Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Analysis ID:	1430330
MD5:	61144b1d8168af54da7f364640019e2c
SHA1:	091838658ea6001e64291d5541508bbb7b42f77e
SHA256:	9cfe6496621b2695f95bfabfe9baab9f167a168dd633d3c9271f86d168699cdd
Tags:	exe
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Query firmware table information (likely to detect VMs)

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe (PID: 4888 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe" MD5: 61144B1D8168AF54DA7F364640019E2C)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

ReversingLabs: Detection: 13%

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\work\dtl_dep\utility\company_lib\core\softconfig\build\abroad\Release\softconfig.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr
Source:	Binary string: F:\DTL6\dtl_install\project\DTLInstaller_duilib\Release_NU\DTLInstaller_NU.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb M source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr
Source:	Binary string: \DTInstUI\bulid\Release\DTInstUI.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422917435.000000006D2BA000.00000002.00000001.01000000.00000005.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004169000.00000004.00000020.00020000.00000000.sdmp, DTInstUI.dll.0.dr
Source:	Binary string: D:\tunk_dtl_dep\utility\company_lib\core\pcid\build\base\Release\pcid.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, pcid.dll.0.dr
Source:	Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File opened: e:	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E2C521 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,

0_2_00E2C521

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E22BD5 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,_memset,PathAddBackslashW,QueryDosDeviceW,PathAddBackslashW,PathAddBackslashW,

0_2_00E22BD5

Source: global traffic

UDP traffic: 192.168.2.6:60599 -> 209.58.131.173:3800

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: dispatch.integrate.drivethelife.com

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://bbs.160.com/forum-66-1.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bbs.160.com/forum-66-1.html0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.000000000097F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabjA
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.000000000097F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx.
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://int.softconfig.drivethelife.com/server.ashx?type=%d
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	String found in binary or memory: http://int.softconfig.drivethelife.com/server.ashx?type=%dhttp://int.updrv.com/dtl/server.ashx?type=
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://int.updrv.com/common/IntegrateUnInstallStat.ashx
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://int.updrv.com/dtl/server.ashx?type=%d
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://www.drivethelife.com/
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drivethelife.com/D
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://www.drivethelife.com/EULA.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://www.ostoto.com/licence/EULA-for-OSToto-Driver-Talent.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ostoto.com/licence/EULA-for-OSToto-Driver-Talent.html3
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://www.ostoto.com/web/install/%d/1
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ostoto.com/web/install/%d/1d?/
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: http://www.ostoto.com/web/uninstall/%d/1
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.sy
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E28968 ExitWindowsEx,

0_2_00E28968

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E486A0	0_2_00E486A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E24712	0_2_00E24712
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E3187C	0_2_00E3187C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E720D9	0_2_00E720D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E33145	0_2_00E33145
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E652E7	0_2_00E652E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E5C2C0	0_2_00E5C2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E692AF	0_2_00E692AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E6E290	0_2_00E6E290
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E3320D	0_2_00E3320D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E5E3DD	0_2_00E5E3DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E4A4D0	0_2_00E4A4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E54496	0_2_00E54496
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E47460	0_2_00E47460
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E645A6	0_2_00E645A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E3F6B3	0_2_00E3F6B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E687CF	0_2_00E687CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E4B726	0_2_00E4B726
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E6571C	0_2_00E6571C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E408C7	0_2_00E408C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E6B8CC	0_2_00E6B8CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E7089E	0_2_00E7089E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E2782D	0_2_00E2782D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E51AF0	0_2_00E51AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E64A9A	0_2_00E64A9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E4CA00	0_2_00E4CA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E47BE0	0_2_00E47BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E33BDD	0_2_00E33BDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E46CF0	0_2_00E46CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E48CF1	0_2_00E48CF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E48C50	0_2_00E48C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E45DC0	0_2_00E45DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E32D86	0_2_00E32D86
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E68D3F	0_2_00E68D3F

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: String function: 00E4E0C0 appears 55 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: String function: 00E2D9AF appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: String function: 00E2E753 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: String function: 00E56770 appears 54 times

Source: DTInstUI.dll.0.dr

Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract, compression method=store

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesubstat.dll, vs SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423076833.000000006E877000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamesubstat.dll, vs SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: substat.dll.0.dr	Binary string: %d IsWow64Processkernel32GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwCloseH
Source: pcid.dll.0.dr	Binary string: PCI{1A3E09BE-1E45-494B-9174-D7385B45BBF5}\\.\#{ad498944-762f-11d0-8dcb-00c04fc3358c}maclen[%d]CPCIDCalculator::CalculatePCID..\..\project\src\PCIDCalculator.cppcpulen[%d]bioslen[%d]GetDiskEx drive[%d] ret[%d]GetDisk drive[%d] ret[%d]disklen[%d][%d]:[%2x]GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwClosevector<T> too longm_cAssetTagNumber:%d

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr

Binary or memory string: ...Slnt

Source: classification engine

Classification label: mal42.evad.winEXE@1/16@4/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E3FC89 GetLastError,FormatMessageA,

0_2_00E3FC89

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E229D4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

0_2_00E229D4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E27203 __EH_prolog3_catch_GS,FindWindowW,PostMessageW,CreateToolhelp32Snapshot,

0_2_00E27203

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E2C69C FindResourceW,LoadResource,

0_2_00E2C69C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E2111A OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,QueryServiceStatusEx,StartServiceW,QueryServiceStatusEx,

0_2_00E2111A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{A043B702-166A-4FB8-9733-E2BC4713F36F}33

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: DAR0	0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: DAR	0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: DAR2	0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: global_app_id	0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: InstallPath	0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: DTLSE_OnInstall	0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Command line argument: ~&	0_2_00E625D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

File read: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\English.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

ReversingLabs: Detection: 13%

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: <soft><softid>%d</softid><name>%s</name><describe>%s</describe><url>%s</url><checked>%d</checked> <installparam>%s</installpar
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: Khttp://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: -start
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	String found in binary or memory: 'http://www.ostoto.com/web/install/%d/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

File written: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Armenian.ini

Jump to behavior

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static file information: File size 12960432 > 1048576

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc21e00

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\work\dtl_dep\utility\company_lib\core\softconfig\build\abroad\Release\softconfig.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr
Source:	Binary string: F:\DTL6\dtl_install\project\DTLInstaller_duilib\Release_NU\DTLInstaller_NU.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb M source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr
Source:	Binary string: \DTInstUI\bulid\Release\DTInstUI.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422917435.000000006D2BA000.00000002.00000001.01000000.00000005.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004169000.00000004.00000020.00020000.00000000.sdmp, DTInstUI.dll.0.dr
Source:	Binary string: D:\tunk_dtl_dep\utility\company_lib\core\pcid\build\base\Release\pcid.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, pcid.dll.0.dr
Source:	Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_01ACE930 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_01ACE930

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E4F47C push ecx; ret	0_2_00E4F48F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E567B5 push ecx; ret	0_2_00E567C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E58728 push edx; ret	0_2_00E58729

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\DTInstUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E2111A OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,QueryServiceStatusEx,StartServiceW,QueryServiceStatusEx,

0_2_00E2111A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E54496 __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E54496

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E21094

0_2_00E21094

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	System information queried: FirmwareTableInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\DTInstUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-34754

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E21094

0_2_00E21094

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E2C521 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,

0_2_00E2C521

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E22BD5 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,_memset,PathAddBackslashW,QueryDosDeviceW,PathAddBackslashW,PathAddBackslashW,

0_2_00E22BD5

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	API call chain: ExitProcess graph end node			graph_0-35513
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	API call chain: ExitProcess graph end node			graph_0-35313

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E671A1 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00E671A1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E2764D _memset,SHGetSpecialFolderPathW,_memset,__swprintf,OutputDebugStringW,OutputDebugStringW,_memset,GetLastError,__swprintf,OutputDebugStringW,SetEnvironmentVariableW,_memset,GetLastError,__swprintf,OutputDebugStringW,

0_2_00E2764D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_01ACE930 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_01ACE930

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E74433 GetProcessHeap,

0_2_00E74433

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E58BC7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E58BC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: 0_2_00E58BA4 SetUnhandledExceptionFilter,		0_2_00E58BA4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E21E30 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,FindWindowW,SwitchToThisWindow,

0_2_00E21E30

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E547A7 cpuid

0_2_00E547A7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: GetLocaleInfoW,	0_2_00E6702D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,	0_2_00E63248
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement,	0_2_00E6420E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	0_2_00E663B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__calloc_crt,__invoke_watson,	0_2_00E5A5E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00E67598
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00E666E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00E66668
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: EnumSystemLocalesW,	0_2_00E66628
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_2_00E66768
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00E6384C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: GetLocaleInfoW,	0_2_00E6695B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00E66A83
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_00E66B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_00E66C04

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E508F5 GetSystemTimeAsFileTime,__aulldiv,

0_2_00E508F5

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Code function: 0_2_00E60779 __lock,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E60779

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	3 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	4 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	23 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\DTInstUI.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll	4%	ReversingLabs

Source	Detection	Scanner	Label
http://int.updrv.com/dtl/server.ashx?type=%d	0%	Avira URL Cloud	safe
http://int.updrv.com/common/IntegrateUnInstallStat.ashx	0%	Avira URL Cloud	safe
https://d.sy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
online1.integrate.drivethelife.com	209.58.131.173	true	false	high
dispatch.integrate.drivethelife.com	209.58.131.173	true	false	high
behaviorgather.integrate.drivethelife.com	209.58.131.173	true	false	high
int.softconfig.drivethelife.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ostoto.com/web/install/%d/1d?/	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://int.updrv.com/dtl/server.ashx?type=%d	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false	Avira URL Cloud: safe	unknown
http://www.ostoto.com/licence/EULA-for-OSToto-Driver-Talent.html3	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html....................	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	false		high
http://www.symauth.com/rpa00	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	false		high
http://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx.	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://bbs.160.com/forum-66-1.html	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
https://d.sy	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://int.softconfig.drivethelife.com/server.ashx?type=%d	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
http://www.drivethelife.com/	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
http://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
http://www.ostoto.com/web/uninstall/%d/1	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
http://bbs.160.com/forum-66-1.html0	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr	false		high
http://int.updrv.com/common/IntegrateUnInstallStat.ashx	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false	Avira URL Cloud: safe	unknown
http://www.drivethelife.com/EULA.html	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
http://www.ostoto.com/web/install/%d/1	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	false		high
http://www.openssl.org/support/faq.html	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	false		high
http://int.softconfig.drivethelife.com/server.ashx?type=%dhttp://int.updrv.com/dtl/server.ashx?type=	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr	false		high
http://www.drivethelife.com/D	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ostoto.com/licence/EULA-for-OSToto-Driver-Talent.html	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
209.58.131.173	online1.integrate.drivethelife.com	United States		7203	LEASEWEB-USA-SFO-12US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430330
Start date and time:	2024-04-23 14:39:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Detection:	MAL
Classification:	mal42.evad.winEXE@1/16@4/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 33 Number of non-executed functions: 127
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
209.58.131.173	DriverTalent_111_8_1_5_16	Get hash	malicious	Unknown	Browse
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
online1.integrate.drivethelife.com	DriverTalent_111_8_1_5_16	Get hash	malicious	Unknown	Browse	209.58.131.173
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse	209.58.131.173
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse	209.58.131.173
behaviorgather.integrate.drivethelife.com	DriverTalent_111_8_1_5_16	Get hash	malicious	Unknown	Browse	209.58.131.173
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse	209.58.131.173
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse	209.58.131.173
dispatch.integrate.drivethelife.com	DriverTalent_111_8_1_5_16	Get hash	malicious	Unknown	Browse	209.58.131.173
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse	209.58.131.173
	n7Vvc3eoSX.exe	Get hash	malicious	Babadeda, Vidar	Browse	209.58.131.173

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-SFO-12US	file.exe	Get hash	malicious	Unknown	Browse	23.106.238.238
	file.exe	Get hash	malicious	Unknown	Browse	23.106.238.238
	o2mV9s50D5.elf	Get hash	malicious	Mirai	Browse	142.91.171.245
	xQwEu422am.elf	Get hash	malicious	Mirai	Browse	23.108.167.236
	file.exe	Get hash	malicious	Unknown	Browse	23.106.238.238
	file.exe	Get hash	malicious	Unknown	Browse	23.106.238.238
	http://midjourney.co	Get hash	malicious	Unknown	Browse	23.81.165.11
	z3LCu8rCpN.elf	Get hash	malicious	Mirai	Browse	23.108.120.209
	x86.elf	Get hash	malicious	Mirai	Browse	142.91.37.62
	https://digitalmissioners.com	Get hash	malicious	Unknown	Browse	23.81.165.11

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1410736
Entropy (8bit):	7.504942644396103
Encrypted:	false
SSDEEP:	24576:67szuWfBpQgHQeZYzrRJXG+y7Cz39X50Uk8e8Fa53AzB9Q:p/OVyQ39J0UkMap4Q
MD5:	301BC53BE97D7F122FBD2CCFF6D196B8
SHA1:	FCCAB579B8CF0A723FE917C0C1DF67194DE6B977
SHA-256:	9576B6749E538B2E8FC1A8BBDD8CF5135F31C5BF9F297DE6CE35602E0D8C013F
SHA-512:	04D3B3F3C240A51EAB4FF3C42E5FFC0BB59AFF054637E203C86C16275240361C70D3CB80F1EA525B2F674F98838CB41F1A2F52710DC151A269F1AA3F57B5B30C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8.[jY..jY..jY..M...kY..c!..qY..c!..-Y..c!...Y..M.\|.gY..M.j.qY..jY..0X..c!..TY..c!..kY..t...kY..c!..kY..RichjY..........PE..L.....Y...........!.................]....................................................@.......................................... ...............R...4......Ll..................................s..@............................................text...M........................... ..`.rdata..............................@..@.data...,Z.......:..................@....rsrc........ ......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Armenian.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2002
Entropy (8bit):	4.3703707325215095
Encrypted:	false
SSDEEP:	48:rKs/Z8XrvU1SG8wsiFeUNuCX99IQJm9mCbmx+d8dtmL+SmeA+ImWUPmoddJQYQ:rKs/6TnG8L+NuCXfIQJm9mCbmxzXmL+d
MD5:	477E56882AF75A082F45CFB4E67BC834
SHA1:	575D1FA531BFD3A04BBB67805791C8CF2DF5503E
SHA-256:	DC8216486E3007C03E2E43964983401DF699D9E86398974BB79470CCC5F0FF5C
SHA-512:	CB16BDAF10297BCDEF49425DD75192B59F05D5C16CFC26FEF400DBAC3F1BBA75EB5D72F542895B43FC74650FC3C0C0CE25F7A8A7C6C0FDABADC195BA3242DB05
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.2.e.\|.v.~.x...t. .g. .D.r.i.v.e.r. .T.a.l.e.n.t. ...e.r.a.d...t.a.v. .p.a.t.a.........S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.2.a...k. .c.a.l.x...}... .D.r.i.v.e.r. .T.a.l.e.n.t.-. .k. ...c...a.c.x...n.x...t.h.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.O.e.r.a.d...e.l.x.~. .o.a.t. ...c...a.c.x...n.e.l.x.~. .a.u.}. .a.z...a.v...h.,. .d.x..... .p.a.t.a.q.a.u.v.x...t. .e... .<.a.>. .<.u.>. .D.r.i.v.e.r. .T.a.l.e.n.t. .l.k...e.v.f.a.u.k.v. .z.a.u.t.a.v.a.c...k. .<./. .u.>. .<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.8.v.d.x...v.e.l. .e... ...e.r.a.d...e.l.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.1.v.q.v.a.o.a.v. ...e.r.a.d...x...t.h.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.2.a... .i.r.i.a.z.a.v.a.o.h.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Bulgarian.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2004
Entropy (8bit):	4.3275744310729864
Encrypted:	false
SSDEEP:	48:r0ymZ8X80yG8jmDZX0IQKJm0DmklhDmxXj+emLZWjZ+1mPY7E:rPm68pG86dX0IQgmgmk/mxNmLZ6QmPYw
MD5:	B1105D3C95E6E4377F22636424DADE56
SHA1:	AD991766A038C61ACC58351AFC6A8C53EC06C375
SHA-256:	84FA2843F6F6900DE29FAFD9B2B8C76016720E494350F52F002E5DB6B5358966
SHA-512:	1BA8450656F29C6AE4DCB9039FC4472591CC8BDB12DF968A39F38E04265F676ECB0BBF2D191DAEF87905F2B9B994B1C4EFEA0A62607EE697F90D2185EE61EDC3
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=...0.@.5.6.4.0.=.5. .7.0. .8.=.A.B.0.;.8.@.0.=.5. .D.r.i.v.e.r. .T.a.l.e.n.t.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=...>.1.@.5. .4.>.H.;.8. .4.0. .8.7.?.>.;.7.2.0.B.5. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.'.@.5.7. .8.=.A.B.0.;.8.@.0.=.5.B.>. .8.;.8. .8.7.?.>.;.7.2.0.=.5.B.>. .=.0. .B.>.7.8. .?.@.>.4.C.:.B. .?.@.8.5.<.0.B.5. .<.a.>. .<.u.>. .;.8.F.5.=.7.8.>.=.=.>.B.>. .A.?.>.@.0.7.C.<.5.=.8.5. .D.r.i.v.e.r. .T.a.l.e.n.t.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=...@.8.5.<.0.=.5. .8. .8.=.A.B.0.;.8.@.0.=.5.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=...=.A.B.0.;.8.@.0.=.5. .?.>. .;.8.G.=.8. .?.@.5.4.?.>.G.8.B.0.=.8.O.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=...B.2.>.@.5.=.0. .?.0.?.:.0.....S.T.R._.C.U.S.T.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\English.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1826
Entropy (8bit):	3.8002533942888994
Encrypted:	false
SSDEEP:	48:rmmdZ8Xm0yG8lDMtZX+u7IQQCNmr4mxUmxmNAC94mLL1iQB+ubmc7l18HICj:rmmd6mpG85AX+UIQxmr4mxUmxmuC94mO
MD5:	C218CB809230BB3C74AD64A247B4D9EE
SHA1:	CA1E77DA0926B7BF6C47971BBDA1947A03E009E1
SHA-256:	00F77A864DB64DB06A2FC71E6CB979D6D20477E181906A13D531A272BBC9B1F9
SHA-512:	06811D5E129F2F8DDCD6CDFD0A309CF3BAF1A76197234C7A0C93309CAF4233D525AC4169139894745AA9F074EB6221F25526DC2BF42E469B4AF5E90F505BA04B
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.L.o.a.d.i.n.g. .f.o.r. .D.r.i.v.e.r. .T.a.l.e.n.t. .i.n.s.t.a.l.l.a.t.i.o.n.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.W.e.l.c.o.m.e. .t.o. .u.s.e. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.B.y. .i.n.s.t.a.l.l.i.n.g. .o.r. .u.s.i.n.g. .t.h.i.s. .p.r.o.d.u.c.t.,. .y.o.u. .a.g.r.e.e. .t.o. .<.a.>.<.u.>.D.r.i.v.e.r. .T.a.l.e.n.t. .L.i.c.e.n.s.e. .A.g.r.e.e.m.e.n.t.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.A.c.c.e.p.t. .a.n.d. .I.n.s.t.a.l.l.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.C.u.s.t.o.m. .I.n.s.t.a.l.l.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.O.p.e.n. .F.o.l.d.e.r.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.P.=.C.r.e.a.t.e. .a. .D.e.s.k.t.o.p. .I.c.o.n.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.M.E.N.U.=.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\French.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	3.793793035589772
Encrypted:	false
SSDEEP:	48:rzmZ8X00yG8US0qWsDZX+FYTIQMKrmQ4mVmxD4mLF6L+wt4mF9R9i9:rzm60pG8US0qWsdX+CTIQ/mQ4mVmxD42
MD5:	DADC5BBC0A65A7DF49D77EDC793C75BA
SHA1:	C20B28B9AC761640C9E60B1BD5F12C5BBB297FCB
SHA-256:	59EDA82F15B828FFF349F28C1BE769B36F7872317AF4BBE94C2793A009FBEF5B
SHA-512:	6E11BEB68EAFDDFA61CADC7B9192CE53922B12E49E7FB6002F1D59F1CF5A6D9FC910595CBDC91A41EF637716ADB97C69DB503B78C0BBC9374DAD2978A616D712
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.C.h.a.r.g.e.m.e.n.t. .p.o.u.r. .l.'.i.n.s.t.a.l.l.a.t.i.o.n. .d.e. .D.r.i.v.e.r. .T.a.l.e.n.t.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.B.i.e.n.v.e.n.u.e. .d.a.n.s. .l.'.I.n.s.t.a.l.l.e.u.r. .d.e. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.E.n. .i.n.s.t.a.l.l.a.n.t. .o.u. .e.n. .u.t.i.l.i.s.a.n.t. .c.e. .p.r.o.d.u.i.t.,. .v.o.u.s. .a.c.c.e.p.t.e.z. .l.e. .<.a.>.<.u.>.c.o.n.t.r.a.t. .d.e. .l.i.c.e.n.c.e. .D.r.i.v.e.r. .T.a.l.e.n.t.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.A.c.c.e.p.t.e.r. .e.t. .I.n.s.t.a.l.l.e.r.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.I.n.s.t.a.l.l.a.t.i.o.n. .p.e.r.s.o.n.n.a.l.i.s...e.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.O.u.v.r.i.r. .l.e. .d.o.s.s.i.e.r.....S.T.R._.C.U.S.T.O.M._.P.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\German.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2070
Entropy (8bit):	3.7941777374928076
Encrypted:	false
SSDEEP:	48:rnStdZ8X1UdxTG8wweaeUO9gZX+M0+wpIQIumPmFDa9mxaDaOy4mLhc9R+mmdlVH:rnGd61WxTG8VCbUX+M0vpIQFmPmZ+mx5
MD5:	4744678D11BE01D0CD1B335DA1828FFB
SHA1:	CAB4B8B174D2514E64D2AEA8B13A3B27EB69B11F
SHA-256:	B582D72220E4432B32A587B0186192ACE366377DE7B4AE9D7590DABEC137061C
SHA-512:	89F15A1EB64CEA8A7DF294CD55499ED5AC52EF823603E4EFEB5A7880FB478A461A16A4F910B3E0FEAF8A75A01A8427BE5BEB5D3A70C468DD5DA1D043589E58F8
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.L.a.d.e.n. .f...r. .D.r.i.v.e.r. .T.a.l.e.n.t. .I.n.s.t.a.l.l.a.t.i.o.n.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.W.i.l.l.k.o.m.m.e.n. .b.e.i.m. .D.r.i.v.e.r.-.T.a.l.e.n.t.-.I.n.s.t.a.l.l.i.e.r.e.r.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.D.u.r.c.h. .I.n.s.t.a.l.l.i.e.r.e.n. .o.d.e.r. .B.e.n.u.t.z.e.n. .d.i.e.s.e.s. .P.r.o.d.u.k.t.s. .a.n.e.r.k.e.n.n.e.n. .S.i.e. .d.i.e. .<.a.>.<.u.>.D.r.i.v.e.r.-.T.a.l.e.n.t.-.L.i.z.e.n.z.v.e.r.e.i.n.b.a.r.u.n.g.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.A.k.z.e.p.t.i.e.r.e.n. .u.n.d. .I.n.s.t.a.l.l.i.e.r.e.n.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.B.e.n.u.t.z.e.r.d.e.f.i.n.i.e.r.t.e. .I.n.s.t.a.l.l.a.t.i.o.n.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.O.r.d.n.e.r. ...f.f.n.e.n.....S.T.R._.C.U.S.T.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Greek.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2082
Entropy (8bit):	4.498077062477437
Encrypted:	false
SSDEEP:	48:rntmZ8XsC0yG8l+G+uCXuZEIQYLPm44mmm0n6mxcvsmLrre+vmYhflADRSZ:rntm6sCpG8l+ZuCXWEIQsPm44mR06mxq
MD5:	CFD3F871C1DF18233522A2045D80A139
SHA1:	CC4DB1A2221717E88187F755EF8D0674A9A9494F
SHA-256:	9CF117A5B422250A3E44E3561708612A2A5762BF2AA515C7CFCB7609418D451B
SHA-512:	37213625A656C35D17C3BDC107A5754EA6FAD7D31B0F791D6788ED00EB663F8A486AD04A45D19119B4415C6EAC48A90A12C1757699C16C7614769B06161DA4EA
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=............... ....... ....................... ....... .D.r.i.v.e.r. .T.a.l.e.n.t.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=........... ............... ....... ........... ....... .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=..... ....... ....................... ... ..... ........... ........... ....... ...................,. ..................... ..... .<.a.>. .<.u.>. ........... ............. .D.r.i.v.e.r. .T.a.l.e.n.t. .<./. .u.>. .<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=............... ....... ...........................S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=........................... ...............................;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=................. ...................S.T.R._.C.U.S.T.O.M._.P.A.G.E._.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Japanese.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	4.578522500187184
Encrypted:	false
SSDEEP:	48:rFZRzZ8XwVG8z0/X7IQPmgmrkrmxrVA1mLp/+C2m4SL:rFvz6wVG8zMX7IQPmgmqmxrK1mLp/j20
MD5:	725D679274128A159D8E9A822837BD80
SHA1:	3B1D7A7EDF78B03702F4C50C69D05AA0001F321C
SHA-256:	480699028A553C761126B6527DE9AE228055A24D9398ACF88D2BABD5FF75A85A
SHA-512:	5AD7315068FA1D0447A931304782E0448E7EB869CBC7C20A727880D83E9994C41DACADC9E63F23BEE1EC551F9A3F4859CBA3639D4686EF6AB8307036DE62B287
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.D.r.i.v.e.r. .T.a.l.e.n.t.n0.0.0.0.0.0.0n0_0.0n0...0...0.0....S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. ..0.0.0.0.0.0.0k0.0F0S0]0....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.S0n0...T.0.0.0.0.0.0.0~0_0o0.O(uY0.0S0h0g0.0<.a.>.<.u.>.D.r.i.v.e.r. .T.a.l.e.n.t. ..O(u1...QY.}<./.u.>.<./.a.>.k0.T.aW0_0S0h0k0j0.0~0Y0.0....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=..T.aW0f0.0.0.0.0.0.0....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=..0.0.0.0.0.0.0.0.0.0........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=..0.0.0.0.0..O0....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.P.=..0.0.0.0.0.0n0.0.0.0.0.0\O.b....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.M.E.N.U.=..0.0.0.0.0.0.0.0.0.0.0.0.0\O.bW0~0Y0....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.B.A.C.K.=..0.0.0.0........;.OS..u.b.....S.T.R._.l.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Polish.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	3.9391359271038993
Encrypted:	false
SSDEEP:	48:rEiZ8XQ0yG8o+xEWfMsCX+RIQvmo4m4oY5mxhMRmmLefU4E+C5m6wrLV:rEi6QpG8o+/FCX+RIQvmo4mtamxhMRmV
MD5:	D3A6D66B591B77EF3803F19BFE43357F
SHA1:	52B0A3650B1686791572DBCA8A15E462A18D516B
SHA-256:	8B4B06E23058560D9F93E370C63D99AF6ABAD7ED5FE905282D304E7A2B4DA899
SHA-512:	963C8EF9476C6836B9C739F96ABAF57CAEB8F412B3E3FC6CBB2864AB860B1987B4CA6888721953B08B3A1014F576AE21420A2CA9E7D20DCED06119113649E239
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.A.a.d.o.w.a.n.i.e. .d.o. .D.r.i.v.e.r. .T.a.l.e.n.t. .i.n.s.t.a.l.a.c.j.i.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.Z.a.p.r.a.s.z.a.m.y. .d.o. .k.o.r.z.y.s.t.a.n.i.a. .z. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.I.n.s.t.a.l.u.j...c. .l.u.b. .u.\|.y.w.a.j...c. .t.e.g.o. .p.r.o.d.u.k.t.u.,. .w.y.r.a.\|.a.s.z. .z.g.o.d... .n.a. .<.a.>. .<.u.>. .D.r.i.v.e.r. .T.a.l.e.n.t. .L.i.c.e.n.s.e. .A.g.r.e.e.m.e.n.t. .<./. .u.>. .<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.A.k.c.e.p.t.u.j. .i. .z.a.i.n.s.t.a.l.u.j.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.I.n.s.t.a.l.a.c.j.a. .n.i.e.s.t.a.n.d.a.r.d.o.w.a.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.O.t.w...r.z. .f.o.l.d.e.r.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.P.=.S.t.w...

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Portuguese.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1954
Entropy (8bit):	3.7968320372005917
Encrypted:	false
SSDEEP:	48:rEmZ8XeE0yG8YFNdaDZX+1FITIQsomQmtjR7mxwJ4mL0h+E4m6ZYggOf+3:rEm6HpG8YladX+1yTIQbmQmt17mxU4mW
MD5:	148F7CD8F300A45128677375760EB2E2
SHA1:	F2DD4388B3076A3AEC9E037DB482BCCE35288669
SHA-256:	A935DDAEC2F4DECD46E63D6BE75929C1663D7CD8352A8C8273BBA753755889B2
SHA-512:	6A8F0C4CD26D2BDD742A7E71215D429C6F2DA24769514A6EB2A11C83FD4732950C61A5932B9B7F7791C6B3AAF97FA2AB2154C7DF018C9AA2529453B87B20D12F
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.C.a.r.r.e.g.a.n.d.o. .p.a.r.a. .a. .i.n.s.t.a.l.a.....o. .d.o. .D.r.i.v.e.r. .T.a.l.e.n.t.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.B.e.m.-.v.i.n.d.o. .a.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.A.o. .i.n.s.t.a.l.a.r. .o.u. .u.s.a.r. .e.s.t.e. .p.r.o.d.u.t.o.,. .v.o.c... .a.c.e.i.t.a. .o. .<.a.>.<.u.>.C.o.n.t.r.a.t.o. .d.e. .L.i.c.e.n...a. .d.a. .D.r.i.v.e.r. .T.a.l.e.n.t.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.A.c.e.i.t.a.r. .e. .I.n.s.t.a.l.a.r.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.I.n.s.t.a.l.a.....o. .p.e.r.s.o.n.a.l.i.z.a.d.a.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.P.a.s.t.a. .a.b.e.r.t.a.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.P.=.C.r.i.a.r. .u.m. ...c.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Russian.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.360400151941801
Encrypted:	false
SSDEEP:	48:r0fmZ8Xik0yG8gqu/YADZXfTIQ46mEKmpDmxKbmLZ8Yw+7m3plnBYW:ram6rpG8gL/YAdX7IQ5mtmtmxKbmLZ8V
MD5:	850DCB75CA9AD9E82262809BEB776993
SHA1:	E05F86ACF326925529D6577AB12E35B19F46D613
SHA-256:	84BEFF254365E394B92EB5EA686BB98ED8DB240281F2D16AAA30F4F2AA247B37
SHA-512:	F213FFBF864862CA7E86E29871E4016A30B4E0A6AAE959E858FBFFD24E1B671F8846EF02B662BA7C3ADEDBFCFA6068789264EE36192ABC0B573E6D7B0ED94125
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=...0.3.@.C.7.:.0. .4.;.O. .C.A.B.0.=.>.2.:.8. .D.r.i.v.e.r. .T.a.l.e.n.t.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=...>.1.@.>. .?.>.6.0.;.>.2.0.B.L. .2. .8.A.?.>.;.L.7.>.2.0.=.8.5. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=...@.8. .C.A.B.0.=.>.2.:.5. .8.;.8. .8.A.?.>.;.L.7.>.2.0.=.8.8. .M.B.>.3.>. .?.@.>.4.C.:.B.0. .2.K. .A.>.3.;.0.H.0.5.B.5.A.L. .<.a.>.<.u.>...8.F.5.=.7.8.>.=.=.>.5. .A.>.3.;.0.H.5.=.8.5. .>. .D.r.i.v.e.r. .T.a.l.e.n.t.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=...@.8.=.O.B.L. .8. .C.A.B.0.=.>.2.8.B.L.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=...K.1.>.@.>.G.=.0.O. .C.A.B.0.=.>.2.:.0.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=...B.:.@.K.B.L. .D.0.9.;.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Spanish.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2012
Entropy (8bit):	3.7680430429090093
Encrypted:	false
SSDEEP:	48:rSvLZ8XiP0yG8kiKYDZX+yFITIQzkom8mxMZmxmyymmLNAB+o1+4mNXB8lmPiBA:rSvL6iPpG8kZYdX+yyTIQzjm8mxwmxmd
MD5:	5AA1FE95F88A79A5D2181855A9228033
SHA1:	00B254E1DA56BC54D3D68475AC987292E9B43703
SHA-256:	850017B3DB86BD86DED1F1170E893F2EC18F45EF0D54325F0A1B2FF665DF3B2A
SHA-512:	E45056B2346CCD80506192C64941EF84E0CDCCF62EF8B6936E6F29B1947C7B845511BD4B511592A933F90582444D4DCB42959502230CEACCA0E3DB6A70EFAA3C
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.C.a.r.g.a.n.d.o. .p.a.r.a. .D.r.i.v.e.r. .T.a.l.e.n.t. .i.n.s.t.a.l.a.c.i...n.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.B.i.e.n.v.e.n.i.d.o. .a.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .D.r.i.v.e.r. .T.a.l.e.n.t.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.P.a.r.a. .i.n.s.t.a.l.a.r. .o. .u.s.a.r. .e.s.t.e. .p.r.o.d.u.c.t.o.,. .u.s.t.e.d. .d.e.b.e. .e.s.t.a.r. .d.e. .a.c.u.e.r.d.o. .c.o.n. .e.l. .<.a.>.<.u.>.A.c.u.e.r.d.o. .d.e. .L.i.c.e.n.c.i.a. .D.r.i.v.e.r. .T.a.l.e.n.t.<./.u.>.<./.a.>.....S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.A.c.e.p.t.a.r. .e. .I.n.s.t.a.l.a.r.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=.I.n.s.t.a.l.a.c.i...n. .P.e.r.s.o.n.a.l.i.z.a.d.a.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.A.b.r.i.r. .C.a.r.p.e.t.a.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Turkish.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1890
Entropy (8bit):	3.9177491703568497
Encrypted:	false
SSDEEP:	48:rFfRZ8XwTG8DliFq4XiGIQdrmHmSWmx5omLPvUs+ymDIeaeFcu:rFfR6wTG8oFTXTIQBmHmSWmx5omLnUsu
MD5:	8809690693704F3BFAA513F2D9784CBF
SHA1:	6029E5AF271495CDFB3103F8AD84083A6DF508AA
SHA-256:	EA3D87F15E6D7A7B08F3E37F754F40CEDE2E41F8C146B67476ABA1534D97E648
SHA-512:	CD2D131AF9F74D83180BC8F922F3904C0BCD2BE5A57A77D9725CF69FFBCA77290846D0DDE0A8F3AF9CF69BDE320F0DA235C64AF2581A4B707B38F056CB714B05
Malicious:	false
Reputation:	low
Preview:	..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T._.I.N.I.T._.T.I.P.=.D.r.i.v.e.r. .T.a.l.e.n.t. .y...k.l.e.m.e.s.i. .y...k.l.e.n.i.y.o.r.......S.T.R._.M.A.I.N.W.N.D._.T.I.T.L.E.=.D.r.i.v.e.r. .T.a.l.e.n.t. .-. .I.n.s.t.a.l.l.a.t.i.o.n.........;..[...u.....S.T.R._.F.I.R.S.T._.P.A.G.E._.W.E.L.C.O.M.E.=.D.r.i.v.e.r. .T.a.l.e.n.t.'.i. .k.u.l.l.a.n.m.a.y.a. .h.o._. .g.e.l.d.i.n.i.z.....S.T.R._.F.I.R.S.T._.P.A.G.E._.l.I.C.E.N.S.E.=.B.u. ...r...n... .y...k.l.e.y.e.r.e.k. .v.e.y.a. .k.u.l.l.a.n.a.r.a.k.,. .<.a.>. .<.u.>. .D.r.i.v.e.r. .T.a.l.e.n.t. .L.i.s.a.n.s. .A.n.l.a._.m.a.s.1. .<./. .u.>. .<./.a.>. .n.1. .k.a.b.u.l. .e.t.m.i._. .o.l.u.r.s.u.n.u.z.......S.T.R._.F.I.R.S.T._.P.A.G.E._.I.N.S.T.A.L.L.=.K.a.b.u.l. .E.t. .v.e. .Y...k.l.e.....S.T.R._.F.I.R.S.T._.P.A.G.E._.C.U.S.T.O.M.=...z.e.l. .y...k.l.e.m.e.........;.(u7b..y.u.b.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.O.P.E.N.F.L.O.D.E.R.=.A...1.k. .d.o.s.y.a.....S.T.R._.C.U.S.T.O.M._.P.A.G.E._.D.E.S.K.T.O.P.=.M.a.s.a...s.t... .s.i.m.g.e.s.i. .y.a.r.a.t.....

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	134320
Entropy (8bit):	6.670168945334509
Encrypted:	false
SSDEEP:	1536:rpfIBeWKNKHHH6kNr8oeie2dLVyTECMlB7LWZ0QwlncB5nEhG44hV:dflGHa/7aB3QwlncB5n6b4f
MD5:	25B1811C74D68C23E13727C0CD71DABD
SHA1:	1F309CE705766382DCC196B9E4D67E6A4ABABC1F
SHA-256:	873D35358170C308C98BE5215CE5B255B788D3FEFFF5AE82B86AF59279DE1677
SHA-512:	E85F4238F6B3AE6CC7288D7655992B389CAE9A59F06265F10FA29F0EFA8FF7E25BF6873661308DC483DAA3A4A55DFA04E85E8C21F88EE6D773F6E7FAF8BC17EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..^..^..^.....^....z.^..[3..^......^.....^..[%..^.._.l.^......^.....^.....^.....^.Rich.^.........PE..L.....W...........!.....^...v......(........p............................... .......J....@.........................`..................L................4...........q..................................@............p...............................text....].......^.................. ..`.rdata..N<...p...>...b..............@..@.data....0..........................@....rsrc...L...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1780736
Entropy (8bit):	6.791309928164918
Encrypted:	false
SSDEEP:	24576:T/mW5mVjT3xTe9axrYFb1xXcUcgTKapa6Y9juppaCcp/IodwVHapK:bmB3xTeSOLs4Tzpa3EUCcp/IoUHapK
MD5:	8CBD024FA59F52272C6B7E2EFBD3507A
SHA1:	C7A4C35642A1B91D093CFB3D9900F7EC84DB352C
SHA-256:	FF9FD95D6F98CFFC6D2C296320501BEC0DA9748BDFB59D3C28C5FA055341B893
SHA-512:	11046325B7CEEE77FE662F4D59702421500DCC9E53C76329150209E3E7BC764EFB95A78F94AE2172C5BCC519A52A86CCDD5AC018C102EA462BBEBB9B0BF48A02
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..m..@>..@>..@>...>..@>...>D.@>...>M.@>...>..@>',;>..@>..A>..@>...>8.@>...>..@>...>..@>...>..@>Rich..@>........PE..L...qv.Y...........!.........p......l...............................................).....@......................... }.......k.......p..L............................................................)..@............................................text.............................. ..`.rdata..............................@..@.data................l..............@....rsrc...L....p......................@..@.reloc..J...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	169648
Entropy (8bit):	6.658586828116448
Encrypted:	false
SSDEEP:	3072:PdUA7dHAlB70un3xxjUrfQn2ZilfNZxlM59dHKki8L+:VN7+PBLjUr42ZilFZkUR
MD5:	BE8B79788E7E42CB2B90D775EC97A094
SHA1:	8C605A7E70BD01C8F516C00BA001F44E69958E7D
SHA-256:	D5D48D7BA1204C057455195D9388FA3CF86AE896C7ABA3457653329DB7B56BCD
SHA-512:	3506668F658DB81B53ABE7C98DC87C5A62780325C3587E498616B9CB3852D4C4C261A124AB0FA8626F8E54B5AE7325BF0D99C2C078F26D62C77D4F7729C6ED7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............q^..q^..q^.;.^..q^..^..q^...^..q^...^..q^...^V.q^.;.^..q^..p^..q^...^..q^...^..q^..^..q^...^..q^Rich..q^........................PE..L.....<X...........!................................................................j.....@......................... ...............p..@............b...4..............................................@...............4............................text.............................. ..`.rdata...Q.......R..................@..@.data....>...0..."..................@....rsrc...@....p.......0..............@..@.reloc...*.......,...6..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.992476917613254
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
File size:	12'960'432 bytes
MD5:	61144b1d8168af54da7f364640019e2c
SHA1:	091838658ea6001e64291d5541508bbb7b42f77e
SHA256:	9cfe6496621b2695f95bfabfe9baab9f167a168dd633d3c9271f86d168699cdd
SHA512:	d281c9c3ad370b884606ce38e1b1d2b55008598de2af6a1f9527d9bc97df3f1a9e085ce2e9b66c8ad0873c0d0539a70f9817b27baabf82f27bccbf30dab0a779
SSDEEP:	196608:mINErayu7wK1k7fVPWJ4bc/Hkxqjk1gnyx/RnQx9jx/dy0PtGrc5DL4p/DG6Jhm/:1NEAh1k7fxWJ4GBk1XgtZkbGuhPO2O9D
TLSH:	86D633D17994194BC84E063EF0275A796FB2E19D0A20B31AC7466D5CFB64FCDF20A90E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................A~......A}.7....A\|.......0....... .........A....i~.....?k`.....?kz.......$.....?k......Rich...................

File Icon


Icon Hash:	8e1939602d29370e

Static PE Info

General

Entrypoint:	0x10ae930
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x59929765 [Tue Aug 15 06:40:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9839050326998486d9cba92bfaf396b9

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	16/02/2017 01:00:00 19/11/2019 00:59:59
Subject Chain	CN=OSTOTO CO. LIMITED, OU=International DEPT, O=OSTOTO CO. LIMITED, L=HongKong, S=HongKong, C=HK
Version:	3
Thumbprint MD5:	954398F2A4B792C85166DCCCE550E20C
Thumbprint SHA-1:	1439D6BD763B63B3FCDA5393B1998A17EAA7898B
Thumbprint SHA-256:	30093174523EB36392CD3F18D025660FBD22D24B8EF7399B2DDD7DA0D146326A
Serial:	4D5940384D9AD293948E2C4013C204D0

Entrypoint Preview

Instruction
pushad
mov esi, 01078000h
lea edi, dword ptr [esi-00C77000h]
push edi
jmp 00007F8A2150B83Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8A2150B81Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F8A2150B83Dh
jne 00007F8A2150B85Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8A2150B851h
dec eax
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8A2150B806h
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F8A2150B884h
xor ecx, ecx
sub eax, 03h
jc 00007F8A2150B843h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F8A2150B8A7h
sar eax, 1
mov ebp, eax
jmp 00007F8A2150B83Dh
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8A2150B7FEh
inc ecx
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8A2150B7F0h
add ebx, ebx
jne 00007F8A2150B839h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8A2150B821h
jne 00007F8A2150B83Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8A2150B816h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F8A2150B840h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD3 build 60610
[LNK] VS2012 UPD3 build 60610

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18d0ba8	0x238	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcaf000	0xc21ba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc58e00	0x34b0	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18d0de0	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xcaeb14	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xc77000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xc78000	0x37000	0x36c00	91282aa39832b8be3a324adbd474c699	False	0.9679205907534246	data	7.924885102773607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xcaf000	0xc22000	0xc21e00	78ba9e5f4451ef3e213e7eda17cf9c57	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
DAR	0xcaf460	0x5c5	Lua bytecode, version 5.3	Chinese	China	0.5802301963439405
DAR	0xcafa2c	0x5769	Lua bytecode, version 5.3	Chinese	China	0.37547481789337267
DAR	0xcb519c	0xc814	Lua bytecode, version 5.3	Chinese	China	0.3644279578289731
DATA	0xcc19b4	0xa6c0c1	data	Chinese	China	1.0003108978271484
DATA	0x172da7c	0x173f67	data	Chinese	China	1.0003108978271484
RT_ICON	0x18a19e8	0x6f80	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9948500560538116
RT_ICON	0x18a896c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18276055838163965
RT_ICON	0x18b9198	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	Chinese	China	0.24153878494849695
RT_ICON	0x18c2644	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	Chinese	China	0.2666820702402957
RT_ICON	0x18c7ad0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.25679026924893716
RT_ICON	0x18cbcfc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.33443983402489624
RT_ICON	0x18ce2a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.3794559099437148
RT_ICON	0x18cf354	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.48237704918032787
RT_ICON	0x18cfce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.5656028368794326
RT_DIALOG	0x18d014c	0x72	data	Chinese	China	0.6666666666666666
RT_GROUP_ICON	0x18d01c4	0x84	data	Chinese	China	0.7272727272727273
RT_VERSION	0x18d024c	0x564	data	Chinese	China	0.2536231884057971
RT_MANIFEST	0x18d07b4	0x3f2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (950), with CRLF line terminators	English	United States	0.5138613861386139

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll	CoInitialize
PSAPI.DLL	GetProcessImageFileNameW
SHELL32.dll
SHLWAPI.dll	PathIsURLW
urlmon.dll	URLDownloadToFileW
USER32.dll	EnumWindows
VERSION.dll	VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 14:40:13.024750948 CEST	60598	53	192.168.2.6	1.1.1.1
Apr 23, 2024 14:40:13.372553110 CEST	53	60598	1.1.1.1	192.168.2.6
Apr 23, 2024 14:40:13.460217953 CEST	60599	3800	192.168.2.6	209.58.131.173
Apr 23, 2024 14:40:13.623482943 CEST	3800	60599	209.58.131.173	192.168.2.6
Apr 23, 2024 14:40:13.624723911 CEST	52095	53	192.168.2.6	1.1.1.1
Apr 23, 2024 14:40:13.663503885 CEST	54837	53	192.168.2.6	1.1.1.1
Apr 23, 2024 14:40:13.867048979 CEST	53	52095	1.1.1.1	192.168.2.6
Apr 23, 2024 14:40:13.868024111 CEST	60599	3800	192.168.2.6	209.58.131.173
Apr 23, 2024 14:40:14.031574965 CEST	3800	60599	209.58.131.173	192.168.2.6
Apr 23, 2024 14:40:14.032351971 CEST	65009	53	192.168.2.6	1.1.1.1
Apr 23, 2024 14:40:14.057173967 CEST	53	54837	1.1.1.1	192.168.2.6
Apr 23, 2024 14:40:14.204763889 CEST	53	65009	1.1.1.1	192.168.2.6
Apr 23, 2024 14:40:14.831219912 CEST	60599	6130	192.168.2.6	209.58.131.173
Apr 23, 2024 14:40:14.831789017 CEST	60599	6130	192.168.2.6	209.58.131.173
Apr 23, 2024 14:40:14.994754076 CEST	6130	60599	209.58.131.173	192.168.2.6
Apr 23, 2024 14:40:14.995037079 CEST	6130	60599	209.58.131.173	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 14:40:13.024750948 CEST	192.168.2.6	1.1.1.1	0xac14	Standard query (0)	dispatch.integrate.drivethelife.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 14:40:13.624723911 CEST	192.168.2.6	1.1.1.1	0x2f50	Standard query (0)	online1.integrate.drivethelife.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 14:40:13.663503885 CEST	192.168.2.6	1.1.1.1	0xed1d	Standard query (0)	int.softconfig.drivethelife.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 14:40:14.032351971 CEST	192.168.2.6	1.1.1.1	0x34d8	Standard query (0)	behaviorgather.integrate.drivethelife.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 14:40:13.372553110 CEST	1.1.1.1	192.168.2.6	0xac14	No error (0)	dispatch.integrate.drivethelife.com		209.58.131.173	A (IP address)	IN (0x0001)	false
Apr 23, 2024 14:40:13.867048979 CEST	1.1.1.1	192.168.2.6	0x2f50	No error (0)	online1.integrate.drivethelife.com		209.58.131.173	A (IP address)	IN (0x0001)	false
Apr 23, 2024 14:40:14.057173967 CEST	1.1.1.1	192.168.2.6	0xed1d	Name error (3)	int.softconfig.drivethelife.com	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 14:40:14.204763889 CEST	1.1.1.1	192.168.2.6	0x34d8	No error (0)	behaviorgather.integrate.drivethelife.com		209.58.131.173	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:40:10
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe"
Imagebase:	0xe20000
File size:	12'960'432 bytes
MD5 hash:	61144B1D8168AF54DA7F364640019E2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.4%
Total number of Nodes:	1080
Total number of Limit Nodes:	32

Executed Functions

Function 00E24712 Relevance: 79.3, APIs: 36, Strings: 9, Instructions: 527
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E227EE: __EH_prolog3.LIBCMT ref: 00E227F5

PathFileExistsW.SHLWAPI(?,?,?), ref: 00E248EA
_memset.LIBCMT ref: 00E24913
__swprintf.LIBCMT ref: 00E2493C
OutputDebugStringW.KERNEL32(?), ref: 00E2494C
PathFileExistsW.SHLWAPI(00E7D368), ref: 00E249B5
_memset.LIBCMT ref: 00E249DB
__swprintf.LIBCMT ref: 00E24A04
OutputDebugStringW.KERNEL32(?), ref: 00E24A14
_memset.LIBCMT ref: 00E24A4A
__swprintf.LIBCMT ref: 00E24A7D
OutputDebugStringW.KERNEL32(?), ref: 00E24A8D
_memset.LIBCMT ref: 00E24B46
__swprintf.LIBCMT ref: 00E24B60
OutputDebugStringW.KERNEL32(?), ref: 00E24B70
_memset.LIBCMT ref: 00E24BF2
__swprintf.LIBCMT ref: 00E24C0C
OutputDebugStringW.KERNEL32(?), ref: 00E24C1C
FreeResource.KERNEL32(00000000), ref: 00E24C58
_memset.LIBCMT ref: 00E24C70
__swprintf.LIBCMT ref: 00E24CA3
OutputDebugStringW.KERNEL32(?), ref: 00E24CB3
LockResource.KERNEL32(?), ref: 00E24CD2
VirtualProtect.KERNEL32(00000000,00000001,00000004,00000000), ref: 00E24CF6
VirtualProtect.KERNEL32(?,00000001,?,00000000), ref: 00E24D0C
VirtualProtect.KERNEL32(00000001,00000001,00000004,00000000), ref: 00E24D18
VirtualProtect.KERNEL32(00000001,00000001,?,00000000), ref: 00E24D28
SizeofResource.KERNEL32(?), ref: 00E24D42

Part of subcall function 00E2C69C: FindResourceW.KERNEL32(00000000,?,DAR,00E23D3D,?,?,5E3F636C,00000000,DAR), ref: 00E2C6AD

FreeResource.KERNEL32(00000000,?,00000000,?), ref: 00E24D67
_memset.LIBCMT ref: 00E24DAD
__swprintf.LIBCMT ref: 00E24DC7
OutputDebugStringW.KERNEL32(?,?,?,?,?,00000001,00000000), ref: 00E24DD7
_memset.LIBCMT ref: 00E24DF0
__swprintf.LIBCMT ref: 00E24E05
OutputDebugStringW.KERNEL32(?,?,00000001,00000000), ref: 00E24E14
_Func_class.LIBCPMT ref: 00E24E4D
_Func_class.LIBCPMT ref: 00E24E56

Strings

Fun:%s, Description: UnCompress failed.!, xrefs: 00E24DC1
Fun:%s, Description:%s it's not exists!, xrefs: 00E24936, 00E249FE
DATA, xrefs: 00E24B13, 00E24BC3
Fun:%s ,LoadResource failed!, xrefs: 00E24B5A, 00E24C06
lc?^, xrefs: 00E248AC, 00E24AE5, 00E24B9B, 00E24AF7, 00E2497F, 00E24882, 00E247F7, 00E24815, 00E24819
Lua_UnCompress7z, xrefs: 00E2492A, 00E249F2, 00E24B55, 00E24C01, 00E24DBC
UnCompress successful., xrefs: 00E24DFF
UnCompress %s to %s ., xrefs: 00E24A77, 00E24C9D
hwang , xrefs: 00E248F4, 00E249B7, 00E24B26, 00E24BCE, 00E24D92

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset$Resource$ProtectVirtual$ExistsFileFreeFunc_classPath$FindH_prolog3LockSizeof
String ID: DATA$Fun:%s ,LoadResource failed!$Fun:%s, Description: UnCompress failed.!$Fun:%s, Description:%s it's not exists!$Lua_UnCompress7z$UnCompress %s to %s .$UnCompress successful.$hwang $lc?^
API String ID: 2171481348-3067499199
Opcode ID: 56c57ad88a0cb433b59a426455615048396fa435a3bfd1dd3405bcb5cf2add4b
Instruction ID: 4705871f290c82eec90a5c2e8f5e351560631062eb115694ac829a40cc6ec9d1
Opcode Fuzzy Hash: 56c57ad88a0cb433b59a426455615048396fa435a3bfd1dd3405bcb5cf2add4b
Instruction Fuzzy Hash: AA227DB15083409FD314DF24E882BABB7E9FF84704F50581DF599A7292DB71E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E21F35 Relevance: 44.0, APIs: 9, Strings: 16, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00E21F5C
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00E21F8D

Part of subcall function 00E222C1: PathRemoveFileSpecW.SHLWAPI(00000000,00000000,00000104,00E21FA6,00000000), ref: 00E222D0

SetCurrentDirectoryW.KERNEL32(?,00000000), ref: 00E21FB3
CoInitialize.OLE32(00000000), ref: 00E21FC6
_memset.LIBCMT ref: 00E22020
__swprintf.LIBCMT ref: 00E22035
OutputDebugStringW.KERNEL32(?), ref: 00E22044
SetCurrentDirectoryW.KERNEL32(?), ref: 00E22057

Part of subcall function 00E23CD8: _memset.LIBCMT ref: 00E23D5E
Part of subcall function 00E23CD8: __swprintf.LIBCMT ref: 00E23D7E
Part of subcall function 00E23CD8: OutputDebugStringW.KERNEL32(?,?,?,?,?,DAR), ref: 00E23D91
Part of subcall function 00E23CD8: _memset.LIBCMT ref: 00E23DAC
Part of subcall function 00E23CD8: GetLastError.KERNEL32(?,?,?,?,?,?,?,DAR), ref: 00E23DB4
Part of subcall function 00E23CD8: __swprintf.LIBCMT ref: 00E23DC5
Part of subcall function 00E23CD8: OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,DAR), ref: 00E23DD2
Part of subcall function 00E23CD8: FreeResource.KERNEL32(00000000,00000000,00000000,?), ref: 00E23EC3

_memset.LIBCMT ref: 00E220B4

Part of subcall function 00E226CF: __EH_prolog3_GS.LIBCMT ref: 00E226D6

Strings

DAR2, xrefs: 00E22079
Global\{A043B702-166A-4FB8-9733-E2BC4713F36F}, xrefs: 00E22117
DTLSE_AfterComplete, xrefs: 00E22274
DoResLua failed, DAR0, xrefs: 00E22028
DAR0, xrefs: 00E21FE0
hwang , xrefs: 00E21FFF, 00E22093
global_app_id, xrefs: 00E220F2
DTLSE_BeforeInit, xrefs: 00E22155
global_install_mutex_guid, xrefs: 00E220D4
global_install_path, xrefs: 00E221B5
DAR, xrefs: 00E21FE8
DTLSE_BeforeComplete, xrefs: 00E22246
DoResLua failed, DAR2, xrefs: 00E220BC
InstallPath, xrefs: 00E221DE
DTLSE_OnInstall, xrefs: 00E22218
DTLSE_BeforeInstall, xrefs: 00E22187, 00E221EA

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memset$CurrentDebugDirectoryOutputString__swprintf$File$ErrorFreeH_prolog3_InitializeLastModuleNamePathRemoveResourceSpec
String ID: DAR$DAR0$DAR2$DTLSE_AfterComplete$DTLSE_BeforeComplete$DTLSE_BeforeInit$DTLSE_BeforeInstall$DTLSE_OnInstall$DoResLua failed, DAR0$DoResLua failed, DAR2$Global\{A043B702-166A-4FB8-9733-E2BC4713F36F}$InstallPath$global_app_id$global_install_mutex_guid$global_install_path$hwang
API String ID: 3785559241-2980821603
Opcode ID: 6aae8e1162fb9694dceab450f79dc84158e3314c9474592823c071434217c273
Instruction ID: 0b842bc14542396de92572ccc8d6f5083f73f166fda75acd90ee9ced363c0a26
Opcode Fuzzy Hash: 6aae8e1162fb9694dceab450f79dc84158e3314c9474592823c071434217c273
Instruction Fuzzy Hash: 94912632608760ABC624FB35AC06D5F76E5AFC2720F10A61DF569B71E1DF349902CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E2764D Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00E27698
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00E276A8
_memset.LIBCMT ref: 00E276D5
__swprintf.LIBCMT ref: 00E276EE
OutputDebugStringW.KERNEL32(?), ref: 00E27704
_memset.LIBCMT ref: 00E27726
GetLastError.KERNEL32 ref: 00E2772E
OutputDebugStringW.KERNEL32(?), ref: 00E27752
__swprintf.LIBCMT ref: 00E27742

Part of subcall function 00E4E0C0: __woutput_l.LIBCMT ref: 00E4E119

SetEnvironmentVariableW.KERNEL32(?,?), ref: 00E2778F
_memset.LIBCMT ref: 00E277BE
GetLastError.KERNEL32(?,?,00000001), ref: 00E277C6
__swprintf.LIBCMT ref: 00E277DA
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,00000001), ref: 00E277EA

Strings

SHGetSpecialFolderPathW csidl=%d failed!, xrefs: 00E276E8
hwang err:%d, xrefs: 00E2773C
SetEnvironmentVariableW failed!hwang err:%d, xrefs: 00E277D4
hwang , xrefs: 00E276B6, 00E27706, 00E2779D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memset$DebugOutputString__swprintf$ErrorLast$EnvironmentFolderPathSpecialVariable__woutput_l
String ID: SHGetSpecialFolderPathW csidl=%d failed!$SetEnvironmentVariableW failed!hwang err:%d$hwang $hwang err:%d
API String ID: 2944793419-723870597
Opcode ID: 3f72be3f22ec6be0d7762eca2d13dcb32eb997f85f44551a92f085b09f4a9ebf
Instruction ID: 08d2ccf52ba1d4182330138542ec888b9c05a51ee64ab59a3a2c77812ed53ee2
Opcode Fuzzy Hash: 3f72be3f22ec6be0d7762eca2d13dcb32eb997f85f44551a92f085b09f4a9ebf
Instruction Fuzzy Hash: 914180725143409BC320DF65EC4AB9BB3E8FF89314F405929F94CDB142EBB59649CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E21E30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00E21E70
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00E21E81

Part of subcall function 00E2101F: __EH_prolog3_GS.LIBCMT ref: 00E21026

CreateMutexW.KERNEL32(?,00000000,00000000), ref: 00E21EBB
GetLastError.KERNEL32(00000001,00000000), ref: 00E21EF1
FindWindowW.USER32(SMG_Installer,00000000), ref: 00E21F04
SwitchToThisWindow.USER32(00000000,00000001), ref: 00E21F11

Strings

SMG_Installer, xrefs: 00E21EFF

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DescriptorSecurityWindow$CreateDaclErrorFindH_prolog3_InitializeLastMutexSwitchThis
String ID: SMG_Installer
API String ID: 2013107316-1780044750
Opcode ID: 386a39d01221a260f2c18a6119bf436578b5195c5da76a38fe210e4632d3a161
Instruction ID: d031a297f78004264246f77e994ba76c15238f063b06afd7106db452f66fdedb
Opcode Fuzzy Hash: 386a39d01221a260f2c18a6119bf436578b5195c5da76a38fe210e4632d3a161
Instruction Fuzzy Hash: 2A318E31608340AFD710CF69DC08A9BBBF8FF98314F005A2AF959E6151D770DA48CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01ACE930 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 01ACEA6A
GetProcAddress.KERNEL32(?,01ACAFF9), ref: 01ACEA88
ExitProcess.KERNEL32(?,01ACAFF9), ref: 01ACEA99
VirtualProtect.KERNEL32(00E20000,00001000,00000004,?,00000000), ref: 01ACEAE7
VirtualProtect.KERNEL32(00E20000,00001000), ref: 01ACEAFC

Memory Dump Source

Source File: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: f96569962d8490cabe86609db11f07e55abb59a778f0655005cc79c78326c73d
Instruction ID: 19f415d97a708e85070024e61e372218102a8ef2e3bd0eede618715f3908e25c
Opcode Fuzzy Hash: f96569962d8490cabe86609db11f07e55abb59a778f0655005cc79c78326c73d
Instruction Fuzzy Hash: 1A51D5B2A542525ED7218FBCCCC06A4FFA5EB45A31B1C073DC6E6C73C6EBA4580587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2C69C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,DAR,00E23D3D,?,?,5E3F636C,00000000,DAR), ref: 00E2C6AD
LoadResource.KERNEL32(00000000), ref: 00E2C6C5

Strings

DAR, xrefs: 00E2C69C

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoad
String ID: DAR
API String ID: 2619053042-3839210130
Opcode ID: 396e2b61eb9cfabf15f397506625449fa8c6a7dd1bda9f7ac027a4ec7144cb71
Instruction ID: 0bd23e3ef47f8b7146af42a91f0456e6eb52f201bdf9ff8d424c0ada491d4513
Opcode Fuzzy Hash: 396e2b61eb9cfabf15f397506625449fa8c6a7dd1bda9f7ac027a4ec7144cb71
Instruction Fuzzy Hash: FAE04F36404712EFCB119F21FC0847ABBA5FF24755320A82BE896B2220E771C895EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E486A0 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

lc?^, xrefs: 00E487DE, 00E48836, 00E488F8

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: lc?^
API String ID: 0-3458774033
Opcode ID: 47de951206a761522049aeb14e359c792bc614238fd2cd8400a5f4054e73e33e
Instruction ID: bf291dc4edb8af7ee59b2490911420554a8ce6257d4ca2393dc87b6e105c8d74
Opcode Fuzzy Hash: 47de951206a761522049aeb14e359c792bc614238fd2cd8400a5f4054e73e33e
Instruction Fuzzy Hash: 07B18F32E001189BCF54DFE8E981AEDB7F5EF88314F14516AE909F7342EA70AD458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E3187C Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f0a91fc2da87ce406fdb78e9d736d2e98b321360a202a0dab696a9ae80e4d9
Instruction ID: 76fff2e01bbdbd833915906a37cded7c4c0ae99efa520e92be3da5172a6bb71a
Opcode Fuzzy Hash: 50f0a91fc2da87ce406fdb78e9d736d2e98b321360a202a0dab696a9ae80e4d9
Instruction Fuzzy Hash: DFF12DB5E006199BDB18CF59C8456AEBBF2FF84304F2982ACD416BB750D734AE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E3320D Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caae16fb309dd417c58563bd18ab06a793007305648432a07970532f1d2a6de0
Instruction ID: 85c77c4f7605650fa3c2cd77cb3369aea82a26afe08c0fab698467bcd7a8f68d
Opcode Fuzzy Hash: caae16fb309dd417c58563bd18ab06a793007305648432a07970532f1d2a6de0
Instruction Fuzzy Hash: F0E11CB2E006199FDB18CF99C8446ADBBF2FF88304F1981A9D815B7744D775AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E33145 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135d62eb7ebc8b519e5aed100b11b51b4f0aae791db16a22cf4f64f06b9af6ba
Instruction ID: 224c4d3d9b785c15c4cf2807b16eaae652d687f71a0a975fa83d46ee69984d23
Opcode Fuzzy Hash: 135d62eb7ebc8b519e5aed100b11b51b4f0aae791db16a22cf4f64f06b9af6ba
Instruction Fuzzy Hash: 54E12BB5E006199FDB18CF59C845AADBBF2FF88304F2981A9D411BB744D735AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E32D86 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39081b72b43619e5533319b66845ba54d56a32206617a608db9f7dc18d5d31e6
Instruction ID: 8c8680f5bb7b3754bcae3605243e63c0fa7c09fcfabb718da0551ff563a653cc
Opcode Fuzzy Hash: 39081b72b43619e5533319b66845ba54d56a32206617a608db9f7dc18d5d31e6
Instruction Fuzzy Hash: A1D13BB2E0061AABDB18CF58C8456ADBBF2FF88304F1582A9D516B7740D774AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E23337 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 194
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00E2333E
PathFileExistsA.SHLWAPI(00000048), ref: 00E23411
GetLastError.KERNEL32 ref: 00E2341F
lstrcmp.KERNEL32(00000000,00000000), ref: 00E2343F

Strings

astr, xrefs: 00E234CE
uint64, xrefs: 00E23484
bool, xrefs: 00E234A7
unknow argument type, xrefs: 00E23451
int64, xrefs: 00E23464
int, xrefs: 00E23437
wstr, xrefs: 00E23500
ptr, xrefs: 00E23537
uint, xrefs: 00E23474

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorExistsFileH_prolog3_LastPathlstrcmp
String ID: astr$bool$int$int64$ptr$uint$uint64$unknow argument type$wstr
API String ID: 671010600-603663793
Opcode ID: bdd560b5672b78a85bfe062a994b7f716f83c40cf02fa07c3f739ceb850043d7
Instruction ID: 9a959a3c94a6b8b29db8ba628702afd7de818a9ed4698b87a846f5d45ba92f76
Opcode Fuzzy Hash: bdd560b5672b78a85bfe062a994b7f716f83c40cf02fa07c3f739ceb850043d7
Instruction Fuzzy Hash: CA619070B00724DBCB15EF75EC55AAEBBB5BF40704B60A429E01AB7252DB789E068F10

Uniqueness

Uniqueness Score: -1.00%

Function 00E43EFB Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcmp.LIBCMT ref: 00E43F3A

Strings

lua_Number, xrefs: 00E44028
Lua, xrefs: 00E43F26, 00E43F32, 00E43F9C
lua_Integer, xrefs: 00E44017
size_t, xrefs: 00E43FF5
int, xrefs: 00E43FE4
binary string, xrefs: 00E440AE
version mismatch in, xrefs: 00E44089
xV, xrefs: 00E44046
corrupted, xrefs: 00E43FD5
endianness mismatch in, xrefs: 00E4407F
format mismatch in, xrefs: 00E43FCB
Instruction, xrefs: 00E44006
not a, xrefs: 00E43FA2
float format mismatch in, xrefs: 00E44076

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID: Instruction$Lua$binary string$corrupted$endianness mismatch in$float format mismatch in$format mismatch in$int$lua_Integer$lua_Number$not a$size_t$version mismatch in$xV
API String ID: 2931989736-932411338
Opcode ID: f6481a2f11b408fb8846f1622c78d92c44040e51d7dd67a014bf81154739ea27
Instruction ID: 3620baf34e9a7f7effe3d52ed62eea7b4e1461489ecb1db8f73aa49c3b86baa0
Opcode Fuzzy Hash: f6481a2f11b408fb8846f1622c78d92c44040e51d7dd67a014bf81154739ea27
Instruction Fuzzy Hash: 1EF0A971B001145B9B04EF78ED418FEB7F9EF89304754156AEC46F3246ED709E0986A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E26198 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 124
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

PathFileExistsW.SHLWAPI(?), ref: 00E26217
SHCreateDirectory.SHELL32(00000000,?), ref: 00E2623B
PathFileExistsW.SHLWAPI(?), ref: 00E26250
_memset.LIBCMT ref: 00E26270
__swprintf.LIBCMT ref: 00E26296
OutputDebugStringW.KERNEL32(?), ref: 00E262A3
_memset.LIBCMT ref: 00E262B7
__swprintf.LIBCMT ref: 00E262D8
OutputDebugStringW.KERNEL32(?), ref: 00E262E5

Strings

Lua_CreateDirectory, xrefs: 00E26287
Create Directory %s!, xrefs: 00E262D2
Fun:%s, Description:%s it's not exists!, xrefs: 00E26290
hwang , xrefs: 00E26252

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugExistsFileOutputPathString__swprintf_memset$CreateDirectoryEnvironmentExpandStrings
String ID: Create Directory %s!$Fun:%s, Description:%s it's not exists!$Lua_CreateDirectory$hwang
API String ID: 3850036116-1673828136
Opcode ID: b975a7d70df44ef8f8bc37a317891c7e3a0895f49b24e86e7d107ea32d084ba3
Instruction ID: d7e13ec0ec0bb9f0067ceddd59168f77deb7ff8dabf8200936bdacbf2fe1d523
Opcode Fuzzy Hash: b975a7d70df44ef8f8bc37a317891c7e3a0895f49b24e86e7d107ea32d084ba3
Instruction Fuzzy Hash: 92416C72608300DFC710DF29E885A5AB7E8FF88715F50592EF498E7191DB70E909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E26B11 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

PathFileExistsW.SHLWAPI(?), ref: 00E26B8A
SHFileOperationW.SHELL32(?), ref: 00E26BE3
_memset.LIBCMT ref: 00E26C7F
__swprintf.LIBCMT ref: 00E26CA3
OutputDebugStringW.KERNEL32(?), ref: 00E26CB6
_memset.LIBCMT ref: 00E26CD6

Strings

Delete %s failed!, xrefs: 00E26C9D
hwang , xrefs: 00E26C62, 00E26CB8
SHFileOperation error code : %#x, xrefs: 00E26CE9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: File_memset$DebugEnvironmentExistsExpandOperationOutputPathStringStrings__swprintf
String ID: Delete %s failed!$SHFileOperation error code : %#x$hwang
API String ID: 2973828913-2413928965
Opcode ID: fd5d2b9e1b3416663e15176bb9a89b667b9a34f00e41b5a867819da6e02e5a2c
Instruction ID: 30ed4c5ba1e49113c03cd0aa7f31a24bd0ffe269ee579b09124f273fc8f74420
Opcode Fuzzy Hash: fd5d2b9e1b3416663e15176bb9a89b667b9a34f00e41b5a867819da6e02e5a2c
Instruction Fuzzy Hash: 1761AF726083049FC714DF69D881A9BB7E8FF89700F50592EF589E7251EB71D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E454D0 Relevance: 18.3, APIs: 12, Instructions: 325
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddBackslashW.SHLWAPI(00000000), ref: 00E4555B
_memset.LIBCMT ref: 00E45659
_memmove.LIBCMT ref: 00E45678
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00E45795
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00E457C0
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?), ref: 00E457DC
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00E457F9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?), ref: 00E458A6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00E458C5
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00E4592C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?), ref: 00E45936
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E45979

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Create$ErrorFileLast$Directory$AttributesBackslashChangeCloseFindNotificationPath_memmove_memset
String ID:
API String ID: 3092469951-0
Opcode ID: a7926552f18c3d217ca19567d97496d7bbe23a7dc1d09d9dcc4c185e912daa2e
Instruction ID: 5f55bb340c6a1632ef136547ec815ee066d56fd6586a76cf58567312cd4cf59e
Opcode Fuzzy Hash: a7926552f18c3d217ca19567d97496d7bbe23a7dc1d09d9dcc4c185e912daa2e
Instruction Fuzzy Hash: 9EE16CB2A016299BCB20DF55DC84AD9B7B4FF84304F8141E9E609B7251EB706E89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E23EF5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00E23F77
__swprintf.LIBCMT ref: 00E23F98
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00E23FAB
_memset.LIBCMT ref: 00E23FC3
__swprintf.LIBCMT ref: 00E23FD5
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00E23FE1

Strings

%s, xrefs: 00E23F92
luaL_loadbuffer failed!, xrefs: 00E23FCF
hwang , xrefs: 00E23F58, 00E23FAD

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset
String ID: %s$hwang $luaL_loadbuffer failed!
API String ID: 797231043-2333062901
Opcode ID: d9853d1fb3afc1e17b576dc8b6cf039e3d3cf34a46712f94e0296d4f27b50b40
Instruction ID: 3644cab8657c9b6a18dc969cafc9a284b128e8a0ed32daafd6af394551ca3741
Opcode Fuzzy Hash: d9853d1fb3afc1e17b576dc8b6cf039e3d3cf34a46712f94e0296d4f27b50b40
Instruction Fuzzy Hash: 50314572504204AFD210EE64EC42EABB3DCFB89354F505929F998E7181E671A9098BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E5A8A7 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00E5A8B5

Part of subcall function 00E5BF5B: __mtinitlocknum.LIBCMT ref: 00E5BF6D
Part of subcall function 00E5BF5B: RtlEnterCriticalSection.NTDLL(?), ref: 00E5BF86

__calloc_crt.LIBCMT ref: 00E5A8C6

Part of subcall function 00E5663A: __calloc_impl.LIBCMT ref: 00E56649
Part of subcall function 00E5663A: Sleep.KERNEL32(00000000,000003BC,00E500CE,00E4F07C), ref: 00E56660

@_EH4_CallFilterFunc@8.LIBCMT ref: 00E5A8E1
GetStartupInfoW.KERNEL32(?,00E968B0,00000064,00E4F2CB,00E96440,00000014), ref: 00E5A93A
__calloc_crt.LIBCMT ref: 00E5A985
GetFileType.KERNEL32(00000001), ref: 00E5A9CC
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00E5AA05

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: da44f91c9c321c37c719f4406cf58c206a22af89124c237cd922d3b9741afd56
Instruction ID: 2fb0eda90067602e4c85495865b4935c006e724761a6835f37aa174f6b2648e3
Opcode Fuzzy Hash: da44f91c9c321c37c719f4406cf58c206a22af89124c237cd922d3b9741afd56
Instruction Fuzzy Hash: 7B8105719057418FDB14CF68C8805ADBBF0AF06325B286B6ED8A6B73E1D734984BCB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E23803 Relevance: 15.0, APIs: 5, Strings: 5, Instructions: 42
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpW.KERNEL32(?,HKCR), ref: 00E23813
lstrcmpW.KERNEL32(?,HKCU,?,HKCR), ref: 00E23826

Strings

HKCU, xrefs: 00E23820
HKLM, xrefs: 00E23833
HKU, xrefs: 00E23846
HKCC, xrefs: 00E23859
HKCR, xrefs: 00E2380D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: lstrcmp
String ID: HKCC$HKCR$HKCU$HKLM$HKU
API String ID: 1534048567-62392802
Opcode ID: a3ae62871da4db20ae5cb0ff209da82b97d18dc56c47d1bd462f7888248901c7
Instruction ID: c23e0cd58a0f15ecc6421157c45b5eda835c7e27a9fbc838ae4a439eba9a57ec
Opcode Fuzzy Hash: a3ae62871da4db20ae5cb0ff209da82b97d18dc56c47d1bd462f7888248901c7
Instruction Fuzzy Hash: 87F012527C9737A2E21D213E7C01FAB15984F91B5CF316225F819FA1D8E68CCB434DA6

Uniqueness

Uniqueness Score: -1.00%

Function 00E25059 Relevance: 7.7, APIs: 5, Instructions: 198
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E23803: lstrcmpW.KERNEL32(?,HKCR), ref: 00E23813

Part of subcall function 00E2BEBD: RegCloseKey.ADVAPI32(?,?,00E25127,00000000,?), ref: 00E2BF01

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?), ref: 00E25173
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00E251B9
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00E251F5
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E25252
RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000000,?), ref: 00E252B7

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$Close$lstrcmp
String ID:
API String ID: 1731512416-0
Opcode ID: fca8ead6cbaeefde84fb1b7e999bcf1d882c0b6f60bf89f97d5d31cde5f3c795
Instruction ID: e87707c03d4ed1d61df1ee91ec6cd690db4083a4d09586fb62ed810fc415110e
Opcode Fuzzy Hash: fca8ead6cbaeefde84fb1b7e999bcf1d882c0b6f60bf89f97d5d31cde5f3c795
Instruction Fuzzy Hash: 96719E72608350AFC324DF14D845FABBBE8FF99714F50491EF59AA2191DB70E908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E36167 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E3617D

Strings

attempt to load a %s chunk (mode is '%s'), xrefs: 00E3618F
binary, xrefs: 00E361E1
text, xrefs: 00E361FB

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: attempt to load a %s chunk (mode is '%s')$binary$text
API String ID: 601868998-592341459
Opcode ID: 46e61018d429f63792bab232b308eee2ab54908df3244320c8941dcb04bff82b
Instruction ID: 9d0c2060c6b9c78b7e80a18884b95d312d0228dd45aa22f8deb7cfb9834b4257
Opcode Fuzzy Hash: 46e61018d429f63792bab232b308eee2ab54908df3244320c8941dcb04bff82b
Instruction Fuzzy Hash: 7C31E6722053047FD714DF29D885AA6BBE9EF85324F14D46EF8599B242DA31EC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5066E Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00E5067A

Part of subcall function 00E4EF94: __FF_MSGBANNER.LIBCMT ref: 00E4EFAB
Part of subcall function 00E4EF94: __NMSG_WRITE.LIBCMT ref: 00E4EFB2
Part of subcall function 00E4EF94: RtlAllocateHeap.NTDLL(008E0000,00000000,00000001), ref: 00E4EFD7

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 0e87318c3576b37e9314783c626a83dd6ad889a009b15297d0f51033d323927f
Instruction ID: e3bcabd694cea199f0b235b55f0d57bebaf5a2a787cccf0c92b1696174fd9105
Opcode Fuzzy Hash: 0e87318c3576b37e9314783c626a83dd6ad889a009b15297d0f51033d323927f
Instruction Fuzzy Hash: 80110A32505712EFCF203B75BC0575A37D4AF40367B202C26FD08BA991DAB1889C9694

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A1E5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(lc?^), ref: 00E2A25F

Strings

lc?^, xrefs: 00E2A255, 00E2A259, 00E2A25E
DllManagerMetaTable, xrefs: 00E2A286

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: DllManagerMetaTable$lc?^
API String ID: 1029625771-3872318702
Opcode ID: dc9cf7fc9737963c8a5077a3d2c3493baa507356456e48fc9c10036becaf5c8f
Instruction ID: f894c021c68e8742bbe6cafe2d00e04e034738914f053e355153f1fed2f68434
Opcode Fuzzy Hash: dc9cf7fc9737963c8a5077a3d2c3493baa507356456e48fc9c10036becaf5c8f
Instruction Fuzzy Hash: BE31B1326047108FD740DF29D882B2AB3E5FF85334F54992AF816AF2D2E771D8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BEBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,lc?^,?,?,00000000,?,?,00E25127,00000000,?), ref: 00E2BEED
RegCloseKey.ADVAPI32(?,?,00E25127,00000000,?), ref: 00E2BF01

Part of subcall function 00E2BE5A: GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,lc?^,00E2BEE4,?,?,?,lc?^,?,?,00000000,?,?,00E25127,00000000), ref: 00E2BE6C
Part of subcall function 00E2BE5A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00E2BE7C

Strings

lc?^, xrefs: 00E2BECE

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: lc?^
API String ID: 823179699-3458774033
Opcode ID: acb5ddda6fe87423fe7b83f9771c1443b6a96abf5f9bedf414c394b1bcec17a9
Instruction ID: fd7b5a81a4b3f6f867c7c4850add9a3d57bdfb9a09c3427990ea82d1a30d8899
Opcode Fuzzy Hash: acb5ddda6fe87423fe7b83f9771c1443b6a96abf5f9bedf414c394b1bcec17a9
Instruction Fuzzy Hash: 820131B5604219FFDF258F06DC14CAEBBF9EF94350710842DF856A2220D7B19E50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E28C97 Relevance: 4.6, APIs: 3, Instructions: 104fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

_memset.LIBCMT ref: 00E28D2A
GetTempFileNameW.KERNEL32(?,?,00000000,?), ref: 00E28D56

Part of subcall function 00E226CF: __EH_prolog3_GS.LIBCMT ref: 00E226D6

DeleteFileW.KERNEL32(?,00000001,00000000), ref: 00E28DA4

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: File$DeleteEnvironmentExpandH_prolog3_NameStringsTemp_memset
String ID:
API String ID: 2698847642-0
Opcode ID: 18bb09650aafeea00910c1739586f67bd8c36618aa912f69b528e0eb98595f24
Instruction ID: ab710beefa88adb3d16f4d7febe30c069f73c2a5e21c4a7c6af9f660fb0e45ee
Opcode Fuzzy Hash: 18bb09650aafeea00910c1739586f67bd8c36618aa912f69b528e0eb98595f24
Instruction Fuzzy Hash: C3415D712083409FC714DF69D889E9BF7E8EFD9710F404A2EF49993291EB74A508CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E3463D Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E3468D
_memmove.LIBCMT ref: 00E346F3

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp_memmove
String ID:
API String ID: 533621379-0
Opcode ID: a31d6048b0dffde2358a07a89cf99a6fd82ef31f1ae8bd217b0cbff476ad4a1d
Instruction ID: ae11226b16889e560fe7fc2f7994c8fd3127faa67bdc44fc6ee06affe781b35f
Opcode Fuzzy Hash: a31d6048b0dffde2358a07a89cf99a6fd82ef31f1ae8bd217b0cbff476ad4a1d
Instruction Fuzzy Hash: AC31C2B1A04B05AFCB15CF68C445AAABBF4BF09314F1485ADE855A7791D730FA11CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E45B10 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,00E45913,00000000,?,00000000,?,?), ref: 00E45B4C
GetLastError.KERNEL32 ref: 00E45B78

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 77c536d25727c0e9bcbb03bca258d7e4b898f8e80c163d85e3a54a858d1c5aea
Instruction ID: 2b6f756661b9b4ef9af48c92b4f0493831aab3302fddce6d34979251dd4db89e
Opcode Fuzzy Hash: 77c536d25727c0e9bcbb03bca258d7e4b898f8e80c163d85e3a54a858d1c5aea
Instruction Fuzzy Hash: CB01F236B01A19AFEB148E49E8407AAB7A8EF88769F20403AED08E7740D3709C0087D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E45360 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00E45383

Part of subcall function 00E4EF94: __FF_MSGBANNER.LIBCMT ref: 00E4EFAB
Part of subcall function 00E4EF94: __NMSG_WRITE.LIBCMT ref: 00E4EFB2
Part of subcall function 00E4EF94: RtlAllocateHeap.NTDLL(008E0000,00000000,00000001), ref: 00E4EFD7

_memmove.LIBCMT ref: 00E45397

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_malloc_memmove
String ID:
API String ID: 3795339465-0
Opcode ID: bea8169b006b0bd92e0618d362164a57a1bcb8948c447838a9d6833a33bd5de8
Instruction ID: e3889850335ff86540e9b7a683ccf575da654ed0096daa109d37fd050968b3e8
Opcode Fuzzy Hash: bea8169b006b0bd92e0618d362164a57a1bcb8948c447838a9d6833a33bd5de8
Instruction Fuzzy Hash: 4C0162B2E001196BCF00DF99AC05B9FBBFCAF54354F044065F808B7202E7B19A188BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4EF5C Relevance: 3.0, APIs: 2, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00E57717), ref: 00E4EF70

Part of subcall function 00E500C9: __getptd_noexit.LIBCMT ref: 00E500C9

GetLastError.KERNEL32(00000000,?,00E57717), ref: 00E4EF82

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLast__getptd_noexit
String ID:
API String ID: 269751013-0
Opcode ID: a4af1780984817ee71ec31e5cd674e40f4bc4265fd1f24b6484ab4b17ab36dd2
Instruction ID: 2f0ffcc554c4502c06ec6026e66182a210e0b22144e92cc1ed9ead05f797d7be
Opcode Fuzzy Hash: a4af1780984817ee71ec31e5cd674e40f4bc4265fd1f24b6484ab4b17ab36dd2
Instruction Fuzzy Hash: 9BE0CD32105714AFDB102FF5FC0C7953BD8BB00356F604825F54CF6160D6704988C740

Uniqueness

Uniqueness Score: -1.00%

Function 00E356BC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__setjmp3.LIBCMT ref: 00E356F9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __setjmp3
String ID:
API String ID: 3396615879-0
Opcode ID: 2b3b4e1d99f9d50ebbf6919e5e36c1fa27ef98537655f5e9f61868c14e5cf5f9
Instruction ID: 3423de4b83bfc2e7123360ab616f6a99a151a34165d0cee7ace39b361d2f9136
Opcode Fuzzy Hash: 2b3b4e1d99f9d50ebbf6919e5e36c1fa27ef98537655f5e9f61868c14e5cf5f9
Instruction Fuzzy Hash: 1501B075A043189FCB00DFE8D845A9EBBF4BF08314F60102AE805EB344E735AA05CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00E34726 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E34757

Part of subcall function 00E3463D: _memcmp.LIBCMT ref: 00E3468D
Part of subcall function 00E3463D: _memmove.LIBCMT ref: 00E346F3

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$_memcmp
String ID:
API String ID: 2205784470-0
Opcode ID: 8dad051b43dee63f4de58a0bead84476dfbbea11e449282d58693d5f199a13da
Instruction ID: e4dd93ce01fb9268a2fa693a0039867ead6b3acce5c19f3e99bb8a8e5dabc7e2
Opcode Fuzzy Hash: 8dad051b43dee63f4de58a0bead84476dfbbea11e449282d58693d5f199a13da
Instruction Fuzzy Hash: FBE022C37012082B41286568AC8A8BFBB8DDAD3675F15172AFD25B32C1EA207D00C2E5

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B8B4 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00E4D7C4: _malloc.LIBCMT ref: 00E4D7DC

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00E2B8E1

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID:
API String ID: 657562460-0
Opcode ID: 4cfeb62aa40882b6b010b3bafd5334faf86f9cb9b67c8545b29f5845b6165288
Instruction ID: 1e43d9adc07c869543fc4c721d826ba4e656aef821f4452a432ca5db3650f25d
Opcode Fuzzy Hash: 4cfeb62aa40882b6b010b3bafd5334faf86f9cb9b67c8545b29f5845b6165288
Instruction Fuzzy Hash: 6BF05839108601AFD308EB48D851916B7E1AF89324B00D86AF54AAB262CB70E810DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E48C20 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00E48C2D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 0fd6d89af8e6344ec75c770dbe4c57ed6021efd2d1aa1f4a50308734aa1426fd
Instruction ID: ae8f30958905078b81719efe53be4c76be0e49ed9f0a619ff96025826fd6dffb
Opcode Fuzzy Hash: 0fd6d89af8e6344ec75c770dbe4c57ed6021efd2d1aa1f4a50308734aa1426fd
Instruction Fuzzy Hash: FAC09B71A4030C165D0455B9794155B73CD5550528F045461F90C9A701F531F9544053

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E2782D Relevance: 47.6, APIs: 20, Strings: 7, Instructions: 323fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

_memset.LIBCMT ref: 00E2791E
__swprintf.LIBCMT ref: 00E27938
OutputDebugStringW.KERNEL32(?), ref: 00E27945
_memset.LIBCMT ref: 00E279BC
__swprintf.LIBCMT ref: 00E279D6
OutputDebugStringW.KERNEL32(?), ref: 00E279E3
FreeResource.KERNEL32(?), ref: 00E27BE3

Part of subcall function 00E2C69C: FindResourceW.KERNEL32(00000000,?,DAR,00E23D3D,?,?,5E3F636C,00000000,DAR), ref: 00E2C6AD

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000002), ref: 00E27A42
_memset.LIBCMT ref: 00E27A7C
__swprintf.LIBCMT ref: 00E27B96
OutputDebugStringW.KERNEL32(?), ref: 00E27BA3
CloseHandle.KERNEL32(?), ref: 00E27BD4

Strings

Fun:%s ,WriteFile %s failed!, xrefs: 00E27B89
lc?^, xrefs: 00E27AE0, 00E27B16, 00E27AF3
Fun:%s ,CreateFileW %s failed!, xrefs: 00E27A98
_7Z, xrefs: 00E27AB2
Fun:%s ,LoadResource failed!, xrefs: 00E27932, 00E279D0
Lua_ExtractResource, xrefs: 00E2792D, 00E279CB, 00E27A93, 00E27B84
hwang , xrefs: 00E27900, 00E2799E, 00E27A5E, 00E27B4F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset$Resource$CloseCreateEnvironmentExpandFileFindFreeHandleStrings
String ID: Fun:%s ,CreateFileW %s failed!$Fun:%s ,LoadResource failed!$Fun:%s ,WriteFile %s failed!$Lua_ExtractResource$_7Z$hwang $lc?^
API String ID: 3702404746-2470483299
Opcode ID: 090a6e4614637d61943893dd43c8a90075217af633089f4c6c0d40506251cc8d
Instruction ID: dbe7c019d128f3ab086a5a0de3bb0609f15d183ed24578f798e3a2d394bb6041
Opcode Fuzzy Hash: 090a6e4614637d61943893dd43c8a90075217af633089f4c6c0d40506251cc8d
Instruction Fuzzy Hash: FEB19F726083109FC710DF29EC85E9BB7E9FF89710F10591DF989A7151DBB19908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E3F6B3 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 396COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E3F793
__localtime64.LIBCMT ref: 00E3F7C1
__localtime64.LIBCMT ref: 00E3F7CF
_memcmp.LIBCMT ref: 00E3F8A9
_memmove.LIBCMT ref: 00E3F8C4
_wcsftime.LIBCMT ref: 00E3F8E5

Part of subcall function 00E2E5CA: _memcmp.LIBCMT ref: 00E2E61C

__time64.LIBCMT ref: 00E3F97A

Part of subcall function 00E508F5: GetSystemTimeAsFileTime.KERNEL32(00E2FC0D,?,?,?,00E2FC0D,00000000), ref: 00E508FE
Part of subcall function 00E508F5: __aulldiv.LIBCMT ref: 00E5091E

Strings

day, xrefs: 00E3F9D5
year, xrefs: 00E3F9FE
aAbBcdHIjmMpSUwWxXyYzZ%||#c#x#d#H#I#j#m#M#S#U#w#W#y#Y, xrefs: 00E3F87C, 00E3F8A7
month, xrefs: 00E3F9E8
%, xrefs: 00E3F81F
hour, xrefs: 00E3F9C3
invalid conversion specifier '%%%s', xrefs: 00E3F933
field '%s' is out-of-bound, xrefs: 00E3F733
field '%s' missing in date table, xrefs: 00E3F6F7
field '%s' is not an integer, xrefs: 00E3F73B
isdst, xrefs: 00E3FA14
time result cannot be represented in this installation, xrefs: 00E3F927, 00E3FA84
min, xrefs: 00E3F9B0
sec, xrefs: 00E3F9A4

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Time__localtime64__time64_memcmp$FileSystem__aulldiv_memmove_wcsftime
String ID: %$aAbBcdHIjmMpSUwWxXyYzZ%||#c#x#d#H#I#j#m#M#S#U#w#W#y#Y$day$field '%s' is not an integer$field '%s' is out-of-bound$field '%s' missing in date table$hour$invalid conversion specifier '%%%s'$isdst$min$month$sec$time result cannot be represented in this installation$year
API String ID: 2487876962-2557036086
Opcode ID: c073ffbeafe80b847a191a5f107f5519e561aaa2fb598d11aefb6478ea092e59
Instruction ID: 97c2fdff642f4109ee9965cf92692b38b810b1aa4c451f6b10a89c273d70c0ba
Opcode Fuzzy Hash: c073ffbeafe80b847a191a5f107f5519e561aaa2fb598d11aefb6478ea092e59
Instruction Fuzzy Hash: 13C12871B083505BD714EA399C46A6FBBD9EFC5314F10A53EF499F7281EA708D02C692

Uniqueness

Uniqueness Score: -1.00%

Function 00E5C2C0 Relevance: 21.5, APIs: 14, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ac75984d18924aef6d5d14c6bc6da49327253679f5522441b29435f7384c94
Instruction ID: 8d357d4cba851ef0da715857af5ae92c1c6cbdcf7127b67c44c171e3b39b41f5
Opcode Fuzzy Hash: 21ac75984d18924aef6d5d14c6bc6da49327253679f5522441b29435f7384c94
Instruction Fuzzy Hash: 7B325C75A022288FCB24CF25DC516E9B7F4FB4A315F1858D9E80AB7A81D7709E84CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00E66C04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

_memset.LIBCMT ref: 00E66C3A
_TranslateName.LIBCMT ref: 00E66C85
_TranslateName.LIBCMT ref: 00E66CD0
GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 00E66D1D

Part of subcall function 00E66EED: _GetTableIndexFromLcid.LIBCMT ref: 00E66F1A
Part of subcall function 00E66EED: _wcsnlen.LIBCMT ref: 00E66F2E

IsValidCodePage.KERNEL32(00000000), ref: 00E66D71
IsValidLocale.KERNEL32(?,00000001), ref: 00E66D84
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 00E66DD7
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00E66DEE
__itow_s.LIBCMT ref: 00E66E00

Strings

4|, xrefs: 00E66C1F
4|, xrefs: 00E66C36, 00E66C47, 00E66D0A, 00E66CB3, 00E66CA8, 00E66C39, 00E66CAB, 00E66CB6, 00E66D0D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoNameTranslateValid$CodeDefaultFromIndexLcidPageTableUser__getptd_noexit__itow_s_memset_wcsnlen
String ID: 4|$4|
API String ID: 1819841604-704439468
Opcode ID: edef25c8ffbc20bfa0e02ae8fb680d83ef139f63dee3584996af833a13ce8d32
Instruction ID: 96219dfc8be994ea0e72851b0f1ceaee54e8eeae4e499defc0c99346529a1045
Opcode Fuzzy Hash: edef25c8ffbc20bfa0e02ae8fb680d83ef139f63dee3584996af833a13ce8d32
Instruction Fuzzy Hash: 49519275A50609AFDF10EFA4EC45BBEB7B8EF04384F14182AE914FB141E7719A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2C521 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2C5E0: FindClose.KERNEL32(?,?,00E2C52B,00000000,hwang ,00000000,00E2418E,?,00000001,00000000), ref: 00E2C5FA

FindFirstFileW.KERNEL32(?,?), ref: 00E2C553
GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00E2C570
SetLastError.KERNEL32(0000007B), ref: 00E2C583
lstrlenW.KERNEL32(?,00000000,hwang ,00000000,00E2418E,?,00000001,00000000), ref: 00E2C58E
_wcsrchr.LIBCMT ref: 00E2C59F
_wcsrchr.LIBCMT ref: 00E2C5A9

Strings

*.*, xrefs: 00E2C538, 00E2C53D, 00E2C552, 00E2C56F
hwang , xrefs: 00E2C522

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Find_wcsrchr$CloseErrorFileFirstFullLastNamePathlstrlen
String ID: *.*$hwang
API String ID: 3086268848-3721845571
Opcode ID: 7f1210ed32d778d986c4aa2ff8b30ebe9ae1f5d5b51e02c46d8c9df2b3b82c01
Instruction ID: 50c7f414c0d29d8ee1fbab7b02866ff543add3205f00d2fcb91166bb658e78b0
Opcode Fuzzy Hash: 7f1210ed32d778d986c4aa2ff8b30ebe9ae1f5d5b51e02c46d8c9df2b3b82c01
Instruction Fuzzy Hash: FF11E6726807145BC3206735FC85A6F36EDEF99358F211C29F51AF3141FB74E50582A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E66A83 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00E66A9A
_wcscmp.LIBCMT ref: 00E66AAB
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00E66D49,?,00000000), ref: 00E66AC7
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00E66D49,?,00000000), ref: 00E66AF1

Strings

ACP, xrefs: 00E66A94
OCP, xrefs: 00E66AA5

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 344c0f912e351810bfca47436ed53f542a9efc919af91d6edb2015c9530f8108
Instruction ID: becc52418d28616f9ae7d69017eb1da49572303931af8baeb1ba8c2b132f93bd
Opcode Fuzzy Hash: 344c0f912e351810bfca47436ed53f542a9efc919af91d6edb2015c9530f8108
Instruction Fuzzy Hash: 09018032291615AAEB10DFA8FC45FDA37D8EF007E9F44E025F909FA051EB70D9819785

Uniqueness

Uniqueness Score: -1.00%

Function 00E22BD5 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00000000,00000000,5E3F636C,?,?,?,?), ref: 00E22C1C
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00E22C55
_memset.LIBCMT ref: 00E22C7C
QueryDosDeviceW.KERNEL32(00000000,?,00000104,?,?,?), ref: 00E22CCE
PathAddBackslashW.SHLWAPI(?,?,?,?), ref: 00E22CDC
PathAddBackslashW.SHLWAPI(00000000,?,?,?), ref: 00E22CDF

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: BackslashDriveLogicalPathStrings$DeviceQuery_memset
String ID:
API String ID: 1915353016-0
Opcode ID: c19cebd278e58660219d500e3cd6452fadee0730be27c3102371959dbff9128c
Instruction ID: f1610f0a108b60ce69879fb06acb798f266255d624b4986c77d2d3a1797cfff4
Opcode Fuzzy Hash: c19cebd278e58660219d500e3cd6452fadee0730be27c3102371959dbff9128c
Instruction Fuzzy Hash: 2C51C072604390AFD321EF25EC85B6BB7E8EFD4704F01192DF589A7251EB70A944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E2111A Relevance: 7.6, APIs: 5, Instructions: 89serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 00E21137
OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 00E2114D
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,000F01FF), ref: 00E2117E
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,000F01FF), ref: 00E211A5
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,000F01FF), ref: 00E211BE

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Service$OpenQueryStatus$ManagerStart
String ID:
API String ID: 1532350385-0
Opcode ID: 502d9dce5cf6dfd484856cd324c4b634f90e6dd3d435d377a33fe05fb6239c51
Instruction ID: 7adb283153b03fe11effdafc05d16a0298e4bd35be773f89898127fba3cb4e85
Opcode Fuzzy Hash: 502d9dce5cf6dfd484856cd324c4b634f90e6dd3d435d377a33fe05fb6239c51
Instruction Fuzzy Hash: CA217471A0121DAEDB20DFA6DC84DFEB7BCEF19758F041469EA01F6180DA709E45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00E66768 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00E667C1
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00E6680E
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00E668BE

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$__getptd_noexit
String ID:
API String ID: 1862418609-0
Opcode ID: 1231ca271af80d1b97d11771e2d0e32d7d211e9940deb03e6d1831c6bd8810d5
Instruction ID: e411d0e7f24c02c4b18473e482abfa56128f62b8ddcd2e68db789b12941db919
Opcode Fuzzy Hash: 1231ca271af80d1b97d11771e2d0e32d7d211e9940deb03e6d1831c6bd8810d5
Instruction Fuzzy Hash: 0451F1715A02129FDF289F28EC82BBA77E8EF10364F145179EC04EA195E774ED94CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E27203 Relevance: 6.1, APIs: 4, Instructions: 136processwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E2720D
FindWindowW.USER32(?,00000000), ref: 00E27258
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 00E272BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E272FA

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CreateFindH_prolog3_catch_MessagePostSnapshotToolhelp32Window
String ID:
API String ID: 3104000208-0
Opcode ID: 9024872093f1d423669bf7f47947979ad3df04919e20df878283c68e402baf29
Instruction ID: fa23ed08b73077709898f5117298c62c7ad40c6768e260f0739482985127e1c0
Opcode Fuzzy Hash: 9024872093f1d423669bf7f47947979ad3df04919e20df878283c68e402baf29
Instruction Fuzzy Hash: 8B419171A04628DEDB24DF25AD45A9EB7F9BF84710F1090AEE189A6291DE705E80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E229D4 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00E229F7
OpenProcessToken.ADVAPI32(00000000), ref: 00E229FE
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E22A1C
AdjustTokenPrivileges.ADVAPI32(00000010,00000000,00000000,00000010,00000000,00000000,?,?), ref: 00E22A46

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: c23fd06de89d659aa9328e1f5c256940af638dc923e48817846577e3598921b3
Instruction ID: 92d99ce1d1eb866668825c105a606e4bc55be590a5b9ba0d59996fdcb04a0bd3
Opcode Fuzzy Hash: c23fd06de89d659aa9328e1f5c256940af638dc923e48817846577e3598921b3
Instruction Fuzzy Hash: 4811A572A04704AFD320DF2AEC45A5BBBECFBC8748F41092DF649E7110D671D9098AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E21094 Relevance: 6.1, APIs: 4, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00E210A6
Sleep.KERNEL32(?), ref: 00E210D7
GetTickCount.KERNEL32 ref: 00E210F1

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 9707ad16b730b7842f65cd319406b5f9eb7d6311b380fb346782c845cf3297ed
Instruction ID: 7bcace7afe581b2194d7b952e3cf5c758ec541d5251eb489d4b4ff67f866c754
Opcode Fuzzy Hash: 9707ad16b730b7842f65cd319406b5f9eb7d6311b380fb346782c845cf3297ed
Instruction Fuzzy Hash: 5B01A1716097559FD324DF26FC4482BF3E8EFA4345B101D6EE646D3240DAB0EE548A72

Uniqueness

Uniqueness Score: -1.00%

Function 00E408C7 Relevance: 5.4, Strings: 4, Instructions: 435COMMON

Download Yara Rule

Strings

too many elements to move, xrefs: 00E40D20
position out of bounds, xrefs: 00E409AD, 00E40AD0
wrong number of arguments to 'insert', xrefs: 00E409A2
destination wrap around, xrefs: 00E40BD2

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: destination wrap around$position out of bounds$too many elements to move$wrong number of arguments to 'insert'
API String ID: 0-3791153335
Opcode ID: c336a51e470627e5b7a4214f2cadc6a837aa0c9e941ee311a4da71dc0f0ddf34
Instruction ID: 78ff2b87a900f08e9d9acb3ccab92bcd0996c6f7d88711dd13f39ccd48cf5ef2
Opcode Fuzzy Hash: c336a51e470627e5b7a4214f2cadc6a837aa0c9e941ee311a4da71dc0f0ddf34
Instruction Fuzzy Hash: DED1FC327087108BD718DE29AC81A2EF3D6EFC4714F14A93DFA99E7382DA70DD454686

Uniqueness

Uniqueness Score: -1.00%

Function 00E3FC89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000105), ref: 00E3FCA0
FormatMessageA.KERNEL32(00001200,00000000,00000000,00000000,?,00000080,00000000), ref: 00E3FCBF

Strings

system error %d, xrefs: 00E3FCD9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: system error %d
API String ID: 3479602957-1688351658
Opcode ID: 51833daf9c674da23830975e5a2af4ef557b6b0498da3282290b2354c30fdfe6
Instruction ID: 32cff1f7b9d2aa39f3135cbaf5b7df95d6e4094c3eb46485dc313ea77fa432ae
Opcode Fuzzy Hash: 51833daf9c674da23830975e5a2af4ef557b6b0498da3282290b2354c30fdfe6
Instruction Fuzzy Hash: D9F09631600214AFD714E7269C0EEAF77E8EB85714F405169F445F6280EEA05E0987A5

Uniqueness

Uniqueness Score: -1.00%

Function 00E28968 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E229D4: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E229F7
Part of subcall function 00E229D4: OpenProcessToken.ADVAPI32(00000000), ref: 00E229FE
Part of subcall function 00E229D4: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E22A1C
Part of subcall function 00E229D4: AdjustTokenPrivileges.ADVAPI32(00000010,00000000,00000000,00000010,00000000,00000000,?,?), ref: 00E22A46

ExitWindowsEx.USER32(00000000,00000000), ref: 00E2899C

Strings

SeShutdownPrivilege, xrefs: 00E28971

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 1314775590-3733053543
Opcode ID: 2f2ea82234fbbf3b1acfa61871f00c3fb1b1bc76c13f8e97b4240e746d4ba9f4
Instruction ID: ed192c7ba2bd3ce32724a7603dea1026626c70c53c4f6105314321f07fb5c7cb
Opcode Fuzzy Hash: 2f2ea82234fbbf3b1acfa61871f00c3fb1b1bc76c13f8e97b4240e746d4ba9f4
Instruction Fuzzy Hash: 00F089723056115BE7089E5ABC86A2AE399EFC5230F60D13EF205DB2D1CA709C558690

Uniqueness

Uniqueness Score: -1.00%

Function 00E66668 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

_GetPrimaryLen.LIBCMT ref: 00E666B3
EnumSystemLocalesW.KERNEL32(00E66768,00000001,000000A0,?,?,00E66CF2,00000000,?,?,?,?,?,00000055), ref: 00E666C3

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: EnumLocalesPrimarySystem__getptd_noexit
String ID:
API String ID: 1605451767-0
Opcode ID: 097de8ed2d942fec1fa9dcbe19a704450e6dad96a35746440c6dfaa363cf1836
Instruction ID: 0c9251cb461bed52db7150f2c117462fe3e553af5959642a5e5adacffb1424bb
Opcode Fuzzy Hash: 097de8ed2d942fec1fa9dcbe19a704450e6dad96a35746440c6dfaa363cf1836
Instruction Fuzzy Hash: CC01A7325A4706DFEB209F34F509B69B7E4EF01759F105929E449F6091DBB4A864CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E66B30 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E6692A,00000000,00000000,?), ref: 00E66B5A
_GetPrimaryLen.LIBCMT ref: 00E66B79

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocalePrimary__getptd_noexit
String ID:
API String ID: 3580725100-0
Opcode ID: e46c697874db102edac5733d1a1011325f07fbfd06f285c2e14843308aa24082
Instruction ID: b39e4420ca5029042309e8fd146e4d5152774683feaee5d0fd3962edb09eea16
Opcode Fuzzy Hash: e46c697874db102edac5733d1a1011325f07fbfd06f285c2e14843308aa24082
Instruction Fuzzy Hash: 98F02433A60514FBEF146734EC06BEE779CEB00798F144136E949F7080EA74BD1086A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E666E5 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

_GetPrimaryLen.LIBCMT ref: 00E66717
EnumSystemLocalesW.KERNEL32(00E6695B,00000001,?,?,00E66CBC,4|,?,?,00000055,?,?,00E57C34,?,?,?), ref: 00E6672A

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: EnumLocalesPrimarySystem__getptd_noexit
String ID:
API String ID: 1605451767-0
Opcode ID: b82e4b31633672f4a22824c19651e7abd7b1f3e6a5d84e19002ed5d26bee8623
Instruction ID: 3c88fa3fcbc76f850978998fb20c16f27018e0de79de9985870623e9fb24d8d3
Opcode Fuzzy Hash: b82e4b31633672f4a22824c19651e7abd7b1f3e6a5d84e19002ed5d26bee8623
Instruction Fuzzy Hash: 79F0EC315A4705EFEB106B34FC45FA17BD1DB127A9F105417F44DFA0D2CA716C508A10

Uniqueness

Uniqueness Score: -1.00%

Function 00E58BC7 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E54A11,?,?,?,00000000), ref: 00E58BCC
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00E58BD5

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bae1a82179ebbf3731d69f93cc60d893eb3f59e19c0a32e150112668963267bf
Instruction ID: d957fd7e0baca7fbd89e2c1869c522cbb787e213b8029320e69241f782c6808c
Opcode Fuzzy Hash: bae1a82179ebbf3731d69f93cc60d893eb3f59e19c0a32e150112668963267bf
Instruction Fuzzy Hash: 23B09232048A08EFDA006B92EC09B983F29EB04663F400060F60D580B18BE358958B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E33BDD Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

memory allocation error: block too big, xrefs: 00E33BD1, 00E33C28, 00E33E17
table overflow, xrefs: 00E33C7F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: memory allocation error: block too big$table overflow
API String ID: 0-350483971
Opcode ID: 23c657c70ab87327dbda470ca4200402d01e262f6b21f11aac432c134cc3ae17
Instruction ID: aba29335e97236b8b5a163cc943427b4eb31a75ef4e43ef37ed01aabba856297
Opcode Fuzzy Hash: 23c657c70ab87327dbda470ca4200402d01e262f6b21f11aac432c134cc3ae17
Instruction Fuzzy Hash: 05C1BE71A043158FDB14CF29C884A5AFBF5EF88314F1495AEE859E7381EB309E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E47BE0 Relevance: 2.3, APIs: 1, Instructions: 793COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E47EFE

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2b0dfc0710faed2328d6814c4213b29e4371b17e6604780dcc7d41ef5b22d60f
Instruction ID: fc3b37da26927779bda6f6bd49d258ca7d20f05e73dd6e5fdceef02c9dbb3a7d
Opcode Fuzzy Hash: 2b0dfc0710faed2328d6814c4213b29e4371b17e6604780dcc7d41ef5b22d60f
Instruction Fuzzy Hash: 94623970A002099FCF24CF98E990AAEBBF1FF49708F145199E845BB345EB30AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E720D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c6ee61c2885820a1cc40d2007009af3ce3541728c1207480eac7c57701b7db
Instruction ID: 68cd23844398081124327bff280bbd7ae6c94389eec525d0e4cfc0f8e5919cce
Opcode Fuzzy Hash: c2c6ee61c2885820a1cc40d2007009af3ce3541728c1207480eac7c57701b7db
Instruction Fuzzy Hash: 32322621D29F414DD7279636DC22335A248EFB73C4F15E72BF81AB5EAAEB29C5834101

Uniqueness

Uniqueness Score: -1.00%

Function 00E46CF0 Relevance: 2.0, APIs: 1, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046b9a1d3e26648ed3790f6ecc71e2e039b8fe691e6f5e6ba3b340492e5b10f0
Instruction ID: 6f65acd84403a5dfe17bef7b7bf36fb17232e50fd7f276b2d7f014d90e2d1e22
Opcode Fuzzy Hash: 046b9a1d3e26648ed3790f6ecc71e2e039b8fe691e6f5e6ba3b340492e5b10f0
Instruction Fuzzy Hash: 75223F74A052298FDF24DF28E880BA9B7B6BF45308F1451D9D84DB7252DB309E85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00E7089E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea5c180d9e5252d43c1ce86c08a858b4dec78c7d6e99bc2e4ff608555e5b8fc
Instruction ID: 9d1f4b55f3c403c5d59bd6fef5735c6012c88af7ed172326a22e830ff57fa8e8
Opcode Fuzzy Hash: 8ea5c180d9e5252d43c1ce86c08a858b4dec78c7d6e99bc2e4ff608555e5b8fc
Instruction Fuzzy Hash: 4EB1F531D2AF414DD32396399831336B69CAFBB2D5F61D71BFC1A70D22EB2295874240

Uniqueness

Uniqueness Score: -1.00%

Function 00E6695B Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00E669B4

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale__getptd_noexit
String ID:
API String ID: 2161030339-0
Opcode ID: e5dee1e6d04f8ca83463de6bccec5928d836057087c5dbe6e9f74dfaf94cf51d
Instruction ID: abdac4db9f9dfc4ac90ca1b0de3418cb804648f514e4987a883905dffcd651a4
Opcode Fuzzy Hash: e5dee1e6d04f8ca83463de6bccec5928d836057087c5dbe6e9f74dfaf94cf51d
Instruction Fuzzy Hash: 3721D0715602069FDB28DB68EC42BBA73ECEF01358F10647AE801F6181EB70AD54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6702D Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,?,00E57CBC,?,00E57CBC,?,20001004,?,00000002,?,00000004,?,00000000), ref: 00E67054

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31b1746c57a53a0217e42227ce91eb04b7d917c26ff3b3d5e4476778479981db
Instruction ID: 845566f679c6dca3160a6d7246de811552857c9953d8c8597d5a07b5cf13b60c
Opcode Fuzzy Hash: 31b1746c57a53a0217e42227ce91eb04b7d917c26ff3b3d5e4476778479981db
Instruction Fuzzy Hash: F8D05E33144109FFCF01AFE6FC05C6A3BA9FF08354B445406F90CA5020DA72E8649B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E58BA4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E58BAA

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e756a01fae1d3544e6416a23c61ff380a304d52e061f0d188e3e8520e446573f
Instruction ID: 4a329c89f39a9dc6463fd5863519ee3c9e333f12d7df52f805be1b7dd7784403
Opcode Fuzzy Hash: e756a01fae1d3544e6416a23c61ff380a304d52e061f0d188e3e8520e446573f
Instruction Fuzzy Hash: CCA0123100460CAB8A001B42EC044443F1DD7001537400060F40C0402087A354504A80

Uniqueness

Uniqueness Score: -1.00%

Function 00E74433 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E74433

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f4fd6191a68f3d0b80c182929be863b2b089d29e19d51943c14894045b8fcaac
Instruction ID: f2a6c9e7379ed2382b2c7f6b2f20005267642283b30ab49263fd87c8804cbbe4
Opcode Fuzzy Hash: f4fd6191a68f3d0b80c182929be863b2b089d29e19d51943c14894045b8fcaac
Instruction Fuzzy Hash: D7C012A22017419EC340DB63BE09B083A94634130AF60A54BE029752A0D7F001888F00

Uniqueness

Uniqueness Score: -1.00%

Function 00E4B726 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78117140076c9fa30991c39c806b5a8f7b600ec533652547dfe1fc8cfa7181d5
Instruction ID: fc48f1497915ec922c5c160e100dbea438753758397d41c6025d16e8a7571a5e
Opcode Fuzzy Hash: 78117140076c9fa30991c39c806b5a8f7b600ec533652547dfe1fc8cfa7181d5
Instruction Fuzzy Hash: 5FD108B1E005258BCF0CCE59D4A02BDBBB2FFD8301F25966ED95AA7388D7309941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00E652E7 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: eb3f6e7f051a99536340ecc6292c31cb38651f85e92ab6b0c04056867c3b453d
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: CAC1F4732855934ADB2D4A39E43803EBAE1AEA27F571A235DD4B3DF0C4EE21C564C620

Uniqueness

Uniqueness Score: -1.00%

Function 00E6571C Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 5414e93943b98ef1876f207c62d3b1b10eb4a6c8a7334894e45319dc168087ab
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: A9C1E47328559349DF2D4639E43403EBAE0AAE27F571A236DD4B3EF0C4EE21C564D620

Uniqueness

Uniqueness Score: -1.00%

Function 00E64A9A Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2a7f464aa7bce3d0066c971db0faebf5adfd2f4313669e0f237e2c37e1fd36e7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B9C1D4B228519349DF2D4A3AE43403EFAE1AAA27F531A675DD4B3DF1C4EE21C564C620

Uniqueness

Uniqueness Score: -1.00%

Function 00E47460 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf4a54bea3bba5f9d2523af80ea2aede104ebe357da2cada934512c4f6ed797
Instruction ID: b1351115250ca5f5df65f83c6de55fa225b40be0fe644e86919e10d383bbba77
Opcode Fuzzy Hash: baf4a54bea3bba5f9d2523af80ea2aede104ebe357da2cada934512c4f6ed797
Instruction Fuzzy Hash: FBB14E75E042099FCB14CFA9E4806ADBBF2FF98314F24956AD885AB340E735E941CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E4CA00 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289001fb307db5d759d0ea81cc18fb09c0bcca247cecbbde20984d36be10ad56
Instruction ID: f1bfb8a78341a94ba5bd3d4cf969952e32cf53a0a15268e4cb05d5da0da03c34
Opcode Fuzzy Hash: 289001fb307db5d759d0ea81cc18fb09c0bcca247cecbbde20984d36be10ad56
Instruction Fuzzy Hash: 9E7173B2E015588BDB08CB6DD8503ADFBF2EFD9300F1A8179E469E7351DA749905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E4A4D0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d2e1ae542a1be86dd4ad8c944031fdad3bb7ce672f4c644007da6c66dde631
Instruction ID: 0296e93b6f6bfd08f586d97e9f68a835deea0fb65879296536cacffffe390ca6
Opcode Fuzzy Hash: 51d2e1ae542a1be86dd4ad8c944031fdad3bb7ce672f4c644007da6c66dde631
Instruction Fuzzy Hash: B4315733F442640B8B248A6C69D40ADFBD2DBD533972EC3BACD9AAB681D4758C05C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 00E45DC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771790367dc5b6a472a37329ebfae59437e59acfa1e9a72b7b166e995cf9daf0
Instruction ID: 5906f8e62921d89488ef63db37a1c1a9c143a05b37d98a05088c54f9ccae1153
Opcode Fuzzy Hash: 771790367dc5b6a472a37329ebfae59437e59acfa1e9a72b7b166e995cf9daf0
Instruction Fuzzy Hash: FF21807E265E014BA70CC71BAD73A7A2143E3C4305688E12EE24BDA3E9EE7C4815C109

Uniqueness

Uniqueness Score: -1.00%

Function 00E48CF1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33a8aa4f4cd679048c9687fcf20e7cc67de5e4bf1e25cd606c97537424b384f
Instruction ID: 370c104bf1af28279c85deadb3d2d38f6a0f9aaf32200ce0f75fe4959e0ad200
Opcode Fuzzy Hash: c33a8aa4f4cd679048c9687fcf20e7cc67de5e4bf1e25cd606c97537424b384f
Instruction Fuzzy Hash: D121DE329219279BD72ADE0DDC817F9B361FF98309F548325DD4097289C739AA22C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00E51AF0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: aac374bc6067afad2802b75ad789e0f395e845dee2bc8f24d7e9b6c40af64d09
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 28113B77200041C3D6948A2DD4F47B6E3A6EAD633BB2C6BF9C8416B644F122994D9500

Uniqueness

Uniqueness Score: -1.00%

Function 00E48C50 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a841ba4d3933f4d7009d1e3633c227c1fa50a95a4d5e76c970b6527f4421cf20
Instruction ID: b47a64c706c4936260e1879b88e4d3a4dceacbda501dd78f41ef108e736b2e17
Opcode Fuzzy Hash: a841ba4d3933f4d7009d1e3633c227c1fa50a95a4d5e76c970b6527f4421cf20
Instruction Fuzzy Hash: DF1136325215260BE7269D0CDCD17BAB351FF90318F498235DC41AB248CA38E811C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E38B30 Relevance: 44.2, APIs: 7, Strings: 18, Instructions: 493COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E38C28
___from_strstr_to_strchr.LIBCMT ref: 00E38CB2
___from_strstr_to_strchr.LIBCMT ref: 00E38CD1
___from_strstr_to_strchr.LIBCMT ref: 00E38D32
___from_strstr_to_strchr.LIBCMT ref: 00E38D7C
___from_strstr_to_strchr.LIBCMT ref: 00E38DB6
___from_strstr_to_strchr.LIBCMT ref: 00E38DD3

Part of subcall function 00E2E5CA: _memcmp.LIBCMT ref: 00E2E61C

Strings

level out of range, xrefs: 00E38F09, 00E39004
namewhat, xrefs: 00E38D6C
lastlinedefined, xrefs: 00E38C84
currentline, xrefs: 00E38CC1
short_src, xrefs: 00E38C62
invalid option, xrefs: 00E38E16
nparams, xrefs: 00E38CF5
flnStu, xrefs: 00E38B62
what, xrefs: 00E38CA2
istailcall, xrefs: 00E38D9A
isvararg, xrefs: 00E38D14
activelines, xrefs: 00E38DC1
func, xrefs: 00E38DDE
linedefined, xrefs: 00E38C73
name, xrefs: 00E38D4E
nups, xrefs: 00E38CE2
>%s, xrefs: 00E38B96
source, xrefs: 00E38C44

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_memcmp
String ID: >%s$activelines$currentline$flnStu$func$invalid option$istailcall$isvararg$lastlinedefined$level out of range$linedefined$name$namewhat$nparams$nups$short_src$source$what
API String ID: 2585625864-3424287483
Opcode ID: a75c89ae3af2c30092eada020e17563ecbeac7e04e6363229364a61c76b90bd7
Instruction ID: c7874a6959e315b8dc801528b0e63fa00ef5fa8e7d18381608df10c5d77b12e8
Opcode Fuzzy Hash: a75c89ae3af2c30092eada020e17563ecbeac7e04e6363229364a61c76b90bd7
Instruction Fuzzy Hash: 4EE1B4317043115BDB14AE34A89652EB7D6DFC8724F24A92DF80AAF3C6DEB4DC058791

Uniqueness

Uniqueness Score: -1.00%

Function 00E27C25 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 235libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,Wow64DisableWow64FsRedirection,00000001,00000000,00000000), ref: 00E27D0F
GetProcAddress.KERNEL32(00000000), ref: 00E27D18
GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 00E27D5D
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000), ref: 00E27D83
GetProcAddress.KERNEL32(00000000), ref: 00E27D86
GetCurrentProcess.KERNEL32(00000000), ref: 00E27D93
PathAppendW.SHLWAPI(00000000,System32\regsvr32.exe,00000000), ref: 00E27DBD
_memset.LIBCMT ref: 00E27E6A
ShellExecuteExW.SHELL32(0000003C), ref: 00E27EC2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E27ED4
CloseHandle.KERNEL32(?), ref: 00E27EDE
GetModuleHandleW.KERNEL32(Kernel32,Wow64RevertWow64FsRedirection), ref: 00E27F3F
GetProcAddress.KERNEL32(00000000), ref: 00E27F42

Strings

Wow64DisableWow64FsRedirection, xrefs: 00E27D00
kernel32, xrefs: 00E27D7E
@, xrefs: 00E27E7E
SysWOW64\regsvr32.exe, xrefs: 00E27DA1
<, xrefs: 00E27E76
/s %s, xrefs: 00E27DEA, 00E27DF2
System32\regsvr32.exe, xrefs: 00E27DA8, 00E27DBB
Kernel32, xrefs: 00E27D05, 00E27F3A
IsWow64Process, xrefs: 00E27D79
/s /u %s, xrefs: 00E27DE5
Wow64RevertWow64FsRedirection, xrefs: 00E27F35

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Handle$AddressModuleProc$AppendCloseCurrentDirectoryExecuteObjectPathProcessShellSingleWaitWindows_memset
String ID: /s %s$/s /u %s$<$@$IsWow64Process$Kernel32$SysWOW64\regsvr32.exe$System32\regsvr32.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32
API String ID: 2190183658-2197895514
Opcode ID: 26deae4081bcd37216b101a7ce493458b0e5daa101d2296bcd35b4eb0c98009b
Instruction ID: 6a107f24c742646428fe43786f4f9c37a55edb7d9f206963dc8f39e4f0083d98
Opcode Fuzzy Hash: 26deae4081bcd37216b101a7ce493458b0e5daa101d2296bcd35b4eb0c98009b
Instruction Fuzzy Hash: 6B919C712083419FD320DF24D846BABB7E9FF88714F10592EF199A7291DBB4A908CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00E23CD8 Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00E2C69C: FindResourceW.KERNEL32(00000000,?,DAR,00E23D3D,?,?,5E3F636C,00000000,DAR), ref: 00E2C6AD

_memset.LIBCMT ref: 00E23D5E
__swprintf.LIBCMT ref: 00E23D7E
OutputDebugStringW.KERNEL32(?,?,?,?,?,DAR), ref: 00E23D91
_memset.LIBCMT ref: 00E23DAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,DAR), ref: 00E23DB4
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,DAR), ref: 00E23DD2
__swprintf.LIBCMT ref: 00E23DC5

Part of subcall function 00E4E0C0: __woutput_l.LIBCMT ref: 00E4E119

LockResource.KERNEL32(lc?^,?,?,5E3F636C,00000000,DAR), ref: 00E23DDD
_memset.LIBCMT ref: 00E23E02
GetLastError.KERNEL32 ref: 00E23E0A
__swprintf.LIBCMT ref: 00E23E1B
OutputDebugStringW.KERNEL32(?), ref: 00E23E72
FreeResource.KERNEL32(00000000,00000000,00000000,?), ref: 00E23EC3

Strings

LoadResource failed. Type : %s ID : %s, xrefs: 00E23D78
lc?^, xrefs: 00E23DD9
hwang err:%d, xrefs: 00E23DBF
LockResource failed.hwang err:%d, xrefs: 00E23E15
DAR, xrefs: 00E23CFC
ResSize == 0, xrefs: 00E23E60
hwang , xrefs: 00E23D45, 00E23D93, 00E23DE9, 00E23E3B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputResourceString__swprintf_memset$ErrorLast$FindFreeLock__woutput_l
String ID: DAR$LoadResource failed. Type : %s ID : %s$LockResource failed.hwang err:%d$ResSize == 0$hwang $hwang err:%d$lc?^
API String ID: 2013659159-450655138
Opcode ID: 121276a4b92c18e7af57e8b5cb4c13156c9803e96404f97f16c8ba91087f236a
Instruction ID: 3ef3bb88b5ef987cadca6de56f16ea777d7d8c0d39053934bfd3655123ea73d4
Opcode Fuzzy Hash: 121276a4b92c18e7af57e8b5cb4c13156c9803e96404f97f16c8ba91087f236a
Instruction Fuzzy Hash: 7F51B272509704AFC311EF64EC41A9FB7E9FF89704F40582DF598A7241DBB2A909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E26D85 Relevance: 35.3, APIs: 11, Strings: 9, Instructions: 300synchronizationCOMMON

Download Yara Rule

APIs

PathIsURLW.SHLWAPI(?), ref: 00E26E4E
PathFileExistsW.SHLWAPI(?), ref: 00E26E7A
_memset.LIBCMT ref: 00E26EF0
__swprintf.LIBCMT ref: 00E26F19
OutputDebugStringW.KERNEL32(?), ref: 00E26F29
_memset.LIBCMT ref: 00E27014
ShellExecuteExW.SHELL32(0000003C), ref: 00E27071
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E2707F
GetExitCodeProcess.KERNEL32(?,00000000), ref: 00E27093
CloseHandle.KERNEL32(?), ref: 00E2709D

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

ShellExecuteW.SHELL32(00000000,?,?,?,?,00000001), ref: 00E2711A

Strings

Taskbarunpin, xrefs: 00E26EBF, 00E2713E
Startpin, xrefs: 00E27133
Fun:%s, Description:%s it's not exists!, xrefs: 00E26F13
Lua_Exec, xrefs: 00E26F07
Taskbarpin, xrefs: 00E27149
@, xrefs: 00E27058
hwang , xrefs: 00E26ED0
Startunpin, xrefs: 00E26E99, 00E27128
<, xrefs: 00E27050

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExecutePathShell_memset$CloseCodeDebugEnvironmentExistsExitExpandFileHandleObjectOutputProcessSingleStringStringsWait__swprintf
String ID: <$@$Fun:%s, Description:%s it's not exists!$Lua_Exec$Startpin$Startunpin$Taskbarpin$Taskbarunpin$hwang
API String ID: 3840862688-2712104450
Opcode ID: c2b7f3eed974079763b7d5a17c829507ff46dff4774c2d447a5cd114fedb4ab8
Instruction ID: 895429672ddea85e91ade01e286be5600a8646abff591c1161149a8d57c1eb43
Opcode Fuzzy Hash: c2b7f3eed974079763b7d5a17c829507ff46dff4774c2d447a5cd114fedb4ab8
Instruction Fuzzy Hash: D2C18C72508340DFD730DF64E885B9BB7E8FF84314F50892EE589A7291DB70A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E2632C Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

PathFileExistsW.SHLWAPI(?), ref: 00E263A7
_memset.LIBCMT ref: 00E263CC
__swprintf.LIBCMT ref: 00E263F5
OutputDebugStringW.KERNEL32(?), ref: 00E26402
SHFileOperationW.SHELL32(00000000), ref: 00E264A1
_memset.LIBCMT ref: 00E264CD
__swprintf.LIBCMT ref: 00E26500
OutputDebugStringW.KERNEL32(?), ref: 00E26513
_memset.LIBCMT ref: 00E26530
__swprintf.LIBCMT ref: 00E26546
OutputDebugStringW.KERNEL32(?), ref: 00E26553

Strings

Fun:%s, Description:%s it's not exists!, xrefs: 00E263EF
Lua_CopyFile, xrefs: 00E263E3
Copy %s to %s failed!, xrefs: 00E264FA
hwang , xrefs: 00E263B1, 00E264A7, 00E26515
Copy %s to %s !, xrefs: 00E2659F
SHFileOperation error code : %#x, xrefs: 00E26540

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset$File$EnvironmentExistsExpandOperationPathStrings
String ID: Copy %s to %s !$Copy %s to %s failed!$Fun:%s, Description:%s it's not exists!$Lua_CopyFile$SHFileOperation error code : %#x$hwang
API String ID: 846663681-3038730398
Opcode ID: 336c54ed9e0c8481f3d3f00fe246e7410357bcd45a95ed80652b3f9aa1967a08
Instruction ID: 8a6fcbac4112b3c823f4a6c765f6858831f818fc54d8f5934ace406abfb2eea7
Opcode Fuzzy Hash: 336c54ed9e0c8481f3d3f00fe246e7410357bcd45a95ed80652b3f9aa1967a08
Instruction Fuzzy Hash: 2D816B725083009FC710DF64D886A9BB7E8FF88314F509D2EF599A7251EBB5E508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E26605 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

PathFileExistsW.SHLWAPI(?), ref: 00E26680
_memset.LIBCMT ref: 00E266A5
__swprintf.LIBCMT ref: 00E266CE
OutputDebugStringW.KERNEL32(?), ref: 00E266DB
SHFileOperationW.SHELL32(00000000), ref: 00E2677C
_memset.LIBCMT ref: 00E267A8
__swprintf.LIBCMT ref: 00E267DB
OutputDebugStringW.KERNEL32(?), ref: 00E267EE
_memset.LIBCMT ref: 00E2680B
__swprintf.LIBCMT ref: 00E26821
OutputDebugStringW.KERNEL32(?), ref: 00E2682E

Strings

Fun:%s, Description:%s it's not exists!, xrefs: 00E266C8
Move %s to %s !, xrefs: 00E2687A
Move %s to %s failed!, xrefs: 00E267D5
Lua_MoveFile, xrefs: 00E266BC
hwang , xrefs: 00E2668A, 00E26782, 00E267F0
SHFileOperation error code : %#x, xrefs: 00E2681B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset$File$EnvironmentExistsExpandOperationPathStrings
String ID: Fun:%s, Description:%s it's not exists!$Lua_MoveFile$Move %s to %s !$Move %s to %s failed!$SHFileOperation error code : %#x$hwang
API String ID: 846663681-4246444332
Opcode ID: fbe4923399d159ade054cce414b80c94d878595b9ab93629e59c303437dcc91a
Instruction ID: 71fca66c67fccb1ff1d1e535497dfbccb42692163d9e084268609764517a26a2
Opcode Fuzzy Hash: fbe4923399d159ade054cce414b80c94d878595b9ab93629e59c303437dcc91a
Instruction Fuzzy Hash: C2816B725083009FC710DF64D886A9BB7E8FF88314F509D2EF999A7251EBB5D508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E2565C Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E23803: lstrcmpW.KERNEL32(?,HKCR), ref: 00E23813

_memset.LIBCMT ref: 00E2579B
__swprintf.LIBCMT ref: 00E257C3
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00E257F5
_memset.LIBCMT ref: 00E25825
RegDeleteValueW.ADVAPI32(?,?,?,00000000,00000000), ref: 00E25870
_memset.LIBCMT ref: 00E25894
__swprintf.LIBCMT ref: 00E258C8
OutputDebugStringW.KERNEL32(?), ref: 00E258D5
_memset.LIBCMT ref: 00E25907
__swprintf.LIBCMT ref: 00E25930
OutputDebugStringW.KERNEL32(?), ref: 00E2593D
RegCloseKey.ADVAPI32(00000000), ref: 00E25985

Strings

OpenKey %s %s failed, errcode: %ld, xrefs: 00E2592A
DeleteSubKey %s failed, errcode: %ld, xrefs: 00E25832
OpenKey %s failed, errcode: %ld, xrefs: 00E257B6
Delete Value %s, %s, %s, xrefs: 00E258C2
hwang , xrefs: 00E2577D, 00E25807, 00E25876, 00E258E9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memset$__swprintf$DebugDeleteOutputString$CloseValuelstrcmp
String ID: Delete Value %s, %s, %s$DeleteSubKey %s failed, errcode: %ld$OpenKey %s %s failed, errcode: %ld$OpenKey %s failed, errcode: %ld$hwang
API String ID: 3739965220-3264612562
Opcode ID: fd3df26539749cfc85292d591975b192f54954c10da8c04441d02bb9d7a64432
Instruction ID: 865d3b32074c6d8db09ae099e538d06cbf1b527b44aa2a106c577511e988559c
Opcode Fuzzy Hash: fd3df26539749cfc85292d591975b192f54954c10da8c04441d02bb9d7a64432
Instruction Fuzzy Hash: FC91DF72508710DFC320DF25E841AABB7E9FF84714F50592EF999A7181DB71D908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E28188 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 238fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E281EF
__swprintf.LIBCMT ref: 00E28204
OutputDebugStringW.KERNEL32(?), ref: 00E28213

Part of subcall function 00E227EE: __EH_prolog3.LIBCMT ref: 00E227F5

PathFileExistsW.SHLWAPI(?,?,?), ref: 00E28346
PathIsDirectoryW.SHLWAPI(?), ref: 00E28380
_memset.LIBCMT ref: 00E283AA
__swprintf.LIBCMT ref: 00E283BF
OutputDebugStringW.KERNEL32(?), ref: 00E283CE
DeleteFileW.KERNEL32(?), ref: 00E283E3
_memset.LIBCMT ref: 00E283EB
__swprintf.LIBCMT ref: 00E28400
OutputDebugStringW.KERNEL32(?), ref: 00E2840F

Strings

Lua_DelFileRecursive, xrefs: 00E281FE
Path is file!, xrefs: 00E283B9
PathIsDirectoryW, xrefs: 00E283FA
hwang , xrefs: 00E281CB, 00E28386

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset$FilePath$DeleteDirectoryExistsH_prolog3
String ID: Lua_DelFileRecursive$Path is file!$PathIsDirectoryW$hwang
API String ID: 136051702-689166761
Opcode ID: 49ed58bfe18f44a520fcd02087109b69bdc8d4cb9b39a3832ddfb969ddbbebdb
Instruction ID: 8def0f014b8ac8296c34433cb9674c039ab34d918e218efde67eac3be37f6b46
Opcode Fuzzy Hash: 49ed58bfe18f44a520fcd02087109b69bdc8d4cb9b39a3832ddfb969ddbbebdb
Instruction Fuzzy Hash: 0791AC725083409FC320DF68D881B9BB7E8FF89714F40592EF599A7281DB70E908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E268E0 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

PathFileExistsW.SHLWAPI(?), ref: 00E26957
_memset.LIBCMT ref: 00E2697C
__swprintf.LIBCMT ref: 00E269A2
OutputDebugStringW.KERNEL32(?), ref: 00E269AF
MoveFileExW.KERNEL32(?,?,00000001), ref: 00E26A0F
_memset.LIBCMT ref: 00E26A34
__swprintf.LIBCMT ref: 00E26A64
OutputDebugStringW.KERNEL32(?), ref: 00E26A71

Strings

MoveFile %s to %s failed!, xrefs: 00E26A5E
Fun:%s, Description:%s it's not exists!, xrefs: 00E2699C
Lua_RenameFile, xrefs: 00E26993
hwang , xrefs: 00E26961, 00E26A15
MoveFile %s to %s !, xrefs: 00E26AAB

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugFileOutputString__swprintf_memset$EnvironmentExistsExpandMovePathStrings
String ID: Fun:%s, Description:%s it's not exists!$Lua_RenameFile$MoveFile %s to %s !$MoveFile %s to %s failed!$hwang
API String ID: 2574488690-3112440984
Opcode ID: 3e3a4cf5ef4dc9551604260a7ca1fa5dd42f1cc677648097bcaa29634cef2f4e
Instruction ID: 5de610ff497bb19e30b2d0aae7d1a8bd31c0efdebbe2630613c6319fe254b2a7
Opcode Fuzzy Hash: 3e3a4cf5ef4dc9551604260a7ca1fa5dd42f1cc677648097bcaa29634cef2f4e
Instruction Fuzzy Hash: DE519D725083009FC300DF64D886A9BB7E8FF98715F50492EF589A7152EB70E949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E2400D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 273fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E24072
__swprintf.LIBCMT ref: 00E24099
OutputDebugStringW.KERNEL32(?), ref: 00E240A9
PathIsDirectoryW.SHLWAPI(00000000), ref: 00E240F8
PathCombineW.SHLWAPI(00000000,?,*.*), ref: 00E24125
_memset.LIBCMT ref: 00E24208
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000001,00000000), ref: 00E2429D
DeleteFileW.KERNEL32(00000000,?,?,00000001,00000000), ref: 00E24318
FindNextFileW.KERNEL32(?,?), ref: 00E2434B
RemoveDirectoryW.KERNEL32 ref: 00E2438E

Strings

*.*, xrefs: 00E2411E
DTLScriptuser::DeleteDirectories, xrefs: 00E24087
%s %s, xrefs: 00E24093
hwang , xrefs: 00E24053, 00E24123

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: File$DirectoryPath_memset$AttributesCombineDebugDeleteFindNextOutputRemoveString__swprintf
String ID: %s %s$*.*$DTLScriptuser::DeleteDirectories$hwang
API String ID: 3676729722-2739714048
Opcode ID: 0fa03993db42ac68d6ff3be94233d1af8e8b6c3933070b81aabba0101cfa32a0
Instruction ID: 423e53d0b1e0bdf294ca85b85d560c31350e246059ed7eeca2ba2cb4b727b737
Opcode Fuzzy Hash: 0fa03993db42ac68d6ff3be94233d1af8e8b6c3933070b81aabba0101cfa32a0
Instruction Fuzzy Hash: A1B1D0B1208391CFC724DF24E885BAFB7E9BF94308F10192EF599A7291DB709944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E2744F Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00E2111A: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 00E21137
Part of subcall function 00E2111A: OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 00E2114D
Part of subcall function 00E2111A: QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,000F01FF), ref: 00E2117E
Part of subcall function 00E2111A: StartServiceW.ADVAPI32(00000000,00000000,00000000,?,000F01FF), ref: 00E211A5
Part of subcall function 00E2111A: QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,000F01FF), ref: 00E211BE

_memset.LIBCMT ref: 00E2758B
__swprintf.LIBCMT ref: 00E275A2
OutputDebugStringW.KERNEL32(?), ref: 00E275B5
_memset.LIBCMT ref: 00E275D2
GetLastError.KERNEL32 ref: 00E275DA
__swprintf.LIBCMT ref: 00E275EB

Part of subcall function 00E4E0C0: __woutput_l.LIBCMT ref: 00E4E119

OutputDebugStringW.KERNEL32(?), ref: 00E275F8

Strings

hwang err:%d, xrefs: 00E275E5
Unknow Error in fun:%s, xrefs: 00E2759C
Lua_SCM, xrefs: 00E27597
start, xrefs: 00E274BB, 00E274C0, 00E274D0
stop, xrefs: 00E2750B, 00E27510, 00E27518, 00E2751D
hwang , xrefs: 00E27571, 00E275B7

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Service$DebugOpenOutputQueryStatusString__swprintf_memset$ErrorLastManagerStart__woutput_l
String ID: Lua_SCM$Unknow Error in fun:%s$hwang $hwang err:%d$start$stop
API String ID: 2724863133-1376429012
Opcode ID: e48015f3f7a88e998d8f9408c13fd2177129a06d90f897a825442dbce0fe989f
Instruction ID: bf184cd6625bd9b084df233fc2f36c35e26bfe85ff15ab03f4ef8ecaf9d98096
Opcode Fuzzy Hash: e48015f3f7a88e998d8f9408c13fd2177129a06d90f897a825442dbce0fe989f
Instruction Fuzzy Hash: B35195726087009FD310DF65EC42B5BB7E9FF85714F10982DF549AB282DBB19905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E252E4 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 275registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E23803: lstrcmpW.KERNEL32(?,HKCR), ref: 00E23813

RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?,00000000,?,?), ref: 00E253CB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 00E25440
RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,00000000,?,?), ref: 00E2562F

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

RegSetValueExW.ADVAPI32(?,?,00000000,0000000B,?,00000008,?,00000000,?,?), ref: 00E25564
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?,?,00000000,?,?), ref: 00E255C7

Strings

REG_SZ, xrefs: 00E25464
REG_EXPAND_SZ, xrefs: 00E254CC
REG_QWORD, xrefs: 00E25528
lc?^, xrefs: 00E253E7
REG_DWORD, xrefs: 00E254FB
REG_BINARY, xrefs: 00E25570

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Value$CloseCreateEnvironmentExpandQueryStringslstrcmp
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_QWORD$REG_SZ$lc?^
API String ID: 3752836482-2035963083
Opcode ID: eba1621feb70e10210961de00e9461c1b28301d2a393781c5c6bedcc118cc835
Instruction ID: 96175914e66419b98da6b7036cafdc73be66f75b73ee52bcdd2f5f1162a1a80a
Opcode Fuzzy Hash: eba1621feb70e10210961de00e9461c1b28301d2a393781c5c6bedcc118cc835
Instruction Fuzzy Hash: 51A1CF71208350AFE314EF14E881FABB7E8EFD4714F50582DF68AA7191DBB09949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C745 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 262COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 00E3C8CF
_sprintf.LIBCMT ref: 00E3C912
_sprintf.LIBCMT ref: 00E3C980

Part of subcall function 00E3C633: ___from_strstr_to_strchr.LIBCMT ref: 00E3C652

___from_strstr_to_strchr.LIBCMT ref: 00E3C9F7
_sprintf.LIBCMT ref: 00E3CA24

Strings

d, xrefs: 00E3CA02
%, xrefs: 00E3C7C1
%, xrefs: 00E3C7EE
no value, xrefs: 00E3CA4B
invalid option '%%%c' to 'format', xrefs: 00E3CA7A
string contains zeros, xrefs: 00E3CA85

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _sprintf$___from_strstr_to_strchr
String ID: %$%$d$invalid option '%%%c' to 'format'$no value$string contains zeros
API String ID: 2993986216-2671167248
Opcode ID: 770a73c1901561db9e57c14fd20a05343802329974a1ac2cac8eb43ed77fb733
Instruction ID: 943d60e930aa2d77c0a25d5e7b156d56551ed31aaf5db06fa6e47bd5057adf7b
Opcode Fuzzy Hash: 770a73c1901561db9e57c14fd20a05343802329974a1ac2cac8eb43ed77fb733
Instruction Fuzzy Hash: AB91E7312083919BD718DF28D8499AFBBE6EFC5304F24A91EF486B3255DA30DE45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E231B9 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E23208
__swprintf.LIBCMT ref: 00E2321A
OutputDebugStringW.KERNEL32(?), ref: 00E23226
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E23259
OutputDebugStringW.KERNEL32(if (nullptr == pfn)), ref: 00E2326C
GetLastError.KERNEL32 ref: 00E23272

Strings

if (nullptr == phMod), xrefs: 00E23214
if (nullptr == pfn), xrefs: 00E23267
hModule is nil, xrefs: 00E2322F
DllManagerMetaTable, xrefs: 00E231DB
hwang , xrefs: 00E231EF

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString$AddressErrorLastProc__swprintf_memset
String ID: DllManagerMetaTable$hModule is nil$hwang $if (nullptr == pfn)$if (nullptr == phMod)
API String ID: 1717717894-1859836620
Opcode ID: 540733b28def50b4ee0fa6b8be2d1c5ec2093fa72d8208bdfb2e4a6b768b28fd
Instruction ID: 56ce71404cd7479f43655136e80ae85d316ce6f3eb9aaa4b20031b6ee4237a12
Opcode Fuzzy Hash: 540733b28def50b4ee0fa6b8be2d1c5ec2093fa72d8208bdfb2e4a6b768b28fd
Instruction Fuzzy Hash: CF41B172600710CFCB44DF29E885A56B3E5FF89324B14D46AFD09AF292DBB5D9058F90

Uniqueness

Uniqueness Score: -1.00%

Function 00E213A1 Relevance: 18.1, APIs: 12, Instructions: 147sleepserviceCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00E213DD
OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 00E213F0
OpenServiceW.ADVAPI32 ref: 00E2140B
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 00E21440
Sleep.KERNEL32(?), ref: 00E21482
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 00E2149A
GetTickCount.KERNEL32 ref: 00E214B3
GetTickCount.KERNEL32 ref: 00E214C4
ControlService.ADVAPI32(00000000,00000001,?), ref: 00E214E9
Sleep.KERNEL32(?), ref: 00E214F9
QueryServiceStatusEx.ADVAPI32(?,00000000,?,00000024,00000000), ref: 00E21514
GetTickCount.KERNEL32 ref: 00E21525

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Service$CountTick$QueryStatus$OpenSleep$ControlManager
String ID:
API String ID: 2662810397-0
Opcode ID: b3481b679aa74bf80bd599d0ea8cf0b2cd3d33818a00d19d261b9a7311449ebd
Instruction ID: 75e5f3198b321ae56fcdca7422e77ef1d5d694e604da80067805a1e081f0cecc
Opcode Fuzzy Hash: b3481b679aa74bf80bd599d0ea8cf0b2cd3d33818a00d19d261b9a7311449ebd
Instruction Fuzzy Hash: 9551AD716083419FD710DF25EC84A2BB7E8FF99748F40196EF58AE3290D770DA088B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E3952B Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 00E39558

Part of subcall function 00E4FF5C: _flsall.LIBCMT ref: 00E4FF70

_fgets.LIBCMT ref: 00E3957C
_memcmp.LIBCMT ref: 00E3959D
_fprintf.LIBCMT ref: 00E3961F
_fprintf.LIBCMT ref: 00E3964F
_fgets.LIBCMT ref: 00E39673

Strings

%s, xrefs: 00E39612
=(debug command), xrefs: 00E395D8
lua_debug> , xrefs: 00E39543, 00E3963D
cont, xrefs: 00E39597

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _fprintf$_fgets$_flsall_memcmp
String ID: %s$=(debug command)$cont$lua_debug>
API String ID: 1882596661-1535575468
Opcode ID: e8d1b9757e1e5d304f1fc07d5a2cc6dc4c1ef5e920084e2336f3a649d42c44c4
Instruction ID: 0e68e006fc7d83ae9196d80dce8b064d40ba98ae881763448e0b00ec1eebe2e1
Opcode Fuzzy Hash: e8d1b9757e1e5d304f1fc07d5a2cc6dc4c1ef5e920084e2336f3a649d42c44c4
Instruction Fuzzy Hash: C13129B2F0024426DB15BA759C47FAF72EC9FA5B04F0460B9F919F2283FEB49D444261

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C207 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

_frexp.LIBCMT ref: 00E3C279
__floor_pentium4.LIBCMT ref: 00E3C2C0
_localeconv.LIBCMT ref: 00E3C30C
__floor_pentium4.LIBCMT ref: 00E3C338
_sprintf.LIBCMT ref: 00E3C382
_sprintf.LIBCMT ref: 00E3C39B

Strings

%.14gx0p+0, xrefs: 00E3C264
%.14g, xrefs: 00E3C395
p%+d, xrefs: 00E3C37C

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __floor_pentium4_sprintf$_frexp_localeconv
String ID: %.14g$%.14gx0p+0$p%+d
API String ID: 3234680198-2818671220
Opcode ID: 417bbc03bc4156b163cab3e83535502edeb603916132ff29b6b8cf22837f55df
Instruction ID: 290767c6534d851af8bfa8d2481436dbec00f5b8a79dca5ed3a3d5e51b6b350d
Opcode Fuzzy Hash: 417bbc03bc4156b163cab3e83535502edeb603916132ff29b6b8cf22837f55df
Instruction Fuzzy Hash: 4541F3B6C04E09DEC706DF78D8565BFB7B8FF4A340F20535AE98A72141EB3091999391

Uniqueness

Uniqueness Score: -1.00%

Function 00E30240 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 139COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E3034C

Strings

method, xrefs: 00E302ED
local, xrefs: 00E3029D
upvalue, xrefs: 00E30387
global, xrefs: 00E30356
_ENV, xrefs: 00E30346
field, xrefs: 00E30361
constant, xrefs: 00E303BF

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID: _ENV$constant$field$global$local$method$upvalue
API String ID: 2931989736-2491131414
Opcode ID: 7d3b8678d4408ee14b0a0d1e51f438a6c685046d1fbb7c94c9bbff1b35153a6e
Instruction ID: fb58d16e0776b78c47e067dd52ead71f60ee4c31a7da4c4d0680b55e7d015467
Opcode Fuzzy Hash: 7d3b8678d4408ee14b0a0d1e51f438a6c685046d1fbb7c94c9bbff1b35153a6e
Instruction Fuzzy Hash: 4C4124713056029BCB288A5DC8AD97A7BD5EBE8714F20A56EE80AEB356DE30DC01C340

Uniqueness

Uniqueness Score: -1.00%

Function 00E354EF Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E35523
_memmove.LIBCMT ref: 00E3555F

Strings

..., xrefs: 00E35542, 00E355BC
[C], xrefs: 00E3551A, 00E3551B, 00E35521, 00E35590, 00E355B4
[string ", xrefs: 00E35572

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID: ...$[C]$[string "
API String ID: 4104443479-2990245297
Opcode ID: 8ee27acd5f2fbf3a567b597daec5d5cac95db605848730a284caa2fbfa6cc38c
Instruction ID: 42a9bf5945bb392a66a400648ec8bf3b1775b53a1f230c6b93ffdbf68981aa41
Opcode Fuzzy Hash: 8ee27acd5f2fbf3a567b597daec5d5cac95db605848730a284caa2fbfa6cc38c
Instruction Fuzzy Hash: F831886B904641BED701CF589C859FABBBD9F59304F1420AAFC49F7302E260AE48C771

Uniqueness

Uniqueness Score: -1.00%

Function 00E2E5CA Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 105COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E2E61C

Strings

__name, xrefs: 00E2E684
method, xrefs: 00E2E614
calling '%s' on bad self (%s), xrefs: 00E2E62F
bad argument #%d (%s), xrefs: 00E2E5F6
%s expected, got %s, xrefs: 00E2E6CD
light userdata, xrefs: 00E2E6B2, 00E2E6C9
bad argument #%d to '%s' (%s), xrefs: 00E2E665

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID: %s expected, got %s$__name$bad argument #%d (%s)$bad argument #%d to '%s' (%s)$calling '%s' on bad self (%s)$light userdata$method
API String ID: 2931989736-2714722004
Opcode ID: b6320c81dfa4ee9f3839fa53dbbaca59784703a83dc15640a6509a0fa93f284c
Instruction ID: d59d424836b9c0f41c3b9db9a03b27fd62f644bf4232652b34650677a9afbb0d
Opcode Fuzzy Hash: b6320c81dfa4ee9f3839fa53dbbaca59784703a83dc15640a6509a0fa93f284c
Instruction Fuzzy Hash: 9421FD31700734BBAB24A635AC42E7F26DE9F95B14F207119F919BB3D1EA60CD014696

Uniqueness

Uniqueness Score: -1.00%

Function 00E243F9 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00E30097: ___from_strstr_to_strchr.LIBCMT ref: 00E300F2
Part of subcall function 00E30097: ___from_strstr_to_strchr.LIBCMT ref: 00E30118

_strlen.LIBCMT ref: 00E2447B

Part of subcall function 00E2B15D: __EH_prolog3.LIBCMT ref: 00E2B164

Part of subcall function 00E29C6D: _memmove.LIBCMT ref: 00E29CD4

Strings

<call stack>, xrefs: 00E24471, 00E24482
%s%s() : line %d [%s : line %d], xrefs: 00E244B0
-> | , xrefs: 00E24476, 00E244AF
nSlu, xrefs: 00E24460
%sunknown : line %d [%s : line %d], xrefs: 00E244E3
-- | , xrefs: 00E2448C, 00E244DB
lc?^, xrefs: 00E24447, 00E2445B, 00E2444B, 00E2445F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr$H_prolog3_memmove_strlen
String ID: <call stack>$%s%s() : line %d [%s : line %d]$%sunknown : line %d [%s : line %d]$-- | $-> | $lc?^$nSlu
API String ID: 379101648-3076329294
Opcode ID: c19f2de33010c38ad933b9dc4a41a9c57872f58a9806ee20abc790bbd00ed3bc
Instruction ID: bcd209013e9f707abca750dd0683b3df6b7e0726b4f09731ad8d04db06ebcec6
Opcode Fuzzy Hash: c19f2de33010c38ad933b9dc4a41a9c57872f58a9806ee20abc790bbd00ed3bc
Instruction Fuzzy Hash: C731D672208354ABC734EB64EC52F6BB7D9AB89720F106A1DF1ADB22C2DB3155048752

Uniqueness

Uniqueness Score: -1.00%

Function 00E211F9 Relevance: 13.6, APIs: 9, Instructions: 144servicesleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00E2122D

Part of subcall function 00E217F4: _memset.LIBCMT ref: 00E21813

EnumDependentServicesW.ADVAPI32(?,00000001,00000000,00000000,?,?,00000000,?), ref: 00E2127A
GetLastError.KERNEL32(?,00000001,00000000,00000000,?,?,00000000,?), ref: 00E21280
EnumDependentServicesW.ADVAPI32(?,00000001,?,?,?,?,?,?,00000001,00000000,00000000,?,?,00000000,?), ref: 00E212B8
OpenServiceW.ADVAPI32(?,?,00000024,?,00000001,?,?,?,?,?,?,00000001,00000000,00000000,?,?), ref: 00E212DA
ControlService.ADVAPI32(00000000,00000001,00000000,?,00000001,?,?,?,?,?,?,00000001,00000000,00000000,?,?), ref: 00E212FD
Sleep.KERNEL32(?,?,00000001,?,?,?,?,?,?,00000001,00000000,00000000,?,?,00000000,?), ref: 00E21339
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000,?,00000001,?,?,?,?,?,?,00000001,00000000,00000000), ref: 00E21353
GetTickCount.KERNEL32 ref: 00E21363

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Service$CountDependentEnumServicesTick$ControlErrorLastOpenQuerySleepStatus_memset
String ID:
API String ID: 2007799816-0
Opcode ID: 14cb15997491772485757407ae5b5144bf39851267cea9b0ddf36da4a6c7dccb
Instruction ID: 7c539b921fe90569a61a3cff2da5d34c9477880c71fe7725f96ef2c93b48d7c5
Opcode Fuzzy Hash: 14cb15997491772485757407ae5b5144bf39851267cea9b0ddf36da4a6c7dccb
Instruction Fuzzy Hash: BC517772109344EFD310DF5AD884A6BBBF8FF99749F41196EF189E2220D771DA088B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E28615 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E28673
__swprintf.LIBCMT ref: 00E28685
OutputDebugStringW.KERNEL32(?), ref: 00E28691

Part of subcall function 00E23061: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00E23091

PathFileExistsW.SHLWAPI(?), ref: 00E286CC
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00E286F2

Strings

Lua_DeleteFileAfterReboot, xrefs: 00E2867F
hwang , xrefs: 00E28658

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: File$DebugEnvironmentExistsExpandMoveOutputPathStringStrings__swprintf_memset
String ID: Lua_DeleteFileAfterReboot$hwang
API String ID: 2373601923-728301025
Opcode ID: bc34e51d7af9a6c9fb65196415a60cd9488e802d78c267cc455f0393eaf748a5
Instruction ID: 7e9fe219e467c93107eac9c065d5b7402bbdfad6e93eb440fdfbbee9e9bda2ff
Opcode Fuzzy Hash: bc34e51d7af9a6c9fb65196415a60cd9488e802d78c267cc455f0393eaf748a5
Instruction Fuzzy Hash: 37317E726083009FC710DF29E885A5BB7E8FF89720F50592EF849E7291DB70D549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E351DB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 00E35206
_sprintf.LIBCMT ref: 00E35223
_strspn.LIBCMT ref: 00E35233
_localeconv.LIBCMT ref: 00E35242

Strings

%.14g, xrefs: 00E3521D
-0123456789, xrefs: 00E3522D
%lld, xrefs: 00E35200

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _sprintf$_localeconv_strspn
String ID: %.14g$%lld$-0123456789
API String ID: 2271272227-645645145
Opcode ID: 72b70c315849e7c8e102b55b43c56b731e1beb6bab72d8a1fc265b93b67ada8c
Instruction ID: 2fcfc14b540e19fffb1fad1e6be0918f3a610bf1a55ffc7ce6b1fc4bec7e9f6d
Opcode Fuzzy Hash: 72b70c315849e7c8e102b55b43c56b731e1beb6bab72d8a1fc265b93b67ada8c
Instruction Fuzzy Hash: 3711E775A00705AFD710EFB8EC4589EBFF8AF0A304F1469AAF845B7352E6309944C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E600DC Relevance: 12.2, APIs: 8, Instructions: 184pipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,?,00E96BD8,0000002C,00E52AB8,?,00000400,00000000,00E96628,0000009C,00E3E705,?,00000000,00E7E488), ref: 00E6016B
GetLastError.KERNEL32 ref: 00E60175
__dosmaperr.LIBCMT ref: 00E6017C

Part of subcall function 00E50095: __getptd_noexit.LIBCMT ref: 00E50095

Part of subcall function 00E500C9: __getptd_noexit.LIBCMT ref: 00E500C9

Part of subcall function 00E6766B: __mtinitlocknum.LIBCMT ref: 00E67683

__set_osfhnd.LIBCMT ref: 00E602C8
__set_osfhnd.LIBCMT ref: 00E602D1
CloseHandle.KERNEL32(?), ref: 00E60342
CloseHandle.KERNEL32(?), ref: 00E60347

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle__getptd_noexit__set_osfhnd$CreateErrorLastPipe__dosmaperr__mtinitlocknum
String ID:
API String ID: 3608612400-0
Opcode ID: da41b0bc64b417dd4c421ec608efbc49b48a3c2a00a35985ae5414cdd7595de2
Instruction ID: e9fddadcfaa99fa59c38dfacda00c71de16fcd9c091ba1d70661b565bce1094b
Opcode Fuzzy Hash: da41b0bc64b417dd4c421ec608efbc49b48a3c2a00a35985ae5414cdd7595de2
Instruction Fuzzy Hash: 1B614631A416148FCB08EFB8EC54AAE7BA1AF05365F18465DE461BF2E3EB31D8058740

Uniqueness

Uniqueness Score: -1.00%

Function 00E2965D Relevance: 12.2, APIs: 8, Instructions: 156processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E296EC
_memset.LIBCMT ref: 00E29703
Process32FirstW.KERNEL32 ref: 00E29719
Process32NextW.KERNEL32(?,?), ref: 00E2973C

Part of subcall function 00E22A67: Process32NextW.KERNEL32(?,?), ref: 00E22A72

__wcsnicmp.LIBCMT ref: 00E2977B
OpenProcess.KERNEL32(00000001,00000000,?,?,00000000,?), ref: 00E2978E
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 00E297A0
Process32NextW.KERNEL32(?,?), ref: 00E297B4

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Process32$Next$Process$CreateFirstOpenSnapshotTerminateToolhelp32__wcsnicmp_memset
String ID:
API String ID: 3961592381-0
Opcode ID: c94f735972b2bc8831b4b72f26168e8a74a0cabcdc8fe96a9713992b4c5b88d5
Instruction ID: cf87d7fa8c98f2018dc3663cee11e9f32069c07aa3a6ce9353d1af3013a537db
Opcode Fuzzy Hash: c94f735972b2bc8831b4b72f26168e8a74a0cabcdc8fe96a9713992b4c5b88d5
Instruction Fuzzy Hash: 2B517D726083509FD724DF65EC45B6BB7E8EF84714F00292EF855E2191EBB0D908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6766B Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00E67683

Part of subcall function 00E5BFE3: __FF_MSGBANNER.LIBCMT ref: 00E5BFF8
Part of subcall function 00E5BFE3: __NMSG_WRITE.LIBCMT ref: 00E5BFFF
Part of subcall function 00E5BFE3: __malloc_crt.LIBCMT ref: 00E5C01F

__lock.LIBCMT ref: 00E67696
__lock.LIBCMT ref: 00E676E2
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,00E96C80,00000018,00E60189), ref: 00E676FE
RtlEnterCriticalSection.NTDLL(0000000C), ref: 00E6771B
RtlLeaveCriticalSection.NTDLL(0000000C), ref: 00E6772B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: d9975be79f7901c3d8677e8327ecdf86b21d52525e9adc251008c3cb75aeb39c
Instruction ID: 689cda525a13276598e4b4c8e029ece280156186e45b8b31835d0283555865bf
Opcode Fuzzy Hash: d9975be79f7901c3d8677e8327ecdf86b21d52525e9adc251008c3cb75aeb39c
Instruction Fuzzy Hash: 7C415871A446068FDB14DF69EC4539CBBA0BF013BEF20A21BE4A5B72C1D774A854CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E57AE9 Relevance: 10.7, APIs: 7, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

_wcscmp.LIBCMT ref: 00E57BCF
_wcscmp.LIBCMT ref: 00E57BE5
___lc_wcstolc.LIBCMT ref: 00E57C11
___get_qualified_locale.LIBCMT ref: 00E57C36

Part of subcall function 00E663B8: _TranslateName.LIBCMT ref: 00E663F8
Part of subcall function 00E663B8: _GetLocaleNameFromLangCountry.LIBCMT ref: 00E66411
Part of subcall function 00E663B8: _TranslateName.LIBCMT ref: 00E6642C
Part of subcall function 00E663B8: _GetLocaleNameFromLangCountry.LIBCMT ref: 00E66442
Part of subcall function 00E663B8: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,00E57C3B,?,?,?,?,00000004,?,00000000), ref: 00E66496

GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 00E57CCD
_memmove.LIBCMT ref: 00E57D83
__invoke_watson.LIBCMT ref: 00E57DD8

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Name$CountryFromLangLocaleTranslate_wcscmp$CodePageValid___get_qualified_locale___lc_wcstolc__getptd_noexit__invoke_watson_memmove
String ID:
API String ID: 90596148-0
Opcode ID: 8298b8b10025bd635608606d11d5995846a8d325695bd1a2a389fda9dec46cc1
Instruction ID: 8fde4f0dc117ded30b85dece5bc06c83553bf7bc344f2a55673c7517c1359661
Opcode Fuzzy Hash: 8298b8b10025bd635608606d11d5995846a8d325695bd1a2a389fda9dec46cc1
Instruction Fuzzy Hash: 3771D3729042156BDB219B21EC01BFF77B9EF55355F0428A6FD48F3241EB319EA48BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A955 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_rand.LIBCMT ref: 00E3AA49
_rand.LIBCMT ref: 00E3AB96

Strings

interval too large, xrefs: 00E3AAE6
wrong number of arguments, xrefs: 00E3AB57
interval is empty, xrefs: 00E3AB62
value expected, xrefs: 00E3A9BB, 00E3AA2F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _rand
String ID: interval is empty$interval too large$value expected$wrong number of arguments
API String ID: 1172538735-3023847178
Opcode ID: 750b0fd8005fbfda421a1893282f969ffe27367af71f398d6eb016f07feff624
Instruction ID: 8a2681a826ca0d1aa5d003f47fb07e459acd9ca6ff4e61230e10a1912d0d9fb1
Opcode Fuzzy Hash: 750b0fd8005fbfda421a1893282f969ffe27367af71f398d6eb016f07feff624
Instruction Fuzzy Hash: 146119327047145BD708DE38D88552EBBD6EFC5360F19A63DF89BBB282DA70DC818281

Uniqueness

Uniqueness Score: -1.00%

Function 00E352A7 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 194COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E352D1
_sprintf.LIBCMT ref: 00E35406
___from_strstr_to_strchr.LIBCMT ref: 00E35454

Strings

(null), xrefs: 00E353CD
invalid option '%%%c' to 'lua_pushfstring', xrefs: 00E354CE
<\%d>, xrefs: 00E3534C

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_sprintf
String ID: (null)$<\%d>$invalid option '%%%c' to 'lua_pushfstring'
API String ID: 4149170566-1859914613
Opcode ID: 807f1282ff609346a1af51406335d06e19386b20a9cf0c9e14fa9c2acaa9c619
Instruction ID: 0e4fdc9c27cab8545e16dd2a331f8194386cb6b8939941cb7c0d1add5442e197
Opcode Fuzzy Hash: 807f1282ff609346a1af51406335d06e19386b20a9cf0c9e14fa9c2acaa9c619
Instruction Fuzzy Hash: D1513772604B018FD718CF28C898A2ABBE1EFC5318F28991DE456E7356D730E905C752

Uniqueness

Uniqueness Score: -1.00%

Function 00E5F46E Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000000), ref: 00E5F495
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,?,00000000), ref: 00E5F509
__freea.LIBCMT ref: 00E5F5FB

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$__freea
String ID:
API String ID: 2689816821-0
Opcode ID: 0e984292c82be34cefc89402ea3f42216794db9b0bcb8bab555fec81412746c9
Instruction ID: 881ed90fe41a5ece7c0509ba66c8d5c4a9fa96799463534f6bb4ecda65d9bb2a
Opcode Fuzzy Hash: 0e984292c82be34cefc89402ea3f42216794db9b0bcb8bab555fec81412746c9
Instruction Fuzzy Hash: D6410872501206ABEF259F549C41FBF3B65EF4435AF245978FD1AB6250EB30CD18C660

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E591 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E501E1: __fsopen.LIBCMT ref: 00E501EC

___from_strstr_to_strchr.LIBCMT ref: 00E3E636
_strspn.LIBCMT ref: 00E3E65E

Strings

rwa, xrefs: 00E3E631
invalid mode, xrefs: 00E3E694
cannot open file '%s' (%s), xrefs: 00E3E5D1
h, xrefs: 00E3E669

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr__fsopen_strspn
String ID: cannot open file '%s' (%s)$h$invalid mode$rwa
API String ID: 1994843342-2170200070
Opcode ID: c3bcceafe552ca7c625bef42bad2004d2e1057f68aaffcb3ff3491e11466b80b
Instruction ID: d4a8fdf9d8e57f6227611bfa15b39b506a6d8ad18f97a997ae5ff0d30f1da99a
Opcode Fuzzy Hash: c3bcceafe552ca7c625bef42bad2004d2e1057f68aaffcb3ff3491e11466b80b
Instruction Fuzzy Hash: BF315B327043103BD7146B29A847A7E7FD9DF84724F24A06EF849BB3C2EE719C018691

Uniqueness

Uniqueness Score: -1.00%

Function 00E29C6D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E29CD4
_memmove.LIBCMT ref: 00E29D7C

Strings

<call stack>, xrefs: 00E29D0F, 00E29D14, 00E29D32, 00E29D7A
-- | , xrefs: 00E29C9C, 00E29CA2, 00E29D52, 00E29D58
string too long, xrefs: 00E29D02, 00E29DA0
invalid string position, xrefs: 00E29CF8

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID: <call stack>$-- | $invalid string position$string too long
API String ID: 4104443479-1494190266
Opcode ID: 4bfa1657b57489531e10c1ab749c2bc0f7eccf082733a586014d569840be0fe3
Instruction ID: 3af1677b04fbfa85bf6efb4e6952368e990a59a42ccebf73449aacdffbbad2fb
Opcode Fuzzy Hash: 4bfa1657b57489531e10c1ab749c2bc0f7eccf082733a586014d569840be0fe3
Instruction Fuzzy Hash: 7241AE317043249BD734EE68F881A6AF7E9EB80714F10392DF492A7682CB60E845C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C633 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E3C652
_memmove.LIBCMT ref: 00E3C6D7

Strings

invalid format (width or precision too long), xrefs: 00E3C6BC
invalid format (repeated flags), xrefs: 00E3C6EB
-+ #0, xrefs: 00E3C64D
., xrefs: 00E3C68A

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr_memmove
String ID: -+ #0$.$invalid format (repeated flags)$invalid format (width or precision too long)
API String ID: 1158259468-2773969720
Opcode ID: 0edd7b56f60473ef78e4a5bbf7fe9d2d163a22af39749aa8bf5eb4c4e6f57225
Instruction ID: a7e87e130c018310838a826d4dc9aba839dcdbf09a426cb6dc8d10e8ed20cde9
Opcode Fuzzy Hash: 0edd7b56f60473ef78e4a5bbf7fe9d2d163a22af39749aa8bf5eb4c4e6f57225
Instruction Fuzzy Hash: F22160595087A229DB2112799C9AB363FCC4FC7B29F3436B9F891FA182D958CC01C371

Uniqueness

Uniqueness Score: -1.00%

Function 00E22868 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E2286F
FormatMessageA.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,00000028), ref: 00E228B2
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 00E22918

Strings

F:\DTL6\dtl_install\project\DTLInstaller_duilib\Common\base\ProcessToolHelp.hpp, xrefs: 00E228F4
DTLBase::ProcessToolHelp::TerminateProcessByPid, xrefs: 00E228EA
Throw win_exception at File:%sLine:%uFunction:%sMessage:%sLastError:%uDescription:%s, xrefs: 00E228F9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: FormatFreeH_prolog3_LocalMessage
String ID: DTLBase::ProcessToolHelp::TerminateProcessByPid$F:\DTL6\dtl_install\project\DTLInstaller_duilib\Common\base\ProcessToolHelp.hpp$Throw win_exception at File:%sLine:%uFunction:%sMessage:%sLastError:%uDescription:%s
API String ID: 2435402305-1184792285
Opcode ID: ffde5564aef149e014446c5d10690cab1ef80a5a0fdf47936476d8b8d2138d01
Instruction ID: d133094362290e7c37099c673a59003d51417f496ea13a06cb9bfdfe52187eb3
Opcode Fuzzy Hash: ffde5564aef149e014446c5d10690cab1ef80a5a0fdf47936476d8b8d2138d01
Instruction Fuzzy Hash: 2B216D71910218EFDB19DFA4ED86EEEBBB5FF04300F149029F91576251CBB09A48DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E577D9 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00E577D9

Part of subcall function 00E54496: __initp_misc_winsig.LIBCMT ref: 00E544BA
Part of subcall function 00E54496: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E5896C
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E58980
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E58993
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E589A6
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E589B9
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E589CC
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E589DF
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E589F2
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E58A05
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E58A18
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E58A2B
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E58A3E
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E58A51
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E58A64
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E58A77
Part of subcall function 00E54496: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00E58A8A

__mtinitlocks.LIBCMT ref: 00E577DE

Part of subcall function 00E5C08A: InitializeCriticalSectionAndSpinCount.KERNEL32(00E9AD38,00000FA0,?,?,00E577E3,00E4F2B1,00E96440,00000014), ref: 00E5C0A8

__mtterm.LIBCMT ref: 00E577E7

Part of subcall function 00E5784F: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00E5BFA6
Part of subcall function 00E5784F: RtlDeleteCriticalSection.NTDLL(00E9AD38), ref: 00E5BFCF

__calloc_crt.LIBCMT ref: 00E5780C
GetCurrentThreadId.KERNEL32 ref: 00E57835

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm
String ID:
API String ID: 3148795158-0
Opcode ID: dd5dad6f1571afa0aabc2cd9dd0a3cda2b2c79a00b574c7bb35050c766e29de4
Instruction ID: e6085da97b814f57678fd751da7034dbc0649ce3f2b73bef0b6521ea2b9c5f74
Opcode Fuzzy Hash: dd5dad6f1571afa0aabc2cd9dd0a3cda2b2c79a00b574c7bb35050c766e29de4
Instruction Fuzzy Hash: 70F0AF3220D6211AE2387A387C0664A27C58F0137BF643E2AFCA1F50D1EE9084998084

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C510 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 00E3C5B8
_sprintf.LIBCMT ref: 00E3C5FA

Strings

0x%llx, xrefs: 00E3C5E2
value has no literal form, xrefs: 00E3C624
%lld, xrefs: 00E3C5EF, 00E3C5F6

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _localeconv_sprintf
String ID: %lld$0x%llx$value has no literal form
API String ID: 890530849-1121615176
Opcode ID: 20c12955d16359f9c855fc9d885f4323719db9bad3f0d5e899ec27a342592d0d
Instruction ID: c36ed829c4803cbfbae2381aa8509f46dc4f055421c01298f836d092ae49d004
Opcode Fuzzy Hash: 20c12955d16359f9c855fc9d885f4323719db9bad3f0d5e899ec27a342592d0d
Instruction Fuzzy Hash: F521096570422067DB15A6289C0BA7FAADF8FD5714F3470AAF805F7292EEB0DD01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E284C2 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00E226CF: __EH_prolog3_GS.LIBCMT ref: 00E226D6

_memset.LIBCMT ref: 00E2859B
__swprintf.LIBCMT ref: 00E285BC
OutputDebugStringW.KERNEL32(?), ref: 00E285C9

Strings

%s, xrefs: 00E285B6
hwang , xrefs: 00E2857F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugH_prolog3_OutputString__swprintf_memset
String ID: %s$hwang
API String ID: 1256804999-2770030846
Opcode ID: 10644b7403484302a0b4ed5d2027fcd8453115628435cba2179a0d3e1334a950
Instruction ID: 76a1252cf0c75539d3ef8c554e9662d0d99be52c6cc4c33a542f35595c9e429f
Opcode Fuzzy Hash: 10644b7403484302a0b4ed5d2027fcd8453115628435cba2179a0d3e1334a950
Instruction Fuzzy Hash: 75314B722487009FC710EF14EC82B5AB7E9FB84720F148A29F559AB2D1DB71E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E29302 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E293AB
__swprintf.LIBCMT ref: 00E293CC
OutputDebugStringW.KERNEL32(?,?,?,?,?,00000003,00000001,?,?,?,?,?,?,7694B390,00000000), ref: 00E293D9

Strings

%s, xrefs: 00E293C6
hwang , xrefs: 00E2938F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString__swprintf_memset
String ID: %s$hwang
API String ID: 797231043-2770030846
Opcode ID: f9255c242969e7a42f2a5832fcb7f5160bab96fe00285c8502ad3f37657726f8
Instruction ID: 9c24b3dc063088b5453e0c2215b6d52a8941b46adac0446d328adbb8ad4f881e
Opcode Fuzzy Hash: f9255c242969e7a42f2a5832fcb7f5160bab96fe00285c8502ad3f37657726f8
Instruction Fuzzy Hash: B431B872604210DFC700EF64EC82E5AB7E9FF88320F449519F959AB2D2DB71E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3FCF5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

__wgetenv.LIBCMT ref: 00E3FD14
__wgetenv.LIBCMT ref: 00E3FD25

Part of subcall function 00E541FC: _strnlen.LIBCMT ref: 00E54231
Part of subcall function 00E541FC: __lock.LIBCMT ref: 00E54242
Part of subcall function 00E541FC: __getenv_helper_nolock.LIBCMT ref: 00E5424D

Strings

_5_3, xrefs: 00E3FCFC
%s%s, xrefs: 00E3FD06
LUA_NOENV, xrefs: 00E3FD37

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __wgetenv$__getenv_helper_nolock__lock_strnlen
String ID: %s%s$LUA_NOENV$_5_3
API String ID: 3323649511-3642853900
Opcode ID: 9f2bbbade8630b050b433d14497810ae3faf039f549696d7e101006412e7f3b4
Instruction ID: 74c203e2df36e915f2e9db4b05ff886ed5a2b2ad47177b08d17d7b6cabbc0b76
Opcode Fuzzy Hash: 9f2bbbade8630b050b433d14497810ae3faf039f549696d7e101006412e7f3b4
Instruction Fuzzy Hash: 15113B72744B202B4A207528AC0A92E77D79EC1730720E339F939373C5EE749D028688

Uniqueness

Uniqueness Score: -1.00%

Function 00E4FA5E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00E4FA62

Part of subcall function 00E576B7: GetLastError.KERNEL32(?,?,00E500CE,00E4F07C), ref: 00E576B9
Part of subcall function 00E576B7: __calloc_crt.LIBCMT ref: 00E576DA
Part of subcall function 00E576B7: GetCurrentThreadId.KERNEL32 ref: 00E57703
Part of subcall function 00E576B7: SetLastError.KERNEL32(00000000,00E500CE,00E4F07C), ref: 00E5771B

__calloc_crt.LIBCMT ref: 00E4FA85
__get_sys_err_msg.LIBCMT ref: 00E4FAA3
__invoke_watson.LIBCMT ref: 00E4FAC0

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00E4FA6D, 00E4FA93

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2164971522-798102604
Opcode ID: 948d2e77d9e6395d3bb76feb0217d505008a4d0e4051775507ef3a11730e5801
Instruction ID: 3c0f96bd8fc40bb49f77e1d9c208abf4517cc645a407ca6fb21123955ffca568
Opcode Fuzzy Hash: 948d2e77d9e6395d3bb76feb0217d505008a4d0e4051775507ef3a11730e5801
Instruction Fuzzy Hash: 1FF0E932644B126BD72266597C42D6B73CCDB61FAEB102936FD4DB7202EA11DC402295

Uniqueness

Uniqueness Score: -1.00%

Function 00E2739A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E273B9

Part of subcall function 00E2C6F5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,5E3F636C,00000000,00000001,00000000,?,?,?,00E7333C,000000FF,00E2C7E6), ref: 00E2C750
Part of subcall function 00E2C6F5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,5E3F636C,00000000,00000001,00000000,?,?), ref: 00E2C769

__swprintf.LIBCMT ref: 00E273F1
OutputDebugStringW.KERNEL32(?,00000001,00000000), ref: 00E2740E

Strings

TerminateProcessByPid failed, %s, xrefs: 00E273EB
hwang , xrefs: 00E2739A

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$DebugOutputString__swprintf_memset
String ID: TerminateProcessByPid failed, %s$hwang
API String ID: 2884027105-2046656990
Opcode ID: 554c98add03d81329d230919254d80bd4481ea2727b0296b77e3ed8a2d0f9dd0
Instruction ID: 7109909921828d8464548ba83c1137d07f9381f1ca00331e6be3ea8df3996753
Opcode Fuzzy Hash: 554c98add03d81329d230919254d80bd4481ea2727b0296b77e3ed8a2d0f9dd0
Instruction Fuzzy Hash: 2BF081329001285BCB10EB54EC45EDA73FDBF88300F4095E5F859BB181DEB19A85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2873C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00E2874F
GetProcAddress.KERNEL32(00000000), ref: 00E28756
GetCurrentProcess.KERNEL32(00000000), ref: 00E28766

Strings

kernel32, xrefs: 00E2874A
IsWow64Process, xrefs: 00E28745

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 9edd0510f506908e421ab508265c11c3f144e892da544eb80288201e3b781a41
Instruction ID: dd7df04f009501ce55ca83701ede53826fa6f6fef969f3afc1629405ff65919c
Opcode Fuzzy Hash: 9edd0510f506908e421ab508265c11c3f144e892da544eb80288201e3b781a41
Instruction Fuzzy Hash: 80F08272922719EFC710DBB5C809A8EB7ECEB08369B50C555E109E7100D7B4D981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6600A Relevance: 7.8, APIs: 5, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 00E5769F: __getptd_noexit.LIBCMT ref: 00E576A0

__invoke_watson.LIBCMT ref: 00E66222

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __getptd_noexit__invoke_watson
String ID:
API String ID: 2533157543-0
Opcode ID: 8105e5e9337329e52863c4fd38e6f92baa258c910c9edbbe6a7d55064b6b1471
Instruction ID: 1cf7ed02975787752b44391840064b6312c62330a3612f6a90f95f3044affbd2
Opcode Fuzzy Hash: 8105e5e9337329e52863c4fd38e6f92baa258c910c9edbbe6a7d55064b6b1471
Instruction Fuzzy Hash: 3371E8729946119BEF149E24EC86BBB77ECEF01394F1450A9FD09FA182EB34DD448760

Uniqueness

Uniqueness Score: -1.00%

Function 00E7018D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E7021D

Part of subcall function 00E70DE0: __87except.LIBCMT ref: 00E70E1B

Strings

pow, xrefs: 00E701F5, 00E70212

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 71b4f141429e658f60020ac154e58376e350aed5f1712d0c5c67037af0bc754e
Instruction ID: e41f21b941429da685802fa6c9efad6cdbf827b0dd2b39281616f767d61b6368
Opcode Fuzzy Hash: 71b4f141429e658f60020ac154e58376e350aed5f1712d0c5c67037af0bc754e
Instruction Fuzzy Hash: EF513862A08202DACB25B714CD053AE7BD4DB40718F24FD59F4DDB22FAEB348CC49A46

Uniqueness

Uniqueness Score: -1.00%

Function 00E58496 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

___crtGetStringTypeW.LIBCMT ref: 00E585B1
_memcmp.LIBCMT ref: 00E585E8
InterlockedDecrement.KERNEL32(?), ref: 00E586D5

Strings

C, xrefs: 00E584A2

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DecrementInterlockedStringType___crt_memcmp
String ID: C
API String ID: 722280844-1037565863
Opcode ID: ae234c6069bd5a55ded6013969dd90ff378c8176e70174c04a38dc76baaec7fd
Instruction ID: 1e47c754a4ea2d1d85dd094c445649d1ba21598fc23dc5e5c1c7006dfbfe4cf3
Opcode Fuzzy Hash: ae234c6069bd5a55ded6013969dd90ff378c8176e70174c04a38dc76baaec7fd
Instruction Fuzzy Hash: 5871B574A022299FCB24DF18D9C8A9CB7B5BF09305F2095DAE809B7351DB71AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E3EDCC Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

_fgetc.LIBCMT ref: 00E3EE5D

Part of subcall function 00E3EBB6: _fgetc.LIBCMT ref: 00E3EC2B

Strings

_IO_input, xrefs: 00E3EF50
invalid format, xrefs: 00E3EF3B
too many arguments, xrefs: 00E3EE1B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _fgetc
String ID: _IO_input$invalid format$too many arguments
API String ID: 762172173-2273374480
Opcode ID: bb8990358e0ea82688b671d0d59e9351c9c406cec6080b89043ea8802a03b588
Instruction ID: d3764845db292dedd939996b3b62201c732031b22d4c6952f68fcbcdb1809b1b
Opcode Fuzzy Hash: bb8990358e0ea82688b671d0d59e9351c9c406cec6080b89043ea8802a03b588
Instruction Fuzzy Hash: 1041E4317083529BCB14EE29944A63E7BD6AFC4724F14A629F859BB3C5DE60EC01C792

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A5F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E3A676
__floor_pentium4.LIBCMT ref: 00E3A730
__floor_pentium4.LIBCMT ref: 00E3A73E

Strings

zero, xrefs: 00E3A6DC

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __floor_pentium4$__allrem
String ID: zero
API String ID: 2906899411-2883514770
Opcode ID: c6b11242d7f3b188d2c76f7f009d76a81fb2c756c79cc965510d61d91d0789e8
Instruction ID: 25446df7d43aa778075cc5fe1edd46fe15fc86a3a66f88c91c19898c5102b5a4
Opcode Fuzzy Hash: c6b11242d7f3b188d2c76f7f009d76a81fb2c756c79cc965510d61d91d0789e8
Instruction Fuzzy Hash: 68412C71604B148BD714EF24A84692EB7E5EFC5760F18D22EF49A671A2DF7148C1C287

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A8F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA83: __EH_prolog3.LIBCMT ref: 00E2AA8A
Part of subcall function 00E2AA83: _strlen.LIBCMT ref: 00E2AB44

_strnlen.LIBCMT ref: 00E2A970
_memcpy_s.LIBCMT ref: 00E2A9A9
_strcat.LIBCMT ref: 00E2AA03

Strings

AStringMetaTable, xrefs: 00E2A9F5, 00E2AA3D, 00E2AA42, 00E2AA4D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_memcpy_s_strcat_strlen_strnlen
String ID: AStringMetaTable
API String ID: 1366018426-3285423709
Opcode ID: f593bb56a6cc29b4751edf3ec986e5e9b7f21cb4137a3d1c5e7f7b7ccb3043cb
Instruction ID: ef01ffd7732427dfe3ac856f700ecc2cd76f921ca202b233c0a8db0a7cea0d8c
Opcode Fuzzy Hash: f593bb56a6cc29b4751edf3ec986e5e9b7f21cb4137a3d1c5e7f7b7ccb3043cb
Instruction Fuzzy Hash: 7B4105325042119FC714EF28EC40E6AB7E9FFC8334F28463DF455A7292DA30A805CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E2AA83 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E2AA8A
_strlen.LIBCMT ref: 00E2AB44

Strings

AStringMetaTable, xrefs: 00E2AB11
WStringMetaTable, xrefs: 00E2AB25

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_strlen
String ID: AStringMetaTable$WStringMetaTable
API String ID: 782648989-3501246679
Opcode ID: 5b0fce574c9dd2a04c7bcba7ec2f1d39c3ff0a7937dfcad14eddfe044d1aa100
Instruction ID: ad695c309cb85f1e2fca0f05f65d4d3d51bf3efc911e792c4edd713aee597585
Opcode Fuzzy Hash: 5b0fce574c9dd2a04c7bcba7ec2f1d39c3ff0a7937dfcad14eddfe044d1aa100
Instruction Fuzzy Hash: 4C31A270A046258B8F24AF29EC4256DB7E7AFC5730724662AE526B72E1DE34CD418782

Uniqueness

Uniqueness Score: -1.00%

Function 00E230B7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(lc?^), ref: 00E23114
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E7383D), ref: 00E23120

Strings

lc?^, xrefs: 00E2310A, 00E2310E, 00E23113
DllManagerMetaTable, xrefs: 00E2314B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastLibraryLoad
String ID: DllManagerMetaTable$lc?^
API String ID: 3568775529-3872318702
Opcode ID: cf40db8494d40a7499ce2c29b8ecd44965e172358aa9ff41fff885c3228afe73
Instruction ID: 87eed0a2a7580b5dda2af87e0deb212e737dfe2c737208e6bc88a56352b2e6df
Opcode Fuzzy Hash: cf40db8494d40a7499ce2c29b8ecd44965e172358aa9ff41fff885c3228afe73
Instruction Fuzzy Hash: BE21B3726087109FC304DF29DC82A5BB7E8EB88720F50562EF556E72D1DA34A905CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00E2454D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,?,:-( ,00010010), ref: 00E24628
ExitProcess.KERNEL32 ref: 00E24630

Strings

lc?^, xrefs: 00E245A0, 00E245A4, 00E245B0, 00E245B4, 00E245CB, 00E245BF, 00E245C0, 00E245CF
:-( , xrefs: 00E24620

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: :-( $lc?^
API String ID: 1220098344-532068705
Opcode ID: 20c4f1e99b08bd30731fbbd97fc16456ac4d09bd0a27f9e71667711b38109e04
Instruction ID: ded0ccd8ec0cb9aaa77fbd1b0d60123f213938a3773f45a6c374f8a433976d26
Opcode Fuzzy Hash: 20c4f1e99b08bd30731fbbd97fc16456ac4d09bd0a27f9e71667711b38109e04
Instruction Fuzzy Hash: B1216D72218301AFD304DF19DC41A5BB7E8EF89714F505A1DF589A2191EB70EA48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E662D9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00E662F0
_wcscmp.LIBCMT ref: 00E66301

Strings

ACP, xrefs: 00E662EA
OCP, xrefs: 00E662FB

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: 3425667bbfe056a55e507fc9527711b05f8ebf7e6cc63d77edcd1540635b8489
Instruction ID: 908c9cf7d89d46479a5d8d3dfd2f19e6221405830362dcebcfa7ce210ed33e6b
Opcode Fuzzy Hash: 3425667bbfe056a55e507fc9527711b05f8ebf7e6cc63d77edcd1540635b8489
Instruction Fuzzy Hash: B301F5326D561576EB10AA18FC52FDA33CC9F607E9F44A415F908FB282F730DA4042D4

Uniqueness

Uniqueness Score: -1.00%

Function 00E2C25D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 00E2C28B
_memcpy_s.LIBCMT ref: 00E2C2BF

Strings

lc?^, xrefs: 00E2C25D
lc?^, xrefs: 00E2C263, 00E2C28A, 00E2C2B9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_s_wcsnlen
String ID: lc?^$lc?^
API String ID: 296551695-2981666739
Opcode ID: a792312c52136bc7f2c542663d3d38a6e6de55c1ba47e02a277a4dc8d49b4c5f
Instruction ID: 7bae73ec49fd2c689004884af51649e7fddd8a9a911913625b5c437f36444517
Opcode Fuzzy Hash: a792312c52136bc7f2c542663d3d38a6e6de55c1ba47e02a277a4dc8d49b4c5f
Instruction Fuzzy Hash: 6B112572500628DFC714EEE4E884C6FB3DCEB94320B31562DF025BB292DE34A80487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E578C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 00E578D4

Strings

U, xrefs: 00E578DD

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: b66dc4ad0f1e2e76dfcdb571bf476acc49475a3a8db8ef0f4cc99bad16c0a139
Instruction ID: 969413e5fe1da0dc435ffe11ca9c2be231b70ec6cac2098571062ec69168b7cd
Opcode Fuzzy Hash: b66dc4ad0f1e2e76dfcdb571bf476acc49475a3a8db8ef0f4cc99bad16c0a139
Instruction Fuzzy Hash: 41F02B7221C2182DEF089AB4FC49B7B33DDCB80366F201C21FD48E5151F621C968C250

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D7C4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00E4D7DC

Part of subcall function 00E4EF94: __FF_MSGBANNER.LIBCMT ref: 00E4EFAB
Part of subcall function 00E4EF94: __NMSG_WRITE.LIBCMT ref: 00E4EFB2
Part of subcall function 00E4EF94: RtlAllocateHeap.NTDLL(008E0000,00000000,00000001), ref: 00E4EFD7

std::exception::exception.LIBCMT ref: 00E4D7F8
__CxxThrowException@8.LIBCMT ref: 00E4D80D

Part of subcall function 00E4F421: RaiseException.KERNEL32(?,?,00E4D0D4,?,?,?,?,?,00E4D0D4,?,00E9634C,?), ref: 00E4F472

Strings

bad allocation, xrefs: 00E4D7F1

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: 4602571cacf4d7358c6aa0704b6601270a1048524808baab287e88bcd98dfdb4
Instruction ID: 5be99e467b35814a65edf6ebf9c188574277f6ae0a22a5f97906600159787d1b
Opcode Fuzzy Hash: 4602571cacf4d7358c6aa0704b6601270a1048524808baab287e88bcd98dfdb4
Instruction Fuzzy Hash: 49E0E53510420AAACB00EB94EC069DE77FCAB00344F102422F414B1091DBB0C6449691

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BCDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00E257F3,?,00000000,?,00000000,00000000), ref: 00E2BCED
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00E2BCFD

Strings

Advapi32.dll, xrefs: 00E2BCE8
RegDeleteKeyTransactedW, xrefs: 00E2BCF7

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 89933f21490f79385b41f1e9a7ba2d70f748982c4454157a5ce0ba06cbd92607
Instruction ID: fcacc9e7f10a388b4cc37eccf1f4ecec9d29f20c9823244ba294cbd543ed507a
Opcode Fuzzy Hash: 89933f21490f79385b41f1e9a7ba2d70f748982c4454157a5ce0ba06cbd92607
Instruction Fuzzy Hash: 94F0A032244691AB87215B26AC08DA7BBF8FFD9B0B705583EB088B1021D7718481C630

Uniqueness

Uniqueness Score: -1.00%

Function 00E22928 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E2292F

Strings

F:\DTL6\dtl_install\project\DTLInstaller_duilib\Common\base\ProcessToolHelp.hpp, xrefs: 00E22972
DTLBase::ProcessToolHelp::TerminateProcessByPid, xrefs: 00E22968
Throw win_exception at File:%sLine:%uFunction:%sMessage:%s, xrefs: 00E22977

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID: DTLBase::ProcessToolHelp::TerminateProcessByPid$F:\DTL6\dtl_install\project\DTLInstaller_duilib\Common\base\ProcessToolHelp.hpp$Throw win_exception at File:%sLine:%uFunction:%sMessage:%s
API String ID: 431132790-93563643
Opcode ID: 277f838d04bdf0f35ae7bd03cb72533b36102e56c1eb98978f649564dfd931da
Instruction ID: 039c70cd2597a8a6e069e78038dd5804e51e6b2e900b6c600bd4207d2c425c35
Opcode Fuzzy Hash: 277f838d04bdf0f35ae7bd03cb72533b36102e56c1eb98978f649564dfd931da
Instruction Fuzzy Hash: 76F090B06003549FCB25EF289802B9A3BE0AF04704F109459E558BB282D7B1C641D796

Uniqueness

Uniqueness Score: -1.00%

Function 00E4EA96 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,?,00E4EA48,00000000), ref: 00E4EAB0
GetProcAddress.KERNEL32(00000000), ref: 00E4EAB7

Strings

RoInitialize, xrefs: 00E4EA9F
combase.dll, xrefs: 00E4EAAB

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: af004d231be3adc0adbc96b18656089bbe5610f88263c714ef5c43279c852ab9
Instruction ID: 6942f6c74f377cba70629a31a5406ef397ff4161bc8ec6af8d9a0ee1f8e54c9b
Opcode Fuzzy Hash: af004d231be3adc0adbc96b18656089bbe5610f88263c714ef5c43279c852ab9
Instruction Fuzzy Hash: C9E04F71691700EFDB206FBAFD0EB153AA5B714B0AF605527B109F52F0EBB8484C9B10

Uniqueness

Uniqueness Score: -1.00%

Function 00E4EB6B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E4EA85), ref: 00E4EB85
GetProcAddress.KERNEL32(00000000), ref: 00E4EB8C

Strings

RoUninitialize, xrefs: 00E4EB74
combase.dll, xrefs: 00E4EB80

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 5a3e8c32b109af51dcbffb0c5caf264ca129b3efaf38f6851f40c625571f59fe
Instruction ID: 15bc06477e99fdbeed10f6d262c0f269e05033d71de76eb42cb2b247aa222a7d
Opcode Fuzzy Hash: 5a3e8c32b109af51dcbffb0c5caf264ca129b3efaf38f6851f40c625571f59fe
Instruction Fuzzy Hash: 32E09270542780EFDB606B67BD0DB1A3BA5B74470AF609057B106F56B1EBB848488E50

Uniqueness

Uniqueness Score: -1.00%

Function 00E23037 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,Wow64RevertWow64FsRedirection), ref: 00E23049
GetProcAddress.KERNEL32(00000000), ref: 00E23050

Strings

Kernel32, xrefs: 00E23044
Wow64RevertWow64FsRedirection, xrefs: 00E2303F

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Kernel32$Wow64RevertWow64FsRedirection
API String ID: 1646373207-2204841719
Opcode ID: aa9a9bea4177eac0fc233597d4f7ebc21a20dea321aedf25af7825fa5d756f6e
Instruction ID: bc1e9d924d0ca75cac2c28bfdb4c0b5558f58f0e9ced4e36e9dd559e594457d3
Opcode Fuzzy Hash: aa9a9bea4177eac0fc233597d4f7ebc21a20dea321aedf25af7825fa5d756f6e
Instruction Fuzzy Hash: 7CD0A932204B21AEDB301BB1BC08F853B98EB00B09F049418A298B10A2DBA88880CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E290D1 Relevance: 6.2, APIs: 4, Instructions: 171windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000400,00000400,00000000), ref: 00E29137

Part of subcall function 00E227EE: __EH_prolog3.LIBCMT ref: 00E227F5

TranslateMessage.USER32(?), ref: 00E29284
DispatchMessageW.USER32(?), ref: 00E2928F
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E2929D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchH_prolog3PeekTranslate
String ID:
API String ID: 2404587510-0
Opcode ID: ea2676d8d19948165e89d9cb458bbc3ef4424f1b932675d18155d7339f4cd004
Instruction ID: f83834f53253b49d00001b1a7cfcf8cf63b0db745238c89dfacfcf7f9e3ed38c
Opcode Fuzzy Hash: ea2676d8d19948165e89d9cb458bbc3ef4424f1b932675d18155d7339f4cd004
Instruction Fuzzy Hash: D1613C725083519FC714DF64D884AABB7E8FF89714F005A1EF999D72A1DB30E908CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E501F6 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E50252
_memcpy_s.LIBCMT ref: 00E502C4
__filbuf.LIBCMT ref: 00E50345
_memset.LIBCMT ref: 00E50389

Part of subcall function 00E500C9: __getptd_noexit.LIBCMT ref: 00E500C9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: dda5197ddf4204d7b1203af45941f3a5603b98c6e6585dacabc379b8970434be
Instruction ID: 0885ad05102603dd296308ec33abbad1b65dfe4ed45d997200cdf4e97eebe93c
Opcode Fuzzy Hash: dda5197ddf4204d7b1203af45941f3a5603b98c6e6585dacabc379b8970434be
Instruction Fuzzy Hash: 7151A734A00705DFDB248FA9D8846AE77B5AF40326F249F29FC65B62E2D7709D588B40

Uniqueness

Uniqueness Score: -1.00%

Function 00E5BA26 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E5BAAA
_memmove.LIBCMT ref: 00E5BAF1
___AdjustPointer.LIBCMT ref: 00E5BB3F
_memmove.LIBCMT ref: 00E5BB48

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: ee2029981bd4b5826ecad0fe5af492897296f0b4f6e875728a90a17e08cb372f
Instruction ID: 10a683863f8461c5998246985c7a713eedaa868352f6e2aa4a04bf8f9a467b8a
Opcode Fuzzy Hash: ee2029981bd4b5826ecad0fe5af492897296f0b4f6e875728a90a17e08cb372f
Instruction Fuzzy Hash: EF41F3762083029EEB285F15E842B6A33E49F10369F24281EFC45BB5D1EFB1ED88D654

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BAD1 Relevance: 6.1, APIs: 4, Instructions: 113windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E2BAD8
LoadStringW.USER32(?,00000000,00000100,00000018), ref: 00E2BB50
LoadStringW.USER32(?,00000000,00000100,00000018), ref: 00E2BBD8
MessageBoxW.USER32(00000000,?,?,00010022), ref: 00E2BBF5

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: LoadString$H_prolog3_catchMessage
String ID:
API String ID: 1190379205-0
Opcode ID: 0daa7e29b326013f0112cfc62e31ff54845726f73e259520c5e4ecff79bad4df
Instruction ID: e6e38497fe226c10e8c532afb288e86d626681c87d793bd254e9ee17c6124a05
Opcode Fuzzy Hash: 0daa7e29b326013f0112cfc62e31ff54845726f73e259520c5e4ecff79bad4df
Instruction Fuzzy Hash: 5E31B571A01219AFDB048F65ED8A6BE7BB4EF44360F20502EF505FA2D4EBB44D418B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2881D Relevance: 6.1, APIs: 4, Instructions: 99processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E2887B
_memset.LIBCMT ref: 00E288A7
Process32FirstW.KERNEL32 ref: 00E288C0
Process32NextW.KERNEL32(?,?), ref: 00E2890A

Part of subcall function 00E22A67: Process32NextW.KERNEL32(?,?), ref: 00E22A72

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Process32$Next$CreateFirstSnapshotToolhelp32_memset
String ID:
API String ID: 2803600000-0
Opcode ID: 733a966ef2d63ff55e751f5c83edba542961915840076145cbad4e2e58eb6f04
Instruction ID: b1c9ae8d20ad1dadc179a0b8da25f79cde4c49ce8e15adb0b7687101e0bc9392
Opcode Fuzzy Hash: 733a966ef2d63ff55e751f5c83edba542961915840076145cbad4e2e58eb6f04
Instruction Fuzzy Hash: 72316B71519350AFD724DF25E885B6BB7E8FB88714F40192EF49992280EB709908CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00E6292B Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E6295F
__isleadbyte_l.LIBCMT ref: 00E6298D
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00E629BB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00E629F1

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8590c1a0a3e8a4a9f10c95ad3ced01aa483db0678bcfdccf09d68011f8e68d9e
Instruction ID: 9011bc511547df14e009c42d1fd8df3120c2af332f3efdc501dd72d4cda6c91a
Opcode Fuzzy Hash: 8590c1a0a3e8a4a9f10c95ad3ced01aa483db0678bcfdccf09d68011f8e68d9e
Instruction Fuzzy Hash: 4A310131640A46AFDB218F75D844BBA7BB5FFC13A4F15942CE660BB191E330D891DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BD2D Relevance: 6.1, APIs: 4, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2BEBD: RegCloseKey.ADVAPI32(?,?,00E25127,00000000,?), ref: 00E2BF01

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00E2BDB6
RegCloseKey.ADVAPI32(?), ref: 00E2BDCE
RegDeleteKeyW.ADVAPI32(?,?), ref: 00E2BDF1
RegCloseKey.ADVAPI32(00000000,?,?,?,?,00000000,00000000), ref: 00E2BE08

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Close$DeleteEnum
String ID:
API String ID: 650376604-0
Opcode ID: e2787f47db4acc1e07ea456330a012200965d8598ac8a1a74d3c874f5d280d18
Instruction ID: f4a02953c9e2d0ebd15d97bc210866b452e41b3be9f0ba6536cd1231ae2ee72d
Opcode Fuzzy Hash: e2787f47db4acc1e07ea456330a012200965d8598ac8a1a74d3c874f5d280d18
Instruction Fuzzy Hash: D4213B7594123DAFDB20DB55EC88AEABBB8EF18354F0001A6A509F2151DB309EC4CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4E98E Relevance: 6.1, APIs: 4, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00E4E9B8
CreateThread.KERNEL32(00000002,00000010,00E4EAEE,00000000,?,?), ref: 00E4E9FC
GetLastError.KERNEL32(?,00E28E28,00000000,00000000,00000000,?,00000000,00000000), ref: 00E4EA06
__dosmaperr.LIBCMT ref: 00E4EA1A

Part of subcall function 00E500C9: __getptd_noexit.LIBCMT ref: 00E500C9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit
String ID:
API String ID: 910100809-0
Opcode ID: 9e29b8a37789808a8b23cd79c8293b05e5eb002bcb7807d9bd2408ddbfb94a24
Instruction ID: 43f6507674c8a5f38a30a3116aaa30ba2a9d671edd8032bd8a9e67b0edbe387a
Opcode Fuzzy Hash: 9e29b8a37789808a8b23cd79c8293b05e5eb002bcb7807d9bd2408ddbfb94a24
Instruction Fuzzy Hash: 27112133104706AF9B10AFA9BC41AAB3BD8FF44739B101819F908B22D1EB71D8049760

Uniqueness

Uniqueness Score: -1.00%

Function 00E5293D Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00E52977
__lock.LIBCMT ref: 00E52983
_idtab.LIBCMT ref: 00E5298E

Part of subcall function 00E500C9: __getptd_noexit.LIBCMT ref: 00E500C9

__cwait.LIBCMT ref: 00E529C5

Part of subcall function 00E60050: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00E529CA,?,?,00000001,?,00E96608,0000000C,00E3E6B7,00000000), ref: 00E60066
Part of subcall function 00E60050: GetExitCodeProcess.KERNEL32(?,?), ref: 00E60075
Part of subcall function 00E60050: CloseHandle.KERNEL32(?,?,00E529CA,?,?,00000001,?,00E96608,0000000C,00E3E6B7,00000000), ref: 00E600B7

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeExitHandleObjectProcessSingleWait__cwait__getptd_noexit__lock__mtinitlocknum_idtab
String ID:
API String ID: 36153976-0
Opcode ID: ba0226b9dec4b6d5965443f75fd833a8d4ee99d7d87937a729ce55b56a695199
Instruction ID: 38f4d5ab98383e05839e5a1e61d32c010cffce958e0412204f0c03ba77bf8c9d
Opcode Fuzzy Hash: ba0226b9dec4b6d5965443f75fd833a8d4ee99d7d87937a729ce55b56a695199
Instruction Fuzzy Hash: 2B115B716413019FDB117BA0CC4276D76E4AF42727F116D1AFE147B2C2DB7899488A61

Uniqueness

Uniqueness Score: -1.00%

Function 00E5B370 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00E5B387

Part of subcall function 00E5B998: ___AdjustPointer.LIBCMT ref: 00E5B9E1

_UnwindNestedFrames.LIBCMT ref: 00E5B39E
___FrameUnwindToState.LIBCMT ref: 00E5B3B0
CallCatchBlock.LIBCMT ref: 00E5B3D4

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 55a506a801e90e1ee71051e5bc1063aa43d04cb7b5b3622a6187c7274493763c
Instruction ID: 31450fd4a38064b410956a17a2a99924a9a8d29db24a0c09f6e1eb3dd3a8efcb
Opcode Fuzzy Hash: 55a506a801e90e1ee71051e5bc1063aa43d04cb7b5b3622a6187c7274493763c
Instruction Fuzzy Hash: F7012532000108BBCF129F95DC01EDA3BBAEF58755F159825FE1876121D772E865EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E67D3D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E67D61

Part of subcall function 00E68440: __fltout2.LIBCMT ref: 00E68469

__cftog_l.LIBCMT ref: 00E67D87
__cftoe_l.LIBCMT ref: 00E67DB9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 62f6cce5e9977a0a6e20e9342b9f6c998af7222c8a7650f7c34285a6c0f474ee
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: B4016D7208414EBBCF125E84EC018ED3F63BF19398B189914FA9869031C736C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E453E0 Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 00E453FE
GetLastError.KERNEL32 ref: 00E4540C
CloseHandle.KERNEL32(?,?,?), ref: 00E45449
GetLastError.KERNEL32 ref: 00E45453

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandle
String ID:
API String ID: 614986841-0
Opcode ID: 0a427defebe0f7c9a53601aaf729e12129f6e85b4d42757248bd08cee66cb1f1
Instruction ID: b1035045e854b7bbdeefe1ef3ed285e36c4763db102634a3e8affc2da419eb27
Opcode Fuzzy Hash: 0a427defebe0f7c9a53601aaf729e12129f6e85b4d42757248bd08cee66cb1f1
Instruction Fuzzy Hash: 24012B32B00A087BDB209B65BC49B5DB768DB90326F204615F925FA2D1DAF089989750

Uniqueness

Uniqueness Score: -1.00%

Function 00E57726 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00E5776A

Part of subcall function 00E5BF5B: __mtinitlocknum.LIBCMT ref: 00E5BF6D
Part of subcall function 00E5BF5B: RtlEnterCriticalSection.NTDLL(?), ref: 00E5BF86

InterlockedIncrement.KERNEL32(00E9A860), ref: 00E57777
__lock.LIBCMT ref: 00E5778B
___addlocaleref.LIBCMT ref: 00E577A9

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 6b90a41d4b96d863c7a7daf20729e432b615eba645fc263bbdbdc48c2c884205
Instruction ID: a0a4f0b2c8f729922d23833a99b83adb82dac7a085c89d2b414e368da0d03627
Opcode Fuzzy Hash: 6b90a41d4b96d863c7a7daf20729e432b615eba645fc263bbdbdc48c2c884205
Instruction Fuzzy Hash: C3015B71404B00DFE7209F65E80674ABBF0AF44726F20AD0FE899A72A1DB70A588CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E41187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

invalid order function for sorting, xrefs: 00E4117B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid order function for sorting
API String ID: 0-1445527858
Opcode ID: a640295ac4835704986be2e96c63267e8300de9e088726eba624a007857d1df8
Instruction ID: b137813d73f892af4476c666dc6d16394c9d4aeac6fd7449a40052f27cec1737
Opcode Fuzzy Hash: a640295ac4835704986be2e96c63267e8300de9e088726eba624a007857d1df8
Instruction Fuzzy Hash: 0551E931B0021597CF08DF29AC816AEB7E69F95320F24917EF916FB3C1DA749D458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E3EA0A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 00E3EA36
_fgetc.LIBCMT ref: 00E3EA4B

Strings

+, xrefs: 00E3EB44

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _fgetc_localeconv
String ID: +
API String ID: 225233785-2126386893
Opcode ID: acb2eb5e0745c4c889eaed77d0a13ba6a229a0836868351d435e358fcd656ba7
Instruction ID: f76cd3f51b338ab7774c0f1355c6278cb6b1599c806d3360a193ece1cb8845e7
Opcode Fuzzy Hash: acb2eb5e0745c4c889eaed77d0a13ba6a229a0836868351d435e358fcd656ba7
Instruction Fuzzy Hash: 46415E309002698BDF75DB64CC85BADBBF0AF44354F1899EAD40AB6291DA709EC4CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A0A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA83: __EH_prolog3.LIBCMT ref: 00E2AA8A
Part of subcall function 00E2AA83: _strlen.LIBCMT ref: 00E2AB44

_memset.LIBCMT ref: 00E2A199
_strcat.LIBCMT ref: 00E2A1B3

Strings

AStringMetaTable, xrefs: 00E2A1BA

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_memset_strcat_strlen
String ID: AStringMetaTable
API String ID: 38168682-3285423709
Opcode ID: 489839f6f6d46c0fe0eaabdacbfab33793ffebc8f8d6b08d170ba91fd44ccaf6
Instruction ID: f4e4830106fd8985d5a48d809659b4ede1470a3b3781cd72e5fdd122c7482615
Opcode Fuzzy Hash: 489839f6f6d46c0fe0eaabdacbfab33793ffebc8f8d6b08d170ba91fd44ccaf6
Instruction Fuzzy Hash: DC41D6B16043118FD714EF24E884B6AB7E1FFC4324F18992DF45667292DB35E809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C3FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 00E3C478

Strings

\%d, xrefs: 00E3C46B
\%03d, xrefs: 00E3C472

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _sprintf
String ID: \%03d$\%d
API String ID: 1467051239-1830572345
Opcode ID: 41fc4aba83a7788a130c0eb850f9b95d9183541f5cb1e9a0e903ee6653000f23
Instruction ID: d5eaa53b9d645a01a0ea1f3304ddc3ecdcf973c6072a6317a42bd2a7f175f843
Opcode Fuzzy Hash: 41fc4aba83a7788a130c0eb850f9b95d9183541f5cb1e9a0e903ee6653000f23
Instruction Fuzzy Hash: 3A318534200B519BC725EF29D4A587ABBE6EF8A304724A85DD4F6B7752CB30F842C760

Uniqueness

Uniqueness Score: -1.00%

Function 00E28ABD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(lc?^,5E3F636C), ref: 00E28B02
CommandLineToArgvW.SHELL32(00000000), ref: 00E28B09

Part of subcall function 00E227EE: __EH_prolog3.LIBCMT ref: 00E227F5

Part of subcall function 00E226CF: __EH_prolog3_GS.LIBCMT ref: 00E226D6

Strings

lc?^, xrefs: 00E28AF7, 00E28AFD

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CommandLine$ArgvH_prolog3H_prolog3_
String ID: lc?^
API String ID: 648356053-3458774033
Opcode ID: c1055db38e7ba7e27ab77f4152de822afb8fc43625eaa780f8f663c56ee1ec71
Instruction ID: 1e780b175ed9a0d2a8ee91f060781914c0afc0605524f670c5e403d4bb488800
Opcode Fuzzy Hash: c1055db38e7ba7e27ab77f4152de822afb8fc43625eaa780f8f663c56ee1ec71
Instruction Fuzzy Hash: 56315A712083919FC314DF28E845A5BB7E9FFC5720F105A1EF596A3291DF309909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E3F09A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 00E3F11D

Strings

%.14g, xrefs: 00E3F114
%lld, xrefs: 00E3F102

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _fprintf
String ID: %.14g$%lld
API String ID: 1654120334-1635807733
Opcode ID: 7fc7fbdae17e3af712efb229f9045c69a0f757365844d823ffdac5dc985c3fd4
Instruction ID: d38279871bbfb801c53c4e9122938c7b16149e2387dbda968e54d88055bb2c13
Opcode Fuzzy Hash: 7fc7fbdae17e3af712efb229f9045c69a0f757365844d823ffdac5dc985c3fd4
Instruction Fuzzy Hash: A3213B32E08310ABD710EA68E84592AB7E5DFC4314F10693DFA5477242EA31DC05C792

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E2A597

Part of subcall function 00E2B956: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,?,?,00E2A650,00000000,00E9A000,0000000C,00E2A00E,00000002,00000000,5E3F636C), ref: 00E2B96F
Part of subcall function 00E2B956: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,00E2A650,00000000,00E9A000,0000000C,00E2A00E,00000002,00000000), ref: 00E2B994

Strings

AStringMetaTable, xrefs: 00E2A616
WStringMetaTable, xrefs: 00E2A62A

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog3
String ID: AStringMetaTable$WStringMetaTable
API String ID: 692526729-3501246679
Opcode ID: 0b5150364d3041b36cb5c288813f265e06d9907b1f3881d4b48ea84a0f3f9674
Instruction ID: dab99f2c3e73b5561921620438d3c7e64fde483379243dd09494cc5834862eaa
Opcode Fuzzy Hash: 0b5150364d3041b36cb5c288813f265e06d9907b1f3881d4b48ea84a0f3f9674
Instruction Fuzzy Hash: D721B4707046368B8F24AF68EC9247D73A2AFC4334728662DE526BB2D5CF34CE414686

Uniqueness

Uniqueness Score: -1.00%

Function 00E4031C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E40337

Strings

no module '%s' in file '%s', xrefs: 00E40398
cpath, xrefs: 00E4034E

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: no module '%s' in file '%s'$cpath
API String ID: 601868998-2543832310
Opcode ID: 40079d85ac432221398836cee6eb5bf7a30414ce3576bf25d35780b3ae9ce7d9
Instruction ID: dd1a46a32dabd9b42522bcd8aab6247193f4048cd31d4f342f3a54f4b57628b7
Opcode Fuzzy Hash: 40079d85ac432221398836cee6eb5bf7a30414ce3576bf25d35780b3ae9ce7d9
Instruction Fuzzy Hash: 8A01842274861167A519753A3C52A3F47CE9BC5B78B24A039F709F72D2DD708D020069

Uniqueness

Uniqueness Score: -1.00%

Function 00E2E2C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00E30097: ___from_strstr_to_strchr.LIBCMT ref: 00E300F2
Part of subcall function 00E30097: ___from_strstr_to_strchr.LIBCMT ref: 00E30118

_strncmp.LIBCMT ref: 00E2E31D

Strings

_G., xrefs: 00E2E317
_LOADED, xrefs: 00E2E2E6

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_strncmp
String ID: _G.$_LOADED
API String ID: 2516952115-344459542
Opcode ID: 2575f111750eed049fcae15c0c59b91fbf5175f396b7033d1e0c23f422cb6bea
Instruction ID: 9248049cded9c3986725dce48b1db5495bab191539c980cae9177f010cc13e44
Opcode Fuzzy Hash: 2575f111750eed049fcae15c0c59b91fbf5175f396b7033d1e0c23f422cb6bea
Instruction Fuzzy Hash: 7C1148333087305FD614A638AC42A2E73DADFC9730B24972DE176A77D6DFA0AC064691

Uniqueness

Uniqueness Score: -1.00%

Function 00E2C60E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,5E3F636C,?,?,?,lc?^,lc?^,00000000,00E7423F), ref: 00E2C666
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,lc?^,lc?^,00000000,00E7423F,000000FF), ref: 00E2C681

Strings

lc?^, xrefs: 00E2C61C, 00E2C61D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: lc?^
API String ID: 626452242-3458774033
Opcode ID: bc82f59ebc9f4ffc38c0c9adf853c0132167125d6a6d412b1789819a111aede1
Instruction ID: 7d918c910f986c872a2e018c01d9aa2b4e28974724d6647c7deb8b497a323caf
Opcode Fuzzy Hash: bc82f59ebc9f4ffc38c0c9adf853c0132167125d6a6d412b1789819a111aede1
Instruction Fuzzy Hash: 141139B1608745BFE300CF19DC44F37BBECFB89664F110B2AB815D2690DBA5A9088671

Uniqueness

Uniqueness Score: -1.00%

Function 00E3FBEF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00E3FC15
_strrchr.LIBCMT ref: 00E3FC2C

Part of subcall function 00E2F5D0: _strstr.LIBCMT ref: 00E2F665

Strings

unable to get ModuleFileName, xrefs: 00E3FC7D

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName_strrchr_strstr
String ID: unable to get ModuleFileName
API String ID: 726832683-205594539
Opcode ID: 006793b2fdaff22ae4076f938e062ef934f1864db5c78bddda6833d8c36a6f9d
Instruction ID: 008752500fc814bbb8e53d1cb6fdeccd0e5ee596c2ddb09601639682140f9ef0
Opcode Fuzzy Hash: 006793b2fdaff22ae4076f938e062ef934f1864db5c78bddda6833d8c36a6f9d
Instruction Fuzzy Hash: 47016631B00A182BD724E628AC06BEE77E85F85730F20133AF621F31C5EEA08E448655

Uniqueness

Uniqueness Score: -1.00%

Function 00E3F54D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_tmpnam.LIBCMT ref: 00E3F565

Part of subcall function 00E524F9: __tmpnam_helper.LIBCMT ref: 00E52511

__wgetenv.LIBCMT ref: 00E3F5A6

Strings

unable to generate a unique filename, xrefs: 00E3F589

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __tmpnam_helper__wgetenv_tmpnam
String ID: unable to generate a unique filename
API String ID: 2058239520-1457574477
Opcode ID: beba8412801eb8c1370c53d68a3af0bd86360925a9a704b8e327701d919b2466
Instruction ID: 73eafd2c7331b02f26dc7a5ea881e0147224f1b06b006caa81a4ce2d7867314e
Opcode Fuzzy Hash: beba8412801eb8c1370c53d68a3af0bd86360925a9a704b8e327701d919b2466
Instruction Fuzzy Hash: 6DF0C871B04318ABDF04FBB8E8068BE33E9DF89318B509425F805F7281EE70EE058595

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A4B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E2A4B9

Part of subcall function 00E2A590: __EH_prolog3.LIBCMT ref: 00E2A597

Part of subcall function 00E2C25D: _memcpy_s.LIBCMT ref: 00E2C2BF

_wcscpy.LIBCMT ref: 00E2A529

Strings

WStringMetaTable, xrefs: 00E2A51B

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$_memcpy_s_wcscpy
String ID: WStringMetaTable
API String ID: 3123550153-1986380071
Opcode ID: 36e647fdf9749622a491ebab341dbc7ddf84b224021626b81a77b321323a605b
Instruction ID: 4c9826acf0fdec84fb322ff4f8348ea4ffb99ea0997a8a6cf42337f262dc490f
Opcode Fuzzy Hash: 36e647fdf9749622a491ebab341dbc7ddf84b224021626b81a77b321323a605b
Instruction Fuzzy Hash: 810196319041299BDF04EBA4ED45BEE77F5BF85310F245858F4617B2D1DE306A05C791

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D0D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00E4D0E8

Part of subcall function 00E4E29B: std::exception::_Copy_str.LIBCMT ref: 00E4E2B4

__CxxThrowException@8.LIBCMT ref: 00E4D0FD

Part of subcall function 00E4F421: RaiseException.KERNEL32(?,?,00E4D0D4,?,?,?,?,?,00E4D0D4,?,00E9634C,?), ref: 00E4F472

Strings

bad function call, xrefs: 00E4D103

Memory Dump Source

Source File: 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.3419303246.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419320899.0000000001ACB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419829915.0000000001ACE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.0000000001ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000024CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3419858747.00000000026D8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: bad function call
API String ID: 757275642-3612616537
Opcode ID: a5fc0d88840334e77655e166a14de066b708eb3d4b0bab8eb61a901c00d3d248
Instruction ID: aa912c0f9c9e5c64d0b94dbe2af0dae5ad2c9b2b9051eb727e16721205e9837e
Opcode Fuzzy Hash: a5fc0d88840334e77655e166a14de066b708eb3d4b0bab8eb61a901c00d3d248
Instruction Fuzzy Hash: D9D01279D0020CBB8B00EF94D4468CD7BBCAA84340F50E572F529A6200EAB0D6448B95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\DTInstUI.dll

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Armenian.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Bulgarian.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\English.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\French.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\German.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Greek.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Japanese.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Polish.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Portuguese.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Russian.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Spanish.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Turkish.ini

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll

C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Function 00E24712 Relevance: 79.3, APIs: 36, Strings: 9, Instructions: 527
memoryCOMMON

Function 00E21F35 Relevance: 44.0, APIs: 9, Strings: 16, Instructions: 286
COMMON

Function 00E2764D Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 148
COMMON

Function 00E21E30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93
synchronizationCOMMON

Function 01ACE930 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 00E23337 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 194
stringCOMMON

Function 00E43EFB Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 45
COMMON

Function 00E26198 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 124
fileCOMMON

Function 00E26B11 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 195
COMMON

Function 00E454D0 Relevance: 18.3, APIs: 12, Instructions: 325
fileCOMMON

Function 00E23EF5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 96
COMMON

Function 00E5A8A7 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 00E23803 Relevance: 15.0, APIs: 5, Strings: 5, Instructions: 42
stringCOMMON

Function 00E25059 Relevance: 7.7, APIs: 5, Instructions: 198
registryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre