Edit tour

Windows Analysis Report
Qr0aoYPmZE.exe

Overview

General Information

Sample Name:	Qr0aoYPmZE.exe
Analysis ID:	1317541
MD5:	bc76bd7b332aa8f6aedbb8e11b7ba9b6
SHA1:	c6858031315a50ec87e37966291ec69b64600efb
SHA256:	9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Found detection on Joe Sandbox Cloud Basic

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

One or more processes crash

Drops PE files

Tries to load missing DLLs

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

Qr0aoYPmZE.exe (PID: 1476 cmdline: C:\Users\user\Desktop\Qr0aoYPmZE.exe MD5: BC76BD7B332AA8F6AEDBB8E11B7BA9B6)

Sahofivizu.exe (PID: 5512 cmdline: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Qr0aoYPmZE.exe MD5: 7FE00CC4EA8429629AC0AC610DB51993)

WerFault.exe (PID: 5056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 236 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Qr0aoYPmZE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Qr0aoYPmZE.exe	Virustotal: Detection: 81%			Perma Link
Source: Qr0aoYPmZE.exe	ReversingLabs: Detection: 95%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Avira: detection malicious, Label: HEUR/AGEN.1344339
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	Avira: detection malicious, Label: HEUR/AGEN.1358866
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	Avira: detection malicious, Label: HEUR/AGEN.1328180
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	Avira: detection malicious, Label: HEUR/AGEN.1328724
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	Avira: detection malicious, Label: HEUR/AGEN.1322941

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	Virustotal: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	Virustotal: Detection: 74%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	Virustotal: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	Virustotal: Detection: 67%	Perma Link

Source: Qr0aoYPmZE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_00405D07 FindFirstFileA,FindClose,	4_2_00405D07
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	4_2_00405331
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_0040263E FindFirstFileA,	4_2_0040263E

Source: Qr0aoYPmZE.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Qr0aoYPmZE.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00404EE8

System Summary

Found detection on Joe Sandbox Cloud Basic

Source: Qr0aoYPmZE.exe

Joe Sandbox Cloud Basic: Detection: malicious Score: 100 Threat Name: Gamarue Analyzer: w7x64

Perma Link

Source: Qr0aoYPmZE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 236

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: natigezeholi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: zojemilocan.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: xuxokuxoka.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

4_2_004030FA

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_00406128	4_2_00406128
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_004046F9	4_2_004046F9
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_004068FF	4_2_004068FF

Source: Zojemilocan.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xuxokuxoka.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Qr0aoYPmZE.exe	Virustotal: Detection: 81%
Source: Qr0aoYPmZE.exe	ReversingLabs: Detection: 95%

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

File read: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Jump to behavior

Source: Qr0aoYPmZE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Qr0aoYPmZE.exe C:\Users\user\Desktop\Qr0aoYPmZE.exe
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Qr0aoYPmZE.exe
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 236
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Qr0aoYPmZE.exe	Jump to behavior

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5512

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

File created: C:\Users\user\AppData\Local\Temp\nsgF0BC.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.winEXE@4/12@0/0

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar,

4_2_00402020

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_004041FC

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Code function: 6_2_005E3A20 push eax; ret

6_2_005E3A4E

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405D2E

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	File created: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	File created: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	File created: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	File created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	File created: C:\Users\user\AppData\Local\Temp\natigezeholi.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Code function: 6_2_004012F0 ??2@YAPAXI@Z,GetCapture,GetMenu,GetMenuItemInfoA,malloc,GetSystemInfo,xupetipe,_ftol,Negefibizoh,fread,fclose,CreateHatchBrush,??2@YAPAXI@Z,Fetomekiratu,bedevahetay,

6_2_004012F0

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_00405D07 FindFirstFileA,FindClose,	4_2_00405D07
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	4_2_00405331
Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	Code function: 4_2_0040263E FindFirstFileA,	4_2_0040263E

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe	API call chain: ExitProcess graph end node			graph_4-2867
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	API call chain: ExitProcess graph end node			graph_6-1815

Source: Amcache.hve.10.dr

Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver

Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405D2E

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Qr0aoYPmZE.exe

Jump to behavior

Source: C:\Users\user\Desktop\Qr0aoYPmZE.exe

Code function: 4_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

4_2_00405A2E

Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Qr0aoYPmZE.exe	100%	Avira	TR/AD.Gamarue.njjtd
Qr0aoYPmZE.exe	82%	Virustotal		Browse
Qr0aoYPmZE.exe	96%	ReversingLabs	Win32.Backdoor.Andromeda

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	100%	Avira	HEUR/AGEN.1344339
C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	100%	Avira	HEUR/AGEN.1358866
C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	100%	Avira	HEUR/AGEN.1328180
C:\Users\user\AppData\Local\Temp\natigezeholi.dll	100%	Avira	HEUR/AGEN.1328724
C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	100%	Avira	HEUR/AGEN.1322941
C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	77%	ReversingLabs	Win32.Trojan.Tiggre
C:\Users\user\AppData\Local\Temp\Gozekeneka.dll	75%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	57%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Sahofivizu.exe	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	64%	ReversingLabs	Win32.Backdoor.Andromeda
C:\Users\user\AppData\Local\Temp\Zojemilocan.dll	74%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\natigezeholi.dll	78%	ReversingLabs	Win32.Trojan.Ursu
C:\Users\user\AppData\Local\Temp\natigezeholi.dll	76%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	67%	ReversingLabs	Win32.Trojan.Symmi
C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll	67%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false	high
http://nsis.sf.net/NSIS_Error	Qr0aoYPmZE.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	Qr0aoYPmZE.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1317541
Start date and time:	2023-10-01 15:49:22 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Qr0aoYPmZE.exe
Detection:	MAL
Classification:	mal72.winEXE@4/12@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:51:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sahofivizu.exe_99171066bc99f4afaf39e8633f36db99d51c7fd_7dc17cab_0bb4b60b-0900-464a-91a3-513535e1976c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7508777981557769
Encrypted:	false
SSDEEP:	96:e6FfLysnh7zxz7fwbvXIxcQvc6QcEscw3P+HbHg/8BRTf3eSOyWZAXQ65FMTPS62:tlLywAmBUWYjKqDu76XfAIO8YWVT
MD5:	FD1D85F623E3EA07FD07518974E43FE3
SHA1:	0311F5444BDE4C89E35249FB3D71F6206C518469
SHA-256:	E6CE3707019852C41ED963C77845C39FF3C4BE40836CB57878409828699113BE
SHA-512:	E93891473D3A6F098A1B55C5BCDFFDA71D1FC648BC45B8067AC293D6212F90B991C8DF204F93786160BD99114642ECBD6125F25EF28D4CDAFA6634E8461A239B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.0.6.4.1.8.8.8.4.6.2.3.0.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.0.6.4.1.8.8.8.9.7.7.7.9.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.b.4.b.6.0.b.-.0.9.0.0.-.4.6.4.a.-.9.1.a.3.-.5.1.3.5.3.5.e.1.9.7.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.3.e.6.3.d.c.-.f.2.a.a.-.4.4.8.8.-.a.0.a.b.-.0.9.0.1.5.b.2.e.4.3.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.a.h.o.f.i.v.i.z.u...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.8.-.0.0.0.1.-.0.0.2.7.-.9.5.8.d.-.b.9.5.c.6.e.f.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.4.9.7.a.2.b.c.7.4.8.9.e.c.c.e.1.7.0.5.0.9.d.2.b.4.8.d.5.6.8.5.0.0.0.0.f.f.f.f.!.0.0.0.0.5.b.2.b.4.b.f.7.5.e.f.9.9.d.0.3.d.3.e.a.3.a.7.7.8.e.0.b.d.0.b.1.2.4.c.5.e.7.0.b.!.S.a.h.o.f.i.v.i.z.u...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 1 13:51:28 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	36978
Entropy (8bit):	1.8624331350750023
Encrypted:	false
SSDEEP:	96:5m8wGsVTgsi7O7MF96Gnyurqkkdkvr/kxCkjTyu6t6E8WI9bIX4ID8bDFQqBmy:7eNxOOYzkdkvj9kjTh6t1j8vF9gy
MD5:	2CFE0160A896034789EAADC78628205F
SHA1:	32889FDA3371CB84500836F2C4D63163C3F68C7A
SHA-256:	700377218C96200763D4BFE348DB93D3A662AE9AE82FF8F6D60AE49A9D9F5F6E
SHA-512:	793572AD3730F4FA0A671F08BE2A4170339F5649321F48E5D3D30C7D5A788EFC7B026BFC223AE281126AF5B51525DACC43E64B6D3149D561E69E49B8743ECBBD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......`y.e........................................."..........T.......8...........T...............r.......................................................................................................bJ......X.......GenuineIntel...........T...........Zy.e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6284
Entropy (8bit):	3.7212117912618896
Encrypted:	false
SSDEEP:	192:R9l7lZNigL6ZCwYG4wCwprJ89bNjsfcvm:R9lnNis6ZCwYG4wwNIfp
MD5:	099D2CFB2DC070EA27F8EA5426B92A80
SHA1:	18F19CC397CE9E30256A3054B7FE5B928B5980F1
SHA-256:	35F2EC47F82987F013A41E73FF5BDC75FA8B173396EAE67855C2353E7C2EB25F
SHA-512:	24EF8CE9BBB3156C901BCED0E6F64C75E64A15FE6CB679D3C388B0F54996BBA6E6DBDBCFA92E0A3E2B06E8F3D310A2DE3160C70E0877B1B9B825D33A41965E5A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	4.507983458925909
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsHe702I7VFJ5WS2CfjkBs3rm8M4JoXFv4+q8NBnQABeL6d:uILf+7GySPfhJ8485eL6d
MD5:	11071E9837FD8DDBE4E411ECF4FA3784
SHA1:	DA35A38EF7406339A000054FF7B7F21E801620C0
SHA-256:	9A563D2E02D81A76AEB5A17CB9B7FB23DBB15C0AFAB6173918969E73C569C855
SHA-512:	4FB96D40906697BA8241862C34D2089E2D39047591130EB906B5FC2EB7F62A2C1F7C5B2F8D5A752B35219420BFED9306B4967F8136A05A43600B2578B6244962
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222341222" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Users\user\AppData\Local\Temp\Gozekeneka.dll

Download File

Process:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.3074171093110873
Encrypted:	false
SSDEEP:	48:CXqWBMk6A7qZ2LcYKEbcqNCCC81iBtYf86SyuUH5npNpRppv5D:Cqv2cOCCC81Aw8hyBnNvv
MD5:	7AC02E7E2C7EC30BFC8C946D12DF26A0
SHA1:	079FF9DBFC5AF1D4DC569203847F50A8B30B5056
SHA-256:	71CFBE0622AEA1248EFF7CA09095493B3D47DF40E0936493B098D770551213F3
SHA-512:	DAC09E5CA0BDA7A9094A34F17B6606767B4A1E308148BFC1AC7E1C0AA55404C4AA50366C8F5F9BC2D225BE88D9290CCB7F55AECF71CB400528538367A2E2CA3F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 77% Antivirus: Virustotal, Detection: 75%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IMr..,...,...,...0...,...3...,...,...,..o3...,...3...,......,...3...,..Rich.,..........................PE..L.....GQ...........!......................... ...............................`....................................... ..J... ..<....@..X....................P..d.................................................... .. ............................text...B........................... ..`.rdata...... ......................@..@.data...x....0......................@....rsrc...X....@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

Download File

Process:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.1878975851833986
Encrypted:	false
SSDEEP:	192:1AFmqdxP1oynRg94DELe9vZ/wJcVuhWEx:yFL1Q9eR6hTx
MD5:	7FE00CC4EA8429629AC0AC610DB51993
SHA1:	5B2B4BF75EF99D03D3EA3A778E0BD0B124C5E70B
SHA-256:	9827E20FFED86C23DD493845F03A9041977C5CF0E5DA14EDFEB7EDADFAA34508
SHA-512:	F1E919C53E6829447F03AAFEDFC0128CEC4F03C21CC127A26C9CB336D42DEBF94703C9939976EE9B74F629C6713CB571F178D500503BE88E8A2D770AA2843BF5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 57% Antivirus: Virustotal, Detection: 61%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v..%..%..%T..%..%?..%..%?..%..%...%..%..%..%?..%..%o.%..%Rich..%................PE..L.....GQ.....................V......6........ ....@.......................................................................... .......P...;........................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc....;...P...<..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Yumicebivud.rih

Download File

Process:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	7.980181192486164
Encrypted:	false
SSDEEP:	1536:gVbB3S+6LC/SQd6sTGmGEWx+JWgxhfCvWYjo/pk2X+FMCZTtkUn4rEeaMj31e5+P:KhTSQ0omUyD2X8htksIae31fX9cnheF7
MD5:	0F12B3226FE28398608E4F48B3FAFCA2
SHA1:	38B5BFD50DF9775C8ED379A0FA5F43979411E252
SHA-256:	7637E855C4F59DDFE01C9857FBDFF59036177BC1B439B4B0A24E14BC2E3E509A
SHA-512:	089DBFF0BFB72F3925E67055D45D357602D999AFAF7E82238AF18A2D3C86C9B1C37672C049E14939B3E414B11875DD70EF31F72D29B3ADA68D826081B5C347AF
Malicious:	false
Reputation:	low
Preview:	a\JFBTTs[YWQrM82758275827g]ABX]f_G]SS5827582758275827^]@YPT...\^[58275827582758275kWCaP@RT\qX[LWOA8275827582yAm\ZTHd^PO}Qf]QC\W\75827582pPLf_G]SSvW\CP@F758275827582pPL.XQM^RsQ^R{Y_Rt82758275827gL^mPJ]zPU]EL8275827582758\CQT^.QT^75827582758275.WCeJ]Tt\VEPKA75827582{ZYV{\Z@VGAs758275827582758a_YOSG\.V[Y827582758275827582`GQFReJ]TPKAzPU]EL82758275.WCvW_ZTVV{\VWv58275827eYF_r]FvG_Av582758275827vJWVA]bEZ[WDFy2758275827582758275uh.5;275<275..75.2758275x27582758275827582758275827582758275.2756-.;8.>...6y..c]QA.EJ]PGY_.VY\YZL.UP.@B[.[Y.\|}d.U]SP.?:?.2758275.....O...O...O..7P...O..\S...O..7P...O...O...O..P...O...O...O..7P...O..gI...O..j[T].O..82758275hw75t345..pd82758275.284331582758.658275..758"758"7582w58"758075<2758275<27582758.5586758275:27582'58"7582'58"758275(27582758275<#75.2758.75..658275827582758275827582758275827582758275827582758275827582758275827582758"75.275827582758275827582758275.@STLS75d4758"758:758675827582758275x27u.VVAY275.?758.758<758>75827582758275x27..@DG[275..658.758.658(

C:\Users\user\AppData\Local\Temp\Zojemilocan.dll

Download File

Process:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.9848615810105574
Encrypted:	false
SSDEEP:	24:eFGSWUcWLuSDlkGPfe58//zYVVfiRHtaU4VExxSIVSPAEVlcr7:iWGLvybcMDfXtVe4PAylcr
MD5:	3ED0F4B16841CCF3C6D613E77BCEF3CD
SHA1:	751E4846DB47CCF5F94DB4CA198E96E77A7032E7
SHA-256:	A9B7526FE7C988F2219FA3B726DC2F771DE38C31593C3B8DAD3AC06E60135AC3
SHA-512:	6D44120D28AB5CA8164423C428EDDBF488C605A56F20794BB96618E8539AA50F9A24B9FD48E58001CEB95EC7932DC96BC48CB3F9C732FA0481F76C81F91CFFCB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 64% Antivirus: Virustotal, Detection: 74%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................y................y.....y.....Rich...........PE..L.....GQ...........!................Q........ ...............................P...................................... !..O...$ ..<............................@..L.................................................... ..$............................text............................... ..`.rdata..o.... ......................@..@.data...d....0......................@....reloc..t....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\natigezeholi.dll

Download File

Process:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	6.081723116162573
Encrypted:	false
SSDEEP:	192:MwPLlx5c4kJlbOxPDAE/mZBdZDEql+frQXYezGGK5vJgZa+HNgt/GI/x0mqESzyj:nsORXml/gDJuyt/RqyyuFX4o947Q
MD5:	F0C82EE96B56BF20D2B1CE93F7C0F941
SHA1:	432B3E4B9A1362D267630655DD44FEE58C49A2F0
SHA-256:	E6E1FA7A937C3CFA383C7A5CC5D1723E551A8AF62A03C7D8AF46504384D7993D
SHA-512:	0A342A87300C8BE6E1558A2729418A286F2770AE51960083289B25055659F27B3CC8870636660ECA67CC0C0A88D4E416B48B8ABFA0B709D434A953D6E59220D2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 78% Antivirus: Virustotal, Detection: 76%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Xv.6%.6%.6%1.<%.6%Z.8%.6%..%%.6%.7%..6%1.=%.6%a.0%.6%1.2%.6%Rich.6%........................PE..L.....GQ...........!.....,..........N........@.......................................................................F..O....C..(....`..`....................p.......................................................@...............................text....*.......,.................. ..`.rdata..?....@.......0..............@..@.data........P.......8..............@....rsrc...`....`.......:..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll

Download File

Process:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.080260047634796
Encrypted:	false
SSDEEP:	24:ev1GSqYDIuQyKxsq1X//oRVCR7tqU4xbaVZGy1Uua0wlqF4JNeS4G8Xq5S493Q00:qq4IBvsW/uTtx2OySuF30lN3T74
MD5:	81F429115E1AFD4A95DA0A8A73E4ACD1
SHA1:	520F4618A20E20E2ACC2382AF16CA244FE42B97E
SHA-256:	29D1AC834EDB48C1A75C90CF896EF27A53366BFECDEE7D65DDBB6621DC540200
SHA-512:	350994DB9C153E5CE2DD62D3C759378E0CD091F8FBD67E6D555FF34266C4BB5097FB376DC007D89EEDF939DA05BDBFFE00EF2A9A8EA2C0048C309702D1163619
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67% Antivirus: Virustotal, Detection: 67%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1.k.1.k.1.k..a.5.k.1.j.=.k..`.3.k...m.0.k..o.5.k.Rich1.k.................PE..L.....GQ...........!................Q........ ...............................`.......................................!..M..., ..(....@.......................P..P.................................................... ..,............................text............................... ..`.rdata..M.... ......................@..@.data...X....0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	2359296
Entropy (8bit):	4.363725119761993
Encrypted:	false
SSDEEP:	49152:32+pPRtI5e9HbrpM89jJsRagmcnYJ1z80s:6
MD5:	D3C734F43D0A5382AA66E2133A714E19
SHA1:	E23F19A351D998FD0963DAE5863A09711E39B4E2
SHA-256:	B73C3BCD8A5E52D2C731BABCDFD0B4819A6ACBE040A6715FDD438613D0237543
SHA-512:	2C73E268FCE1BC1352331BDF5043D391065DB4D19D13B245167C19FB9E1903556A354F256729625B8389136ABCA038A7BD6F56745D5A420E89EB498089E6A4C2
Malicious:	false
Reputation:	low
Preview:	regfE...E...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.j.q................................................................................................................................................................................................................................................................................................................................................Sb..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	2.7005491090744043
Encrypted:	false
SSDEEP:	768:vmQyPpn9hOy/OTBiefuYiJU6gnuVnfRnNqOB6yG2fKrTd9vaiHdefjFBBp5/9a38:eZuouQp4kuTdwiQTV8gGfurut
MD5:	8CB0A7071C6546B77BBBCB5303AC6D54
SHA1:	CE9FE59F485D000DBF3F07D289AF4578137611E3
SHA-256:	48100ABE4F6E590FD42D63A57294D1D034110B9EB4278644F9FEEDE25EFC8A88
SHA-512:	7BB9B2CDF681B9CDBC05764532E3441C9D634555FF6183BDF036C1164797F4A3C5E5A18F807EF031BF36E4D46DC2513FF4716F946A0A2CB317B103B6C069CB87
Malicious:	false
Reputation:	low
Preview:	regfD...D...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.j.q................................................................................................................................................................................................................................................................................................................................................Ub..HvLE........D.....!..........\......:o..................`.......0................................................!..0..hbin................5.#.^...........nk,....S........!......................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk .@..e........(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...................................Z...............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.67760121359675
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Qr0aoYPmZE.exe
File size:	196'227 bytes
MD5:	bc76bd7b332aa8f6aedbb8e11b7ba9b6
SHA1:	c6858031315a50ec87e37966291ec69b64600efb
SHA256:	9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
SHA512:	c74a8a893d0d91ef9423c75c14e701102f01d46b4638d7e3184c95bfd4ff29f9cab71fe5de45e8e201dcdb8df77e952a18e32bfed5014b9c8155c189825f37e9
SSDEEP:	3072:ugXdZt9P6D3XJ3TCM/vosUE2L/TLqtAyD2XXhtksIae31fXJHhKgzyJtdeV:ue34p/vr6yrC2sJe35ZBKg0dW
TLSH:	6B14024364F582BFD6820432D5B92B79D77BCD8D438A7A470B447F21BA318D3C909E8A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	9270c4ccc6741c42

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007FA89061EAC6h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007FA89061E779h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007FA89061E767h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007FA89061BEDCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FA89061E25Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FA89061BF35h
cmp cl, 00000020h
jne 00007FA89061BED8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FA89061BECCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x43f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x43f8	0x4400	False	0.16670496323529413	data	2.6375067972964095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.09076763485477178
RT_ICON	0x397e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.14118198874296436
RT_ICON	0x3a888	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3891843971631206
RT_DIALOG	0x3acf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3adf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3af10	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3af70	0x30	data	English	United States	0.8541666666666666
RT_VERSION	0x3afa0	0x184	MS Windows COFF Alpha object file	English	United States	0.5463917525773195
RT_MANIFEST	0x3b128	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States	0.5656424581005587

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	4
Start time:	15:51:21
Start date:	01/10/2023
Path:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Qr0aoYPmZE.exe
Imagebase:	0x400000
File size:	196'227 bytes
MD5 hash:	BC76BD7B332AA8F6AEDBB8E11B7BA9B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:51:22
Start date:	01/10/2023
Path:	C:\Users\user\AppData\Local\Temp\Sahofivizu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Qr0aoYPmZE.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	7FE00CC4EA8429629AC0AC610DB51993
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 57%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:51:28
Start date:	01/10/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 236
Imagebase:	0x50000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.8%
Total number of Nodes:	1217
Total number of Limit Nodes:	24

Executed Functions

Function 004030FA Relevance: 68.5, APIs: 24, Strings: 15, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403119
SetErrorMode.KERNELBASE(00008001), ref: 00403124
OleInitialize.OLE32(00000000), ref: 0040312B

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

GetCommandLineA.KERNEL32(0042E360,NSIS Error), ref: 00403168
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 0040317B
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000020), ref: 004031A6
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403239
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
DeleteFileA.KERNELBASE(1033), ref: 0040326D
ExitProcess.KERNEL32(00000000), ref: 004032E6
OleUninitialize.OLE32(00000000), ref: 004032EB
ExitProcess.KERNEL32 ref: 0040330B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000,00000000), ref: 00403317
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403323
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
DeleteFileA.KERNEL32(00428B98,00428B98,?,0042F000,?), ref: 00403380
CopyFileA.KERNEL32(C:\Users\user\Desktop\Qr0aoYPmZE.exe,00428B98,00000001), ref: 00403394
CloseHandle.KERNEL32(00000000,00428B98,00428B98,?,00428B98,00000000), ref: 004033C1
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
ExitProcess.KERNEL32 ref: 00403475

Strings

C:\Users\user\Desktop\Qr0aoYPmZE.exe, xrefs: 0040338F
Error launching installer, xrefs: 004032A3
SeShutdownPrivilege, xrefs: 00403428
C:\Users\user\AppData\Local\Temp, xrefs: 004032C8
NSIS Error, xrefs: 00403159
", xrefs: 004031C8
1033, xrefs: 00403268
NCRC, xrefs: 004031E6
C:\Users\user\AppData\Local\Temp\, xrefs: 0040322E, 00403233, 0040324D, 00403259, 00403316, 00403322, 0040332E, 00403335, 004033D5
\Temp, xrefs: 00403254
"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 0040316E, 00403174, 0040328A
_?=, xrefs: 00403294
/D=, xrefs: 004031FC
~nsu.tmp, xrefs: 00403311
C:\Users\user\Desktop, xrefs: 0040331C, 00403321, 00403344

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\Qr0aoYPmZE.exe"$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Qr0aoYPmZE.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-3415643519
Opcode ID: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
Opcode Fuzzy Hash: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 0040534F
lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 00405399
lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 004053BA
lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 004053C0
FindFirstFileA.KERNELBASE(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 004053D1
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405483
FindClose.KERNEL32(?), ref: 00405494

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 0040533B
\*.*, xrefs: 00405393

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Qr0aoYPmZE.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3061436115
Opcode ID: eeee1fe6d78b479acfa35fd6cd9b42f31f1d942e4a3e46f321804d068e117fb2
Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
Opcode Fuzzy Hash: eeee1fe6d78b479acfa35fd6cd9b42f31f1d942e4a3e46f321804d068e117fb2
Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00405D07 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,0042C030,0042B3E8,00405623,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 00405D12
FindClose.KERNEL32(00000000), ref: 00405D1E

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED

Uniqueness

Uniqueness Score: -1.00%

Function 00403555 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
lstrlenA.KERNEL32(hjgjhad,?,?,?,hjgjhad,00000000,00434400,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\Qr0aoYPmZE.exe"), ref: 0040363B
lstrcmpiA.KERNEL32(?,.exe), ref: 0040364E
GetFileAttributesA.KERNEL32(hjgjhad), ref: 00403659
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 004036A2

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

RegisterClassA.USER32 ref: 004036E9
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040373A
ShowWindow.USER32(00000005,00000000), ref: 00403770
LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
RegisterClassA.USER32(0042E300), ref: 004037B2
DialogBoxParamA.USER32(?,00000000,004038EB,00000000), ref: 004037D1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403559
.DEFAULT\Control Panel\International, xrefs: 004035B1
_Nb, xrefs: 004036F8, 004036FD
RichEd32, xrefs: 00403787
hjgjhad, xrefs: 00403609, 00403611, 0040361E, 00403668, 0040366E
Control Panel\Desktop\ResourceLocale, xrefs: 00403589
RichEdit, xrefs: 004037A3
"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 00403561
RichEd20, xrefs: 0040377C
.exe, xrefs: 00403648
1033, xrefs: 00403575, 004035C1
RichEdit20A, xrefs: 00403794, 0040379A

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Qr0aoYPmZE.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$hjgjhad
API String ID: 914957316-2965673070
Opcode ID: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
Opcode Fuzzy Hash: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Qr0aoYPmZE.exe,00000400), ref: 00402C4F

Part of subcall function 004056E3: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\Qr0aoYPmZE.exe,80000000,00000003), ref: 004056E7
Part of subcall function 004056E3: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Qr0aoYPmZE.exe,C:\Users\user\Desktop\Qr0aoYPmZE.exe,80000000,00000003), ref: 00402C9B

Strings

Inst, xrefs: 00402D07
C:\Users\user\Desktop\Qr0aoYPmZE.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
Error launching installer, xrefs: 00402C72
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 00402C2C
Null, xrefs: 00402D19
soft, xrefs: 00402D10
C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Qr0aoYPmZE.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Qr0aoYPmZE.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1040958073
Opcode ID: 0ad9351aefdec6b018d8aa1082fe140e4ec26696f029c93557235995d19712a3
Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
Opcode Fuzzy Hash: 0ad9351aefdec6b018d8aa1082fe140e4ec26696f029c93557235995d19712a3
Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EC2
GetTickCount.KERNEL32 ref: 00402F69
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F92
wsprintfA.USER32 ref: 00402FA2
WriteFile.KERNELBASE(00000000,00000000,0041DB88,7FFFFFFF,00000000), ref: 00402FD0

Strings

a\A, xrefs: 00402F2F, 00402F41
... %d%%, xrefs: 00402F9C

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$a\A
API String ID: 4209647438-1826951565
Opcode ID: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
Opcode Fuzzy Hash: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,00409B80,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,00409B80,00409B80,00000000,00000000,00409B80,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,0042E360,NSIS Error), ref: 00405A19

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,0041DB88,764423A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041DB88,764423A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041DB88,764423A0), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

Strings

fd , xrefs: 0040177E, 004017ED, 0040180B
C:\Users\user\AppData\Local\Temp, xrefs: 00401761
open Sahofivizu.exe, xrefs: 00401801, 0040181D

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$fd $open Sahofivizu.exe
API String ID: 1941528284-355965833
Opcode ID: a563b83719f4d977ed5608150edd6f528b586db9dcf12dbbc5143ed679107f4b
Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
Opcode Fuzzy Hash: a563b83719f4d977ed5608150edd6f528b586db9dcf12dbbc5143ed679107f4b
Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405593: CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-670666241
Opcode ID: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
Opcode Fuzzy Hash: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405725
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 0040573F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405712, 00405715
"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 00405719
nsa, xrefs: 0040571E

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Qr0aoYPmZE.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3128694225
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030C7, 004030CC, 004030D2, 004030DE, 004030E6, 004030ED
1033, xrefs: 004030EE

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2414109610
Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00401DC1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E07

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401DF2

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 587946157-670666241
Opcode ID: 3dc99a1e9f4d2a7ff469985d076f4f0b18b0b581c00dd406e6359dc7570937ce
Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
Opcode Fuzzy Hash: 3dc99a1e9f4d2a7ff469985d076f4f0b18b0b581c00dd406e6359dc7570937ce
Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318

Uniqueness

Uniqueness Score: -1.00%

Function 004023AF Relevance: 3.1, APIs: 2, Instructions: 57
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B00: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28

RegQueryValueExA.ADVAPI32(00000000,00000000,?,000003FF,?,?,?,?,00000033), ref: 004023DF
RegCloseKey.ADVAPI32(?,?,?,fd ,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c895cf90978fe9ef530acde7783083059366b6ad1ee30967e7d08bcc3b791e82
Instruction ID: b014844320ad767dada11dd3629d5dc4f3fca22d365999f113298c01dbc1c66c
Opcode Fuzzy Hash: c895cf90978fe9ef530acde7783083059366b6ad1ee30967e7d08bcc3b791e82
Instruction Fuzzy Hash: B011C471904205EFDB15DF64CA889AE7BB4EF14348F20807FE442B72C1D2B88A45EB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\Qr0aoYPmZE.exe,80000000,00000003), ref: 004056E7
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00401B06 Relevance: 2.6, APIs: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B75
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B87

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: 7844cdec247ac3d2d35134a6f1d3b53f218c9fb6cb13e3d504aae78faa3084e8
Instruction ID: 02e27a443d0c975bd2d35078e55c9ecbb47b75263e9a7029776e4410220f8425
Opcode Fuzzy Hash: 7844cdec247ac3d2d35134a6f1d3b53f218c9fb6cb13e3d504aae78faa3084e8
Instruction Fuzzy Hash: C821C3B67002029BC710EB94DEC595F73A8EB84368724463BF502F32D0DB78AC019B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EAA,000000FF,00000004,00000000,00000000,00000000), ref: 00403094

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B00 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 332b4b28ccf70e09bb7c329d8b92fdd51d6a369451d7e4fe1d23c46d78dfb372
Instruction ID: 26822e9457f7499eaf47d686268157363fcd7c772d88ad4a089d565b944a1739
Opcode Fuzzy Hash: 332b4b28ccf70e09bb7c329d8b92fdd51d6a369451d7e4fe1d23c46d78dfb372
Instruction Fuzzy Hash: 4DE08CB6240108BFDB50EFA5ED4BFD677ECBB04340F008921B618EB091CA75E5809B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 25ac80cc8f42eb6b6973bcf28b0dcf98930a4937f6a650695082248e1846420d
Instruction ID: fb11a27b057d952daa1a0232a569a569c421c01e2099f6af0567112f3631a007
Opcode Fuzzy Hash: 25ac80cc8f42eb6b6973bcf28b0dcf98930a4937f6a650695082248e1846420d
Instruction Fuzzy Hash: 60D01273B08211D7DB50EFA59E4859D7664AB503A8B204637E512F11D0D2B98541A619

Uniqueness

Uniqueness Score: -1.00%

Function 004030AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 004030BD

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040347B Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032EB,00000000), ref: 00403486

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a6660c02ad1c86e623dcf8c9c59cdfb5971a71a93a5c6486248268c0836a900
Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
Opcode Fuzzy Hash: 5a6660c02ad1c86e623dcf8c9c59cdfb5971a71a93a5c6486248268c0836a900
Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E

Uniqueness

Uniqueness Score: -1.00%

Function 0040552A Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,004031A5,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000020), ref: 00405537

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction ID: 0f5e8f9c138dbb7fffa8c0a0b6e027db07d0556037e4082c66113ebc521312aa
Opcode Fuzzy Hash: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction Fuzzy Hash: C2C0806440D68077C7104710AC344777FF1AA51740FD48857F4C863164D13469408F36

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00404F47
GetDlgItem.USER32(?,000003EE), ref: 00404F56
GetClientRect.USER32(?,?), ref: 00404F93
GetSystemMetrics.USER32(00000015), ref: 00404F9B
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404FBC
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FCD
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FE0
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FEE
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405001
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405023
ShowWindow.USER32(?,00000008), ref: 00405037
GetDlgItem.USER32(?,000003EC), ref: 00405058
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405068
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405081
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040508D
GetDlgItem.USER32(?,000003F8), ref: 00404F65

Part of subcall function 00403DF3: SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01

GetDlgItem.USER32(?,000003EC), ref: 004050AA
CreateThread.KERNEL32(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
CloseHandle.KERNEL32(00000000), ref: 004050BF
ShowWindow.USER32(00000000), ref: 004050E3
ShowWindow.USER32(?,00000008), ref: 004050E8
ShowWindow.USER32(00000008), ref: 0040512F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405161
CreatePopupMenu.USER32 ref: 00405172
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
GetWindowRect.USER32(?,?), ref: 0040519A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051F9
OpenClipboard.USER32(00000000), ref: 00405209
EmptyClipboard.USER32 ref: 0040520F
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405222
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405236
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040524E
SetClipboardData.USER32(00000001,00000000), ref: 00405259
CloseClipboard.USER32 ref: 0040525F

Strings

{, xrefs: 0040514E

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
Opcode Fuzzy Hash: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004046F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404710
GetDlgItem.USER32(?,00000408), ref: 0040471D
GlobalAlloc.KERNEL32(00000040,?), ref: 00404769
LoadBitmapA.USER32(0000006E), ref: 0040477C
SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
SendMessageA.USER32(?,00001109,00000002), ref: 004047D3
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047DF
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047F1
DeleteObject.GDI32(?), ref: 004047F6
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404821
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040482D
SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C2
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048ED
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404901
GetWindowLongA.USER32(?,000000F0), ref: 00404930
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
ShowWindow.USER32(?,00000005), ref: 0040494F
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A52
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404AB7
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404ACC
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AF0
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B16
ImageList_Destroy.COMCTL32(?), ref: 00404B2B
GlobalFree.KERNEL32(?), ref: 00404B3B
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404BAB
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C54
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C63
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
ShowWindow.USER32(?,00000000), ref: 00404CD1
GetDlgItem.USER32(?,000003FE), ref: 00404CDC
ShowWindow.USER32(00000000), ref: 00404CE3

Strings

M, xrefs: 004048A9
, xrefs: 00404CBB
N, xrefs: 0040498D

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
Opcode Fuzzy Hash: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041FC Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404248
SetWindowTextA.USER32(?,?), ref: 00404275
SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
CoTaskMemFree.OLE32(00000000), ref: 00404335
lstrcmpiA.KERNEL32(hjgjhad,00429FE0), ref: 00404367
lstrcatA.KERNEL32(?,hjgjhad), ref: 00404373
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383

Part of subcall function 004052B1: GetDlgItemTextA.USER32(?,?,00000400,004043B6), ref: 004052C4

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404457
SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0

Strings

hjgjhad, xrefs: 00404361, 00404366, 00404371
A, xrefs: 00404323

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$hjgjhad
API String ID: 2246997448-1285462269
Opcode ID: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
Opcode Fuzzy Hash: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Uniqueness

Uniqueness Score: -1.00%

Function 00405A2E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405AD6
GetSystemDirectoryA.KERNEL32(hjgjhad,00000400), ref: 00405B51
GetWindowsDirectoryA.KERNEL32(hjgjhad,00000400), ref: 00405B64
SHGetSpecialFolderLocation.SHELL32(?,0041DB88), ref: 00405BA0
SHGetPathFromIDListA.SHELL32(0041DB88,hjgjhad), ref: 00405BAE
CoTaskMemFree.OLE32(0041DB88), ref: 00405BB9
lstrcatA.KERNEL32(hjgjhad,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
lstrlenA.KERNEL32(hjgjhad,?,004297B8,00000000,00404DE2,004297B8,00000000), ref: 00405C2D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B20
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BD5
hjgjhad, xrefs: 00405A57, 00405B1E, 00405B3B, 00405B50, 00405B63, 00405B7F, 00405BAA, 00405BDA, 00405BE0, 00405BF8, 00405C0B, 00405C26, 00405C2C, 00405C37, 00405C61

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$hjgjhad
API String ID: 900638850-281039111
Opcode ID: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
Opcode Fuzzy Hash: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020AB

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-670666241
Opcode ID: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
Opcode Fuzzy Hash: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
Opcode Fuzzy Hash: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406128 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004068FF Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004038EB Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
ShowWindow.USER32(?), ref: 00403944
DestroyWindow.USER32 ref: 00403958
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
GetDlgItem.USER32(?,?), ref: 00403995
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039A9
IsWindowEnabled.USER32(00000000), ref: 004039B0
GetDlgItem.USER32(?,00000001), ref: 00403A5E
GetDlgItem.USER32(?,00000002), ref: 00403A68
SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AD3
GetDlgItem.USER32(?,00000003), ref: 00403B79
ShowWindow.USER32(00000000,?), ref: 00403B9A
EnableWindow.USER32(?,?), ref: 00403BAC
EnableWindow.USER32(?,?), ref: 00403BC7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BDD
EnableMenuItem.USER32(00000000), ref: 00403BE4
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BFC
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C0F
lstrlenA.KERNEL32(00429FE0,?,00429FE0,0042E360), ref: 00403C38
SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
ShowWindow.USER32(?,0000000A), ref: 00403D7B

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
Opcode Fuzzy Hash: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F06 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC3
GetSysColor.USER32(?), ref: 00403FD4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF2
lstrlenA.KERNEL32(?), ref: 00403FFC
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400A
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404019
GetDlgItem.USER32(?,0000040A), ref: 0040407C
SendMessageA.USER32(00000000), ref: 0040407F
GetDlgItem.USER32(?,000003E8), ref: 004040AA
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EA
LoadCursorA.USER32(00000000,00007F02), ref: 004040F9
SetCursor.USER32(00000000), ref: 00404102
ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
LoadCursorA.USER32(00000000,00007F00), ref: 00404122
SetCursor.USER32(00000000), ref: 00404125
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404151
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404165

Strings

open, xrefs: 0040410D
hjgjhad, xrefs: 004040D5
N, xrefs: 00404098

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$hjgjhad$open
API String ID: 3615053054-1121083075
Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042E360,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040575A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054EF,?,00000000,000000F1,?), ref: 004057A7
GetShortPathNameA.KERNEL32(?,0042C170,00000400), ref: 004057B0
GetShortPathNameA.KERNEL32(00000000,0042BBE8,00000400), ref: 004057CD
wsprintfA.USER32 ref: 004057EB
GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040584B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004058A3
GlobalFree.KERNEL32(00000000), ref: 004058AA
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004058B1

Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Strings

%s=%s, xrefs: 004057E1
[Rename], xrefs: 0040585B, 0040586D

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
Opcode Fuzzy Hash: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

Strings

*?|<>/":, xrefs: 00405CB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6F, 00405CAA
"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 00405C74

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Qr0aoYPmZE.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-139973252
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E25 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403E42
GetSysColor.USER32(00000000), ref: 00403E5E
SetTextColor.GDI32(?,00000000), ref: 00403E6A
SetBkMode.GDI32(?,?), ref: 00403E76
GetSysColor.USER32(?), ref: 00403E89
SetBkColor.GDI32(?,?), ref: 00403E99
DeleteObject.GDI32(?), ref: 00403EB3
CreateBrushIndirect.GDI32(?), ref: 00403EBD

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4b8fa3628b081e0438b4821d2192478359882c36ef1501fd467ef056b60871df
Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
Opcode Fuzzy Hash: 4b8fa3628b081e0438b4821d2192478359882c36ef1501fd467ef056b60871df
Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404DAA Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(004297B8,00000000,0041DB88,764423A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041DB88,764423A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041DB88,764423A0), ref: 00404E06
SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
Opcode Fuzzy Hash: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404679 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404694
GetMessagePos.USER32 ref: 0040469C
ScreenToClient.USER32(?,?), ref: 004046B6
SendMessageA.USER32(?,00001111,00000000,?), ref: 004046C8
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046EE

Strings

f, xrefs: 004046CA

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(0000BE00,00000064,?), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404DAA: lstrlenA.KERNEL32(004297B8,00000000,0041DB88,764423A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,004297B8,00000000,0041DB88,764423A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(004297B8,00402FB6,00402FB6,004297B8,00000000,0041DB88,764423A0), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(004297B8,004297B8), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-3806887055
Opcode ID: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
Opcode Fuzzy Hash: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

Uniqueness

Uniqueness Score: -1.00%

Function 00402303 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(fd ,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,fd ,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,fd ,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Strings

fd , xrefs: 00402352, 00402360, 00402374, 00402384, 0040238F

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: fd
API String ID: 1356686001-2313478379
Opcode ID: b420de31dc9c68157b539464946d16b4b10041e5386462d81354b763ddd82414
Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
Opcode Fuzzy Hash: b420de31dc9c68157b539464946d16b4b10041e5386462d81354b763ddd82414
Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
Opcode Fuzzy Hash: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404597 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
wsprintfA.USER32 ref: 0040462D
SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640

Strings

%u.%u%s%s, xrefs: 0040460F

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
Opcode Fuzzy Hash: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
CloseHandle.KERNEL32(?), ref: 0040529E

Strings

Error launching installer, xrefs: 0040527F
C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-3839656143
Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9

Uniqueness

Uniqueness Score: -1.00%

Function 004054FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 0040550E
lstrcatA.KERNEL32(?,00409010), ref: 0040551F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405593 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000), ref: 004055A1
CharNextA.USER32(00000000), ref: 004055A6
CharNextA.USER32(00000000), ref: 004055B5

Strings

ES@, xrefs: 0040559C, 004055A0

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CharNext
String ID: ES@
API String ID: 3213498283-1851447614
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
Opcode Fuzzy Hash: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040381E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,0042E360), ref: 004038B6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040381F
1033, xrefs: 00403822, 0040382C, 0040389D

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-2414109610
Opcode ID: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
Opcode Fuzzy Hash: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98

Uniqueness

Uniqueness Score: -1.00%

Function 00404CFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404D30
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E

Part of subcall function 00403E0A: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E1C

Strings

, xrefs: 00404D08

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,open Sahofivizu.exe,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

open Sahofivizu.exe, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: FileWritelstrlen
String ID: open Sahofivizu.exe
API String ID: 427699356-1596923502
Opcode ID: 01a20a6393f6cf1e01e81d8ef9af866549bd590d312b5bd55c7394e971cc1238
Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
Opcode Fuzzy Hash: 01a20a6393f6cf1e01e81d8ef9af866549bd590d312b5bd55c7394e971cc1238
Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004034C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\Qr0aoYPmZE.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
GlobalFree.KERNEL32(?), ref: 004034E1

Strings

"C:\Users\user\Desktop\Qr0aoYPmZE.exe", xrefs: 004034D2

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\Qr0aoYPmZE.exe"
API String ID: 1100898210-3003052484
Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405546 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Qr0aoYPmZE.exe,C:\Users\user\Desktop\Qr0aoYPmZE.exe,80000000,00000003), ref: 0040554C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Qr0aoYPmZE.exe,C:\Users\user\Desktop\Qr0aoYPmZE.exe,80000000,00000003), ref: 0040555A

Strings

C:\Users\user\Desktop, xrefs: 00405546

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405658 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405678
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405686
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Memory Dump Source

Source File: 00000004.00000002.418137068556.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.418137033339.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137105357.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137139890.0000000000434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.418137333740.0000000000437000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Qr0aoYPmZE.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Sahofivizu.exePID: 5512, Parent PID: 1476COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	86.3%
Signature Coverage:	3.4%
Total number of Nodes:	291
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004012F0 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 189
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 004012FB
GetCapture.USER32 ref: 0040130F
GetMenu.USER32(00000000), ref: 00401316
GetMenuItemInfoA.USER32(00000000), ref: 0040131D

Part of subcall function 004015D8: free.MSVCRT(00401332,00401332,00000000), ref: 004015DC

malloc.MSVCRT ref: 0040133E
GetSystemInfo.KERNELBASE(00000000), ref: 0040134D
xupetipe.GOZEKENEKA(?), ref: 004013D1
_ftol.MSVCRT ref: 004013EA
Negefibizoh.XUXOKUXOKA(0040328C,004042C0,?), ref: 0040145A
fread.MSVCRT ref: 00401478
fclose.MSVCRT ref: 0040147F
CreateHatchBrush.GDI32(00000005,00000000,?,?), ref: 00401491
??2@YAPAXI@Z.MSVCRT ref: 0040149C
Fetomekiratu.ZOJEMILOCAN(00000000,?,00000004,?,023D0048,?,?,?), ref: 004014BD
bedevahetay.NATIGEZEHOLI(023D0048,?,023D0048,?,?,?), ref: 0040150C

Part of subcall function 004011F0: ReadConsoleInputW.KERNELBASE(?,?,00000001,00000000,00000000,004014F8,?,00000004), ref: 00401202

Strings

D0@, xrefs: 0040138F
P, xrefs: 004014D3
`0@, xrefs: 00401372
H0@, xrefs: 004013AD, 004013B6
T0@, xrefs: 0040137F
LDs, xrefs: 0040137A

Memory Dump Source

Source File: 00000006.00000002.418232384930.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.418232361853.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232408102.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232431540.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232460855.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Sahofivizu.jbxd

Similarity

API ID: ??2@InfoMenu$BrushCaptureConsoleCreateFetomekiratuHatchInputItemNegefibizohReadSystem_ftolbedevahetayfclosefreadfreemallocxupetipe
String ID: D0@$H0@$LDs$P$T0@$`0@
API String ID: 2075003006-1845043185
Opcode ID: 53cd896a6e9f52e95d25f5558639e1f3db188788eb616e60ca084bd420d84f84
Instruction ID: 7e94330157edeea2d52b545d952624ab7b3320839cf697c0ec5b1c23d0548237
Opcode Fuzzy Hash: 53cd896a6e9f52e95d25f5558639e1f3db188788eb616e60ca084bd420d84f84
Instruction Fuzzy Hash: D271A2B0508340ABE310DF64EE49B5B7FD8AB85309F04457EF685772E1D7B98608CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00711000 Relevance: 10.5, APIs: 7, Instructions: 46
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 0071100A
fseek.MSVCRT ref: 00711029
ftell.MSVCRT ref: 00711031
fseek.MSVCRT ref: 00711048
??2@YAPAXI@Z.MSVCRT ref: 0071104D
mblen.MSVCRT ref: 00711071
malloc.MSVCRT ref: 0071107D

Memory Dump Source

Source File: 00000006.00000002.418233021931.0000000000711000.00000020.00000001.01000000.00000009.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.418232989174.0000000000710000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.418233052888.0000000000712000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.418233085371.0000000000714000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_Sahofivizu.jbxd

Similarity

API ID: fseek$??2@fopenftellmallocmblen
String ID:
API String ID: 1956454988-0
Opcode ID: 777168a1cf896c299c645225205f7edc74e6e1fd491281e62d551b2710acf71e
Instruction ID: 4c9cd02819db89d5a06021f13324da1979f5f07f531619c40df47162c9bf8cbf
Opcode Fuzzy Hash: 777168a1cf896c299c645225205f7edc74e6e1fd491281e62d551b2710acf71e
Instruction Fuzzy Hash: 5C0108B1A00240AFD710DB6CEC89F863BEAAB8C740F10C555F608D72D1E67CD695CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 005E24FE Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,005E22C6,00000000,00000001,00000000), ref: 005E2526
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005E22C6,00000000,00000001,00000000), ref: 005E255A
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004), ref: 005E2574
HeapFree.KERNEL32(00000000,?), ref: 005E258B

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: f158f93ff637991be2e79a055804622b696ffb125b92fc7056c512ded24c97c0
Instruction ID: 2a20f8f75392b4574061139b1c7dac675437fc4652aaa099bc127bac6aa7787a
Opcode Fuzzy Hash: f158f93ff637991be2e79a055804622b696ffb125b92fc7056c512ded24c97c0
Instruction Fuzzy Hash: 29115B70200BC1DFC7298F19ECC5A557BB5FBA4329B144629E2E2CE5B1E3709959EF10

Uniqueness

Uniqueness Score: -1.00%

Function 005E161E Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,005E13AF,00000000), ref: 005E162F

Part of subcall function 005E1E61: HeapAlloc.KERNEL32(00000000,00000140,005E1643), ref: 005E1E6E

HeapDestroy.KERNEL32 ref: 005E164D

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 46c4382807b76d1d7988c90029dd58c8166dfcbaaeb6dd2e36a6650af8c846e2
Instruction ID: 34a03202338c1bc33a030b3d07854134b06ded591083d9b7f3ba38b88bf91d3f
Opcode Fuzzy Hash: 46c4382807b76d1d7988c90029dd58c8166dfcbaaeb6dd2e36a6650af8c846e2
Instruction Fuzzy Hash: 91E012706147819EEB581B31ADC97653ED4AB54787F048835FAC1CC5B0E7B0C544FA14

Uniqueness

Uniqueness Score: -1.00%

Function 004011F0 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadConsoleInputW.KERNELBASE(?,?,00000001,00000000,00000000,004014F8,?,00000004), ref: 00401202

Memory Dump Source

Source File: 00000006.00000002.418232384930.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.418232361853.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232408102.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232431540.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232460855.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Sahofivizu.jbxd

Similarity

API ID: ConsoleInputRead
String ID:
API String ID: 2678145460-0
Opcode ID: 3f281e164ad0f9bc0558ec0bc0912ad3493fcfeef59d32a753cb9bf77e607541
Instruction ID: 4604c4dd289105b8d950e77d79f852291ea06f9e8577e5016097409ed9135a4f
Opcode Fuzzy Hash: 3f281e164ad0f9bc0558ec0bc0912ad3493fcfeef59d32a753cb9bf77e607541
Instruction Fuzzy Hash: 79E0EC72654310ABE770DB78E841BC777E5BB84310F014859F285E7690C3B1F8818B50

Uniqueness

Uniqueness Score: -1.00%

Function 005E25AF Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,-000000C9,?,005E22D5,000000E0,00000000,00000001,00000000), ref: 005E2600

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e1c48bd000b959a61bfe798053bd5e49981d3d11ca578e034557dc89235a997
Instruction ID: 03cf0671c1e1ce3917eed828347a23a662ccb166fd4fb4255e380732953eb2d8
Opcode Fuzzy Hash: 4e1c48bd000b959a61bfe798053bd5e49981d3d11ca578e034557dc89235a997
Instruction Fuzzy Hash: 4131AE716012469FD318CF19C885BA5BBE4FF54368F24C2BEE5998F2A1DB70E946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005E26E8 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000000,-0000000E,00000000,005E26CC,000000E0,005E26B9,00000001,005E1CAB,00000001,?,?,?,?,?,?,005E13F6), ref: 005E2716

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 3662f193def1530f975d80ff312b9009cbe88a19f25837d8cb50727a55a9ce9e
Instruction ID: 6ac6e9d7eff09418e472d7b6f3079a1659e671893ca35182ed6b7b2ba14008f4
Opcode Fuzzy Hash: 3662f193def1530f975d80ff312b9009cbe88a19f25837d8cb50727a55a9ce9e
Instruction Fuzzy Hash: 46E0C2338056F0A6D928661ABCC4BCA3F18FF14330F160120FCD47F0E893502D4856C5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401636 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00401663
__p__fmode.MSVCRT ref: 00401678
__p__commode.MSVCRT ref: 00401686
__setusermatherr.MSVCRT ref: 004016B2
_initterm.MSVCRT ref: 004016C8
__getmainargs.MSVCRT ref: 004016EB
_initterm.MSVCRT ref: 004016FB
GetStartupInfoA.KERNEL32(?), ref: 0040173A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040175E
exit.MSVCRT ref: 0040176E
_XcptFilter.MSVCRT ref: 00401780

Memory Dump Source

Source File: 00000006.00000002.418232384930.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.418232361853.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232408102.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232431540.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232460855.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Sahofivizu.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 5aebc21d16daa3226e8ba3e2363bcb09e8429e496330bfdcdb3189a9ea3462e8
Instruction ID: 59e29d7587bae7e9570ce306a69a77950e06f0e43c92f3a1b352005f67b7f482
Opcode Fuzzy Hash: 5aebc21d16daa3226e8ba3e2363bcb09e8429e496330bfdcdb3189a9ea3462e8
Instruction Fuzzy Hash: 61416DB5900344AFDB209FA4DE49AAA7BB8FB49750F20057FF641B72E1D7784841CB18

Uniqueness

Uniqueness Score: -1.00%

Function 005E2FD5 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,005E1E32,?,Microsoft Visual C++ Runtime Library,00012010,?,005E42F4,?,005E4344,?,?,?,Runtime Error!Program: ), ref: 005E2FE7
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 005E2FFF
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 005E3010
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 005E301D

Strings

GetActiveWindow, xrefs: 005E300A
MessageBoxA, xrefs: 005E2FF9
DC^, xrefs: 005E3043
user32.dll, xrefs: 005E2FE2
GetLastActivePopup, xrefs: 005E3012

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DC^$GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-2017073425
Opcode ID: 928495fc34237d41bda06e7b0f2fa12002a24ae58afafa47afcb70bc2b9cba04
Instruction ID: 2a93e8a1635fc83e9cf47c1c265f3f2a88b6f4c8e6482e715a3574e62ca1819e
Opcode Fuzzy Hash: 928495fc34237d41bda06e7b0f2fa12002a24ae58afafa47afcb70bc2b9cba04
Instruction Fuzzy Hash: 0D0188317017C1AFC7298FF6ACCC9167EE8BB687953440439E2C5C7110EB748B45AB50

Uniqueness

Uniqueness Score: -1.00%

Function 005E1D0E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 005E1D7B
GetStdHandle.KERNEL32(000000F4,005E42F4,00000000,?,00000000,00000000), ref: 005E1E51
WriteFile.KERNEL32(00000000), ref: 005E1E58

Strings

@P^, xrefs: 005E1D1C
Microsoft Visual C++ Runtime Library, xrefs: 005E1E27
Runtime Error!Program: , xrefs: 005E1DE1
<program name unknown>, xrefs: 005E1D8B
..., xrefs: 005E1DCD

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$@P^$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-1100027743
Opcode ID: 3dc8a7ec4f74fc89d4aee08b4fe102635a1e652ddc030213dd1598848cbf53ab
Instruction ID: 59b071d5bdd834519764e137bffcad7f318447d4c9348dc09b7b4132bf34efab
Opcode Fuzzy Hash: 3dc8a7ec4f74fc89d4aee08b4fe102635a1e652ddc030213dd1598848cbf53ab
Instruction Fuzzy Hash: 4831EB72A006999FDF2CD662CD89FDE7F6CFB85304F500466F5C4DA050E6B09A848F51

Uniqueness

Uniqueness Score: -1.00%

Function 005E34B0 Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,005E43C0,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 005E34F2
LCMapStringA.KERNEL32(00000000,00000100,005E43BC,00000001,00000000,00000000), ref: 005E350E
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 005E3557
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 005E358F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 005E35E7
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 005E35FD
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 005E3630
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 005E3698

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: f2ad5fede00ad37528b1b15ad83b20edf71cb3268944eda0f3388fc93f8c191d
Instruction ID: 9629a41664e54c6b4077eaf740e6a78dc63f61ceb347cd1e7e438b15a63946bb
Opcode Fuzzy Hash: f2ad5fede00ad37528b1b15ad83b20edf71cb3268944eda0f3388fc93f8c191d
Instruction Fuzzy Hash: 6B516D32900289BBCF258F66DD8D99F7FB5FB98750F100119F991A6260D3318E50EF61

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 10001007
wsprintfA.USER32 ref: 10001030
wsprintfA.USER32 ref: 100010C1
_fullpath.MSVCRT ref: 100010DD

Strings

C:\Users\user\AppData\Local\Temp\dfdfadf.tmp, xrefs: 100010D8
%sI%d4%s, xrefs: 1000102A
dfdfadf.tmp, xrefs: 100010D3

Memory Dump Source

Source File: 00000006.00000002.418233463217.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.418233430707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.418233494926.0000000010002000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.418233526109.0000000010003000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.418233559358.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Sahofivizu.jbxd

Similarity

API ID: wsprintf$_fullpathmalloc
String ID: %sI%d4%s$C:\Users\user\AppData\Local\Temp\dfdfadf.tmp$dfdfadf.tmp
API String ID: 3673379386-3464263076
Opcode ID: 2dd9034246ec4725d217df12698c793118fe691191401a29058284c93d603664
Instruction ID: 18fa23fb358446c120492a001f856b55cd490ffc9e900a5654441e584e7b1836
Opcode Fuzzy Hash: 2dd9034246ec4725d217df12698c793118fe691191401a29058284c93d603664
Instruction Fuzzy Hash: BB2181B6902260ABF313CB55CCE4B9777ADF7487D0B00C116FB449222DD3B2A950DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E1BA3 Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,005E13F6), ref: 005E1BBE
GetEnvironmentStrings.KERNEL32(?,?,?,?,005E13F6), ref: 005E1BD2
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,005E13F6), ref: 005E1BFE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,005E13F6), ref: 005E1C36
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,005E13F6), ref: 005E1C58
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,005E13F6), ref: 005E1C71
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,005E13F6), ref: 005E1C84
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 005E1CC2

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 9a26155ca64777bb9876fa60f3540ad223ec6693ab7de50c5d64bca87b52d4c7
Instruction ID: a0736dc6f2ad4a6d123bed6d47371dc051f4a84b1fa4a0248b32f049cbe50b46
Opcode Fuzzy Hash: 9a26155ca64777bb9876fa60f3540ad223ec6693ab7de50c5d64bca87b52d4c7
Instruction Fuzzy Hash: 363124B2544AE15F97283F769CC883B7E9CF6553447350929F6CAC7100EA308C849769

Uniqueness

Uniqueness Score: -1.00%

Function 005E16CF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 005E1728
GetFileType.KERNEL32(00000800), ref: 005E17CE
GetStdHandle.KERNEL32(-000000F6), ref: 005E1827
GetFileType.KERNEL32(00000000), ref: 005E1835
SetHandleCount.KERNEL32 ref: 005E186C

Strings

dY^, xrefs: 005E1761

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID: dY^
API String ID: 1710529072-1463099392
Opcode ID: dfd604dcc1498564b4e3c3fb40314299ad70ce7fa1b40d9cc41a425911906d7c
Instruction ID: 4a7235160614471cf00ea9de7c701e8be5b4011de4ad6ef6b2ea96fe83d2a05f
Opcode Fuzzy Hash: dfd604dcc1498564b4e3c3fb40314299ad70ce7fa1b40d9cc41a425911906d7c
Instruction Fuzzy Hash: BC515771908BD58BD7288B2ACC887563FA1FB25730F194728E4E2CF2E1D7709849C704

Uniqueness

Uniqueness Score: -1.00%

Function 005E28BB Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,?,?,?,00000000), ref: 005E2903

Strings

@X^, xrefs: 005E296A
W^, xrefs: 005E2A2C
P^, xrefs: 005E28EA
W^, xrefs: 005E29DE
@X^, xrefs: 005E2917

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: Info
String ID: W^$ W^$@X^$@X^$P^
API String ID: 1807457897-2587328087
Opcode ID: d8b7444e5fd555db299acdac7c2054d506f99869d23408d14fd9dfc050f9646d
Instruction ID: 8aca7486fd06fc302d2e6bda54e514433ecee0122ec16c9cf2402172415813f4
Opcode Fuzzy Hash: d8b7444e5fd555db299acdac7c2054d506f99869d23408d14fd9dfc050f9646d
Instruction Fuzzy Hash: 3F4198708086D1AEDB2DCB27D8C436D7FE9FB40358F285079E6C5CB256E27149899B80

Uniqueness

Uniqueness Score: -1.00%

Function 005E36FF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,005E43C0,00000001,00000000,?,00000100,00000000,005E2B99,00000001,00000020,00000100,?,00000000), ref: 005E373E
GetStringTypeA.KERNEL32(00000000,00000001,005E43BC,00000001,?), ref: 005E3758
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,005E2B99,00000001,00000020,00000100,?,00000000), ref: 005E378C
MultiByteToWideChar.KERNEL32(005E2B99,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,005E2B99,00000001,00000020,00000100,?,00000000), ref: 005E37C4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 005E381A
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 005E382C

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 75394d3c34638554028627e3fe17f78d5701cbb3de2a5dbb70ff4ca2c5c75cca
Instruction ID: 6c84de5810a10b09590848d84c8592f4bec410c5d6620069db27d10bc4a30fb7
Opcode Fuzzy Hash: 75394d3c34638554028627e3fe17f78d5701cbb3de2a5dbb70ff4ca2c5c75cca
Instruction Fuzzy Hash: 26418DB2501295AFCF249F95DC8DAAF7FB8FB18750F104525FA91DB250D3308A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E165A Relevance: 7.5, APIs: 5, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(023C04A4,00100000,00004000,?,?,?,?,005E1448,005E148E,?,?,?), ref: 005E1688
VirtualFree.KERNEL32(023C04A4,00000000,00008000,?,?,005E1448,005E148E,?,?,?), ref: 005E1693
HeapFree.KERNEL32(00000000,?,?,?,005E1448,005E148E,?,?,?), ref: 005E16A0
HeapFree.KERNEL32(00000000,?,?,005E1448,005E148E,?,?,?), ref: 005E16BE
HeapDestroy.KERNEL32(?,?,005E1448,005E148E,?,?,?), ref: 005E16C6

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 14284b1b36dba8a6fbac7ad56c2b8c0918a8d2bb9448828eb1267b5b8a642bd5
Instruction ID: aecb3cb1b2bb169370eeb8328bfde8fddddb4026ced1fba50aa48afdde577fce
Opcode Fuzzy Hash: 14284b1b36dba8a6fbac7ad56c2b8c0918a8d2bb9448828eb1267b5b8a642bd5
Instruction Fuzzy Hash: 91F0A936200685EBC6295F51ECCAF46BB21E754729F210024F3C05E0B2D6B27828FF28

Uniqueness

Uniqueness Score: -1.00%

Function 005E1000 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 223libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 005E1044

Part of subcall function 005E1303: GetProcAddress.KERNEL32(?,?), ref: 005E131E

Strings

pR^, xrefs: 005E104E
(, xrefs: 005E1262
tR^, xrefs: 005E1009

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ($pR^$tR^
API String ID: 2574300362-4041730820
Opcode ID: d5336d6557c608c76a33950258f0dca178ec3dc89b38d615391a45e056442bd4
Instruction ID: 8e5425d8d811fcdf60836d7c1c259b11af9756924eea06e8ded78c6c35ce5bc5
Opcode Fuzzy Hash: d5336d6557c608c76a33950258f0dca178ec3dc89b38d615391a45e056442bd4
Instruction Fuzzy Hash: 79A1B179600A819FD70CCF28D8C8E257BA5FB683087854159F6868F372E731A809EF64

Uniqueness

Uniqueness Score: -1.00%

Function 00401080 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 004010A1
malloc.MSVCRT ref: 0040113A

Strings

TEMP, xrefs: 0040108A
00@, xrefs: 00401103, 00401147

Memory Dump Source

Source File: 00000006.00000002.418232384930.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.418232361853.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232408102.0000000000402000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232431540.0000000000403000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.418232460855.0000000000405000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Sahofivizu.jbxd

Similarity

API ID: getenvmalloc
String ID: 00@$TEMP
API String ID: 3016273935-1863785868
Opcode ID: e5752d7e964cc45001351181cb80afe316824892046b893d0cd7ffa74a926f00
Instruction ID: 17352a3b23e8b41dd4c3654eb86734d26610b7628fbd5f895abf2d9db2bed888
Opcode Fuzzy Hash: e5752d7e964cc45001351181cb80afe316824892046b893d0cd7ffa74a926f00
Instruction Fuzzy Hash: F7318DB17052058BC718DF5AEE8006ABBEAE7C83A1B54027FF745A73B0D7758C458B88

Uniqueness

Uniqueness Score: -1.00%

Function 00701000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

FillConsoleOutputCharacterA.KERNEL32(00000020,00000258,?,0070303C), ref: 0070102F
FillConsoleOutputAttribute.KERNEL32(?,00000258,?,0070303C), ref: 0070107B
GetModuleHandleW.KERNEL32(00703010), ref: 0070108B

Strings

<0p, xrefs: 00701007

Memory Dump Source

Source File: 00000006.00000002.418232914192.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true

Associated: 00000006.00000002.418232873183.0000000000700000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.418232955082.0000000000702000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_700000_Sahofivizu.jbxd

Similarity

API ID: ConsoleFillOutput$AttributeCharacterHandleModule
String ID: <0p
API String ID: 3686675960-1567851049
Opcode ID: 5eef0f9352fe9f92da4070fd2a8d492e8825b02ea3a236224aa75e65a0de324b
Instruction ID: 3838990359513ab1668f09f2f3b45ac87df0f6ccbee8565cf22eb46f943da166
Opcode Fuzzy Hash: 5eef0f9352fe9f92da4070fd2a8d492e8825b02ea3a236224aa75e65a0de324b
Instruction Fuzzy Hash: CE1191B1501244FFE7118F95EC88A5B7FBEFB45B50F008259E644A3261D6BD4A44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 007010A6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 007010D4
_initterm.MSVCRT ref: 007010FF
free.MSVCRT(?,?,00701191,?,?,?), ref: 0070113C

Strings

kv, xrefs: 007010BC

Memory Dump Source

Source File: 00000006.00000002.418232914192.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true

Associated: 00000006.00000002.418232873183.0000000000700000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.418232955082.0000000000702000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_700000_Sahofivizu.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: kv
API String ID: 1678931842-155876773
Opcode ID: 8520c5b545d7f0f7ca997062fb3178077a8e0d23d23a4eec21d1983d24ea2554
Instruction ID: cbad23dfd63a37a6f6ef376b7897dabc36f643c23cc95d98461bc05cac69fef8
Opcode Fuzzy Hash: 8520c5b545d7f0f7ca997062fb3178077a8e0d23d23a4eec21d1983d24ea2554
Instruction Fuzzy Hash: 1E115E32706344DBE728CB65EC84B5637EAA700715B50C32AEA01C62E0EF6CDA41CB18

Uniqueness

Uniqueness Score: -1.00%

Function 007110A6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 007110D4
_initterm.MSVCRT ref: 007110FF
free.MSVCRT(?,?,00711191,?,?,?), ref: 0071113C

Strings

kv, xrefs: 007110BC

Memory Dump Source

Source File: 00000006.00000002.418233021931.0000000000711000.00000020.00000001.01000000.00000009.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.418232989174.0000000000710000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.418233052888.0000000000712000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.418233085371.0000000000714000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_Sahofivizu.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: kv
API String ID: 1678931842-155876773
Opcode ID: 4bf04dc93cdc5c42d91b5b4d7bbace4db16b4886e11a577d4a94eac82fb10b06
Instruction ID: e809e9f27041bb415c4144e00b249e3611248a14484becd8fff7a7b4a17ee622
Opcode Fuzzy Hash: 4bf04dc93cdc5c42d91b5b4d7bbace4db16b4886e11a577d4a94eac82fb10b06
Instruction Fuzzy Hash: 38111C31605205EBE724CB6CED447E5B7F6B708B51B50C02AE702DA1E0E72D9A81DB18

Uniqueness

Uniqueness Score: -1.00%

Function 100011F4 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10001222
_initterm.MSVCRT ref: 1000124D
free.MSVCRT(02360CF8,?,100012DF,?,?,?), ref: 1000128A

Strings

kv, xrefs: 1000120A

Memory Dump Source

Source File: 00000006.00000002.418233463217.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.418233430707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.418233494926.0000000010002000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.418233526109.0000000010003000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.418233559358.0000000010004000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_Sahofivizu.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: kv
API String ID: 1678931842-155876773
Opcode ID: 5b6f63f67fb1f02955d176aff28fd79f63f50c801960370766fffc8a6111cfd1
Instruction ID: 8c57fb6397317483648498f5f92f1ada265d9291dc5e3cc515ae26a8f32dc0df
Opcode Fuzzy Hash: 5b6f63f67fb1f02955d176aff28fd79f63f50c801960370766fffc8a6111cfd1
Instruction Fuzzy Hash: 2C111831608322DBF715CBA9DCD5BE777A8FB093D5F51841EE901C61ACDB21A850CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005E2AFA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 005E2B0E

Strings

, xrefs: 005E2B57
, xrefs: 005E2B33

Memory Dump Source

Source File: 00000006.00000002.418232660177.00000000005E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000006.00000002.418232629513.00000000005E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232693556.00000000005E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232727978.00000000005E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.418232763905.00000000005E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5e0000_Sahofivizu.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 85d75df8c165ec1280763d2767a17e513f5d111bcade6dd19cbe6f94a2f24f0a
Instruction ID: 79f664ca92bf5d662b5335ad273dc2c6b0d85cdebac5de4e750454c316a65c8b
Opcode Fuzzy Hash: 85d75df8c165ec1280763d2767a17e513f5d111bcade6dd19cbe6f94a2f24f0a
Instruction Fuzzy Hash: 974127310046D8AADB2E8B26DDCDBFA7F9DFB11748F2404D4D5C9CB152D2614D489BA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Qr0aoYPmZE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sahofivizu.exe_99171066bc99f4afaf39e8633f36db99d51c7fd_7dc17cab_0bb4b60b-0900-464a-91a3-513535e1976c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1C.tmp.xml

C:\Users\user\AppData\Local\Temp\Gozekeneka.dll

C:\Users\user\AppData\Local\Temp\Sahofivizu.exe

C:\Users\user\AppData\Local\Temp\Yumicebivud.rih

C:\Users\user\AppData\Local\Temp\Zojemilocan.dll

C:\Users\user\AppData\Local\Temp\natigezeholi.dll

C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Qr0aoYPmZE.exe

Function 004030FA Relevance: 68.5, APIs: 24, Strings: 15, Instructions: 270
filestringcomCOMMON

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 00405D07 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403555 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00402E5B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174
fileCOMMON

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00401DC1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Function 004023AF Relevance: 3.1, APIs: 2, Instructions: 57
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON