001,?,0040D9AA,00000000,00000000,-00001060,0000000F,00000001), ref: 0040706E

lstrlenA.KERNEL32(?,?,?,00000000,00000000), ref: 0040880A
RegSetValueExA.ADVAPI32(00000000,%IS_V%,00000000,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040881F
RegCloseKey.ADVAPI32(00000000,?,00000001,?,?,?,00000000,00000000), ref: 00408838
lstrlenW.KERNEL32(0041F5DC,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F,?,?,00000001,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000001,00000000,?,00000001,?,?,00000001), ref: 004089E0
WideCharToMultiByte.KERNEL32(00000000,00000000,0041F5DC,000000FF,?,00000002,00000000,00000000), ref: 00408A05
lstrlenA.KERNEL32(?,?,00000002,00000000,00000000), ref: 00408A0C
RegSetValueExA.ADVAPI32(?,ISSetup,00000000,00000001,?,00000001,?,?,00000002,00000000,00000000), ref: 00408A20
RegCloseKey.ADVAPI32(00000000,?,00000001,?,?,00000002,00000000,00000000), ref: 00408A2E
CoUninitialize.OLE32(?,00000001,?,?,00000002,00000000,00000000), ref: 00408A77
lstrlenA.KERNEL32(?), ref: 00408A86
RegSetValueExA.ADVAPI32(?,ISSetup,00000000,00000001,?,00000001), ref: 00408AA0
RegCloseKey.ADVAPI32(?), ref: 00408AAE
GetPrivateProfileIntA.KERNEL32(00000000,?), ref: 00408ADC
wsprintfA.USER32 ref: 00408AFE
WritePrivateProfileStringA.KERNEL32(00000000,?,00000000,00000000), ref: 00408B1E
GetPrivateProfileIntA.KERNEL32(?,00000000,?), ref: 00408B3C
wsprintfA.USER32 ref: 00408B5B
WritePrivateProfileStringA.KERNEL32(?,00000000,?), ref: 00408B78
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000451), ref: 00408BA6

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 004081FF, 00408221, 004082E6, 0040857F, 00408686
"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s, xrefs: 0040859C
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 004083B0
%IS_V%, xrefs: 00408815, 0040881B, 00408943
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040838F
%IS_T%, xrefs: 00408730, 00408847
%s%s, xrefs: 00408452
%IS_E%, xrefs: 00408796, 004088C5
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00408230, 00408291, 00408337
ISSetup, xrefs: 00408A18, 00408A98
Software\Microsoft\Windows\CurrentVersion, xrefs: 004086BA
"%s" %s /l%d /t"%s" /e"%s" /v"%s" %s, xrefs: 004085BD
/j%s, xrefs: 004084C8
Software\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 00408396
.ini, xrefs: 004082B8, 004082F3
/f%s, xrefs: 004084E6
AFTERREBOOT=1, xrefs: 00408470
%#04x, xrefs: 00408274
\0001, xrefs: 004085DE

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$lstrcpywsprintf$CharCloseErrorH_prologLastPrivateProfileValuelstrcat$ByteFileMultiWide$String$CopyWrite$AttributesCreateFreeInitializeModuleNameNextUninitialize
String ID: AFTERREBOOT=1$"%s" %s /l%d /t"%s" /e"%s" /v"%s" %s$"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s$%#04x$%IS_E%$%IS_T%$%IS_V%$%s%s$.ini$/f%s$/j%s$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$ISSetup$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnceEx$\0001
API String ID: 3892240309-3737127509
Opcode ID: 604e2f4e3170323c680529ea5eb3e662beb7feb3ef49f5df59283c86ceae042e
Instruction ID: 637b3e7336e36e8fdefd7b58abeb659304bc155bbfaa286bd73024196d2b1df1
Opcode Fuzzy Hash: 604e2f4e3170323c680529ea5eb3e662beb7feb3ef49f5df59283c86ceae042e
Instruction Fuzzy Hash: F3527E7190025AEEDF11DBA0DD45EEEBB78EB04304F1084BAF509B2192DF785E49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF30 Relevance: 84.1, APIs: 24, Strings: 24, Instructions: 110libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll,00000000,0040287D,?,00000000,?,004026C6,?,?,00000000,00000006,ftp://,00000000), ref: 0040FF45
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0040FF65
GetProcAddress.KERNEL32(InternetOpenUrlA), ref: 0040FF77
GetProcAddress.KERNEL32(InternetConnectA), ref: 0040FF89
GetProcAddress.KERNEL32(InternetCrackUrlA), ref: 0040FF9B
GetProcAddress.KERNEL32(InternetCreateUrlA), ref: 0040FFAD
GetProcAddress.KERNEL32(InternetCloseHandle), ref: 0040FFBF
GetProcAddress.KERNEL32(InternetReadFile), ref: 0040FFD1
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 0040FFE3
GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 0040FFF5
GetProcAddress.KERNEL32(InternetGetLastResponseInfoA), ref: 00410007
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00410019
GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 0041002B
GetProcAddress.KERNEL32(InternetAutodial), ref: 0041003D
GetProcAddress.KERNEL32(InternetErrorDlg), ref: 0041004F
GetProcAddress.KERNEL32(HttpOpenRequestA), ref: 00410061
GetProcAddress.KERNEL32(HttpSendRequestA), ref: 00410073
GetProcAddress.KERNEL32(HttpSendRequestExA), ref: 00410085
GetProcAddress.KERNEL32(HttpEndRequestA), ref: 00410097
GetProcAddress.KERNEL32(InternetQueryOptionA), ref: 004100A9
GetProcAddress.KERNEL32(InternetQueryDataAvailable), ref: 004100BB
GetProcAddress.KERNEL32(InternetCanonicalizeUrlA), ref: 004100CD
GetProcAddress.KERNEL32(InternetSetStatusCallbackA), ref: 004100DF
GetProcAddress.KERNEL32(InternetSetStatusCallback), ref: 004100F5

Strings

InternetQueryOptionA, xrefs: 00410099
InternetGetConnectedState, xrefs: 0041001B
InternetSetOptionA, xrefs: 00410009
InternetCloseHandle, xrefs: 0040FFAF
InternetGetLastResponseInfoA, xrefs: 0040FFF7
InternetOpenA, xrefs: 0040FF5F
InternetReadFile, xrefs: 0040FFC1
InternetOpenUrlA, xrefs: 0040FF67
HttpOpenRequestA, xrefs: 00410051
InternetCrackUrlA, xrefs: 0040FF8B
InternetErrorDlg, xrefs: 0041003F
InternetCanonicalizeUrlA, xrefs: 004100BD
InternetAutodial, xrefs: 0041002D
HttpEndRequestA, xrefs: 00410087
InternetQueryDataAvailable, xrefs: 004100AB
wininet.dll, xrefs: 0040FF40
FtpFindFirstFileA, xrefs: 0040FFE5
InternetConnectA, xrefs: 0040FF79
InternetSetStatusCallbackA, xrefs: 004100CF
HttpQueryInfoA, xrefs: 0040FFD3
InternetCreateUrlA, xrefs: 0040FF9D
InternetSetStatusCallback, xrefs: 004100EA
HttpSendRequestExA, xrefs: 00410075
HttpSendRequestA, xrefs: 00410063

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: FtpFindFirstFileA$HttpEndRequestA$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestExA$InternetAutodial$InternetCanonicalizeUrlA$InternetCloseHandle$InternetConnectA$InternetCrackUrlA$InternetCreateUrlA$InternetErrorDlg$InternetGetConnectedState$InternetGetLastResponseInfoA$InternetOpenA$InternetOpenUrlA$InternetQueryDataAvailable$InternetQueryOptionA$InternetReadFile$InternetSetOptionA$InternetSetStatusCallback$InternetSetStatusCallbackA$wininet.dll
API String ID: 2238633743-2368965065
Opcode ID: e3f02d3e62adca3548f24aeccc30e77c2e2450c09dae0448b9e9727ef094325e
Instruction ID: 55d8c29a8a04117b6affaf517ee47f65a170d4e726d0757d33f1404b0712e830
Opcode Fuzzy Hash: e3f02d3e62adca3548f24aeccc30e77c2e2450c09dae0448b9e9727ef094325e
Instruction Fuzzy Hash: BA418270B54225AEDB21DB62BC59A263EA1FB58790BD4013BBC44851F0D6B50C62DF9C

Uniqueness

Uniqueness Score: -1.00%

Function 00404E21 Relevance: 82.6, APIs: 35, Strings: 12, Instructions: 334stringCOMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00423478,00000000,00000000), ref: 00404E79
CharNextA.USER32(?,00000001,00000001), ref: 00404E9E
CharNextA.USER32(?,00423474,00000000), ref: 00404EB0
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_isE74C,00000000), ref: 00404EBD
GetPrivateProfileStringA.KERNEL32(004276D0,?,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,C:\Users\user\AppData\Local\Temp\_isE74C), ref: 00404EFC
CharNextA.USER32(?,00000002), ref: 00404F17
CharNextA.USER32(?,00000000), ref: 00404F27
CharNextA.USER32(?), ref: 00404F80
lstrcpyA.KERNEL32(?,00000000), ref: 00404F90
CharNextA.USER32(00000000,00000000,?,00423468,00000000,00000000), ref: 00404FB2
CharNextA.USER32(00000000,00000002), ref: 00404FED
CharNextA.USER32(00000000,00423450,00000000,00000000,00423464,00000000,00000000), ref: 00404FFF
CharNextA.USER32(00000000), ref: 0040501B
CharNextA.USER32(00000000,00423460,00000000,00000000), ref: 00405053
lstrcpyA.KERNEL32(?,00000000), ref: 00405064
CharNextA.USER32(00000000,00000003,00000000), ref: 004050B8
CharNextA.USER32(00000000), ref: 004050DD
CharNextA.USER32(00000000), ref: 004050E0
lstrcpyA.KERNEL32(?,00000000), ref: 004050F3
CharNextA.USER32(00000000), ref: 0040512F
CharNextA.USER32(00000000), ref: 00405132
CharNextA.USER32(00000000), ref: 00405147
CharNextA.USER32(00000000), ref: 0040514A
CharNextA.USER32(00000000), ref: 0040515F
CharNextA.USER32(00000000), ref: 00405162
CharNextA.USER32(00000000,/uninst,00000000,00000000), ref: 00405194
lstrcpyA.KERNEL32(?,00000000), ref: 004051A6
lstrcpyA.KERNEL32(0042837C,-00000007,/verbose,-00000007,00000001,/uninst,00000000,00000000), ref: 004051D3
CharNextA.USER32(00000000,00000000,?), ref: 004051FF

Strings

/m2, xrefs: 00405038
SMS, xrefs: 0040507E
C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 00404EB6, 00404EBC, 00404ED2
/uninst, xrefs: 00405124
/f2, xrefs: 00404F3A
/verbose, xrefs: 004051B6
/SMS, xrefs: 004050A7
/f1, xrefs: 00404F50
verbose, xrefs: 0040517B
uninst, xrefs: 0040510D
/m1, xrefs: 00405048
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00404ED3, 00404ED8, 00404EDE

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$lstrcpy$PrivateProfileString
String ID: /SMS$/f1$/f2$/m1$/m2$/uninst$/verbose$C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$SMS$uninst$verbose
API String ID: 2110650040-2100623836
Opcode ID: 399b2d147abd7b6b12ff1c3c5d0ad92a723d2f309190ce773ade1efedc4b1dea
Instruction ID: 2392f8c370e1d402d8c23eba3c2974bfe5f8a28523d04d4c3b09b83814ce73f8
Opcode Fuzzy Hash: 399b2d147abd7b6b12ff1c3c5d0ad92a723d2f309190ce773ade1efedc4b1dea
Instruction Fuzzy Hash: 2FA1F271A00A14BAD721AB50DC48FBF3A6CEF45750F24807BF915BA1D1CA7C59029FAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404740 Relevance: 66.8, APIs: 31, Strings: 7, Instructions: 317registrystringmemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000004,?,X:B,74DEB4B0,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,00000000), ref: 0040475A
wsprintfA.USER32 ref: 0040477A
StringFromCLSID.OLE32(?,?), ref: 00404797
SysAllocString.OLEAUT32(?), ref: 004047A0
CoTaskMemFree.OLE32(?), ref: 004047AC
lstrlenW.KERNEL32(?), ref: 004047C4

Part of subcall function 00404ADA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000002,74DEE0B0,00000000,00000000,74DEE0B0,004047E3,?,?,00000002,00000000), ref: 00404AF5

wsprintfA.USER32 ref: 004047F0
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,00020019,?,?,?,00000000), ref: 0040481B
RegOpenKeyExA.ADVAPI32(?,LocalServer32,00000000,00020019,?,?,?,00000000), ref: 0040485B
RegQueryValueExA.ADVAPI32(?,004276D0,00000000,?,?,00000104,?,?,00000000), ref: 004048B3
CoCreateGuid.OLE32(?,?,?,00000000), ref: 004048BD
lstrcatA.KERNEL32(?, /ForceROT,?,?,00000000), ref: 004048CF
StringFromCLSID.OLE32(?,?,?,?,00000000), ref: 004048DD
SysAllocString.OLEAUT32(?), ref: 004048E6
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 004048F2
lstrlenW.KERNEL32(?,?,?,00000000), ref: 00404904
lstrcatA.KERNEL32(?,00000000,?,?,00000002,00000000,?,?,00000000), ref: 0040492B
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,?,00000002,00000000), ref: 00404958
SysFreeString.OLEAUT32(?), ref: 00404965
lstrlenW.KERNEL32(?,?,?,00000002,00000000,?,?,00000000), ref: 00404996
wsprintfA.USER32 ref: 004049C2
WaitForInputIdle.USER32(?,00004E20), ref: 004049E0
CloseHandle.KERNEL32(?,?,?,00000002,00000000,?,?,00000000), ref: 004049EF
CloseHandle.KERNEL32(?,?,?,00000002,00000000,?,?,00000000), ref: 004049F4
Sleep.KERNEL32(000000C8,?,?,00000002,00000000,?,?,00000000), ref: 00404A0F
CreateItemMoniker.OLE32(00423310,?,?), ref: 00404A24
GetRunningObjectTable.OLE32(00000000,?), ref: 00404A38
SysFreeString.OLEAUT32(?), ref: 00404A9A
RegCloseKey.ADVAPI32(?,?,?,00000002,00000000,?,?,00000000), ref: 00404AAE
RegCloseKey.ADVAPI32(?,?,?,00000002,00000000,?,?,00000000), ref: 00404ABB
SysFreeString.OLEAUT32(?), ref: 00404AC5

Strings

CLSID\%s, xrefs: 004047EA
X:B, xrefs: 0040474E
Forcing item moniker %s into ROT..., xrefs: 004049BC
LocalServer32, xrefs: 00404852
/ForceROT, xrefs: 004048C9
CoCreateInstance failed with error 0x%lx, try a second approach., xrefs: 00404774
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040474A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$Free$CloseCreate$lstrlenwsprintf$AllocFromHandleOpenTasklstrcat$ByteCharGuidIdleInputInstanceItemMonikerMultiObjectProcessQueryRunningSleepTableValueWaitWide
String ID: /ForceROT$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$CLSID\%s$CoCreateInstance failed with error 0x%lx, try a second approach.$Forcing item moniker %s into ROT...$LocalServer32$X:B
API String ID: 3461069662-1745655934
Opcode ID: 28a53814736717a43b0eb6e25fccc43759f90e8aefc99f790df73ee9a2b147a7
Instruction ID: e792ce2ecb248212c5a738f2e5bdebdb1b123f4d282b448fa66262c3fc873258
Opcode Fuzzy Hash: 28a53814736717a43b0eb6e25fccc43759f90e8aefc99f790df73ee9a2b147a7
Instruction Fuzzy Hash: A4B128B6A00209AFDF00DFA0DC859EE7B79EB48345F10847AFA05E6150D7359E45CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7A3 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

0, xrefs: 0041DA11
+, xrefs: 0041D998
9, xrefs: 0041DA24
-, xrefs: 0041D9A1
0, xrefs: 0041DA42
9, xrefs: 0041D8B8
C, xrefs: 0041D884
c, xrefs: 0041D892
0, xrefs: 0041D944
E, xrefs: 0041D88D
0, xrefs: 0041D8CD
-, xrefs: 0041D87A
9, xrefs: 0041D812
+, xrefs: 0041D875
9, xrefs: 0041DA34
1, xrefs: 0041DA1B
0, xrefs: 0041D87F
9, xrefs: 0041D864
1, xrefs: 0041D9E8
e, xrefs: 0041D89B
9, xrefs: 0041D9F0

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 53fcb24415a42254422ef3b704703396450c2d3c7cc4b7d7127f696e089a473e
Instruction ID: 305d178d531a77cce6adacc84922b0b727f2895881215e81db977dd96107e5ea
Opcode Fuzzy Hash: 53fcb24415a42254422ef3b704703396450c2d3c7cc4b7d7127f696e089a473e
Instruction Fuzzy Hash: 7FE1DFF0E58209DEEB25DF68D8513FE7BB1EB44344F68402BD412A6282D37D99C2CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408ECE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 187registryCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00007FFF,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408F16
GetPrivateProfileSectionA.KERNEL32(00000000,00007FFF,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408F2B
GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FB1
GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FCC
GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FE4
GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00408FFC
GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00409014
GetPrivateProfileIntA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 0040905A
RegQueryValueExA.ADVAPI32(00000000,CSDVersion,00000000,?,00000004,?,80000002,System\CurrentControlSet\Control\Windows,00020019), ref: 004090A7
RegCloseKey.ADVAPI32(00000000,80000002,System\CurrentControlSet\Control\Windows,00020019), ref: 004090BB
RegCloseKey.ADVAPI32(00000000), ref: 004090FB

Strings

CSDVersion, xrefs: 00409095
System\CurrentControlSet\Control\Windows, xrefs: 0040906F
1.20.1827.0, xrefs: 00409032
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00408EFE, 00408F08, 00408F1C, 00408FA2, 00408FBF, 00408FD7, 00408FEF, 00409007, 0040904D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile$Close$QuerySectionStringValue
String ID: 1.20.1827.0$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 2153185420-17826053
Opcode ID: 536a29cb4856b3793c91167631f1a002f7ef71a8b17dfe41bbeed014e1c3edb0
Instruction ID: 76ec81929e707e410ece2cfe5b8470118fb7ce8509481e66bc0ac0c5f5c834dc
Opcode Fuzzy Hash: 536a29cb4856b3793c91167631f1a002f7ef71a8b17dfe41bbeed014e1c3edb0
Instruction Fuzzy Hash: 4C61A171900209BBDF11DFA4DD84BEE7BB9FB08344F20847AE541B6192DB799E45CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004052F6 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004052FB
CharNextA.USER32(?,00000000,?,00000001), ref: 0040531F
CharNextA.USER32(00000000), ref: 0040536E
lstrcpyA.KERNEL32(?,00000000,00000452,?,00000000,?,00000001), ref: 00405388
GetPrivateProfileIntA.KERNEL32(Languages,Count,00000000,00000000), ref: 004053D3
wsprintfA.USER32 ref: 004053F3
GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,?,00000013,?), ref: 00405416

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 00405366
key, xrefs: 004053E2
%s%d, xrefs: 004053ED
Languages, xrefs: 004053C6, 004053D2, 00405415
Count, xrefs: 004053CD

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNextPrivateProfile$H_prologStringlstrcpywsprintf
String ID: %s%d$C:\Users\user\AppData\Local\Temp\_isE74C$Count$Languages$key
API String ID: 2987917610-785317816
Opcode ID: 87230f0d8856103c2ec73fbe2e991c9a03d6c4a0231d37ef754dd4b6fb78283d
Instruction ID: 93673d22d0e74f0fc408df689ce4648012e45b59f418836214859eb06ae0e6a7
Opcode Fuzzy Hash: 87230f0d8856103c2ec73fbe2e991c9a03d6c4a0231d37ef754dd4b6fb78283d
Instruction Fuzzy Hash: 5141CE72A00619ABDB11EF64DC85BEF77B8EF04351F4080BBB905A31D1DB789A458F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDD6 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040FDF8
CharNextA.USER32(?), ref: 0040FE07
CharNextA.USER32(00000000), ref: 0040FE0A

Part of subcall function 0040F15E: lstrcpyA.KERNEL32(?,?,00000001,?,00000000), ref: 0040F184
Part of subcall function 0040F15E: CharNextA.USER32(00000000,?,00000000), ref: 0040F19D
Part of subcall function 0040F15E: lstrcpyA.KERNEL32(?,?,?,00000000), ref: 0040F1B6
Part of subcall function 0040F15E: lstrcpyA.KERNEL32(00404C12,00000000,?,00000000), ref: 0040F1BC

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040FE47
wsprintfA.USER32 ref: 0040FE55
GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,00000000,0000007F,?), ref: 0040FE75
VerLanguageNameA.VERSION(?,00000000,0000007F), ref: 0040FE8B

Strings

Languages, xrefs: 0040FE70
.ini, xrefs: 0040FE41
%#04x, xrefs: 0040FDEE, 0040FDF6, 0040FE53
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040FE1A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$CharNext$lstrcatwsprintf$LanguageNamePrivateProfileString
String ID: %#04x$.ini$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$Languages
API String ID: 4280142108-2655950916
Opcode ID: 0f3c6fc54032adefb8c01477c8200fbd78f682c88351c97732474582c44e9e9d
Instruction ID: 05055c9343698199dcbe592b9cb086c507e315cedaf6396822a0a3f949e3fc3d
Opcode Fuzzy Hash: 0f3c6fc54032adefb8c01477c8200fbd78f682c88351c97732474582c44e9e9d
Instruction Fuzzy Hash: 7A11DAB2A0111DBBCF11EF94EC45DDE7BBCEB48264F404077FA04E2050DA75EA598BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F808 Relevance: 18.1, APIs: 12, Instructions: 119threadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040F82D
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F834
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F844
GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F853
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F85A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F860
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00409195,?,?,?,?,?,?,?,?,00409195), ref: 0040F87C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F882
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,00409195,00409195,?,?,?,?,?,?,?,?,00409195), ref: 0040F8A7
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040F8C4
EqualSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F8F5
FreeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,00409195,?,?,00000000,?,00000000), ref: 0040F914

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
String ID:
API String ID: 884311744-0
Opcode ID: cd89e213df8a60f5ce2ff2b1baf79bcf7d3bfeed90186beb488b4e7964c16ed5
Instruction ID: 6db039a0c23f0a18c4dd1eb8657210cd1721553989911bcc79c307855ec2bc1f
Opcode Fuzzy Hash: cd89e213df8a60f5ce2ff2b1baf79bcf7d3bfeed90186beb488b4e7964c16ed5
Instruction Fuzzy Hash: 47317272904249BFDB21DBA4DC44AEFBBB8EF14344F104076E500F2691D7388E499B69

Uniqueness

Uniqueness Score: -1.00%

Function 00403A6F Relevance: 16.6, APIs: 7, Strings: 2, Instructions: 891libraryfileloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403A74
MultiByteToWideChar.KERNEL32(00000001,00000000,0040CE83,000000FF,00000000,00000000,6CBE6DE0,00423220,00000000), ref: 00403AA0
MultiByteToWideChar.KERNEL32(00000001,00000000,0040CE83,000000FF,00000000,00000000), ref: 00403ABC
StgIsStorageFile.OLE32(?,?), ref: 00403AD5
StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00403AF2

Part of subcall function 00414A8E: RaiseException.KERNEL32(00413AFD,00000000,?,0041FAF0,00000000,invalid string position,00413AFD,00000000,00421230,?,invalid string position), ref: 00414ABC

LoadLibraryA.KERNEL32(crypt32.dll,?,?,?,?,?,?,?), ref: 00404123
GetProcAddress.KERNEL32(00000000,CertCompareCertificate), ref: 00404133

Strings

crypt32.dll, xrefs: 0040411A
CertCompareCertificate, xrefs: 0040412D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiStorageWide$AddressExceptionFileH_prologLibraryLoadOpenProcRaise
String ID: CertCompareCertificate$crypt32.dll
API String ID: 23035369-3596784711
Opcode ID: 25f332a7c593214476d5c52f7a69266d2a5919d8b96211d5c61d21f5829fc90d
Instruction ID: e116b8d468711f8f4d25ea7f2d94393cdd49299d5ca05c38b3c737d393f12f13
Opcode Fuzzy Hash: 25f332a7c593214476d5c52f7a69266d2a5919d8b96211d5c61d21f5829fc90d
Instruction Fuzzy Hash: 10628071900246AFDB20DFA5CC84FAFBBB9AF84314F24456EF205B6291D7789D85CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00410106 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 113memoryfileCOMMON

Download Yara Rule

APIs

SearchPathA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,6CBE6DE0,74DF2F30), ref: 00410129
GetModuleFileNameA.KERNEL32(?,00000104), ref: 00410149
FindFirstFileA.KERNEL32(?,?), ref: 00410165
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0041019D
VirtualProtect.KERNEL32(00000000,00000001,00000004,?), ref: 004101EF
VirtualProtect.KERNEL32(00000000,00000001,?,?), ref: 00410202
FindClose.KERNEL32(00000000), ref: 00410225
FindClose.KERNEL32(00000000), ref: 00410235

Strings

RPAWINET.DLL, xrefs: 00410112

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindVirtual$CloseFileProtect$FirstModuleNamePathQuerySearch
String ID: RPAWINET.DLL
API String ID: 1763775632-274221676
Opcode ID: 54d15e1daa3f9d92f79e3a219cfb58fe9207ca8eb658d218ddf668af78259b15
Instruction ID: de381bab59b2e7b346eeed863875f8aafa5ddf428cfd6c323929b5f67413eab5
Opcode Fuzzy Hash: 54d15e1daa3f9d92f79e3a219cfb58fe9207ca8eb658d218ddf668af78259b15
Instruction Fuzzy Hash: FB314071A00119BBDB21DB94DC45FEF77BCAB09310F5440A2E914F7190D7B5AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A51C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040A53D
RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0040A567
RegDeleteKeyA.ADVAPI32(80000002,?), ref: 0040A582
RegCloseKey.ADVAPI32(00000000,?), ref: 0040A594

Strings

{31EE4FE8-7F9C-11D5-ABB8-00B0D02332EB}, xrefs: 0040A528
Software\Microsoft\Windows\CurrentVersion\Uninstall\%s, xrefs: 0040A533
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040A526

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateDeletewsprintf
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$Software\Microsoft\Windows\CurrentVersion\Uninstall\%s${31EE4FE8-7F9C-11D5-ABB8-00B0D02332EB}
API String ID: 3829835781-743048335
Opcode ID: ad14b249ec4e3b32f27f4b9dbfb18c875eaa7d68fedccfab7d32768974eb3f30
Instruction ID: 92998d3f333ff6812eaa474d38ad210b384a36723daf7995e59463d6c6c6bfa4
Opcode Fuzzy Hash: ad14b249ec4e3b32f27f4b9dbfb18c875eaa7d68fedccfab7d32768974eb3f30
Instruction Fuzzy Hash: 740148B690021CBFDB118F949C849EEBBBCFB44389F5080B6E945E2141D6345E4E8BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406BBB Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00406BE4
GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,?,00000013,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406C09

Strings

C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00406BF0
key, xrefs: 00406BD3
%s%d, xrefs: 00406BDE
Languages, xrefs: 00406C04

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringwsprintf
String ID: %s%d$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$Languages$key
API String ID: 1475573541-3808344251
Opcode ID: d3fa3ceadb44698d3b0575fd2b51b00084263b927a467f99acb2ee594c197a10
Instruction ID: b2a806249bca997bb3c3035006103c139dbf54d06f41aca5868bdfb0c893a2f6
Opcode Fuzzy Hash: d3fa3ceadb44698d3b0575fd2b51b00084263b927a467f99acb2ee594c197a10
Instruction Fuzzy Hash: 8D01D271704128BBD720DF98DC41EDBB77CEB04758F500173B609A2181D678AA5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F733 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F7DA: GetVersionExA.KERNEL32(?), ref: 0040F7F4

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00408B91), ref: 0040F742
OpenProcessToken.ADVAPI32(00000000,00000028,00408B91,?,?,?,?,?,?,00408B91), ref: 0040F74F
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040F766
AdjustTokenPrivileges.ADVAPI32(00408B91,00000000,?,00000000,00000000,00000000), ref: 0040F791
ExitWindowsEx.USER32(00000002,0000FFFF), ref: 0040F79F

Strings

SeShutdownPrivilege, xrefs: 0040F760

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 337752880-3733053543
Opcode ID: 9d6e964650b08a67103bbe795f7787a1a560600bbcb1ab9668dd2f6c1a01306b
Instruction ID: 784b116ac521a6c2c478d329f7eb4d3a3292c5b5e2b30c6aa42d44528e0a3793
Opcode Fuzzy Hash: 9d6e964650b08a67103bbe795f7787a1a560600bbcb1ab9668dd2f6c1a01306b
Instruction Fuzzy Hash: AD012C75900219ABDB20AFA5DC0DEEFBFBCEF09740F008135B505E2281DB749609CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406C9C Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000000), ref: 00406CCE
GetPrivateProfileStringA.KERNEL32(?,Title,004276D0,?,0000007F,?), ref: 00406CED

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 00406CB7
ll@, xrefs: 00406CA5
.ini, xrefs: 00406CC8
Title, xrefs: 00406CE5

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$PrivateProfileStringlstrcpy
String ID: .ini$C:\Users\user\AppData\Local\Temp\_isE74C$Title$ll@
API String ID: 1377477389-3284009775
Opcode ID: 971d20febf9b1cd123a1f5232a58be15d96a6c70d4b153541987681b6dbf68ab
Instruction ID: 8e1f3f46cb69b6d550d8885263fa61068925e1d203143575a529cd4eefaa954c
Opcode Fuzzy Hash: 971d20febf9b1cd123a1f5232a58be15d96a6c70d4b153541987681b6dbf68ab
Instruction Fuzzy Hash: 42F0BEB570422AB7CF10DFA8AD42EDA7768AB10715F000073BA4AF10D0D6B8DA948B88

Uniqueness

Uniqueness Score: -1.00%

Function 00409BB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(?,004276D0,00000000,00000400,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?), ref: 00409BFC
lstrcmpA.KERNEL32(00000000,004276D0), ref: 00409C0A

Part of subcall function 0040D670: __EH_prolog.LIBCMT ref: 0040D675
Part of subcall function 0040D670: LoadCursorA.USER32(00000000,00007F02), ref: 0040D6AC
Part of subcall function 0040D670: SetCursor.USER32(00000000), ref: 0040D6B9

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 00409C31
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 00409BD7

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$H_prologLoadPrivateProfileStringlstrcatlstrcmplstrcpy
String ID: C:\Users\user\AppData\Local\Temp\_isE74C$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI
API String ID: 1495358311-3740074027
Opcode ID: e933285e72c82f212ea35d30b7674f14cc972873a581aa8bb51cdcb0db734f03
Instruction ID: 5372ba495a31e57c0f539a8f46a02c77723977cf3f3037f233afa1722115a76f
Opcode Fuzzy Hash: e933285e72c82f212ea35d30b7674f14cc972873a581aa8bb51cdcb0db734f03
Instruction Fuzzy Hash: 8901FCB2B001197BDB209B65DC41FEB3BACEB04358F004076B704F10D1D6799D4A8B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A779 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(dotnetredist.exe,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?), ref: 0040A78F

Strings

dotnetredist.exe, xrefs: 0040A78A
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040A77B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile
String ID: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$dotnetredist.exe
API String ID: 1469295129-2827233352
Opcode ID: 2b28af8c5977a1895e0916da86b5e5451d893b7ee408e14a59156d5cf28c5882
Instruction ID: 24c6b3d23fe585ca76cf5cc1adb3cea40b306731a7cfcaad2c4e68d42b9ab2a2
Opcode Fuzzy Hash: 2b28af8c5977a1895e0916da86b5e5451d893b7ee408e14a59156d5cf28c5882
Instruction Fuzzy Hash: B2E086757102107FC22056059C05B4B6A66DBC0721F14843AF944A72D0D678DC16856D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F92E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(0040F9F1,00001004,?,00000014,?,?,?,?,?,?,?,?,?,?,?,0040F9F1), ref: 0040F955
TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 0040F970

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Info$CharsetLocaleTranslate
String ID:
API String ID: 641124110-0
Opcode ID: 56eae2fba263149fdd3c3d64d573036fc46774c6243c7c2bf4f80e1dc4c8256f
Instruction ID: 04784ef3acfcdf4d44ba24f372bfe72eb16b5aa754be55eb0cbbe0f5e021074c
Opcode Fuzzy Hash: 56eae2fba263149fdd3c3d64d573036fc46774c6243c7c2bf4f80e1dc4c8256f
Instruction Fuzzy Hash: 59F090B1600205BADB20DB70EC45FEB73A8A748B14F900136FA15E66D0E774DD8ACB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040F98B Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(0040CE5E,00001004,?,00000014,?,?,00000000,0040CE5E), ref: 0040F99F

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f76ce6e0b8595b29f5c4296f2c4e1bbdfa1772cbce3f669e34f7707899e4b38e
Instruction ID: bec0145e6ddf8ccc3c5a3f76ab0486fddbc7213d38749e9b183ed8aa18bf14ab
Opcode Fuzzy Hash: f76ce6e0b8595b29f5c4296f2c4e1bbdfa1772cbce3f669e34f7707899e4b38e
Instruction Fuzzy Hash: 2BE086723042087ADB11DFA4DD02ADB37AC9B44758F100076FA05E91D1D7B4D944C754

Uniqueness

Uniqueness Score: -1.00%

Function 00418923 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000188DD), ref: 00418928

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bb2b2ad8fdd381048f573802c3ec4605b01c397f92387fb20bf051d18a56d289
Instruction ID: 86f12c05e897893eae73a457fd30d9720c52f54a8f62282acfe8c7f59eaae4e2
Opcode Fuzzy Hash: bb2b2ad8fdd381048f573802c3ec4605b01c397f92387fb20bf051d18a56d289
Instruction Fuzzy Hash: 58A022B82003008B8B20FF20AC080C23A20E300303B8082BAA88080230CFB0008BCF0C

Uniqueness

Uniqueness Score: -1.00%

Function 00418935 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0041893A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d8424cc32338f7c74ff83a0b25ce6486135d29a419834388a1b4f08945f7286
Instruction ID: e04fcfd51e698c09cccf057994143c83417d07adb8245ac024dc2943462db1a2
Opcode Fuzzy Hash: 0d8424cc32338f7c74ff83a0b25ce6486135d29a419834388a1b4f08945f7286
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00417C44 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 2a97ec937554d5e1151c819ab1b1224db41be6bb008b7aa271fdadd09d850049
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: DDB16A35A0420ADFDB15CF14D5D0AE9BBB1BF58318F24819ED81A5B382C735EE82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410AF5 Relevance: 72.1, APIs: 32, Strings: 9, Instructions: 315registryfilestringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,?,004106BE), ref: 00410B61
lstrlenA.KERNEL32(?,?,00000000), ref: 00410B80
lstrlenA.KERNEL32(?,?,?,00000000), ref: 00410B9F
RegQueryValueExA.ADVAPI32(?,CurrentUser,00000000,00000000,?,?,00000000), ref: 00410BB9
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00410BCF
RegQueryValueExA.ADVAPI32(?,DirRoot,00000000,00000000,?,?,?,00000000), ref: 00410BF1

Part of subcall function 00411DF9: RegCloseKey.ADVAPI32(00000000,75A8EA50,00410BFF,?,00000000), ref: 00411E03

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00410C4D
lstrcatA.KERNEL32(?,\nsreg.dat,?,00000000), ref: 00410C5F
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000), ref: 00410C7C
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00410C92
MapViewOfFile.KERNEL32(004106BE,00000004,00000000,00000000,00000000,?,00000000), ref: 00410CA7
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Netscape\Netscape Navigator\biff,?), ref: 00410CC4
RegQueryValueExA.ADVAPI32(?,CurrentUser,00000000,00000000,?,?,?,00000000), ref: 00410CEA
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00410CF9
CloseHandle.KERNEL32(004106BE,?,00000000), ref: 00410D0D
CloseHandle.KERNEL32(?,?,00000000), ref: 00410DCE
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00410DDC
lstrcatA.KERNEL32(?,\prefs.js,?,?,?,?,?,00000000), ref: 00410E3D
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000), ref: 00410E5A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000), ref: 00410E69
ReadFile.KERNEL32(00000000,00000000,?,00000064,00000000,?,?,?,?,?,00000000), ref: 00410E89
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00410E9B

Part of subcall function 00410EA6: lstrcatA.KERNEL32(00000000,00424410,0000003D,00410E9A,00000001), ref: 00410F87
Part of subcall function 00410EA6: lstrcatA.KERNEL32(?,004243A8,786F7250,00410E9A,00000001), ref: 00410FC0
Part of subcall function 00410EA6: lstrcatA.KERNEL32(?,00423F5C,786F7250,00410E9A,00000001), ref: 00410FE3

Strings

ProfileLocation, xrefs: 00410D5F, 00410D8B
\prefs.js, xrefs: 00410E37
%20, xrefs: 00410D2D
CurrentUser, xrefs: 00410BB1, 00410CE2
SOFTWARE\Netscape\Netscape Navigator\biff, xrefs: 00410CBA
d, xrefs: 00410CD1
\nsreg.dat, xrefs: 00410C59
SOFTWARE\Netscape\Netscape Navigator\Users\, xrefs: 00410B05
DirRoot, xrefs: 00410BE9

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Closelstrcat$CreateHandleOpenQueryValue$Viewlstrlen$DirectoryMappingReadSizeUnmapWindows
String ID: %20$CurrentUser$DirRoot$ProfileLocation$SOFTWARE\Netscape\Netscape Navigator\Users\$SOFTWARE\Netscape\Netscape Navigator\biff$\nsreg.dat$\prefs.js$d
API String ID: 2752808192-2579096533
Opcode ID: a1b7613e1398444611491aa50f79a3ad4907f5ec1d83aa0d9019f54f8c040468
Instruction ID: 236931272ba73699b396ed61c81dd396fecd62b7efcb34823792692a87c0ad85
Opcode Fuzzy Hash: a1b7613e1398444611491aa50f79a3ad4907f5ec1d83aa0d9019f54f8c040468
Instruction Fuzzy Hash: 78B14B71D00219EFDB119FA4DC89AEFBBB8EB04344F5081BAE505A2191D7B45EC68B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040665D Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 139stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EE), ref: 00406677
GetWindowTextLengthA.USER32(00000000), ref: 0040668D
GetWindowTextA.USER32(00000000,?,0000007F), ref: 004066A2
GetDlgItem.USER32(?,000003EF), ref: 004066AC
GetWindowTextLengthA.USER32(00000000), ref: 004066BC
GetWindowTextA.USER32(00000000,?,0000007F), ref: 004066CD
GetDC.USER32(?), ref: 004066D2
lstrlenA.KERNEL32(?,?,?,00000001), ref: 004066E9
ReleaseDC.USER32(?,00000000), ref: 00406713
GetWindowRect.USER32(00000000,?), ref: 0040673F
GetWindowPlacement.USER32(00004E20,?,?,?,00000001), ref: 0040679E
MoveWindow.USER32(00004E20,Je@,?,004288B0,?,00000001,?,?,00000001), ref: 004067B9
GetWindowPlacement.USER32(00000000,0000002C,?,?,00000001), ref: 004067C9
MoveWindow.USER32(00000000,Je@,?,004288B0,?,00000001,?,?,00000001), ref: 004067E2

Strings

Je@, xrefs: 004067A0, 004067CB, 004067B5, 004067DE
,, xrefs: 004067BE

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Text$ItemLengthMovePlacement$RectReleaselstrlen
String ID: ,$Je@
API String ID: 164573090-4263041813
Opcode ID: 5a924a46e0964cb4560ff4f314f593002ba69002fee05793ea02d95d0ba3fb20
Instruction ID: e1beeb7fdb40bb4a2b34491f67658044b7a2c85853b20d965bba4cb97e8c323f
Opcode Fuzzy Hash: 5a924a46e0964cb4560ff4f314f593002ba69002fee05793ea02d95d0ba3fb20
Instruction Fuzzy Hash: 54417832C00129BFDF119FA8CC84AEEBBB9FF08304F11406AE905B7290D7759E558B94

Uniqueness

Uniqueness Score: -1.00%

Function 004108C9 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 137registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Netscape\Netscape Navigator\Proxy Information,004106B7), ref: 00410920
RegQueryValueExA.ADVAPI32(004106B7,Proxy Type,00000000,00000000,?,?), ref: 0041098C
RegQueryValueExA.ADVAPI32(004106B7,0000003D,00000000,00000000,?,00000004), ref: 004109CC
lstrcatA.KERNEL32(00000000,00424410), ref: 004109E7
lstrcatA.KERNEL32(00000000,?), ref: 004109F7
RegQueryValueExA.ADVAPI32(004106B7,786F7250,00000000,00000000,?,00000100), ref: 00410A12
lstrcatA.KERNEL32(00000000,004243A8), ref: 00410A24
lstrlenA.KERNEL32(00000000,00423B20,?), ref: 00410A35
wsprintfA.USER32 ref: 00410A43
lstrcatA.KERNEL32(00000000,00423F5C), ref: 00410A58
RegCloseKey.ADVAPI32(004106B7), ref: 00410A9F

Strings

Proxy Type, xrefs: 0041093E
CB, xrefs: 0041095B
CB, xrefs: 00410962
SOFTWARE\Netscape\Netscape Navigator\Proxy Information, xrefs: 00410916

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$QueryValue$CloseOpenlstrlenwsprintf
String ID: Proxy Type$SOFTWARE\Netscape\Netscape Navigator\Proxy Information$CB$CB
API String ID: 405122679-921548449
Opcode ID: 792a520ffd6436598e9ce95ac8550981cad981c50514454317a4b48f688d3980
Instruction ID: 8dcaaf4e8222b515414466cd15961d9994fa9a7b0fd01cf22d36f0d6e00c71bf
Opcode Fuzzy Hash: 792a520ffd6436598e9ce95ac8550981cad981c50514454317a4b48f688d3980
Instruction Fuzzy Hash: 1E51FCB1A0022DAADF11DF94DC44BDEBBB8FF48304F5080A6E604B6151D7B59A89CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00402290 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402295
wsprintfA.USER32 ref: 00402341
GetLastError.KERNEL32(?,?,80400100,00000000,00000006,ftp://,00000000), ref: 00402400
GetLastError.KERNEL32 ref: 00402406

Strings

Referer: %s, xrefs: 0040233B
http://, xrefs: 004022FD
dwplayer, xrefs: 00402386, 004023B7
ftp://, xrefs: 00402318, 0040234B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$H_prologwsprintf
String ID: Referer: %s$dwplayer$ftp://$http://
API String ID: 3576247870-3801330208
Opcode ID: 9213cbc341b3dcc39c2dab24085b279192db12d2e5410281de2f8ec712b85222
Instruction ID: 70bae92ae91b166ea256a3f8d8b0686ee6c106b2f86f81336bd2aaedd10af87f
Opcode Fuzzy Hash: 9213cbc341b3dcc39c2dab24085b279192db12d2e5410281de2f8ec712b85222
Instruction Fuzzy Hash: 41C1C270A00209EFDB10DFA4CA889EEBBB5AF04304F24817EE415B72D1CB789E45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406870 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 184windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FDD6: wsprintfA.USER32 ref: 0040FDF8
Part of subcall function 0040FDD6: CharNextA.USER32(?), ref: 0040FE07
Part of subcall function 0040FDD6: CharNextA.USER32(00000000), ref: 0040FE0A
Part of subcall function 0040FDD6: lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040FE47
Part of subcall function 0040FDD6: wsprintfA.USER32 ref: 0040FE55
Part of subcall function 0040FDD6: GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,00000000,0000007F,?), ref: 0040FE75
Part of subcall function 0040FDD6: VerLanguageNameA.VERSION(?,00000000,0000007F), ref: 0040FE8B

lstrcmpiA.KERNEL32(?,?), ref: 0040694F
VerLanguageNameA.VERSION(000003FF,?,0000007F,?,?,?,?,?,?,?,?,?,00000000), ref: 00406974
lstrcmpiA.KERNEL32(?,?), ref: 00406987
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004069AC
SendMessageA.USER32(00000001,00000143,00000000,?), ref: 004069C4
SendMessageA.USER32(00000001,00000151,00000000,00000000), ref: 004069E1
lstrcpyA.KERNEL32(?,Slovenian,?,?,?,?,?,?,00000000), ref: 00406A19
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406A3A
SendMessageA.USER32(00000001,00000143,00000000,?), ref: 00406A51
SendMessageA.USER32(00000001,00000151,00000000,004065AA), ref: 00406A6A
SendMessageA.USER32(00000001,0000014C,00000000,?), ref: 00406A95
SendMessageA.USER32(00000001,0000014E,00000000,00000000), ref: 00406AA8

Strings

Slovenian, xrefs: 00406A0D
Basque, xrefs: 00406A06

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcpy$CharLanguageNameNextlstrcmpiwsprintf$PrivateProfileStringlstrcat
String ID: Basque$Slovenian
API String ID: 1642949316-3822051040
Opcode ID: 4f56e1c34031bf389b6fb32b3afbbb39d3980072d499784a1a66c5faaafa0446
Instruction ID: ddca2ca38bf87a601c8406b6a3552065ad4a4b524ee7653e07e3f3351f08a7ea
Opcode Fuzzy Hash: 4f56e1c34031bf389b6fb32b3afbbb39d3980072d499784a1a66c5faaafa0446
Instruction Fuzzy Hash: 24616E72A00118AFDB21DF64DC45BFA77B8FB04310F54417BEA1AE22D0DB789E558B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAC0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 117registrystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SetupBitmapCls,00000000,?,?), ref: 0040DAD5
LoadCursorA.USER32(00000000,00007F00), ref: 0040DB06
GetClassInfoA.USER32(?,SetupBitmapCls,?), ref: 0040DB26
RegisterClassA.USER32(00000003), ref: 0040DB34
GetObjectA.GDI32(00000000,00000018,00000065), ref: 0040DB7E
GetSystemMetrics.USER32(00000000), ref: 0040DB8B
GetSystemMetrics.USER32(00000001), ref: 0040DB9A
CreateWindowExA.USER32(00000080,SetupBitmapCls,SetupBitmapWin,86000000,0040CE5E,?,?,?,00000000,00000000,?,00000000), ref: 0040DBD3
GetLastError.KERNEL32(?,?), ref: 0040DBDF
SetWindowLongA.USER32(00000000,00000000,00000000), ref: 0040DBED
ShowWindow.USER32(00000000,00000005,?,?), ref: 0040DBFC
UpdateWindow.USER32(?), ref: 0040DC08

Strings

SetupBitmapWin, xrefs: 0040DBC4
SetupBitmapCls, xrefs: 0040DAC8, 0040DAD1, 0040DB19, 0040DBC9

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClassMetricsSystem$CreateCursorErrorInfoLastLoadLongObjectRegisterShowUpdatelstrcpy
String ID: SetupBitmapCls$SetupBitmapWin
API String ID: 2500980582-250169166
Opcode ID: 0a3a0cca49f73142af5d9e40e0f9517886bd5935003b6e5d10a12fcd3d0b032e
Instruction ID: 943cae74bbb7521a363dcd7cd06ab62984987df02fff16654b629b00744cf693
Opcode Fuzzy Hash: 0a3a0cca49f73142af5d9e40e0f9517886bd5935003b6e5d10a12fcd3d0b032e
Instruction Fuzzy Hash: 74413D75A00609AFDB14DFA4DC89ADEBBF8FF08340F10853AF619E6290DB74A8458B54

Uniqueness

Uniqueness Score: -1.00%

Function 004059F5 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000400), ref: 00405A0E
GetWindowRect.USER32(00000000,?), ref: 00405A17
GetSystemMetrics.USER32(00000001), ref: 00405A21
GetSystemMetrics.USER32(00000000), ref: 00405A25
SetRect.USER32(?,00000000,00000000,00000000), ref: 00405A2E
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 00405A65
IsWindow.USER32(00000000), ref: 00405A6E
GetWindowRect.USER32(00000000,?), ref: 00405A84
IntersectRect.USER32(?,?,?), ref: 00405A92
SubtractRect.USER32(?,?,?), ref: 00405AAE
SetWindowPos.USER32(00000000,?,000003E8,0000001E,00000000,00000000,00000005,0000001E), ref: 00405AEE

Strings

Shell_TrayWnd, xrefs: 00405A60
F, xrefs: 00405A7B
}Y@, xrefs: 00405A34

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: RectWindow$MetricsSystem$FindIntersectSubtract
String ID: F$Shell_TrayWnd$}Y@
API String ID: 301737298-384065333
Opcode ID: 5f0b646f574c52cebe083708b3664f4df21bb1a480be9bc3117e514a87467508
Instruction ID: f42eba0711d49148488fa414f48d51c3028ed0daf7597b248b072a666f8ba4bb
Opcode Fuzzy Hash: 5f0b646f574c52cebe083708b3664f4df21bb1a480be9bc3117e514a87467508
Instruction Fuzzy Hash: 9C31BDB2A0010DAFDB10DFE8DD88EEFBBBDEB48744F118126E911E7151D674A9098B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401087 Relevance: 24.2, APIs: 16, Instructions: 152filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(0040CE5E,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?,00000000,0040CE5E), ref: 004010A5
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,0040CE5E), ref: 004010BF
GlobalAlloc.KERNEL32(00000042,0000000A,?,?,?,00000000,0040CE5E), ref: 004010CD
CloseHandle.KERNEL32(00000000,?,?,?,00000000,0040CE5E), ref: 004010DB

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocCloseCreateGlobalHandleSize
String ID:
API String ID: 2025735303-0
Opcode ID: bb6525e44aadccb1485e61962a0d3831869c04f799ad6fd960217bbe137bdcf9
Instruction ID: 3ed20fea9783f43bbddea41fcdd8d6832afeac58d9e24c10f20fc1b707560d4f
Opcode Fuzzy Hash: bb6525e44aadccb1485e61962a0d3831869c04f799ad6fd960217bbe137bdcf9
Instruction Fuzzy Hash: BA518071540604FBDB209F64DC08F9A7FA4EB09321F20C63AF65AEA2F1D7789945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00406D4D Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406D52
VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00406D92
VariantClear.OLEAUT32(?), ref: 00406F56

Strings

{1C370964-514B-321C-7237-2B4FD86D8568}, xrefs: 00406ECF, 00406EDF
{021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}, xrefs: 00406EC8
{6741C120-01BA-87F9-8734-5FB9DA8A4445}, xrefs: 00406E04
{F279058C-50B2-4BE4-60C9-369CACF06821}, xrefs: 00406DF5
{78705f0d-e8db-4b2d-8193-982bdda15ecd}, xrefs: 00406DEB
{9B29D757-088E-E8C9-2535-AA319B92C00A}, xrefs: 00406DE1
{E7E2C871-090A-C372-F9AE-C3C6A988D260}, xrefs: 00406E60
Software\Microsoft\Active Setup\Installed Components\%s, xrefs: 00406F10
{F1B13231-13BE-1231-5401-486BA763DEB6}, xrefs: 00406E33
{7E76A8D6-33D1-0032-16C3-4593092861D0}, xrefs: 00406E99

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ChangeClearH_prologType
String ID: Software\Microsoft\Active Setup\Installed Components\%s${021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}${1C370964-514B-321C-7237-2B4FD86D8568}${6741C120-01BA-87F9-8734-5FB9DA8A4445}${78705f0d-e8db-4b2d-8193-982bdda15ecd}${7E76A8D6-33D1-0032-16C3-4593092861D0}${9B29D757-088E-E8C9-2535-AA319B92C00A}${E7E2C871-090A-C372-F9AE-C3C6A988D260}${F1B13231-13BE-1231-5401-486BA763DEB6}${F279058C-50B2-4BE4-60C9-369CACF06821}
API String ID: 2549134154-3581822646
Opcode ID: 0da5fea9b6817eb2b90f6a28f8be48562675c424caa196ee20259212885dcfd5
Instruction ID: 341071a5372c8b553f58bac332f955cb5c518103b4ef24d0e9d78e36c2756e0c
Opcode Fuzzy Hash: 0da5fea9b6817eb2b90f6a28f8be48562675c424caa196ee20259212885dcfd5
Instruction Fuzzy Hash: 1E518F74A01258AADB14DB95C945BEEBBB8EF14304F51807BE106B32C2D7385F15CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004038E9 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 142libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004038EE
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 00403913
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00403954
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,?), ref: 00403979
GetProcAddress.KERNEL32(?,WTHelperProvDataFromStateData), ref: 004039E3
GetProcAddress.KERNEL32(?,WTHelperGetProvSignerFromChain), ref: 004039FB
GetProcAddress.KERNEL32(?,WTHelperGetProvCertFromChain), ref: 00403A1A

Strings

WTHelperProvDataFromStateData, xrefs: 004039DC
WinVerifyTrust, xrefs: 0040390D
WTHelperGetProvCertFromChain, xrefs: 00403A13
WTHelperGetProvSignerFromChain, xrefs: 004039F4
<, xrefs: 004039B5
2B, xrefs: 004039AC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ByteCharMultiWide$H_prolog
String ID: 2B$<$WTHelperGetProvCertFromChain$WTHelperGetProvSignerFromChain$WTHelperProvDataFromStateData$WinVerifyTrust
API String ID: 2820147231-2421257245
Opcode ID: 1fc87653b629af27579866f5b19f1f4087add94d12e39d7d897f10f1879e61c3
Instruction ID: 6a62ba82e06ecb5570f742511ad3b3dea378c9beb47ea45312dea3352a645477
Opcode Fuzzy Hash: 1fc87653b629af27579866f5b19f1f4087add94d12e39d7d897f10f1879e61c3
Instruction Fuzzy Hash: B15114B1D00258AFDB10DFA4DC85AEEBBB8EF08354F20412AF424B7291C7789E448F64

Uniqueness

Uniqueness Score: -1.00%

Function 00401DA8 Relevance: 21.2, APIs: 14, Instructions: 158memorywindowfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401DAD

Part of subcall function 00401F67: lstrlenA.KERNEL32(?,?,00000000,00401DC4,?,75BF8400,00000000), ref: 00401F70

CopyFileA.KERNEL32(?,00000451,00000000), ref: 00401DD0
SysAllocStringLen.OLEAUT32(00000000,00000400), ref: 00401E0E
MultiByteToWideChar.KERNEL32(00000000,00000001,?,000000FF,00000000,00000400), ref: 00401E25
SysAllocStringLen.OLEAUT32(00000000,00000400), ref: 00401E2D
MultiByteToWideChar.KERNEL32(00000000,00000001,00000451,000000FF,00000000,00000400), ref: 00401E40
CreateThread.KERNEL32(00000000,00000000,00401D62,?,00000000,?), ref: 00401E91
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00401EB5
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00401ECC
DispatchMessageA.USER32(?), ref: 00401EEB

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocByteCharMessageMultiStringWide$CopyCreateDispatchFileH_prologMultipleObjectsPeekThreadWaitlstrlen
String ID:
API String ID: 3407787643-0
Opcode ID: aebbdfcba6c4f3aa85e104fe1cb846ad22dfdf49ce8c4e2672f0d521fd337f6f
Instruction ID: d015caec1313354450c303787664e2fc2b3fae425087dc06de4e01f474e03ec6
Opcode Fuzzy Hash: aebbdfcba6c4f3aa85e104fe1cb846ad22dfdf49ce8c4e2672f0d521fd337f6f
Instruction Fuzzy Hash: C9516B71400209BFDB10AF65DC84EEEBBB9FB45364F10863AF915A62E0C7789E45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00406449 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 141windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406C42: wsprintfA.USER32 ref: 00406C54
Part of subcall function 00406C42: CharNextA.USER32(?,00000000), ref: 00406C7E
Part of subcall function 00406C42: CharNextA.USER32(00000000), ref: 00406C81

SetWindowTextA.USER32(?,?), ref: 004064EB
GetDlgItem.USER32(?,00004E21), ref: 00406559
GetWindowPlacement.USER32(00000000,?), ref: 0040656D
DestroyWindow.USER32(00000000), ref: 00406584
GetDlgItem.USER32(?,000003ED), ref: 00406590
SendMessageA.USER32(00000000,00000146,00000000,00000000), ref: 004065C0
EndDialog.USER32(?,00000001), ref: 004065DA
EndDialog.USER32(?,000000FD), ref: 004065F2

Strings

Description, xrefs: 00406508
,, xrefs: 00406564
CANCEL, xrefs: 00406534

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CharDialogItemNext$DestroyMessagePlacementSendTextwsprintf
String ID: ,$CANCEL$Description
API String ID: 595805203-797421613
Opcode ID: fd05284ac7cf695265b028cceeea5924f8a81cc6caf0cad93ed09fff39096333
Instruction ID: d2158c8946add76409410a689cbd27c7bd299c0dd38582cb8f2754c5ee5949e1
Opcode Fuzzy Hash: fd05284ac7cf695265b028cceeea5924f8a81cc6caf0cad93ed09fff39096333
Instruction Fuzzy Hash: C041B472601214BBE721AB51EC42FAE326CEB85744F45403AFD06F21D1EA7C9A168A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00410EA6 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041106F: lstrlenA.KERNEL32(?,00000000,00410EC8,network.proxy.type,00410E9A,?,00000000,?,00410E9A,?,?,?,?,?,00000000), ref: 00411088

lstrcatA.KERNEL32(00000000,00424410,0000003D,00410E9A,00000001), ref: 00410F87
lstrcatA.KERNEL32(?,004243A8,786F7250,00410E9A,00000001), ref: 00410FC0
lstrcatA.KERNEL32(?,00423F5C,786F7250,00410E9A,00000001), ref: 00410FE3
lstrcpynA.KERNEL32(00000000,00410E9A,00000001,00000001,0000003D,00410E9A,00000001), ref: 00411018

Strings

network.proxy.type, xrefs: 00410EBE
"network.proxy.no_proxies_on", xrefs: 00410FFB
CB, xrefs: 00410F34
PEB, xrefs: 00410F50
"network.proxy.autoconfig_url", xrefs: 00411062
dEB, xrefs: 00410F42
4EB, xrefs: 00410F57

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$lstrcpynlstrlen
String ID: "network.proxy.autoconfig_url"$"network.proxy.no_proxies_on"$4EB$PEB$dEB$network.proxy.type$CB
API String ID: 4136844717-740126210
Opcode ID: d708affc206eacaec820fc3e181d52612ee3e608394be95815f97020671cc1fb
Instruction ID: 9de840754a46e010e070f4fe8a2492d2bae018de78a18aafa1afdadd5714b2fa
Opcode Fuzzy Hash: d708affc206eacaec820fc3e181d52612ee3e608394be95815f97020671cc1fb
Instruction Fuzzy Hash: 41514F75E0025CABDF11DF90D940ADEBBB9EB48304F5040AAE640B6251DB799B88CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00407082 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198registrystringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407087

Part of subcall function 0040AAB9: __EH_prolog.LIBCMT ref: 0040AABE
Part of subcall function 0040AAB9: GetLastError.KERNEL32(?,?,00000000,?,0040A9C2,00000000,00000000,00000001,?,0040D97A,-00001060,0000000F,00000001), ref: 0040AAE7
Part of subcall function 0040AAB9: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A9C2,00000000,00000000,00000001,?,0040D97A,-00001060,0000000F,00000001), ref: 0040AB15

Part of subcall function 00406D4D: __EH_prolog.LIBCMT ref: 00406D52
Part of subcall function 00406D4D: VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00406D92
Part of subcall function 00406D4D: VariantClear.OLEAUT32(?), ref: 00406F56

lstrlenW.KERNEL32(0041F5DC,?,00000000,?,00000001,00000000), ref: 004070F4
WideCharToMultiByte.KERNEL32(00000000,00000000,0041F5DC,000000FF,?,?,00000000,00000000), ref: 00407120

Part of subcall function 0040A992: __EH_prolog.LIBCMT ref: 0040A997
Part of subcall function 0040A992: SetLastError.KERNEL32(?,00000000,00000000,00000001,?,0040D97A,-00001060,0000000F,00000001), ref: 0040A9FD

Part of subcall function 00407008: __EH_prolog.LIBCMT ref: 0040700D
Part of subcall function 00407008: GetLastError.KERNEL32(?,00000001,?,0040D9AA,00000000,00000000,-00001060,0000000F,00000001), ref: 00407030
Part of subcall function 00407008: SysFreeString.OLEAUT32(?), ref: 0040704E
Part of subcall function 00407008: SetLastError.KERNEL32(?,00000001,?,0040D9AA,00000000,00000000,-00001060,0000000F,00000001), ref: 0040706E

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,0041F5DC,?,?,00000000,00000000), ref: 0040713C
RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 004071AB
RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 004071E6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000), ref: 004072D8

Strings

d9B, xrefs: 00407224
Version, xrefs: 004071A3
`9B, xrefs: 0040724B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorH_prologLast$CloseVariant$ByteChangeCharClearFreeMultiOpenQueryStringTypeValueWidelstrlen
String ID: Version$`9B$d9B
API String ID: 960358220-1685220936
Opcode ID: 7276e132223a57e0333424c27e40ad815cc37ada8dfd5633fe3eb23673707c14
Instruction ID: bfcb4f5dfc5b3c7304563620bd43603a31243f6c7c85e80e1cc4a6bf95e520e8
Opcode Fuzzy Hash: 7276e132223a57e0333424c27e40ad815cc37ada8dfd5633fe3eb23673707c14
Instruction Fuzzy Hash: 88818C71904249EEDF11DFA5C845BEEBBB8BF04318F10816EE409B7282DB786A49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCD7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowprocesssynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,5v@,?,?,?,?,?,75BF8400), ref: 0040FD2D
MsgWaitForMultipleObjects.USER32(00000001,5v@,00000000,000000FF,000000FF), ref: 0040FD4F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0040FD65
TranslateMessage.USER32(?), ref: 0040FD75
DispatchMessageA.USER32(?), ref: 0040FD7F
WaitForSingleObject.KERNEL32(5v@,00000000,?,?,?,?,?,75BF8400), ref: 0040FD9B
GetExitCodeProcess.KERNEL32(5v@,CCCCCCCC), ref: 0040FDAE
CloseHandle.KERNEL32(?,?,?,?,?,?,75BF8400), ref: 0040FDC5
CloseHandle.KERNEL32(?,?,?,?,?,?,75BF8400), ref: 0040FDCA

Strings

5v@, xrefs: 0040FCE3, 0040FD17, 0040FD49, 0040FDAB, 0040FD98, 0040FCE7, 0040FD1D, 0040FD4D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$CloseHandleProcessWait$CodeCreateDispatchExitMultipleObjectObjectsPeekSingleTranslate
String ID: 5v@
API String ID: 2433874925-3529007497
Opcode ID: 2adb399738768b65386d6a0e78781aba8d47694f1d278f368c0a3c691b1303b0
Instruction ID: 4f3217057ddd8f0818a4581c8a3c92397f1ae0f6bef53ae2eeeb357b69afea33
Opcode Fuzzy Hash: 2adb399738768b65386d6a0e78781aba8d47694f1d278f368c0a3c691b1303b0
Instruction Fuzzy Hash: 5F311871901129BACB20DBA6DD48DEFBFBCEF49761B604036F505A2190D6349A09CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040960A Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040960F
LoadLibraryA.KERNEL32(Msi.DLL,00000001,74DEF4E0,00000000,?,?,00000000,0040CE83,00000451), ref: 00409627
GetProcAddress.KERNEL32(00000000,MsiSetInternalUI), ref: 00409646
GetProcAddress.KERNEL32(00000000,MsiInstallProductA), ref: 00409658
FreeLibrary.KERNEL32(00000000,?,00000000,0040CE83,00000451), ref: 004096B7
FreeLibrary.KERNEL32(00000000,?,00000000,0040CE83,00000451), ref: 004096C7

Strings

REBOOT=ReallySuppress ADDLOCAL=All, xrefs: 0040965E
MsiInstallProductA, xrefs: 00409652
Msi.DLL, xrefs: 00409622
MsiSetInternalUI, xrefs: 00409640

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressFreeProc$H_prologLoad
String ID: Msi.DLL$MsiInstallProductA$MsiSetInternalUI$REBOOT=ReallySuppress ADDLOCAL=All
API String ID: 2362482000-2404585225
Opcode ID: 8eed044f8f0ca2e0fd3b1e39a8baa91e007ccbe9a6123743f9a5fd91bed9d627
Instruction ID: 58cb031d8671977dcb4f627618243f7fdc2d2e00d185b5e060e72d522ac0f396
Opcode Fuzzy Hash: 8eed044f8f0ca2e0fd3b1e39a8baa91e007ccbe9a6123743f9a5fd91bed9d627
Instruction Fuzzy Hash: CA21A131A10214AAE710AF65DC01BFE7B74EF88B11F10843BF815B62D2DB7D8D058A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00411859 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FF30: LoadLibraryA.KERNEL32(wininet.dll,00000000,0040287D,?,00000000,?,004026C6,?,?,00000000,00000006,ftp://,00000000), ref: 0040FF45
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0040FF65
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetOpenUrlA), ref: 0040FF77
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetConnectA), ref: 0040FF89
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetCrackUrlA), ref: 0040FF9B
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetCreateUrlA), ref: 0040FFAD
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetCloseHandle), ref: 0040FFBF
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetReadFile), ref: 0040FFD1
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 0040FFE3
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 0040FFF5
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetGetLastResponseInfoA), ref: 00410007
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00410019
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 0041002B
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetAutodial), ref: 0041003D
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetErrorDlg), ref: 0041004F
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(HttpOpenRequestA), ref: 00410061
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(HttpSendRequestA), ref: 00410073
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(HttpSendRequestExA), ref: 00410085
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(HttpEndRequestA), ref: 00410097
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetQueryOptionA), ref: 004100A9
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetQueryDataAvailable), ref: 004100BB
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetCanonicalizeUrlA), ref: 004100CD
Part of subcall function 0040FF30: GetProcAddress.KERNEL32(InternetSetStatusCallbackA), ref: 004100DF

SetLastError.KERNEL32(00002EE6,?,00000000,00000001), ref: 004118C2

Part of subcall function 004102F3: SetLastError.KERNEL32(0000007F,00411AB9,?,00000000,00000000,0000003C,00000000,00000001,?,0041188D,?,00000000,00000001), ref: 0041030B

lstrcmpiA.KERNEL32(?,?), ref: 00411945
lstrlenA.KERNEL32(?,?,?,?,00000000,00000001), ref: 0041198D
lstrcpyA.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004119A1
lstrlenA.KERNEL32(?,?,00000000,00000001), ref: 004119A6
lstrcpyA.KERNEL32(00000000,?), ref: 004119BC
lstrcatA.KERNEL32(00000000,?), ref: 004119C9

Part of subcall function 00410277: SetLastError.KERNEL32(0000007F), ref: 00410292

Strings

<, xrefs: 00411872
GET, xrefs: 004119E2

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ErrorLast$lstrcpylstrlen$LibraryLoadlstrcatlstrcmpi
String ID: <$GET
API String ID: 4248792880-427699995
Opcode ID: 00cdc1b7b45a9b81b0ad9ce531c665a08bae25ab33a9bd255061adeacd934bc9
Instruction ID: d454bed951bc937fea2474256ee7df80ba3e9a54d2215ff14b635aa7a0d2b20a
Opcode Fuzzy Hash: 00cdc1b7b45a9b81b0ad9ce531c665a08bae25ab33a9bd255061adeacd934bc9
Instruction Fuzzy Hash: 27518E71900109FBCF11AFA1DC45EDE7F79FF44340F14802AFA15A6161D7798A92DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004092FD Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 101registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00409363

Part of subcall function 00407BD1: RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,000F003F,00000000,80000002,?,?,00408C98,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000), ref: 00407BEB
Part of subcall function 00407BD1: RegCloseKey.ADVAPI32(?,?,00408C98,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,00000000,00000000), ref: 00407BFC

RegQueryValueExA.ADVAPI32(?,InstallerLocation,00000000,?,?,00000451,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,00000001), ref: 00409405
SetCurrentDirectoryA.KERNEL32(?), ref: 00409412
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,00000001), ref: 00409420

Strings

Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 004093B0
"%s" /q, xrefs: 00409349
InstallerLocation, xrefs: 004093FA
2.0.2600.0, xrefs: 00409336
"%s" /c:"msiinst /delayrebootq", xrefs: 00409357

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$CurrentDirectoryOpenQueryValuewsprintf
String ID: "%s" /c:"msiinst /delayrebootq"$"%s" /q$2.0.2600.0$InstallerLocation$Software\Microsoft\Windows\CurrentVersion\Installer
API String ID: 1126078984-2648366974
Opcode ID: 60ced0822bc46b774d62c44b454e71d9866ff17e15e27a56cf554e815e71a3d9
Instruction ID: 5281ee353c064b749b0e99f1f95fda547c98ee70bd910d36824a3aff268f5237
Opcode Fuzzy Hash: 60ced0822bc46b774d62c44b454e71d9866ff17e15e27a56cf554e815e71a3d9
Instruction Fuzzy Hash: 5631D872604208FFDB149F64DC45ACA7B68AB48344F50C47BF944B62C2D6789E858B59

Uniqueness

Uniqueness Score: -1.00%

Function 00408DDA Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81stringregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,6CBE7B60,80000002), ref: 00408E26
GetModuleFileNameA.KERNEL32(?,00000208), ref: 00408E49
lstrcatA.KERNEL32(00000022," /%), ref: 00408E61
lstrcatA.KERNEL32(00000022,00000000), ref: 00408E7A
lstrcatA.KERNEL32(00000022,00000000), ref: 00408E98
lstrlenA.KERNEL32(00000022), ref: 00408EA1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000022,00000001), ref: 00408EB9

Strings

", xrefs: 00408E3C
" /%, xrefs: 00408E5B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$Value$FileModuleNameQuerylstrlen
String ID: "$" /%
API String ID: 2867228763-2760458533
Opcode ID: 2e5aca85e3162b05d1547660b122ace4ea25b00408d703b3d32fefe4402ee6e3
Instruction ID: a98ef6092016a955b5d434545a23420013631c4a190c04f4a62e860cd62ae0a7
Opcode Fuzzy Hash: 2e5aca85e3162b05d1547660b122ace4ea25b00408d703b3d32fefe4402ee6e3
Instruction Fuzzy Hash: 672141B2D4011DBBDB11DBA0DD49BDE7B7CEB58311F1080B6A509F2190DA749B498F64

Uniqueness

Uniqueness Score: -1.00%

Function 0041070A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 80stringregistryCOMMON

Download Yara Rule

APIs

RegQueryValueA.ADVAPI32(80000000,.htm,?,00000000), ref: 0041073B
lstrcatA.KERNEL32(?,\shell\open\command), ref: 00410751
RegQueryValueA.ADVAPI32(80000000,?,?,00000104), ref: 00410771
lstrlenA.KERNEL32(?), ref: 00410782
CharLowerBuffA.USER32(?,00000000), ref: 00410790
lstrcpynA.KERNEL32(?,?,-0000000D), ref: 004107C7

Part of subcall function 00411E48: GetFileVersionInfoSizeA.VERSION(?,?,00000000,?,004107E4,?), ref: 00411E58
Part of subcall function 00411E48: GetFileVersionInfoA.VERSION(?,?,?,00000000,?,?,00000000,?,004107E4,?), ref: 00411E78
Part of subcall function 00411E48: VerQueryValueA.VERSION(?,00423C94,004107E4,?,?,?,?,00000000,?,?,00000000,?,004107E4,?), ref: 00411E91

Part of subcall function 0041086E: InterlockedDecrement.KERNEL32(00412FD1), ref: 00410874

Strings

netscape.exe, xrefs: 0041079C
.htm, xrefs: 0041072B
\shell\open\command, xrefs: 0041074B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$FileInfoVersion$BuffCharDecrementInterlockedLowerSizelstrcatlstrcpynlstrlen
String ID: .htm$\shell\open\command$netscape.exe
API String ID: 2323798835-348284140
Opcode ID: e4f05516b473ca2e6f2bc1503f9a90c71bb3e6f7c2734cafd50cd7d5b1b6ee8a
Instruction ID: 8f8f487036de5bb914c985387ce7c1daeeaa83d007af129c00fcf38c015d5eb5
Opcode Fuzzy Hash: e4f05516b473ca2e6f2bc1503f9a90c71bb3e6f7c2734cafd50cd7d5b1b6ee8a
Instruction Fuzzy Hash: BB21657690061DEBDB10DBE0DD48EDEB7BCEF44305F1001AAA505E7250D7B89BC98B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC18 Relevance: 15.1, APIs: 10, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 0040DC27
DefWindowProcA.USER32(?,00000002,?,?), ref: 0040DC58
GetDC.USER32(?), ref: 0040DC76
SelectPalette.GDI32(00000000,?,00000000), ref: 0040DC80
RealizePalette.GDI32(00000000), ref: 0040DC87
ReleaseDC.USER32(00000000,00000000), ref: 0040DC9A
GetDC.USER32(00000000), ref: 0040DCA5
ReleaseDC.USER32(00000000,00000000), ref: 0040DCC1
BeginPaint.USER32(?,?), ref: 0040DCD1
EndPaint.USER32(?,?), ref: 0040DCF4

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PaintPaletteReleaseWindow$BeginLongProcRealizeSelect
String ID:
API String ID: 1992308970-0
Opcode ID: 5bb52cb42f028abd9ea18cda19b317b3653256121ea963afede6a61d3bd16927
Instruction ID: da12acdbde2d7202721e727bbadc5c305af507cc7501287e1c3980dfc4ab96ef
Opcode Fuzzy Hash: 5bb52cb42f028abd9ea18cda19b317b3653256121ea963afede6a61d3bd16927
Instruction Fuzzy Hash: FA31B532804208BBDB125FA0DD48EAF7B79FF44700F04803AFA15A22A0C375D955DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004098A9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 205windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004098AE
SendMessageA.USER32(00000401,00000000,00000001,00000451), ref: 004098F2
wsprintfA.USER32 ref: 004099B5
wsprintfA.USER32 ref: 00409A47

Part of subcall function 0040EBAF: wsprintfA.USER32 ref: 0040EBE5
Part of subcall function 0040EBAF: wvsprintfA.USER32(?,?,?), ref: 0040EC00

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 0040994C

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$H_prologMessageSendwvsprintf
String ID: C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 4186911900-2024452353
Opcode ID: 93f7413ad64467d8f4f7fbad6551a9a47f2031534a847f29d3abe292d407582d
Instruction ID: aa0f7b490e1ecfe213bcad85d5f173008e9b01d156b0ef159d66e7d6f7f86d91
Opcode Fuzzy Hash: 93f7413ad64467d8f4f7fbad6551a9a47f2031534a847f29d3abe292d407582d
Instruction Fuzzy Hash: D271D571A0025DEFDF10DBA4DC41ADEBB79BB04304F0044BAEA09B21D1EA795E59CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041173B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410484: SetLastError.KERNEL32(0000007F,00411755,?,00000000,E%@,?,00002F00,?,?,004113EC,00000000), ref: 0041049C

wsprintfA.USER32 ref: 004117A5
lstrcatA.KERNEL32(?,00001000,E%@,?,00002F00,?,?,004113EC,00000000), ref: 004117B9
ResetEvent.KERNEL32(?,E%@,?,00002F00,?,?,004113EC,00000000), ref: 004117C7
GetLastError.KERNEL32(?,004113EC,00000000), ref: 004117E8

Part of subcall function 004104B1: SetLastError.KERNEL32(0000007F,0041176D,?,00000000,E%@,?,00002F00,?,?,004113EC,00000000), ref: 004104C9

ResetEvent.KERNEL32(?,E%@,?,00002F00,?,?,004113EC,00000000), ref: 0041182B

Strings

Range: bytes=%d-, xrefs: 00411796
Range: bytes=%d-, xrefs: 0041179D
E%@, xrefs: 00411743

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EventReset$lstrcatwsprintf
String ID: E%@$Range: bytes=%d-$Range: bytes=%d-
API String ID: 4195990047-3543219724
Opcode ID: 5646e347fde6d50864c07478f6c3f7d1e9609bc75d6cbbb7386aca67c6b2707c
Instruction ID: ebc2aadffaacfdbe01e45abad9207fa22b18bc638f1606cd9407a5b0d270aefc
Opcode Fuzzy Hash: 5646e347fde6d50864c07478f6c3f7d1e9609bc75d6cbbb7386aca67c6b2707c
Instruction Fuzzy Hash: E9419171200610EFDB219F55DC84DA7B7EAEF05324324892EF6A682AB0C735ECC19B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C5F5

Part of subcall function 0040C7F5: SysStringLen.OLEAUT32(?), ref: 0040C811
Part of subcall function 0040C7F5: SysAllocStringLen.OLEAUT32(?,00000000), ref: 0040C81B

wsprintfA.USER32 ref: 0040C676
SysStringLen.OLEAUT32(00000000), ref: 0040C691

Part of subcall function 0040C75A: SysAllocStringLen.OLEAUT32(00000000,0041F4A8), ref: 0040C781

wsprintfA.USER32 ref: 0040C6CB
SysStringLen.OLEAUT32(?), ref: 0040C6E6
wsprintfA.USER32 ref: 0040C703
SysStringLen.OLEAUT32(?), ref: 0040C71B

Strings

%d , xrefs: 0040C670, 0040C6C5, 0040C6FD

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$wsprintf$Alloc$H_prolog
String ID: %d
API String ID: 2476474016-4214805362
Opcode ID: 6f07cca65dd0c5cfc80517f843fbbbf6adb7c82ba021d59b0d7e41aeec6d4786
Instruction ID: ab19f78ec432e35389fb94dbfad5e9c1d685b0ec45c8008b5b11832a815ba691
Opcode Fuzzy Hash: 6f07cca65dd0c5cfc80517f843fbbbf6adb7c82ba021d59b0d7e41aeec6d4786
Instruction Fuzzy Hash: 3A412E75A00119EBCF14EFA5DD80AEEB3B9FF48304F00856AE515B3180DB79AA09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B706 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0041B773
GetStdHandle.KERNEL32(000000F4,0041FF94,00000000,00000000,00000000,?), ref: 0041B849
WriteFile.KERNEL32(00000000), ref: 0041B850

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0041B81F
<program name unknown>, xrefs: 0041B783
Runtime Error!Program: , xrefs: 0041B7D9
`pB, xrefs: 0041B721
..., xrefs: 0041B7C5

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $`pB
API String ID: 3784150691-777092070
Opcode ID: 52bb7cd367a75b0683a659d76b9107db961eef7d4bc57e3bc9bb79fb6dad192a
Instruction ID: fe09af3f5c403617a9caff98d2efa67aa44444d144a397c7618a176632816476
Opcode Fuzzy Hash: 52bb7cd367a75b0683a659d76b9107db961eef7d4bc57e3bc9bb79fb6dad192a
Instruction Fuzzy Hash: 343127B2B40218AFDF20E661ED45FDA37ACEF89308F50006BF544D2180E778A9C68B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D03B Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041B82A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041FF94,?,0041FFE4,?,?,?,Runtime Error!Program: ), ref: 0041D04D
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041D065
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041D076
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0041D083

Strings

GetLastActivePopup, xrefs: 0041D078
GetActiveWindow, xrefs: 0041D070
user32.dll, xrefs: 0041D048
MessageBoxA, xrefs: 0041D05F

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: d145e0fabb31c8ae57904d267066804f186e01ed33601297e0987b9f5d3b4793
Instruction ID: 87314d2632c46300da5881b34d6ee20045557b76515f0c84d07762342841cb7b
Opcode Fuzzy Hash: d145e0fabb31c8ae57904d267066804f186e01ed33601297e0987b9f5d3b4793
Instruction Fuzzy Hash: BA015EB1B002119A97309FB5AC84B9B7EE9EB9C640B40443BE205C2222D6788847CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED12 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040ED2A
CharNextA.USER32(?), ref: 0040ED3C
CharNextA.USER32(00000000), ref: 0040ED3F

Part of subcall function 0040F15E: lstrcpyA.KERNEL32(?,?,00000001,?,00000000), ref: 0040F184
Part of subcall function 0040F15E: CharNextA.USER32(00000000,?,00000000), ref: 0040F19D
Part of subcall function 0040F15E: lstrcpyA.KERNEL32(?,?,?,00000000), ref: 0040F1B6
Part of subcall function 0040F15E: lstrcpyA.KERNEL32(00404C12,00000000,?,00000000), ref: 0040F1BC

Part of subcall function 0040F30D: lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316
Part of subcall function 0040F30D: lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040ED6F

Strings

@, xrefs: 0040ED27
.ini, xrefs: 0040ED67
%#04x, xrefs: 0040ED22
C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI, xrefs: 0040ED4B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$CharNext$lstrcat$wsprintf
String ID: %#04x$.ini$C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI$@
API String ID: 2308228915-2875163118
Opcode ID: 7683d359a23807601d4dfce5f06ab99acaa0f555805527c084ba31fe873b81f4
Instruction ID: b0c1661b301fa64bb38d22197aae97e683fc8e10e2b53a8244b99480385ac44f
Opcode Fuzzy Hash: 7683d359a23807601d4dfce5f06ab99acaa0f555805527c084ba31fe873b81f4
Instruction Fuzzy Hash: C8F03A7190012CBBCF116F50EC05E993F29EB00368F008072BE1865060DA359B6A9B88

Uniqueness

Uniqueness Score: -1.00%

Function 0041C12A Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042003C,00000001,00000000,00000000,74DEE860,00429AAC,?,?,?,0041D518,?,?,?,00000000), ref: 0041C16C
LCMapStringA.KERNEL32(00000000,00000100,00420038,00000001,00000000,00000000,?,?,0041D518,?,?,?,00000000,00000001), ref: 0041C188
LCMapStringA.KERNEL32(?,?,?,0041D518,?,?,74DEE860,00429AAC,?,?,?,0041D518,?,?,?,00000000), ref: 0041C1D1
MultiByteToWideChar.KERNEL32(?,00429AAD,?,0041D518,00000000,00000000,74DEE860,00429AAC,?,?,?,0041D518,?,?,?,00000000), ref: 0041C209
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0041D518,?,00000000,?,?,0041D518,?), ref: 0041C261
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0041D518,?), ref: 0041C277
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0041D518,?), ref: 0041C2AA
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0041D518,?), ref: 0041C312

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: c82b7ae3e96faeafa2d0faeaf22c1e265184ab4f00390003ae5dfbba3497d8cd
Instruction ID: cf58abbda60d21a58dde2433af4dd757cfad5ad6b12e3260a37299e1811fe5e7
Opcode Fuzzy Hash: c82b7ae3e96faeafa2d0faeaf22c1e265184ab4f00390003ae5dfbba3497d8cd
Instruction Fuzzy Hash: 1F514A31980209FFDF228F94DC85ADF7BB9FB49750F10426AF914A1260C37A8891DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401233 Relevance: 13.6, APIs: 9, Instructions: 64windowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,00000418,?,004011BE,00000000,?,?), ref: 0040123B
GlobalLock.KERNEL32(00000000,00000000,00000000,00000000,?,004011BE,00000000,?,?), ref: 0040124D
GetDC.USER32(00000000), ref: 00401283
GetSystemPaletteEntries.GDI32(00000000,00000000,0000000A,00000004), ref: 0040129A
GetSystemPaletteEntries.GDI32(00000000,000000F6,0000000A,000003DC), ref: 004012AB
ReleaseDC.USER32(00000000,00000000), ref: 004012B0
CreatePalette.GDI32(00000000), ref: 004012C2
GlobalUnlock.KERNEL32(00000000,?,004011BE,00000000,?,?), ref: 004012CB
GlobalFree.KERNEL32(00000000), ref: 004012D2

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Palette$EntriesSystem$AllocCreateFreeLockReleaseUnlock
String ID:
API String ID: 685945034-0
Opcode ID: 84dc288f182c1570466e85bd960f8108761bd051ae020a4f7d2028a95e821eb4
Instruction ID: 525c4cc2ce28fecf6233161b2e6c9cf45216dbde464277c0669d16e3ea21a9e2
Opcode Fuzzy Hash: 84dc288f182c1570466e85bd960f8108761bd051ae020a4f7d2028a95e821eb4
Instruction Fuzzy Hash: D9115B36148344BFE3218B60EC48FE77BECDF19715F0480B9F64A97391D5659809C325

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD14 Relevance: 13.6, APIs: 9, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(?,?,00000000), ref: 0040DD43
RealizePalette.GDI32(?), ref: 0040DD49
CreateCompatibleDC.GDI32(?), ref: 0040DD50
GetObjectA.GDI32(?,00000018,?), ref: 0040DD62
SelectObject.GDI32(?,?), ref: 0040DD6E
BitBlt.GDI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00CC0020), ref: 0040DD87
DeleteDC.GDI32(?), ref: 0040DD90
SelectPalette.GDI32(?,?,00000000), ref: 0040DDA0
DrawIcon.USER32(?,00000000,00000000,?), ref: 0040DDAC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PaletteSelect$Object$CompatibleCreateDeleteDrawIconRealize
String ID:
API String ID: 2931627916-0
Opcode ID: 9e11ae602dee7f486c230c17982d1766caf90f1a72159404f6b11d0249746eb4
Instruction ID: 14955d85a2fb63b60c781846b9652b8e33c357bbcb020e2e9830bbab857c6e31
Opcode Fuzzy Hash: 9e11ae602dee7f486c230c17982d1766caf90f1a72159404f6b11d0249746eb4
Instruction Fuzzy Hash: 5311D432801219FBCF229FA5ED48DDF7F39FF09761B108036FA09A1162C6358925DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040620D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B93: GetPrivateProfileIntA.KERNEL32(Languages,Count,00000000,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406BA4

Part of subcall function 00406B4C: GetPrivateProfileStringA.KERNEL32(Languages,Default,004276D0,?,00000013,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406B6C

Part of subcall function 00406097: GetSystemDefaultLCID.KERNEL32(00406279,?,?,?,?,?,?,!N@,00406090,?,?,?,?,004054F4,00000000,00000BBA), ref: 00406097

GlobalAlloc.KERNEL32(00000042,00000001,?,?,?,?,?,?,!N@,00406090,?,?,?,?,004054F4,00000000), ref: 004062A2
GlobalLock.KERNEL32(00000000,?,?,!N@,00406090,?,?,?,?,004054F4,00000000,00000BBA,00000065,?,?,00000000), ref: 004062A9

Part of subcall function 00406BBB: wsprintfA.USER32 ref: 00406BE4
Part of subcall function 00406BBB: GetPrivateProfileStringA.KERNEL32(Languages,?,004276D0,?,00000013,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI), ref: 00406C09

GlobalHandle.KERNEL32 ref: 0040631E
GlobalUnlock.KERNEL32(00000000,?,?,!N@,00406090,?,?,?,?,004054F4,00000000,00000BBA,00000065,?,?,00000000), ref: 00406321
GlobalHandle.KERNEL32 ref: 0040632D
GlobalFree.KERNEL32(00000000), ref: 00406330

Strings

!N@, xrefs: 0040620D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$PrivateProfile$HandleString$AllocDefaultFreeLockSystemUnlockwsprintf
String ID: !N@
API String ID: 2177272023-3739801310
Opcode ID: 7f09e2ef2de0fc269bd7b0829f40000967d68b34e51c130caa9186bde55926f4
Instruction ID: 58d15cf32241941b23ffea42bd941867eab7c7a9fd7cc1454cb85ac04b72b8e3
Opcode Fuzzy Hash: 7f09e2ef2de0fc269bd7b0829f40000967d68b34e51c130caa9186bde55926f4
Instruction Fuzzy Hash: 3D314172600215AFDB20EF66DC0499F3BA8EF54354752443FFC06E72A0EB38D9519B58

Uniqueness

Uniqueness Score: -1.00%

Function 004105CB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041070A: RegQueryValueA.ADVAPI32(80000000,.htm,?,00000000), ref: 0041073B
Part of subcall function 0041070A: lstrcatA.KERNEL32(?,\shell\open\command), ref: 00410751
Part of subcall function 0041070A: RegQueryValueA.ADVAPI32(80000000,?,?,00000104), ref: 00410771
Part of subcall function 0041070A: lstrlenA.KERNEL32(?), ref: 00410782
Part of subcall function 0041070A: CharLowerBuffA.USER32(?,00000000), ref: 00410790
Part of subcall function 0041070A: lstrcpynA.KERNEL32(?,?,-0000000D), ref: 004107C7

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000), ref: 00410602
RegQueryValueExA.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?), ref: 0041062C
RegQueryValueExA.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,?,00000004), ref: 00410651
RegCloseKey.ADVAPI32(00000000), ref: 00410679

Strings

AutoConfigURL, xrefs: 00410649
ProxyEnable, xrefs: 0041061D
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004105F8

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$BuffCharCloseLowerOpenlstrcatlstrcpynlstrlen
String ID: AutoConfigURL$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
API String ID: 194912974-3224623278
Opcode ID: 0bc090a9669bae7499313fdab850517a7dea20976f6372977ed2db55b761f75e
Instruction ID: fc7c89d60b120a78f651fc1d3690fbfaf762ca23cd47414913ff6d445a1810a2
Opcode Fuzzy Hash: 0bc090a9669bae7499313fdab850517a7dea20976f6372977ed2db55b761f75e
Instruction Fuzzy Hash: 0D314C71900219EEDF10DF918D419EEBBB8EB54354F10807BA904A2210DBB88EE4DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004067E9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(e@,?), ref: 004067F9
GetParent.USER32(?), ref: 0040680E
GetSystemMetrics.USER32(00000000), ref: 00406819
GetSystemMetrics.USER32(00000001), ref: 0040682A
GetClientRect.USER32(00000000,?), ref: 00406837
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004065E8,?), ref: 00406862

Strings

e@, xrefs: 004067F6

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsRectSystemWindow$ClientMoveParent
String ID: e@
API String ID: 3434607708-2322025198
Opcode ID: f69e22d10ce75f4464072d192d176d5d391f2d268846de9b42561e855943031c
Instruction ID: d90f52f57b62a261e5f1b0dd2c43a8a1b8ae6fc4bdbb4031cd0dfd089ed26b8d
Opcode Fuzzy Hash: f69e22d10ce75f4464072d192d176d5d391f2d268846de9b42561e855943031c
Instruction Fuzzy Hash: 45113C72A0011AAFDB00DFBCDD4DDEEBF79EB84341F098674F915E2194D670A9058A54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F043 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(COMCTL32,00000000,?,?,?,0040E082,?,00000000), ref: 0040F04E
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040F060
#17.COMCTL32(?,?,?,0040E082,?,00000000), ref: 0040F080
FreeLibrary.KERNEL32(00000000,?,?,?,0040E082,?,00000000), ref: 0040F087

Strings

COMCTL32, xrefs: 0040F049
, xrefs: 0040F075
InitCommonControlsEx, xrefs: 0040F05A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: $COMCTL32$InitCommonControlsEx
API String ID: 145871493-1772614818
Opcode ID: a66aec32ad4e611d115578eb6a6fd513bd4be32b0e16f025c1d325afd4d8f919
Instruction ID: 78f6441d07612d86404b72351ac7faca63b956e63408269415ebb37fa557ff1c
Opcode Fuzzy Hash: a66aec32ad4e611d115578eb6a6fd513bd4be32b0e16f025c1d325afd4d8f919
Instruction Fuzzy Hash: C0E09271501620FBC7209B90EC0DBDE3EA8EF0C751F408135F806A1282DBB89A4EC6BD

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3DF Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00415905), ref: 0041B3FA
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00415905), ref: 0041B40E
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00415905), ref: 0041B43A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00415905), ref: 0041B472
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00415905), ref: 0041B494
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00415905), ref: 0041B4AD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00415905), ref: 0041B4C0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041B4FE

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 79f267f7f3189af74b962c0b837170e94ee892466dd397bfa2ba89b8bcb7ad38
Instruction ID: bdaad77457ee80f370a816b85f46faccd783caf2723ab9684bb57116a6a163e4
Opcode Fuzzy Hash: 79f267f7f3189af74b962c0b837170e94ee892466dd397bfa2ba89b8bcb7ad38
Instruction Fuzzy Hash: 5D31E3B26042157F97217F79DCC48FBBA9CE645328725853BF592C3202DB288CC282ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040D840 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D845
wsprintfA.USER32 ref: 0040D933

Part of subcall function 0040A992: __EH_prolog.LIBCMT ref: 0040A997
Part of subcall function 0040A992: SetLastError.KERNEL32(?,00000000,00000000,00000001,?,0040D97A,-00001060,0000000F,00000001), ref: 0040A9FD

Strings

%s, xrefs: 0040D954
%s"%s", xrefs: 0040D946
%s%s, xrefs: 0040D927

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog$ErrorLastwsprintf
String ID: %s$ %s"%s"$ %s%s
API String ID: 3467476366-1501842002
Opcode ID: 26131b5300ab6f320ae660855de6c9dde97c53c218b5d044babed4693bc77c06
Instruction ID: 80889ead2699bfa28146b5b049502586afe6ce3f076d8c36278bf149af6b5ebd
Opcode Fuzzy Hash: 26131b5300ab6f320ae660855de6c9dde97c53c218b5d044babed4693bc77c06
Instruction Fuzzy Hash: 45412472A00258ABDB15DBA4CC05AEE7B69FB45314F1441BFF406B72C2DB385E49CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00403172 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?), ref: 00403203
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00403247
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040325A
SetFileTime.KERNEL32(?,?,00000000,?), ref: 0040326F
SetFileAttributesA.KERNEL32(?,00000000), ref: 004032A1

Strings

I7@, xrefs: 004031A2, 004031C1, 0040327D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileTime$AttributesDateErrorLastLocal
String ID: I7@
API String ID: 1921563805-1725009657
Opcode ID: e84afe18105b9ec6c30533271b5b1c84a84a43a0e3f31bd25371dbd037fa840c
Instruction ID: 78fe16231a2a1341e8dfd08af2594f5fbb5768508dfe300d6538e3e7944295b2
Opcode Fuzzy Hash: e84afe18105b9ec6c30533271b5b1c84a84a43a0e3f31bd25371dbd037fa840c
Instruction Fuzzy Hash: 56319372500409BBDB20DF94DC85DEB7B6CEB08722F100A7AF215E61D0D7789F498769

Uniqueness

Uniqueness Score: -1.00%

Function 00401F8F Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 79stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00401FAF
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,75BF8400,00000000), ref: 00401FCE
wsprintfA.USER32 ref: 00402047

Strings

http://, xrefs: 00402008, 0040203C
%s%s, xrefs: 00402041
https://, xrefs: 00402022
ftp://, xrefs: 00401FF0

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$lstrlen
String ID: %s%s$ftp://$http://$https://
API String ID: 217384638-620530764
Opcode ID: c2a33745eb913b0cdeb1d7b99eba0f319e49dc97eb235abdb58b62353472a749
Instruction ID: e3f792bbe4a6d778f1804c58ae1799b2f08e94d4e54d0df15184f67de5484cfe
Opcode Fuzzy Hash: c2a33745eb913b0cdeb1d7b99eba0f319e49dc97eb235abdb58b62353472a749
Instruction Fuzzy Hash: FC213872A043857EEB01ABB4AC41B9F7B685B06314F1444B7F514BE1C2C2BC9615876C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A86F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A874
GetLastError.KERNEL32(%IS_V%,00000022,00000000,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A89D
SetLastError.KERNEL32(?,00000000,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A8D4
lstrlenA.KERNEL32(?,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A8E9
SetLastError.KERNEL32(?,?,00408854,%IS_T%,?,00000001,?,00000001,?,?,?,00000000,00000000), ref: 0040A90C

Strings

%IS_V%, xrefs: 0040A883

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$H_prologlstrlen
String ID: %IS_V%
API String ID: 3457754828-2868766794
Opcode ID: c5c823dbf1e64a1d0bfa352b86f0079bbcd04cd74f9039eb26c0bab0197afaa7
Instruction ID: 440c182d74437a3be1da1bdb92ce61584be7bc89636fb1c052d84c81ddf0666a
Opcode Fuzzy Hash: c5c823dbf1e64a1d0bfa352b86f0079bbcd04cd74f9039eb26c0bab0197afaa7
Instruction Fuzzy Hash: 08217771600608EFCB21DF69C88099AFBF0FF09304B04853EE58A97321C774E956CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040219E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00001000,?,00000000,?,?,00402AA1,?,00000005,00402632), ref: 004021B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,00402AA1,?,00000005,00402632), ref: 004021DE
DeleteFileA.KERNEL32(?,?,00000002,00000000,00000000,?,00402AA1,?,00000005,00402632), ref: 004021E5
GetLastError.KERNEL32(?,?,00000002,00000000,00000000,?,00402AA1,?,00000005,00402632), ref: 004021F5
GetLastError.KERNEL32(?,?,00000002,00000000,00000000,?,00402AA1,?,00000005,00402632), ref: 004021FB

Strings

d, xrefs: 00402200

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$ByteCharDeleteFileMultiWidelstrlen
String ID: d
API String ID: 1873936967-2564639436
Opcode ID: f14efff5ae0306acaec754ea7f575b8dfd4140f38eafcd8a3b3eb1ba9cfda755
Instruction ID: c924a43b8c16c0333f50d8f2cebe290197a96749e273386a78ba0d10392ab4fb
Opcode Fuzzy Hash: f14efff5ae0306acaec754ea7f575b8dfd4140f38eafcd8a3b3eb1ba9cfda755
Instruction Fuzzy Hash: 7501F271600215FBDB109BA1DD09FEBBBACEF01368B10403AEA04E7291D7789D0686E8

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC9A Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0042003C,00000001,?,74DEE860,00429AAC,?,?,0041D518,?,?,?,00000000,00000001), ref: 0041BCD9
GetStringTypeA.KERNEL32(00000000,00000001,00420038,00000001,?,?,0041D518,?,?,?,00000000,00000001), ref: 0041BCF3
GetStringTypeA.KERNEL32(?,?,?,?,0041D518,74DEE860,00429AAC,?,?,0041D518,?,?,?,00000000,00000001), ref: 0041BD27
MultiByteToWideChar.KERNEL32(?,00429AAD,?,?,00000000,00000000,74DEE860,00429AAC,?,?,0041D518,?,?,?,00000000,00000001), ref: 0041BD5F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0041D518,?), ref: 0041BDB5
GetStringTypeW.KERNEL32(?,?,00000000,0041D518,?,?,?,?,?,?,0041D518,?), ref: 0041BDC7

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 8802d034bd86ef68e80e6af450181e961d77318ead6963786f89074303fe7346
Instruction ID: ae4d32602b1e026544b5414bb55ebdd33b79475d3bab94948f3d0b8e5d4f0b6c
Opcode Fuzzy Hash: 8802d034bd86ef68e80e6af450181e961d77318ead6963786f89074303fe7346
Instruction Fuzzy Hash: 53416C71600219AFCF219F94EC85EEB7BA9FF04750F10452AF915D6260C3398996CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF6 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00402F27
GetDlgItem.USER32(?,00000001), ref: 00402F87
GetDlgItem.USER32(?,00000066), ref: 00402F8E
ShowWindow.USER32(00000000,00000000), ref: 00402FA2
ShowWindow.USER32(00000000,00000000), ref: 00402FBE

Part of subcall function 0040F733: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00408B91), ref: 0040F742
Part of subcall function 0040F733: OpenProcessToken.ADVAPI32(00000000,00000028,00408B91,?,?,?,?,?,?,00408B91), ref: 0040F74F
Part of subcall function 0040F733: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040F766
Part of subcall function 0040F733: AdjustTokenPrivileges.ADVAPI32(00408B91,00000000,?,00000000,00000000,00000000), ref: 0040F791
Part of subcall function 0040F733: ExitWindowsEx.USER32(00000002,0000FFFF), ref: 0040F79F

DeleteObject.GDI32 ref: 00402FE8

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemProcessShowTokenWindow$AdjustCurrentDeleteDialogExitLookupObjectOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 1933714880-0
Opcode ID: 33be622ac37f2409779b2a77c6f2f3044de36f566d089fb70e8ba88732ec8cd0
Instruction ID: 62169dfe703e46a87b45b9b9ee40b698aa1f8b2f4fe086f568974f4ab9548cbc
Opcode Fuzzy Hash: 33be622ac37f2409779b2a77c6f2f3044de36f566d089fb70e8ba88732ec8cd0
Instruction Fuzzy Hash: C3210A727042057BDA306B65DC4AF6B3A78EB447A4F40803BFA00F65D2C6FD9542A75C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC5D Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AC62
GetLastError.KERNEL32(74DEDFA0,?,00000000,?,0040A904,?,00000000,?,00000001,?,00408854,%IS_T%,?,00000001,?,00000001), ref: 0040AC8B
SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A904,?,00000000,?,00000001,?,00408854,%IS_T%,?,00000001), ref: 0040ACBE
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000,?,0040A904,?,00000000,?,00000001,?,00408854), ref: 0040ACDE
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00000000,?,0040A904,?,00000000,?,00000001), ref: 0040AD07
SetLastError.KERNEL32(?,?,00000000,?,0040A904,?,00000000,?,00000001,?,00408854,%IS_T%,?,00000001,?,00000001), ref: 0040AD15

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$H_prolog
String ID:
API String ID: 2853668335-0
Opcode ID: 7a9ed8ae12351d183c2d4e0126d093fd2d1ef0c732cd943beeafc3e019fc61a3
Instruction ID: c840037349f61e20cdcf0b34be0afb61157f8f06e93ee9d342e2f581ae6ab085
Opcode Fuzzy Hash: 7a9ed8ae12351d183c2d4e0126d093fd2d1ef0c732cd943beeafc3e019fc61a3
Instruction Fuzzy Hash: EB216975500609EFCB10CF69D98499ABBFAFF48304B00843EF54A97221C734ED55DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDB7 Relevance: 9.0, APIs: 6, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040DDBD
GetWindowLongA.USER32(?,00000000), ref: 0040DDCE
DeleteObject.GDI32(00000000), ref: 0040DDF6
DestroyIcon.USER32(00000000,?,?,?,0040DD02,?), ref: 0040DDFE
DeleteObject.GDI32(?), ref: 0040DE17
SetWindowLongA.USER32(0040DD02,00000000,00000000), ref: 0040DE23

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$DeleteLongObject$DestroyIcon
String ID:
API String ID: 2866036538-0
Opcode ID: d0f31bc488a4534c78c24a02bc2d094f958cb4608bb899801a11b29b84401896
Instruction ID: 536b5fc07a3b4e0f00f98db0731a70deb17b3c8dd736b7ac53a7a7aa394d40f6
Opcode Fuzzy Hash: d0f31bc488a4534c78c24a02bc2d094f958cb4608bb899801a11b29b84401896
Instruction Fuzzy Hash: 250128369007089FC6205FE1EC44887BF69EF04365311883AF457A21A0C335AC49CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040545F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405464
lstrcpyA.KERNEL32(?,00000000,00000452,?,00000000,00401380,?,?,00000000,00404C55,00404E21,?,?,?,?,?), ref: 004054D1

Strings

C:\Users\user\AppData\Local\Temp\_isE74C, xrefs: 004054BA
%s%s%s%s%s%s%s%s, xrefs: 0040575B

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologlstrcpy
String ID: %s%s%s%s%s%s%s%s$C:\Users\user\AppData\Local\Temp\_isE74C
API String ID: 3221978047-2176817246
Opcode ID: 1481b5a2d73afb28eace4fdf90807bd356fa21ebbdb5e90a87a437fb09fc4bba
Instruction ID: 0f4c00b670bb6e896f673beccc249875b4c2d31d8557fa9c022eebe4fd350f94
Opcode Fuzzy Hash: 1481b5a2d73afb28eace4fdf90807bd356fa21ebbdb5e90a87a437fb09fc4bba
Instruction Fuzzy Hash: 9591E772A0055CBEEB11D776CD11AEEBB7AAB4C340F0044FAE605F7181DA355B448FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041724E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0041726D
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004172A2
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00417302

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0041729D
__GLOBAL_HEAP_SELECTED, xrefs: 004172DC

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 26f83bd0f4839faf01d0c0e4f3131c57a0ad6f5eff9e5eb2036915bcd80abe6e
Instruction ID: 228431d0bf0e37d77ed34996949d58742352b8a7ea34f0db8d076b27a591e31c
Opcode Fuzzy Hash: 26f83bd0f4839faf01d0c0e4f3131c57a0ad6f5eff9e5eb2036915bcd80abe6e
Instruction Fuzzy Hash: 5D312A7184D25CADEB318670AC81BDF77789B06304F2404EBED84D5242E63C8ECAD719

Uniqueness

Uniqueness Score: -1.00%

Function 0040380F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403814
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 00403833
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,0040CE83), ref: 00403875
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,0040CE83), ref: 00403891

Strings

WinVerifyTrust, xrefs: 0040382D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AddressH_prologProc
String ID: WinVerifyTrust
API String ID: 2363843230-2766335691
Opcode ID: c941536ace7f1b2240c812b444b0fedcc57cabe505280654ebb9d94a01629ce0
Instruction ID: 55dd8c03615e28fab73f56df4faf3e7d5138907412b83b827fba6f4ac8305a76
Opcode Fuzzy Hash: c941536ace7f1b2240c812b444b0fedcc57cabe505280654ebb9d94a01629ce0
Instruction Fuzzy Hash: 56219072D00209BADB00AF95CC45EEFBFBCEF85715F10816BF510F6291D6799A408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411E48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(?,?,00000000,?,004107E4,?), ref: 00411E58
GetFileVersionInfoA.VERSION(?,?,?,00000000,?,?,00000000,?,004107E4,?), ref: 00411E78
VerQueryValueA.VERSION(?,00423C94,004107E4,?,?,?,?,00000000,?,?,00000000,?,004107E4,?), ref: 00411E91
VerQueryValueA.VERSION(?,\VarFileInfo\Translation,?,?,80000000,75A820C0,?,00423C94,004107E4,?,?,?,?,00000000,?,?), ref: 00411EC3

Strings

\VarFileInfo\Translation, xrefs: 00411EB9

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: \VarFileInfo\Translation
API String ID: 2099394744-675650646
Opcode ID: f37f1efd02e15f364b4b0c15c204742fd3f94a45ca3c275d1da78450bd44c024
Instruction ID: f79135112dfd882342fb04ee112e896b8a22fc70d0bfd4d3a58e7071d48ec3a1
Opcode Fuzzy Hash: f37f1efd02e15f364b4b0c15c204742fd3f94a45ca3c275d1da78450bd44c024
Instruction Fuzzy Hash: 39216A72A00209BBCF10DFA5CC819EA7BBDFF45304B1044B7EE11DB252E635DA858B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1C9 Relevance: 7.7, APIs: 5, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C1CE

Part of subcall function 0040EC8F: wsprintfA.USER32 ref: 0040ECA1
Part of subcall function 0040EC8F: LoadStringA.USER32(?,?,?), ref: 0040ECCC

Part of subcall function 0040C84B: GetLastError.KERNEL32(?,00000200,0040C284,?,75BF8400,00000000), ref: 0040C855
Part of subcall function 0040C84B: SetLastError.KERNEL32(00000000,?,?,00000200,0040C284,?,75BF8400,00000000), ref: 0040C869

SysAllocString.OLEAUT32(00423F44), ref: 0040C289
SysStringLen.OLEAUT32(?), ref: 0040C2AC

Part of subcall function 0040C75A: SysAllocStringLen.OLEAUT32(00000000,0041F4A8), ref: 0040C781

Part of subcall function 0040209C: SysFreeString.OLEAUT32(?), ref: 004020B8
Part of subcall function 0040209C: SysFreeString.OLEAUT32(?), ref: 004020D4

SysAllocString.OLEAUT32(00423F44), ref: 0040C302
SysStringLen.OLEAUT32(?), ref: 0040C322

Part of subcall function 0040C75A: SysStringLen.OLEAUT32(00000000), ref: 0040C76E
Part of subcall function 0040C75A: SysFreeString.OLEAUT32(?), ref: 0040C7BD

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocFree$ErrorLast$H_prologLoadwsprintf
String ID:
API String ID: 62473941-0
Opcode ID: 867292efca95c71800118f870c9c4a0d5d2a26f48c5afdd066937b380f8f4dea
Instruction ID: eab7efd8fdd49989c90e7c24b3b285096cc0baa694c0de26ee5147fe365bfbbf
Opcode Fuzzy Hash: 867292efca95c71800118f870c9c4a0d5d2a26f48c5afdd066937b380f8f4dea
Instruction Fuzzy Hash: 9A5151B1901255EBD700EBAAC645ADEBBF4AF19304F1081AFE405B3281DBB95B14CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041B511 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0041B56F
GetFileType.KERNEL32(?,?,00000000), ref: 0041B61A
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0041B67D
GetFileType.KERNEL32(00000000,?,00000000), ref: 0041B68B
SetHandleCount.KERNEL32 ref: 0041B6C2

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 296aebd9a0a19de81182f0c0a786f195a4bde2cebd70d71b2f4f8d98efa58592
Instruction ID: d428f089cf5f5f06d759f683b58d28e5684b3be7d56c2f33866953acdfbc9ff8
Opcode Fuzzy Hash: 296aebd9a0a19de81182f0c0a786f195a4bde2cebd70d71b2f4f8d98efa58592
Instruction Fuzzy Hash: A4510831610601CBC7209F28C8847E677E1FB62368F29867ED566C72E0D738CC86C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004043A3 Relevance: 7.6, APIs: 5, Instructions: 115windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004043A8
GetWindowDC.USER32(00000000,?,?,00000000,00000000), ref: 00404488
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004044A3
DeleteObject.GDI32(00000000), ref: 004044B6
ReleaseDC.USER32(00000000,?), ref: 004044C4

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: BitmapCreateDeleteH_prologObjectReleaseWindow
String ID:
API String ID: 2483735875-0
Opcode ID: 240b6ecebae4ec462d17d3ab67414fee9b22cb69a1fe3ceba0f0ea72b1c450c6
Instruction ID: 512bc3d4a2fdf94f66abed1889349a0e27ce12bf0ab160411975230f56531260
Opcode Fuzzy Hash: 240b6ecebae4ec462d17d3ab67414fee9b22cb69a1fe3ceba0f0ea72b1c450c6
Instruction Fuzzy Hash: 38419AB2D00209EFCB14DFA5DD85BEEBBB9FF48304F10416AE615A72A1D7349A45CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00415585 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00429AAC), ref: 004155A9
InterlockedDecrement.KERNEL32(00429AAC), ref: 004155C0
MultiByteToWideChar.KERNEL32(00000009,0000000F,000000FF,00000000,00000000,?,00000000,?,00000000,0040A9DF,00000000,00000000,00000000,00000001,?,0040D97A), ref: 004155E6

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Interlocked$ByteCharDecrementIncrementMultiWide
String ID:
API String ID: 817727928-0
Opcode ID: 16020749211caf1e879c517bc11b824cc858c4659586cfae250b837cc179e816
Instruction ID: fac43b47f8ef6a32a10b91ecbb2d89002430c32c5ec643058a29ff7a384c1948
Opcode Fuzzy Hash: 16020749211caf1e879c517bc11b824cc858c4659586cfae250b837cc179e816
Instruction Fuzzy Hash: E321D130104A14FEDB219F15EC44BEA3B64AF81765F60412FE4499A1D1CA788AC3DAAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBE2 Relevance: 7.6, APIs: 5, Instructions: 50stringCOMMON

Download Yara Rule

APIs

VerLanguageNameA.VERSION(00003CFF,?,00000103,?,?,?), ref: 0040FC00
VerLanguageNameA.VERSION(?,?,00000103,00003CFF,?,00000103,?,?,?), ref: 0040FC2A
lstrcmpiA.KERNEL32(?,?), ref: 0040FC3D
VerLanguageNameA.VERSION(?,?,00000103,?,?), ref: 0040FC5A
lstrcpyA.KERNEL32(00000000,?,?,?), ref: 0040FC69

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LanguageName$lstrcmpilstrcpy
String ID:
API String ID: 422536988-0
Opcode ID: 1f00d6ae191dc1188888142ea6cf7c8318565d4db08274d75d8c949c8568fe38
Instruction ID: 951de856e2face4986eaeb38611f369e5d20f33bf08b83ecc906e3180e6f6794
Opcode Fuzzy Hash: 1f00d6ae191dc1188888142ea6cf7c8318565d4db08274d75d8c949c8568fe38
Instruction Fuzzy Hash: 9A01A7B65001286BE720AA51DC85EFB73ACEF45354F004177BA84E2081E6789E8986A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F289 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

CharNextA.USER32(?,000000FF,74DE83C0), ref: 0040F2BC
lstrcpyA.KERNEL32(00000000,00000000), ref: 0040F2CC
CharNextA.USER32(00000000), ref: 0040F2DE
CharPrevA.USER32(00000000,00000000), ref: 0040F2ED
lstrcpyA.KERNEL32(?,?), ref: 0040F306

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Nextlstrcpy$Prev
String ID:
API String ID: 1912086007-0
Opcode ID: d6d163d11248204fa3fb4a8c2b38f341e2fa5e46e48f9d7201b3e4c945c31d40
Instruction ID: a228e04c6c80064008ba42afc0bd2ddf78a11a0f2dbd312c1e0e13f2f547e11b
Opcode Fuzzy Hash: d6d163d11248204fa3fb4a8c2b38f341e2fa5e46e48f9d7201b3e4c945c31d40
Instruction Fuzzy Hash: 770184B2C0015C7AEB229764CC04BEB7BAC6B45314F0540F6D704F7181C7786E8A8FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00417103 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0041D27E,0041C018,00000000,?,?,00000000,00000001), ref: 00417105
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00417113
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041715F

Part of subcall function 0041BADC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00417128,00000001,00000074,?,?,00000000,00000001), ref: 0041BBD2

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00417137
GetCurrentThreadId.KERNEL32 ref: 00417148

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: ccf3116fe8e4a5b8f8f62eedcba65172a0daae3fa305e6c31e857d6014ab9aa4
Instruction ID: d0e0c4ee26a6ef9b2752701af01e982d4923b9d2cb5e7d4f5fc2158ba873f365
Opcode Fuzzy Hash: ccf3116fe8e4a5b8f8f62eedcba65172a0daae3fa305e6c31e857d6014ab9aa4
Instruction Fuzzy Hash: AEF02B36A05611ABC7342B70BC096DA3B70EF45BB1710453AF645D63A0CF79C8838AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEBC Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AEC1

Strings

%*.*f, xrefs: 0040B151
I64, xrefs: 0040AF9A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: %*.*f$I64
API String ID: 3519838083-2444075078
Opcode ID: 3a9dc28bd7432a94f9860b71b244f56467c84af2cecbe68c017094a855976367
Instruction ID: 49e9d12d0d950ae315c298444018172c7f7129d7b6f25ec24111d37c3321bf66
Opcode Fuzzy Hash: 3a9dc28bd7432a94f9860b71b244f56467c84af2cecbe68c017094a855976367
Instruction Fuzzy Hash: CF91D2B69002079BDB219F68D8596BF77A0EB00394F14803BE811BA2C0D77C8E9187DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040C574
lstrcatA.KERNEL32(00000000,00000000), ref: 0040C5B0
wsprintfA.USER32 ref: 0040C5D2

Strings

%01d.%01d %s%s, xrefs: 0040C56E

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$lstrcat
String ID: %01d.%01d %s%s
API String ID: 2661776893-3724692234
Opcode ID: ef8198b7229c2f1d27eeaf2b8cb6b96563b9d86abc76fb8fd098d0bca9285eef
Instruction ID: 5dc63a584747553359075bcdc665199435cf58911c18520bbe5dff4cdf45afa9
Opcode Fuzzy Hash: ef8198b7229c2f1d27eeaf2b8cb6b96563b9d86abc76fb8fd098d0bca9285eef
Instruction Fuzzy Hash: 8731C8F6A002186FD714DF55DD94FDA73ADEB48304F0084BAF709E7182DA34DA598B54

Uniqueness

Uniqueness Score: -1.00%

Function 00409C48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000104,?,75BF8400,00000000), ref: 00409C8C
wsprintfA.USER32 ref: 00409CD1

Strings

%s /g %s /g %s /s, xrefs: 00409CBE
%s /g %s /g %s, xrefs: 00409CC5

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleNamewsprintf
String ID: %s /g %s /g %s$%s /g %s /g %s /s
API String ID: 2476234104-3131057161
Opcode ID: 21aa4cd4b75d25a0136ae9b148e2149742b44e91f1ad551827c064cf803b93da
Instruction ID: 7a28c6a644ef9dfccf65eb745fb41cacc82916743fe112d2f3212a817283e11d
Opcode Fuzzy Hash: 21aa4cd4b75d25a0136ae9b148e2149742b44e91f1ad551827c064cf803b93da
Instruction Fuzzy Hash: 1131C4B2A04518BFEF218B14DC54BDBBBB9BB44300F0044B6F605A61D1D7B9AE998F49

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001300,00000000,0040A248,00000000,0040A248,00000000,00000000,75BF8400), ref: 0040EB50
wsprintfA.USER32 ref: 0040EB85

Part of subcall function 0040EA57: __EH_prolog.LIBCMT ref: 0040EA5C

LocalFree.KERNEL32(0040A248), ref: 0040EB9D

Strings

%s %s, xrefs: 0040EB7F

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatFreeH_prologLocalMessagewsprintf
String ID: %s %s
API String ID: 1200432034-2939940506
Opcode ID: ef9f6198d764ac88331878f32a1209181f77fbfd1dab7a7bcd01329148ccc067
Instruction ID: c3c81c3a576f95806d6bf109f0f717f5de0830efdbee103c71039bbb065f11bb
Opcode Fuzzy Hash: ef9f6198d764ac88331878f32a1209181f77fbfd1dab7a7bcd01329148ccc067
Instruction Fuzzy Hash: C501D1B264010CBFEF119F94DC85FEA7B7CFB04358F008472BB05B5090D675AA5A9A68

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC18 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0040EC8F: wsprintfA.USER32 ref: 0040ECA1
Part of subcall function 0040EC8F: LoadStringA.USER32(?,?,?), ref: 0040ECCC

wsprintfA.USER32 ref: 0040EC4E
wvsprintfA.USER32(?,?,X:B), ref: 0040EC69

Part of subcall function 0040E9CE: __EH_prolog.LIBCMT ref: 0040E9D3

Strings

%d: %s, xrefs: 0040EC48
X:B, xrefs: 0040EC57, 0040EC5A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$H_prologLoadStringwvsprintf
String ID: %d: %s$X:B
API String ID: 2226253583-2304160093
Opcode ID: e23bb99ac17b86d9ba4c79944b898c8479e0a2903eafbae313e9cf7f9c9be1c9
Instruction ID: cd24ca460fcbe3ab1b7df6951e8c8c76e9e2282d90779b5793163f3126dfe83b
Opcode Fuzzy Hash: e23bb99ac17b86d9ba4c79944b898c8479e0a2903eafbae313e9cf7f9c9be1c9
Instruction Fuzzy Hash: 87F036B280021C6BDF11DB91DD45FDA777CAB04304F4045A6F615E2091EA74D7584F94

Uniqueness

Uniqueness Score: -1.00%

Function 00418991 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00414E8F), ref: 00418996
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004189A6

Strings

KERNEL32, xrefs: 00418991
IsProcessorFeaturePresent, xrefs: 004189A0

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a40f78d4438184231aa530712f264357f9482522d02172ee085c14cc9329f9b3
Instruction ID: c315093e17c3418619785170cc18a8c05aa3e52e82af44751a8c6c69b86e663f
Opcode Fuzzy Hash: a40f78d4438184231aa530712f264357f9482522d02172ee085c14cc9329f9b3
Instruction Fuzzy Hash: BBC012B035430195D9101BB15C0DFE616046B81B01F14853A7805D01A0EE98C085602E

Uniqueness

Uniqueness Score: -1.00%

Function 004163A5 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c090c61eb718decdc1f05358aed91ee8d6de83e68e3732634dee2ecf84599938
Instruction ID: 55f043e2370be53b6ae1138a624654170f79dddc3ad6b8671253639b5c6fb009
Opcode Fuzzy Hash: c090c61eb718decdc1f05358aed91ee8d6de83e68e3732634dee2ecf84599938
Instruction Fuzzy Hash: 26912672D00614AACF21AF69DC40ADE7BB9EB44764F25412BF814B6291D739CDC1CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00417F3A Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00424C00,00424C00,?,?,00418406,00000000,00000010,00000000,00000009,00000009,?,00414939,00000010,00000000), ref: 00417F5B
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00418406,00000000,00000010,00000000,00000009,00000009,?,00414939,00000010,00000000), ref: 00417F7F
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00418406,00000000,00000010,00000000,00000009,00000009,?,00414939,00000010,00000000), ref: 00417F99
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00418406,00000000,00000010,00000000,00000009,00000009,?,00414939,00000010,00000000,?), ref: 0041805A
HeapFree.KERNEL32(00000000,00000000,?,?,00418406,00000000,00000010,00000000,00000009,00000009,?,00414939,00000010,00000000,?,00000000), ref: 00418071

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 68b61db9d74a1e9bd384a4449376a233af2e41c5646803233d9a78d4f98e78b3
Instruction ID: 18e640d76552e6016a06290242ca292447ec59b7ceded5785e2b3790c4ec2108
Opcode Fuzzy Hash: 68b61db9d74a1e9bd384a4449376a233af2e41c5646803233d9a78d4f98e78b3
Instruction Fuzzy Hash: 6C31E8716457059FD3308F29EC40BA2BBF0EB84765F12853AF15597390EB78A886CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041126C Relevance: 6.3, APIs: 5, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410423: SetLastError.KERNEL32(0000007F,00411281,?,004111C0,?,?,?,004023F6,?,?,80400100,00000000,00000006,ftp://,00000000), ref: 0041043B

lstrlenA.KERNEL32(00000006,?,00000000,?,?,?,004023F6,?,?,80400100,00000000,00000006,ftp://,00000000), ref: 004112BD
lstrcpyA.KERNEL32(00000000,00000006,?,?,?,004023F6,?,?,80400100,00000000,00000006,ftp://,00000000), ref: 004112CC
lstrlenA.KERNEL32(00000006,?,00000000,?,?,?,004023F6,?,?,80400100,00000000,00000006,ftp://,00000000), ref: 004112D3
lstrlenA.KERNEL32(?,?,00000000,?,?,?,004023F6,?,?,80400100,00000000,00000006,ftp://,00000000), ref: 004112EA
GetLastError.KERNEL32(?,80400100,00000000,00000006,ftp://,00000000), ref: 00411320

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$ErrorLast$lstrcpy
String ID:
API String ID: 2253992269-0
Opcode ID: fc279a07606b398fe730a37f0a38355dc1e6d288099d59b63df3746af6d03339
Instruction ID: ef617cb116120f6526aafeaff2f768660d25ab535d3dfaa4c1a281413b39f1bc
Opcode Fuzzy Hash: fc279a07606b398fe730a37f0a38355dc1e6d288099d59b63df3746af6d03339
Instruction Fuzzy Hash: 1521A171800704AFDB20EF79CC45AAB7BE8EB05320B20482FF655D7661E678E8C18B18

Uniqueness

Uniqueness Score: -1.00%

Function 0041202C Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000000,GIF87a), ref: 00412070
lstrcmpA.KERNEL32(00000000,GIF89a), ref: 00412088

Strings

GIF87a, xrefs: 0041206A
GIF89a, xrefs: 00412082

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcmp
String ID: GIF87a$GIF89a
API String ID: 1534048567-2918331024
Opcode ID: 9ab12c3764cfa2adbc0bed1688a85b76323b927d3f66a94383401ffdd73f3259
Instruction ID: 35d5fc4ec5f3b308a17ffab6994a8650543f83a83f49782d81a195eae2999ead
Opcode Fuzzy Hash: 9ab12c3764cfa2adbc0bed1688a85b76323b927d3f66a94383401ffdd73f3259
Instruction Fuzzy Hash: A16105B1600201BFDB108F64E985FDAB7B9EF19304F30485BE945CA242E3B9D9E5CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF6C Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000), ref: 0041DFE6
GetLastError.KERNEL32 ref: 0041DFF0
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 0041E0B6
GetLastError.KERNEL32 ref: 0041E0C0

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: c63f5395341a58d837d33969029704076b7423894e581e8373e759a7042238f5
Instruction ID: b5cb4c39371aebfe9f5bd120697f5d3ec2ea3e924ffdf49a9cb420a09c7498c1
Opcode Fuzzy Hash: c63f5395341a58d837d33969029704076b7423894e581e8373e759a7042238f5
Instruction Fuzzy Hash: 5351B438A04395EFDF218F59C880BDA7FB0AF06314F54409AEC918B352C3799986CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B951 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000002,00000001,00000001), ref: 0041BA18

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c3bc02c462e9f790cae4cef7dde377e4b3f0d1083719fd0d7ffa2303185c9847
Instruction ID: ed8301a868819c6c61ce2c151d3376a63ea0e9e6bc9b117069ab1ed67e799499
Opcode Fuzzy Hash: c3bc02c462e9f790cae4cef7dde377e4b3f0d1083719fd0d7ffa2303185c9847
Instruction Fuzzy Hash: 2C51B471900248EFCB11CFA9C884ADE7FB4FF45384F2085AAE9159B261D734DAC1DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00402D4B Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00402E02: GetVersionExA.KERNEL32(?), ref: 00402E25

CompareStringW.KERNEL32(00000400,00000000,?,?,?,?,?,?,?,?,00402C5B,?,?,?,?,?), ref: 00402D6D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 00402DE0
CompareStringA.KERNEL32(00000400,00000001,?,?,00000000,?,?,?,00000000,00000000,?,?,?,?,00402C5B,?), ref: 00402DF2

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CompareString$ByteCharMultiVersionWide
String ID:
API String ID: 3684582312-0
Opcode ID: adf6c0d269ccebc62fdf49ccb775c7338caec307ff2196007bf75c9cacf9b683
Instruction ID: 689f7ab31defb649d54a4508ae692f2e9117af33b115653b84745ae5acf41886
Opcode Fuzzy Hash: adf6c0d269ccebc62fdf49ccb775c7338caec307ff2196007bf75c9cacf9b683
Instruction Fuzzy Hash: A62179B6000249BFEB00AF94CC89CEB7B6CFF09358B00882AFA1586250D371DE55DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C959 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0040C973
SysStringLen.OLEAUT32(?), ref: 0040C9AA
SysStringLen.OLEAUT32(?), ref: 0040C9BC
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000001,?,00000000,00000000,?,00000000,?,0041F4A8,0040C883,00000000,00000200,0040C26A), ref: 0040C9D2

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 485e78f38e8ecca6b0aa356b765a7af9840c717fe1d9eecdd7ff5645885d5122
Instruction ID: 6480aee660a05b8c20473d8eca3c28834e00b050f319b4ae9e4aba73afa20be0
Opcode Fuzzy Hash: 485e78f38e8ecca6b0aa356b765a7af9840c717fe1d9eecdd7ff5645885d5122
Instruction Fuzzy Hash: 4A113AB2205705EFC320DB65D8C0C27B3EEEA553143508A3EE1AAE3650D734FC458668

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE16 Relevance: 6.1, APIs: 4, Instructions: 60stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AE1B
lstrlenA.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,0040A9F5,00000000,00000000,00000013,00000001,00000000,00000000,00000001), ref: 0040AE63
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00000000,?,0040A9F5,00000000,00000000,00000013,00000001,00000000,00000000), ref: 0040AE87
SetLastError.KERNEL32(?,?,?,00000001,?,00000000,?,0040A9F5,00000000,00000000,00000013,00000001,00000000,00000000,00000001), ref: 0040AEA0

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorH_prologLastMultiWidelstrlen
String ID:
API String ID: 1667447809-0
Opcode ID: aea1f0512b9b23b77c40c873183e74f0beadcf66ca4f382ef98c6a92f04a8b7f
Instruction ID: 03652912e03a41226fb864dc06771d2973ae028a9131b90316ccc2eae4e55d69
Opcode Fuzzy Hash: aea1f0512b9b23b77c40c873183e74f0beadcf66ca4f382ef98c6a92f04a8b7f
Instruction Fuzzy Hash: 2211EC72A00219EFCB109F69DC4089BBBA9FF45358B00843FF806A3350D7388D11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004029C9 Relevance: 6.1, APIs: 4, Instructions: 57sleepfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004029CE

Part of subcall function 00402B6F: SysFreeString.OLEAUT32(?), ref: 00402B84
Part of subcall function 00402B6F: SysStringLen.OLEAUT32(?), ref: 00402B8D
Part of subcall function 00402B6F: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00402B97

Part of subcall function 00402CD0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,?,00000000,00000000,?,?,00000000,00402332,00000000,00000007,http://,00000000), ref: 00402D39

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000,?,0040249D,?), ref: 00402A0F
CloseHandle.KERNEL32(00000000,?,?,00000000,?,0040249D,?), ref: 00402A23
Sleep.KERNEL32(000001F4,?,?,00000000,?,0040249D,?), ref: 00402A3E

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocByteCharCloseCreateFileFreeH_prologHandleMultiSleepWide
String ID:
API String ID: 1308190005-0
Opcode ID: b2ee8c3b43c42789cfbe7dd5b52b55bfb13a7f2a1e0404b338597c555feead68
Instruction ID: 1f0baa8091998049a5f2caba2e735702fe21631069831b6f12c67c8171f30744
Opcode Fuzzy Hash: b2ee8c3b43c42789cfbe7dd5b52b55bfb13a7f2a1e0404b338597c555feead68
Instruction Fuzzy Hash: 9211B235700602EBDB309F68CD4AB9EB6A1EB40334F10473AF5B5B61D0C7B85945CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004110D1 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000002,?,00000000,?,000000FF), ref: 004110FE
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0041110E
TranslateMessage.USER32(?), ref: 0041111C
DispatchMessageA.USER32(?), ref: 00411126

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchMultipleObjectsPeekTranslateWait
String ID:
API String ID: 2231909638-0
Opcode ID: e45d30157258f1475afa903d925079d2af7593081df2a175743d8b641e48481a
Instruction ID: fc3992301a88164a591f12066c05fb541b717ff1eadcb122e2d569d971fa6d5b
Opcode Fuzzy Hash: e45d30157258f1475afa903d925079d2af7593081df2a175743d8b641e48481a
Instruction Fuzzy Hash: CD0108B6A00118BBDB10DBD8DC85DEABBBCEB08754F204476F601E6150E675DE868B64

Uniqueness

Uniqueness Score: -1.00%

Function 00407008 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040700D
GetLastError.KERNEL32(?,00000001,?,0040D9AA,00000000,00000000,-00001060,0000000F,00000001), ref: 00407030
SysFreeString.OLEAUT32(?), ref: 0040704E
SetLastError.KERNEL32(?,00000001,?,0040D9AA,00000000,00000000,-00001060,0000000F,00000001), ref: 0040706E

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FreeH_prologString
String ID:
API String ID: 1156525562-0
Opcode ID: df675709519ede901a6b27e722521da79bd94d99f8e0581253ab0229c33039a4
Instruction ID: 9ef0d4a6eb968e57b04b6fec11fd2771d42adfe1aa2f5e48d495183dea721b2b
Opcode Fuzzy Hash: df675709519ede901a6b27e722521da79bd94d99f8e0581253ab0229c33039a4
Instruction Fuzzy Hash: FA01DF3AA00510EFCB18DF28E805AA8BBF0FF48314B04423EE846D36A1DB75AD04CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00404543 Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0040454F
SelectObject.GDI32(00000000), ref: 0040455E
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 0040458F
DeleteDC.GDI32(00000000), ref: 0040459A

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CompatibleCreateDeleteObjectSelect
String ID:
API String ID: 3360107340-0
Opcode ID: bdea70d02c44de6786ae307531ccef3a255048b8b52c18e48f01eaaef915eaeb
Instruction ID: e86d319534ede0d65b995da959d9d6ddb71e2f612c9df41f95961832384100df
Opcode Fuzzy Hash: bdea70d02c44de6786ae307531ccef3a255048b8b52c18e48f01eaaef915eaeb
Instruction Fuzzy Hash: D6F03635100504BBC7119F25EC44FBB7F66EF85760F108239FA25962E0C735AC529A58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C888 Relevance: 6.0, APIs: 4, Instructions: 40memorystringCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0040C896
lstrlenA.KERNEL32(00000000,?,0040C868,?), ref: 0040C8A9
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,0040C868,?), ref: 0040C8D0
SysAllocString.OLEAUT32(00000000), ref: 0040C8DA

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWidelstrlen
String ID:
API String ID: 90228818-0
Opcode ID: 2761847eb21fb87b5455af778377211a5f9864bd036d7a3d9f84811b9de007bc
Instruction ID: bf4324fd89ff3a9daff045ac874c361c8f494fbf1e29873f25a3d42c74b41ebc
Opcode Fuzzy Hash: 2761847eb21fb87b5455af778377211a5f9864bd036d7a3d9f84811b9de007bc
Instruction Fuzzy Hash: 89F08136900114FBDB105B55DC09B8ABBA8EF82361F108176F916A6290E7745A16CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406C42 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00406C54

Part of subcall function 00406C9C: lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_isE74C,?,00000000), ref: 00406CCE
Part of subcall function 00406C9C: GetPrivateProfileStringA.KERNEL32(?,Title,004276D0,?,0000007F,?), ref: 00406CED

CharNextA.USER32(?,00000000), ref: 00406C7E
CharNextA.USER32(00000000), ref: 00406C81

Strings

%#04x, xrefs: 00406C4E

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$PrivateProfileStringlstrcatwsprintf
String ID: %#04x
API String ID: 154278626-3155933392
Opcode ID: 6abfd67c145333f5a9ce7efda54decf226e6e056c9b2cdf68dff288ce81226d8
Instruction ID: 74360b82d49db96629d162a06317072c9e9c88ca73191cacff23417e9fab72a8
Opcode Fuzzy Hash: 6abfd67c145333f5a9ce7efda54decf226e6e056c9b2cdf68dff288ce81226d8
Instruction Fuzzy Hash: 54F03AB290010DBBDF01AFA4CC09CEF3F6DEB04258B044422BD19A6061E636DA25DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405B41 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000001), ref: 00405B4A
GetDlgItem.USER32(000003EA), ref: 00405B64
SendMessageA.USER32(00000000,00000408,00000000,00000000), ref: 00405B7C
SendMessageA.USER32(00000000,00000402,00000000,00000000), ref: 00405B94

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ItemWindow
String ID:
API String ID: 591194657-0
Opcode ID: 048dae4ef78fa1eaf688730aaad24d9f9d41049a1ad6e1a65314f47279c9dc05
Instruction ID: bbd22299ebe009119ab93eb97d2cc7ebe997cf50d8cb128a7a629f20f6858ad8
Opcode Fuzzy Hash: 048dae4ef78fa1eaf688730aaad24d9f9d41049a1ad6e1a65314f47279c9dc05
Instruction Fuzzy Hash: 07E0A0B03002047FE6106B51AC85C3B766DEB80766710403AFB05B5090CA646C06CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9C1 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0040F9D7
GetObjectA.GDI32(00000000,0000003C,?), ref: 0040F9E0

Part of subcall function 0040F92E: GetLocaleInfoA.KERNEL32(0040F9F1,00001004,?,00000014,?,?,?,?,?,?,?,?,?,?,?,0040F9F1), ref: 0040F955
Part of subcall function 0040F92E: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 0040F970

CreateFontIndirectA.GDI32(?), ref: 0040F9F9
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 0040FA0C

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
String ID:
API String ID: 2681337867-0
Opcode ID: a392ebd618903a0b4f1e063355c5d0045daa065785f20432a971cda2566997c1
Instruction ID: 0196674412a20cad7465a952cae238b2de01ec99654ba8a6d97a99e86c40ff7c
Opcode Fuzzy Hash: a392ebd618903a0b4f1e063355c5d0045daa065785f20432a971cda2566997c1
Instruction Fuzzy Hash: 79F0FE76940218BADF156BE0EC06FC97F6C9B18750F108026BA11AA1E1DAB06605CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F242 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

CharNextA.USER32(0040F324,?,75BF3530,00000000,0040F324,?), ref: 0040F257
CharPrevA.USER32(0040F324,0040F324,?,75BF3530,00000000,0040F324,?), ref: 0040F260
CharNextA.USER32(00000000,0040F324), ref: 0040F278
CharNextA.USER32(00000000), ref: 0040F27E

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID:
API String ID: 589700163-0
Opcode ID: 57217a3962540ae54ff7779be00984dba9ce9091f90a6f3455d6afe001b42661
Instruction ID: 6e9a87c0d93684a42042aa9792f038b96edadf18755cbbdbddb960601ea9845d
Opcode Fuzzy Hash: 57217a3962540ae54ff7779be00984dba9ce9091f90a6f3455d6afe001b42661
Instruction Fuzzy Hash: 45F0E5A59043946EE732A3359C44B576FCC4F4A761F1800FBE940E3292C77C9C468738

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD61 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 21stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,004017CD,00000000,00000001,?,?,00000000), ref: 0040CD6A
lstrcpyA.KERNEL32(00000000,?), ref: 0040CD86
lstrcpyA.KERNEL32(C:\Users\user\Desktop,?), ref: 0040CD8E

Strings

C:\Users\user\Desktop, xrefs: 0040CD89

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$lstrlen
String ID: C:\Users\user\Desktop
API String ID: 367037083-224404859
Opcode ID: 0d71a98d71965918ffbc2de261f9d409615f5cfb98049f8b65683e034014bffb
Instruction ID: e057b0b0a12f9df7d9787752b6e359577504d21b7a0e1f37924b61b5f6a59b4c
Opcode Fuzzy Hash: 0d71a98d71965918ffbc2de261f9d409615f5cfb98049f8b65683e034014bffb
Instruction Fuzzy Hash: 27D012729041207AD2105766AC0DC9BBF6CDAD5771705843FB558D3100CA746C428AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3F9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0041A40D

Strings

, xrefs: 0041A432
, xrefs: 0041A456

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: ebba663e26ad4b7179e9643e293e24352813f03598d3ea499a0f3dc6617135c1
Instruction ID: e1bffbc567e226a0805b56bc4cacdc6d8679fa31fc204e0275b0645289ade700
Opcode Fuzzy Hash: ebba663e26ad4b7179e9643e293e24352813f03598d3ea499a0f3dc6617135c1
Instruction Fuzzy Hash: 9E418B3110A2982EEB219724DD49BFB3FE9DF06704F5800E6E149C6153C27A4D98CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004111C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00411237
SetEvent.KERNEL32(00000046), ref: 00411249

Strings

d, xrefs: 004111D4

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Event
String ID: d
API String ID: 4201588131-2564639436
Opcode ID: 353f53f65004a0052401b0344b0cfc8e6c0dd797b5af1e0db1dbede181b2f67e
Instruction ID: f0fc92cd46fd43c56d8037d3c566dcbff5289eb84586adff025731235eee51d8
Opcode Fuzzy Hash: 353f53f65004a0052401b0344b0cfc8e6c0dd797b5af1e0db1dbede181b2f67e
Instruction Fuzzy Hash: DC216735501604CFCB24CF54D4489EAB7F0FF19311B1089AEEA9AD7721D738E995CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(00401986,00000000,?,?,00401986,00000003,00000000,00000001), ref: 0040F123

Part of subcall function 0040F090: OpenFile.KERNEL32(?,?,00001002), ref: 0040F0C8

Strings

\, xrefs: 0040F102
:, xrefs: 0040F0FE

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DriveFileOpenType
String ID: :$\
API String ID: 3438546130-1166558509
Opcode ID: 3d0c5b6ff068512e4c0bf2d41de2d16c917eddc20efdf94ed0f9767c81f53711
Instruction ID: cf51e52007c286b95ec3148dfe5cf95ccafd74978a48a6d72d33f1b262ad2653
Opcode Fuzzy Hash: 3d0c5b6ff068512e4c0bf2d41de2d16c917eddc20efdf94ed0f9767c81f53711
Instruction Fuzzy Hash: 6201D8300093C6DDDB129E7898409CB3FA85F12364F14447BE8A4DA683D238D91DD365

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBAF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0040EC8F: wsprintfA.USER32 ref: 0040ECA1
Part of subcall function 0040EC8F: LoadStringA.USER32(?,?,?), ref: 0040ECCC

wsprintfA.USER32 ref: 0040EBE5
wvsprintfA.USER32(?,?,?), ref: 0040EC00

Part of subcall function 0040E9CE: __EH_prolog.LIBCMT ref: 0040E9D3

Strings

%d: %s, xrefs: 0040EBDF

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$H_prologLoadStringwvsprintf
String ID: %d: %s
API String ID: 2226253583-204819183
Opcode ID: 209dee38e97cd21e61dace71c9ad49c1c1cc31c95884004d63b32c06150c9590
Instruction ID: 405d0e39725304e2adf69b74adbd8a199fac57509e0d996f82fff7a96288691d
Opcode Fuzzy Hash: 209dee38e97cd21e61dace71c9ad49c1c1cc31c95884004d63b32c06150c9590
Instruction Fuzzy Hash: 94F036B280011C6BDF11DB91DD45FC9777CAB04304F4041A6F619E6091EA74D7594F94

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,This Setup was created with an EVALUATION VERSION of InstallShield Developer,Evaluation,00000000), ref: 00404E16

Strings

Evaluation, xrefs: 00404E0E
This Setup was created with an EVALUATION VERSION of InstallShield Developer, xrefs: 00404DE5, 00404DEA, 00404E13

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: Evaluation$This Setup was created with an EVALUATION VERSION of InstallShield Developer
API String ID: 2030045667-1943497255
Opcode ID: d35770f22b77d224fde98f1c57e51f2df697ac697fa06e62f14eaf269e39e730
Instruction ID: 81f7d222206aed133d5e53af743ba4917593388314f3f2079da2c3e5fefd30fc
Opcode Fuzzy Hash: d35770f22b77d224fde98f1c57e51f2df697ac697fa06e62f14eaf269e39e730
Instruction Fuzzy Hash: 17E02B7178431025EB30D660BC05B931A106FC0366F154077F611D41E1CABC49C283CC

Uniqueness

Uniqueness Score: -1.00%

Function 004030D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000,i1@,00000000,00403169,00000000,00000000,00000002,?,?,?,?,6@,?,00000000), ref: 004030E4
GetLastError.KERNEL32(00000000,?,?,?,?,6@,?,00000000), ref: 004030F3

Strings

i1@, xrefs: 004030D6

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: i1@
API String ID: 2976181284-147222431
Opcode ID: 3c9ddf8cc38e2a870be55b7397a8d046ff65148e255932fde6e800d86c4e774c
Instruction ID: 042e5969e138c2fce12c46e914f6b64b02bd92ca054ab00e1a9b2a544df1988f
Opcode Fuzzy Hash: 3c9ddf8cc38e2a870be55b7397a8d046ff65148e255932fde6e800d86c4e774c
Instruction Fuzzy Hash: F2D05B31108121BBC6106FA5BD05B9A7D55AB48732F010675F750751E0C6344C049B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040F30D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,@,0040ED67,?,?,?,C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI,?,?), ref: 0040F316

Part of subcall function 0040F242: CharNextA.USER32(0040F324,?,75BF3530,00000000,0040F324,?), ref: 0040F257
Part of subcall function 0040F242: CharPrevA.USER32(0040F324,0040F324,?,75BF3530,00000000,0040F324,?), ref: 0040F260
Part of subcall function 0040F242: CharNextA.USER32(00000000,0040F324), ref: 0040F278
Part of subcall function 0040F242: CharNextA.USER32(00000000), ref: 0040F27E

lstrcatA.KERNEL32(?,?,?), ref: 0040F32A

Strings

@, xrefs: 0040F30D

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prevlstrcatlstrcpy
String ID: @
API String ID: 333020154-216407459
Opcode ID: 94da3b3547a6f0991777008452cf4caa6ac9ecc6c115eda2bf12a7b700ad68aa
Instruction ID: 4597e092d500045f105f8e0b2915276f10ab28f1c4a2e0cd29367d17fda8055b
Opcode Fuzzy Hash: 94da3b3547a6f0991777008452cf4caa6ac9ecc6c115eda2bf12a7b700ad68aa
Instruction Fuzzy Hash: 46D09236004108FBCF026F91EC09D9D3F26FB08390F00C039FA0848071C773AAA6AB88

Uniqueness

Uniqueness Score: -1.00%

Function 00417A98 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00417860,00000000,00000000,00000000,004148DB,00000000,00000000,?,00000000,00000000,00000000), ref: 00417AC0
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00417860,00000000,00000000,00000000,004148DB,00000000,00000000,?,00000000,00000000,00000000), ref: 00417AF4
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00417B0E
HeapFree.KERNEL32(00000000,?), ref: 00417B25

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 0aa75030797d9862e50fafdc6ad67cbaffe824285314370c6480fc9b37fb1b73
Instruction ID: 1492b65c8b157c5c15f754d8dabc6513125b96d0921b254dcfda24046497e98f
Opcode Fuzzy Hash: 0aa75030797d9862e50fafdc6ad67cbaffe824285314370c6480fc9b37fb1b73
Instruction Fuzzy Hash: 97112B312043419FC7308F18EC45DA67BB5FB84725B944A79E152CA9F0D771AC46CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1CC Relevance: 5.0, APIs: 4, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,?,?,00000000), ref: 0040F1E8
CharNextA.USER32(00000000), ref: 0040F217
lstrcpyA.KERNEL32(?,?), ref: 0040F22C
lstrcpyA.KERNEL32(00409945,00000000), ref: 0040F232

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpy$CharNext
String ID:
API String ID: 3801418090-0
Opcode ID: 98ee409b7162e74dd1ef00b953de598329116295b9619d47c33548f82f7e43aa
Instruction ID: 737425925e3ffa32475055a8a1c6109e485c36dada703ec692aadefc2715eca0
Opcode Fuzzy Hash: 98ee409b7162e74dd1ef00b953de598329116295b9619d47c33548f82f7e43aa
Instruction Fuzzy Hash: 7E01D6BB5002197ADB205BA0EC44FAB3B6CEBC0364F14007BF704E60C0DA74994A8BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F348 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CharNextA.USER32(0040F324,00000000,75BF3530,0040F340,0040F324,0040F273,0040F324), ref: 0040F35A
CharNextA.USER32(0040F324,00000000,75BF3530,0040F340,0040F324,0040F273,0040F324), ref: 0040F374
CharNextA.USER32(00000000), ref: 0040F37C
CharNextA.USER32(00000000), ref: 0040F381

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 3d882604434e25ae71606fddee9628c7fad0dfbd49be08e115b562999293879b
Instruction ID: 8f3878698910b8e5039ab4ec968b372c541e7bc5bb3ed7296f04d6f71a41229b
Opcode Fuzzy Hash: 3d882604434e25ae71606fddee9628c7fad0dfbd49be08e115b562999293879b
Instruction Fuzzy Hash: F8F09061808A957CE73212285C4076B5B854B87330F598077D880E2ED1C27C8C8B8769

Uniqueness

Uniqueness Score: -1.00%

Function 00411142 Relevance: 5.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0041114C
GetLastError.KERNEL32 ref: 00411152
SetLastError.KERNEL32(?), ref: 00411187
SetLastError.KERNEL32(00000000), ref: 00411191

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 92de6eb2833a6d751395bf6cf8189499a40896732fdf4b99897d6eeeb9044dfb
Instruction ID: 6f681ee8b13283bb125db7fc2e862b738ffcd1c767d15f9ec49550bca3a90396
Opcode Fuzzy Hash: 92de6eb2833a6d751395bf6cf8189499a40896732fdf4b99897d6eeeb9044dfb
Instruction Fuzzy Hash: 28F02735200621B7CA202B21DC046EFE756AF99710F11442BDB1553374CB3C9CC34AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00418607 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,004170A2,?,004158DF), ref: 00418614
InitializeCriticalSection.KERNEL32(?,004170A2,?,004158DF), ref: 0041861C
InitializeCriticalSection.KERNEL32(?,004170A2,?,004158DF), ref: 00418624
InitializeCriticalSection.KERNEL32(?,004170A2,?,004158DF), ref: 0041862C

Memory Dump Source

Source File: 00000000.00000002.2201574323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2201553724.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201599967.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201622780.0000000000423000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201643464.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201662893.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2201683599.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 2e94cbee5c03e037dec18ed3b5f2628982395c1a7f57b0771ee43528fc9b5a67
Instruction ID: 599c18b1103dc95e23d505d8d02e62436a1cff87f546676f323db1b7c574fdf4
Opcode Fuzzy Hash: 2e94cbee5c03e037dec18ed3b5f2628982395c1a7f57b0771ee43528fc9b5a67
Instruction Fuzzy Hash: 70C00231A05034DACB727B67FC048453F66EB442A03568476E544510348E231C16DFDC

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\622280.rbs

C:\Program Files (x86)\ApexWin\APPLE380.SPD

C:\Program Files (x86)\ApexWin\ApexWin Claims.lnk

C:\Program Files (x86)\ApexWin\ApexWin Dialup.lnk

C:\Program Files (x86)\ApexWin\ApexWin Statements.lnk

C:\Program Files (x86)\ApexWin\ApexWin.exe

C:\Program Files (x86)\ApexWin\DosCopy.bat

C:\Program Files (x86)\ApexWin\ECP.exe

C:\Program Files (x86)\ApexWin\Extra\ALTAFORM.EXE

C:\Program Files (x86)\ApexWin\Extra\AltaDentForm.txt

C:\Program Files (x86)\ApexWin\Extra\Apex Electronic Claims.LCI

C:\Program Files (x86)\ApexWin\Extra\Apex Electronic Statements.lcs

C:\Program Files (x86)\ApexWin\Extra\EWD00014.MOD

C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE

C:\Program Files (x86)\ApexWin\Extra\data9.exe

C:\Program Files (x86)\ApexWin\Extra\pwmon.exe

C:\Program Files (x86)\ApexWin\FONTS.MFM

C:\Program Files (x86)\ApexWin\ICONLIB.DLL

C:\Program Files (x86)\ApexWin\LPT2FILE.COM

C:\Program Files (x86)\ApexWin\PKZIP25.EXE

C:\Program Files (x86)\ApexWin\PREPECF.EXE

C:\Program Files (x86)\ApexWin\PSCRIPT.DRV

C:\Program Files (x86)\ApexWin\PSCRIPT.HLP

Windows Analysis Report
SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe