Edit tour

Windows Analysis Report
jU0hAXFL0k.exe

Overview

General Information

Sample Name:	jU0hAXFL0k.exe
Original Sample Name:	6e8215eee3034d6dcf18d79d397e5715.exe
Analysis ID:	1326341
MD5:	6e8215eee3034d6dcf18d79d397e5715
SHA1:	5612bff0830a9a025eb35cf7c054d2062745d1b9
SHA256:	ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
Tags:	32exesigned
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Stores files to the Windows start menu directory

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

jU0hAXFL0k.exe (PID: 3628 cmdline: C:\Users\user\Desktop\jU0hAXFL0k.exe MD5: 6E8215EEE3034D6DCF18D79D397E5715)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4455549712.0000000009B23000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jU0hAXFL0k.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: jU0hAXFL0k.exe	ReversingLabs: Detection: 31%
Source: jU0hAXFL0k.exe	Virustotal: Detection: 45%			Perma Link

Source: jU0hAXFL0k.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: jU0hAXFL0k.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_004062DD FindFirstFileA,FindClose,	0_2_004062DD
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057A2
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765

Source: jU0hAXFL0k.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: jU0hAXFL0k.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jU0hAXFL0k.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: jU0hAXFL0k.exe	String found in binary or memory: http://s.symcd.com06
Source: jU0hAXFL0k.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: jU0hAXFL0k.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: jU0hAXFL0k.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: jU0hAXFL0k.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: jU0hAXFL0k.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: jU0hAXFL0k.exe	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040523F

Source: jU0hAXFL0k.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: jU0hAXFL0k.exe, 00000000.00000000.1996169194.000000000043A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeskatologiskes outsubtle.exe4 vs jU0hAXFL0k.exe
Source: jU0hAXFL0k.exe	Binary or memory string: OriginalFilenameeskatologiskes outsubtle.exe4 vs jU0hAXFL0k.exe

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403235

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_00406666		0_2_00406666
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_6E571A98		0_2_6E571A98

Source: jU0hAXFL0k.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Process Stats: CPU usage > 49%

Source: jU0hAXFL0k.exe	ReversingLabs: Detection: 31%
Source: jU0hAXFL0k.exe	Virustotal: Detection: 45%

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

File read: C:\Users\user\Desktop\jU0hAXFL0k.exe

Jump to behavior

Source: jU0hAXFL0k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

0_2_00403235

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens

Jump to behavior

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

File created: C:\Users\user\AppData\Local\Temp\nsb67D9.tmp

Jump to behavior

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

File written: C:\Users\user\AppData\Local\Temp\reinhold.ini

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,

0_2_00402138

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044FA

Source: jU0hAXFL0k.exe

Static file information: File size 1272864 > 1048576

Source: jU0hAXFL0k.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.4455549712.0000000009B23000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_6E572F60 push eax; ret

0_2_6E572F8E

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_6E571A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6E571A98

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

File created: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Spongiform.For	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Megapterine.buc	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Engroshandlerne.agr	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\haves.ant	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\laggin.tel	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\regneoperatorers.txt	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers	Jump to behavior
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers\unintriguing.tie	Jump to behavior

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

RDTSC instruction interceptor: First address: 0000000009C7429E second address: 0000000009C7429E instructions: 0x00000000 rdtsc 0x00000002 test ch, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F9A50BFF034h 0x00000008 inc ebp 0x00000009 cmp edx, ebx 0x0000000b inc ebx 0x0000000c test al, cl 0x0000000e rdtsc

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_004062DD FindFirstFileA,FindClose,	0_2_004062DD
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057A2
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	API call chain: ExitProcess graph end node			graph_0-4902
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe	API call chain: ExitProcess graph end node			graph_0-4905

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

Code function: 0_2_6E571A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6E571A98

Source: C:\Users\user\Desktop\jU0hAXFL0k.exe

0_2_00403235

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jU0hAXFL0k.exe	32%	ReversingLabs	Win32.Trojan.Guloader
jU0hAXFL0k.exe	46%	Virustotal		Browse
jU0hAXFL0k.exe	100%	Avira	HEUR/AGEN.1331786

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	jU0hAXFL0k.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	jU0hAXFL0k.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1326341
Start date and time:	2023-10-16 11:16:43 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	jU0hAXFL0k.exe renamed because original name is a hash value
Original Sample Name:	6e8215eee3034d6dcf18d79d397e5715.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	GuLoader	Browse
	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse
	Zc8N38ZHPi.exe	Get hash	malicious	GuLoader	Browse
	Zc8N38ZHPi.exe	Get hash	malicious	GuLoader	Browse
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	SOA_OCT.exe	Get hash	malicious	GuLoader	Browse
	Cargo_manifest_&_BL_10784813.exe	Get hash	malicious	GuLoader	Browse
	Cargo_manifest_&_BL_10784813.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	GuLoader	Browse
	Civilizee.exe	Get hash	malicious	GuLoader	Browse
	Civilizee.exe	Get hash	malicious	GuLoader	Browse
	RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe	Get hash	malicious	GuLoader	Browse
	RFQ____RM_quotation_JPEG_IMAGE.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ____RM_quotation_JPEG_IMAGE.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854901984552606
Encrypted:	false
SSDEEP:	192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5:	0063D48AFE5A0CDC02833145667B6641
SHA1:	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256:	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512:	71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: #U4e5d#U6708#U58f0#U660e_40981677.xls, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: Part_number_91875-11400_x_6.xls, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse Filename: Zc8N38ZHPi.exe, Detection: malicious, Browse Filename: Zc8N38ZHPi.exe, Detection: malicious, Browse Filename: SOA_OCT.exe, Detection: malicious, Browse Filename: SOA_OCT.exe, Detection: malicious, Browse Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious, Browse Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious, Browse Filename: Payment_Advice-pdf.exe, Detection: malicious, Browse Filename: Payment_Advice-pdf.exe, Detection: malicious, Browse Filename: Civilizee.exe, Detection: malicious, Browse Filename: Civilizee.exe, Detection: malicious, Browse Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious, Browse Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious, Browse Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious, Browse Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\reinhold.ini

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.308751351247167
Encrypted:	false
SSDEEP:	3:T9RurfyWGRMWyn:TaSMWyn
MD5:	F54A2E254A72D0CC8E1EF8327CB8A7B5
SHA1:	B5635CB7A221E52073F56017FD4DBE36BAAC3228
SHA-256:	DB054403B148F267DE03752254EB25A8E981E59CA9F6E93F3E39C1E9D70405A7
SHA-512:	5A343BD2A70006CEE64831AB815DCAF1170BC7282378670236A835799DD1292B0A6D7496B863C3522F4379A94E0365DE5367F93D275A09D9A8F97A3426983382
Malicious:	false
Reputation:	low
Preview:	[coryphodont]..Antihemorrheidal=bursitis..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Engroshandlerne.agr

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	data
Category:	dropped
Size (bytes):	86434
Entropy (8bit):	4.596147320376854
Encrypted:	false
SSDEEP:	1536:3bje52+ESCvPspqbrBoZDdRxR9oEOWU0HqkL:3bq1fCvPOmrc5Rz9nWm
MD5:	DCDA6C782E8D6EE806DD3E1A71575B12
SHA1:	DD5394A4443E7E1CDBA0E565D8F0095854CEB3A5
SHA-256:	088C8536AF2896DF8E6873107C4183D013D137C924BBE8C32F29A35D46874DBB
SHA-512:	5AE46A43F73EBE19DB3B4A0FA6A3EAA70875EA34F23CC0565F9872D3FD6D6E3B1A8E4E5658BDDA750D26BDEF5BBFAAD6D47F7BA5D7A27C38A70B7C6876A8BE8D
Malicious:	false
Reputation:	low
Preview:	............x.,.........yyyy.................Q.................,.............................;;;.........i....u................(((.11111.......V.3.....5...}........]]......w..........LLLL....z..............H..........._.................xxx.................ggg...................N..................................e..\|..............9.....................P.......``............... ............................ssssss...t.....8.........S..7..........,,,......................G..^.......PP.66666.???..ll.............Q....^^^.....]]].........pppppp..777...............k...''........B....................~.....M........======.......N.....u.999...nnn.........,,...........II.7.........+...........................y................uu.$...;......\\\.......*...........................................................R....OO.....P...[[....e...............................................NNNNN......................H........ee.@....................''.....L........................................1..........bb.$$

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Megapterine.buc

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 246-148, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 2362119990157315670016.000000
Category:	dropped
Size (bytes):	163779
Entropy (8bit):	4.938326189697288
Encrypted:	false
SSDEEP:	3072:KNwfAuxv4zSDxRWO0kdxyjf5TWKuT56kieBNKYAqrszfq:6wffxA+tR8jV9uT5vieBNKYfgu
MD5:	0782692CFF38628B70495E562B2614A1
SHA1:	1CF24A8842C79FA929D31571AEB187673A91CF22
SHA-256:	136B62E6481EF62303BD2305C8FB497CE931521C71CB331CB92179621D558E20
SHA-512:	613F3E3CF46FE6222AD7C8562C785A23190502B4B4EEEF54CFFEB381AA1D7F71D1C307D480489046E34C6E4981594DB29E6E86382A49D8CFAB530E757DAA8B22
Malicious:	false
Reputation:	low
Preview:	. ......W...........)E..............................U...^.w....U........'....#.......18.{U.........?..........U....j....a.........-.d...7.3.[...'.h.v......D...}../....................!......t......................-.%:......H.D......./V...<.......h....z.b...R...............ju...s=Ee...j.............o......GA....(.....Z........................I.M....&8...,........,...-.......... .7.<............J5..........ix./.}&...c..D!........."..............N...........7.n].".......F..j..~...q..i..u..e.....8.......7A.....&.........Y.......D.....=...a........g...kUv.......{...Hm....................l......Y.......o............5.....G....%.......LK.............^....>........3.C......_..].O...B........W.b8.p.X.......n.%f'v...;........%....5...6........._...........&......\........r......o/Y.....\...J.Hh.......X9..-uL.......(..dB.........v.............%.......q...z..............!.....6...._..............d..........x................L.............Ui...........d..&...Q(....N..+.F............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Spongiform.For

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	data
Category:	dropped
Size (bytes):	1390858
Entropy (8bit):	5.47049513454331
Encrypted:	false
SSDEEP:	12288:4iaNjSuAdwvibD6iNM4Fe4IeLIK12pGOifrwpSO1VmTE1tjGcMMvLLIikq5wa:mN2ivuNhbI9pGOQmSO1VHacVTLI9q6a
MD5:	D4910FD9A8A5BBF2030E2D2480BAC516
SHA1:	B7CDA4C565EE6BCCB3956AFE5DC057CA9A1B5993
SHA-256:	C5EC53E76C60CE7494228BA21E135C1698B8EF82365119DF3759BEC2DFECE45C
SHA-512:	F917486869AF1F6AF4466DE5B2F62777885E5A4B4B5686DA8FD687A3F8A24975315A00AD887457D7675085DCAB9D05FBD76A4634143A8F744DD23D5808D95B50
Malicious:	false
Reputation:	low
Preview:	.........nn.."...............ttt..........ff.........[.).."........--......3....D......RR....rr.............44.....ccc.................4....//....hh..........;;;;;;;;;..UUUU.RRRRRR................}.p...................22222............$.##.......:............\.............J........N........x..................::::..yyy...........S......{...........gg..........:................11.... ...P...ddd...w........@..HH...................ccc......y.777..........AA................--....$$$$$$..^^......f.................c.........+..... .........................[[[..........,,.........ww.......SS......bbbb.....................zzz......+..H.....k..........%%%......\\.0......$$$$............y......hh............==..............b..rr..G.........................b....................)).2........TT................&&&&...........2222.__.............^^............a.........q...............X.....gg.........@........................qq.....}..........o....5..............))................g...............tt...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\haves.ant

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	data
Category:	dropped
Size (bytes):	144737
Entropy (8bit):	4.9429482615607165
Encrypted:	false
SSDEEP:	3072:5w8VNxOulgKUnkFg3sgS2fm0ieW5zym0HVCmV:5woLlgKUnkFHgSURz4zIrV
MD5:	F84B9E2BDA2302BC917050F4F1B5C907
SHA1:	8258DE54AEC259536F36285708D66E494D247905
SHA-256:	8B4250121C2470B3E1458EE51E6DB638C7DAE2A188F24D9141849D267B65D36B
SHA-512:	1AFD54A056CBB8D7D87DBAB318F46D77706C4F05735E52DE3301FD2A78EB36637CF534E2CED8638689C1904828829A11E1974D4679E1D297068E293DF6D55CA2
Malicious:	false
Preview:	.2.r.A................b...F...S.v..]....Z......n?.................k.........R.({.E;......U........2.........<.1..............F.(...........p.3..............Z.............\|.............Q..P.Zw...JZ.......:.....)A....[RV...H............O.................B.....5..)....~..k.....\|.1....d......6@...+.....j......"g.y.-?..........DB.\......'K...M..........I.....Q.........S.....B.........2.3.N.....E....C......b....K.6................$...Z.^.{.........[Y........ ...6,..&..P....f}.L.....q.....1..".\.....j.......fT...B.F.................8.........e...q.............6.\|.....F.._"...?..........1O..&.K..t...<n:..................=...DO,..c.L.....N+...3..!.....J..Hg;.}.}........2.4.,......."4.C.........n............c.O....2.E.....lr`.:..ea........qC...Q....h.....r..........Z...............q}t."..M.......!V..b.........C..9....J..v......+...........=...v&...............K..[..D.........{..L....u........5.....................:.....7.e..}.P.....`.^..M...p..M..<4.......n......4....'........(L..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\laggin.tel

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	data
Category:	dropped
Size (bytes):	243403
Entropy (8bit):	4.95927012728034
Encrypted:	false
SSDEEP:	6144:ZATFfjMU61iyzkn+upJwQIkCqLWZNPzlmAZOibfQJGnbOKVy:sfjr61RO+uwQ5ENPzmib4Yy
MD5:	894C5CFD443EABAA15BE7A7CCEA4E9F5
SHA1:	C25D071C1BBDB7813B5A9EB8E7D04FFACB063389
SHA-256:	3CE9F1F2DC922EB0ED91C0ED1264D17506B7B4EF065E49555F77A96317A3CCD5
SHA-512:	FCD61116FAA5CCFB004CCAAFDA68AA42BAB7CF3AF8B0D0AD6AF67A0132434806765A1EBB4C36F12ED69745D1A3BE1F4A4C5AADCA15FECED53D37C004104CCAD0
Malicious:	false
Preview:	-............Y...........".............-......A:...h............#.......[...\."...................?.D..a...?.............~."....)....R.........M....P...].b;....a.u.Ia..z.....n.t....S....[........).W.......l..e................M+......\...........%...$..%..n..............-............+F...!..n.......y..................C[..]...f....s.....(................q.l...'...........l...m.7.5...t....kcZ..Q....(.x....zn..........B..W....G..........a.....:*............1.q...v. ......\L.1..2./Q....5.........5.k..w.....!....P......K..+...[......y.2............#....@.p...2..D.7. c..&..................#.......7.'..............T.(E...!...............I........]............g...>.r.U...4........<....................B....1....\|........O.R.........3[.v....+....a).....@....!.F...;...u. .....^....q_.V\|BJ..w`........jM........F.....A../..$....0.d..5N..g..v.................-p............E....YU.....+....\|....%..........S....5..>.G...........y....E..i.)....V.......................h...(Q[-G.:.........]........Y

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\regneoperatorers.txt

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.292190557993067
Encrypted:	false
SSDEEP:	12:U6cKWn1izXeejCThRvO4IQJWc05kC257zNC1NFLyx:U3KW1SeeYzvlIQJd0qC25MByx
MD5:	1693541DFB1E3B101649889AAE97DC5B
SHA1:	E9F89EE2A9F46ABB9738625B97600EE3B56B705D
SHA-256:	A4943074FBBB15A41254082AB6FEA90FE5D302F6E6969E963F6B04A92B49F739
SHA-512:	B72C8DB040CDA851C4D68110DB1E6CCBA2D90DF93AE829E03436F17223693014FBF2F68D4AC713FA0CF2A74055424250F5DB8C285CC8A767BF7C894788724EA7
Malicious:	false
Preview:	udviklingscenter tiljubler kurrende kaper politicalized vandindvindingsanlgget neuroleptanalgesia havergrass postique flise baptizer sprjtenarkomanen..imino udklippende forpakning unalterably.daedalean skeers fogyishness parathyroidectomised udlign autocrat maskinparkens teknokratiseret..rutebaadenes unpreventable bogkrybbens sknhedspletternes overstegnes slugtens dekorum,urbane serest selektionernes,liquify adfrdsmnstres polybranchian neall brandtale.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers\unintriguing.tie

Download File

Process:	C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:	data
Category:	dropped
Size (bytes):	5935
Entropy (8bit):	4.893001480959504
Encrypted:	false
SSDEEP:	96:wCHb7caV5pcvPQzcsG4LMvyER8TY8Vvj3B442oBIBr7qTRRtSubJuf+F5LzllGEt:dPcaV3cnQzc4LZECYQt2jqT1bJuWjLzR
MD5:	064C026C4CAA1483900E7AC2C0DFFF1C
SHA1:	EAAF94292A01CF711B27321265A929E4C8F2A9DF
SHA-256:	B3E57DBE2DE42502F0C3D005F8347C1B2B72B6A29EC80474921C6A274FF2E081
SHA-512:	15B03A3DBB34CDB0AFA733FEF6761A4955A4891015F1A6E43EDFC86EB05790AA4C6929D8374A47AADDE4C911BB7F100E329C866E68959887DB9897761627300D
Malicious:	false
Preview:	.g.....k....q.......DL..+.n....S.*...V.. .+..U.........<..X....e.".....6.....g...........f....49.......dE.h.......X...[....M.....M.....y.........T..w`E....5l.z..............c,..y..o....................QE...............r......)....../.........;..g....c.A.rf.k.....[..Z...i............M......[.............V\|..F...........1.(....).z.@....I......J....W............A................[..4.....B,..B.k......g...C..3...t.....{....5.9._F.........T........Q.....e............C.... ........E{.....k....(.x..l..............A....,w........@........9.`....Z..........a3...$W....#..Bd.....c..........e...............r......~......jl..................hj..... .....l.'m.4............._..<.Q.f...>6.......e...M..........'.......&.....n....."\.....F.....O.....A...........................I._.........i...<.d."......m................o...U....y;........+........o.O...> ........$..o......v............./......................................z...7w8g...2.........:....a~...........Is.....N.$....a.............Y...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.983367304390116
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jU0hAXFL0k.exe
File size:	1'272'864 bytes
MD5:	6e8215eee3034d6dcf18d79d397e5715
SHA1:	5612bff0830a9a025eb35cf7c054d2062745d1b9
SHA256:	ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
SHA512:	5b5a08e02c7f58f25a436508848f90d397c2545b474f37202cef5f8ba9d4924761e500a2d54e082f51eabd80b2cc33d21d73b45206d79e64c7bb0ce21abf83c1
SSDEEP:	24576:ZQ3IGHgEKN05uKEPfbze1J9c8ae1D1FkTaO/bwntZKo4PCnsoO+Lt:ZQ3IbGEf+X9Xtk2O/bw7KpCnsa5
TLSH:	2C45236023C1D97BEB5A47F4AA9E29FAA1E4CE87DD28860B93143F713F723458D214D1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.w.F......F...v...F...@...F.Rich..F.........PE..L......].................`..........52.......p....@

File Icon


Icon Hash:	272707636343090f

Static PE Info

General

Entrypoint:	0x403235
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DF6D4E3 [Mon Dec 16 00:50:43 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9c0657252137ac61c1eeeba4c021000

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Afruse@Paaberaabtes.Unp, OU="Perfay puces ", O=Absorberer, L=Hermerode, S=Sachsen-Anhalt, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	15/03/2023 10:03:08 14/03/2026 10:03:08
Subject Chain	E=Afruse@Paaberaabtes.Unp, OU="Perfay puces ", O=Absorberer, L=Hermerode, S=Sachsen-Anhalt, C=DE
Version:	3
Thumbprint MD5:	D200528519AD6686EEFFD2596A2A2F55
Thumbprint SHA-1:	597512FD1BFD1E677353ED0A5021A23E7F5CC129
Thumbprint SHA-256:	874162BB890EF7A67C60203F2DD0E4EE2F4015C6F2C437BC175010C6AE2FB567
Serial:	57F1B2B5B2C4B7C9C1DEF821A4632D692E16B719

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F9A50BF2CC3h
push ebx
call 00007F9A50BF5DABh
cmp eax, ebx
je 00007F9A50BF2CB9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F9A50BF5D27h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F9A50BF2C9Dh
push 0000000Ah
call 00007F9A50BF5D7Fh
push 00000008h
call 00007F9A50BF5D78h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F9A50BF5D6Ch
cmp eax, ebx
je 00007F9A50BF2CC1h
push 0000001Eh
call eax
test eax, eax
je 00007F9A50BF2CB9h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407040h]
push ebx
call dword ptr [00407284h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x21d08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x135408	0x1818
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f7d	0x6000	False	0.6680094401041666	data	6.466064816043304	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x123e	0x1400	False	0.4275390625	data	4.989734782278587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	False	0.638671875	data	5.130817636118804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x16000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3a000	0x21d08	0x21e00	False	0.9174858740774908	data	7.758972914922993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3a418	0x11d3c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9978499041358532
RT_ICON	0x4c158	0x6782	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9879990942712658
RT_ICON	0x528e0	0x28b6	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	0.9959700633275763
RT_ICON	0x55198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6062240663900414
RT_ICON	0x57740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6512664165103189
RT_ICON	0x587e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.6993603411513859
RT_ICON	0x59690	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7928700361010831
RT_ICON	0x59f38	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.526219512195122
RT_ICON	0x5a5a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7247109826589595
RT_ICON	0x5ab08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_ICON	0x5af70	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.6693548387096774
RT_ICON	0x5b258	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.7128378378378378
RT_DIALOG	0x5b380	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5b480	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5b5a0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5b668	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5b6c8	0xae	data	English	United States	0.6264367816091954
RT_VERSION	0x5b778	0x24c	data	English	United States	0.4812925170068027
RT_MANIFEST	0x5b9c8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll	SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	11:17:29
Start date:	16/10/2023
Path:	C:\Users\user\Desktop\jU0hAXFL0k.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\jU0hAXFL0k.exe
Imagebase:	0x400000
File size:	1'272'864 bytes
MD5 hash:	6E8215EEE3034D6DCF18D79D397E5715
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4455549712.0000000009B23000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	14%
Signature Coverage:	17.2%
Total number of Nodes:	1540
Total number of Limit Nodes:	50

Executed Functions

Function 00403235 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040325A
GetVersion.KERNEL32 ref: 00403260
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403293
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032CF
OleInitialize.OLE32(00000000), ref: 004032D6
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032F2
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00403307
CharNextA.USER32(00000000,"C:\Users\user\Desktop\jU0hAXFL0k.exe",00000020,"C:\Users\user\Desktop\jU0hAXFL0k.exe",00000000,?,00000006,00000008,0000000A), ref: 00403343
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403440
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403451
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040345D
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403471
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403479
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040348A
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403492
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034A6

Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?), ref: 0040639F

Part of subcall function 004037F7: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,75923410), ref: 004038E7
Part of subcall function 004037F7: lstrcmpiA.KERNEL32(?,.exe), ref: 004038FA
Part of subcall function 004037F7: GetFileAttributesA.KERNEL32(Call), ref: 00403905
Part of subcall function 004037F7: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E
Part of subcall function 004037F7: RegisterClassA.USER32(00422EA0), ref: 0040398B

Part of subcall function 0040371D: CloseHandle.KERNEL32(000002CC,00403554,?,?,00000006,00000008,0000000A), ref: 00403728

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403554
ExitProcess.KERNEL32 ref: 00403575
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403692
OpenProcessToken.ADVAPI32(00000000), ref: 00403699
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036B1
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036D0
ExitWindowsEx.USER32(00000002,80040002), ref: 004036F4
ExitProcess.KERNEL32 ref: 00403717

Part of subcall function 004056F6: MessageBoxIndirectA.USER32(00409218), ref: 00405751

Strings

~nsu, xrefs: 00403580
UXTHEME, xrefs: 00403287, 0040328C, 00403292
C:\Users\user\Desktop, xrefs: 004035A7, 004035AC, 004035D8
TEMP, xrefs: 00403485
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00403531
NSIS Error, xrefs: 004032F8
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 00403425, 00403526, 004035D0, 004035D9
.tmp, xrefs: 0040359C
Low, xrefs: 00403473
TMP, xrefs: 0040348D
\Temp, xrefs: 00403457
C:\Users\user\Desktop\jU0hAXFL0k.exe, xrefs: 00403632
"C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 0040330D, 00403313, 004034CA
C:\Users\user\AppData\Local\Temp\, xrefs: 00403435, 0040343A, 00403450, 0040345C, 0040346B, 00403478, 00403484, 0040348C, 00403585, 00403596, 004035A1, 004035AD, 004035BA, 004035C9, 00403678
1033, xrefs: 004034A1
SeShutdownPrivilege, xrefs: 004036AB
", xrefs: 00403368
Error launching installer, xrefs: 0040350C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\jU0hAXFL0k.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers$C:\Users\user\Desktop$C:\Users\user\Desktop\jU0hAXFL0k.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-1124582691
Opcode ID: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
Instruction ID: 70de6b230954929a2c0fab4aa6e61a8dc1a32ac2bd4530e0982157a086cffda4
Opcode Fuzzy Hash: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
Instruction Fuzzy Hash: 62C1F6706086526AE7216F759D49B2F3EA8EB81706F04453FF541B61E2CB7C8E05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040523F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040529E
GetDlgItem.USER32(?,000003EE), ref: 004052AD
GetClientRect.USER32(?,?), ref: 004052EA
GetSystemMetrics.USER32(00000002), ref: 004052F1
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405312
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405323
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405336
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405344
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405357
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405379
ShowWindow.USER32(?,00000008), ref: 0040538D
GetDlgItem.USER32(?,000003EC), ref: 004053AE
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053BE
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053D7
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053E3
GetDlgItem.USER32(?,000003F8), ref: 004052BC

Part of subcall function 0040409D: SendMessageA.USER32(00000028,?,00000001,00403ECD), ref: 004040AB

GetDlgItem.USER32(?,000003EC), ref: 004053FF
CreateThread.KERNELBASE(00000000,00000000,Function_000051D3,00000000), ref: 0040540D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405414
ShowWindow.USER32(00000000), ref: 00405437
ShowWindow.USER32(?,00000008), ref: 0040543E
ShowWindow.USER32(00000008), ref: 00405484
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054B8
CreatePopupMenu.USER32 ref: 004054C9
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054DE
GetWindowRect.USER32(?,000000FF), ref: 004054FE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405517
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405553
OpenClipboard.USER32(00000000), ref: 00405563
EmptyClipboard.USER32 ref: 00405569
GlobalAlloc.KERNEL32(00000042,?), ref: 00405572
GlobalLock.KERNEL32(00000000), ref: 0040557C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405590
GlobalUnlock.KERNEL32(00000000), ref: 004055A9
SetClipboardData.USER32(00000001,00000000), ref: 004055B4
CloseClipboard.USER32 ref: 004055BA

Strings

K, xrefs: 0040548E
Trochidae Setup: Installing, xrefs: 0040552F

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Trochidae Setup: Installing$K
API String ID: 4154960007-528882221
Opcode ID: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
Instruction ID: b9a96890980d2d8b9797d0de0d5ce2eab2fec2a682b8a0b11cb6d69254f0e8d6
Opcode Fuzzy Hash: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
Instruction Fuzzy Hash: C4A15CB1900208BFDB119FA0DD89AAE7FB9FB48355F00403AFA05B61A0C7B55E51DF69

Uniqueness

Uniqueness Score: -1.00%

Function 6E571A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E571215: GlobalAlloc.KERNEL32(00000040,6E571233,?,6E5712CF,-6E57404B,6E5711AB,-000000A0), ref: 6E57121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6E571BC4
lstrcpyA.KERNEL32(00000008,?), ref: 6E571C0C
lstrcpyA.KERNEL32(00000408,?), ref: 6E571C16
GlobalFree.KERNEL32(00000000), ref: 6E571C29
GlobalFree.KERNEL32(?), ref: 6E571D09
GlobalFree.KERNEL32(?), ref: 6E571D0E
GlobalFree.KERNEL32(?), ref: 6E571D13
GlobalFree.KERNEL32(00000000), ref: 6E571EFA
lstrcpyA.KERNEL32(?,?), ref: 6E572098
GetModuleHandleA.KERNEL32(00000008), ref: 6E572114
LoadLibraryA.KERNEL32(00000008), ref: 6E572125
GetProcAddress.KERNEL32(?,?), ref: 6E57217E
lstrlenA.KERNEL32(00000408), ref: 6E572198

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 0072485be489e8976ebd394ead1b49d0fd8550fc719aa76c27bcbd860a51b318
Instruction ID: ab24fd746e9856ae6df7e55ef2f75c180ae7c0932e2051dc4d47552994141d95
Opcode Fuzzy Hash: 0072485be489e8976ebd394ead1b49d0fd8550fc719aa76c27bcbd860a51b318
Instruction Fuzzy Hash: 0A22BEB1954216DEDF70CFE9CAA07EDBBF4BB05304F10892ED2A5A3140DB7456A9CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004057A2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057CB
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405813
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405834
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040583A
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040584B
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058F8
FindClose.KERNEL32(00000000), ref: 00405909

Strings

\*.*, xrefs: 0040580D
"C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 004057A2
C:\Users\user\AppData\Local\Temp\, xrefs: 004057AF

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1711251070
Opcode ID: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
Instruction ID: d5f8e1a5a2f38c4268bcbec4acbb3c578bb2518a62eabdffbc14051f19ad4651
Opcode Fuzzy Hash: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
Instruction Fuzzy Hash: F251E171900A18BADB21BB228C45BAF7A79DF42724F14807BF841B51D2D77C8942DEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406666 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
Instruction ID: 4f714145f5a313d6319dbd2ae6a602097e3dd159542c3e152d0bb7460fb66c8d
Opcode Fuzzy Hash: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
Instruction Fuzzy Hash: 25F17571D00229CBDF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7395A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004062DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(75923410,00421558,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
FindClose.KERNEL32(00000000), ref: 004062F4

Strings

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp, xrefs: 004062DD

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp
API String ID: 2295610775-2542702260
Opcode ID: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
Instruction ID: 9f0851c2fc9ceccd35e24d87c19841e9ead441a619ffea6187f1505ec1ede2b7
Opcode Fuzzy Hash: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
Instruction Fuzzy Hash: B1D012319090207BC30117386E0C85B7A599B553317228A77F967F12F0C7388C7696E9

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BD0
ShowWindow.USER32(?), ref: 00403BED
DestroyWindow.USER32 ref: 00403C01
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C1D
GetDlgItem.USER32(?,?), ref: 00403C3E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C52
IsWindowEnabled.USER32(00000000), ref: 00403C59
GetDlgItem.USER32(?,00000001), ref: 00403D07
GetDlgItem.USER32(?,00000002), ref: 00403D11
SetClassLongA.USER32(?,000000F2,?), ref: 00403D2B
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D7C
GetDlgItem.USER32(?,00000003), ref: 00403E22
ShowWindow.USER32(00000000,?), ref: 00403E43
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E55
EnableWindow.USER32(?,?), ref: 00403E70
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E86
EnableMenuItem.USER32(00000000), ref: 00403E8D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EA5
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403EB8
lstrlenA.KERNEL32(Trochidae Setup: Installing,?,Trochidae Setup: Installing,00000000), ref: 00403EE2
SetWindowTextA.USER32(?,Trochidae Setup: Installing), ref: 00403EF1
ShowWindow.USER32(?,0000000A), ref: 00404025

Strings

K, xrefs: 00403F3F
Trochidae Setup: Installing, xrefs: 00403ED2, 00403ED8, 00403EEF

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Trochidae Setup: Installing$K
API String ID: 3282139019-528882221
Opcode ID: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
Instruction ID: ba3e3afbb1df49eb3663f2526bbc67ab17a8ece20d2805bf2467eb782e73bce3
Opcode Fuzzy Hash: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
Instruction Fuzzy Hash: FEC1AEB2604205BBDB206F61ED49D2B7A6CFB85706F40443EF641B11F1C779A942EB2E

Uniqueness

Uniqueness Score: -1.00%

Function 004037F7 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?), ref: 0040639F

lstrcatA.KERNEL32(1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\jU0hAXFL0k.exe",00000000), ref: 00403872
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,75923410), ref: 004038E7
lstrcmpiA.KERNEL32(?,.exe), ref: 004038FA
GetFileAttributesA.KERNEL32(Call), ref: 00403905
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E

Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45

RegisterClassA.USER32(00422EA0), ref: 0040398B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039A3
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039D8
ShowWindow.USER32(00000005,00000000), ref: 00403A0E
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 00403A3A
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 00403A47
RegisterClassA.USER32(00422EA0), ref: 00403A50
DialogBoxParamA.USER32(?,00000000,00403B94,00000000), ref: 00403A6F

Strings

.exe, xrefs: 004038F4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 00403881, 00403889, 00403921, 00403927, 00403937
RichEdit20A, xrefs: 00403A32, 00403A38
RichEd32, xrefs: 00403A22
RichEd20, xrefs: 00403A14
RichEdit, xrefs: 00403A41
.DEFAULT\Control Panel\International, xrefs: 0040385D
"C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 004037FB
Control Panel\Desktop\ResourceLocale, xrefs: 0040382B
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
1033, xrefs: 00403817, 0040386D
Call, xrefs: 004038B5, 004038BD, 004038CA, 00403914, 0040391A
_Nb, xrefs: 0040396A, 004039D2
Trochidae Setup: Installing, xrefs: 00403823, 00403829, 0040384E, 00403857, 0040386C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Trochidae Setup: Installing$_Nb
API String ID: 1975747703-3908693124
Opcode ID: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
Instruction ID: cc9ff768997195dfc6b08b7ed0d0e3ca7810037f4103f2fdd35eeb1d807c43ce
Opcode Fuzzy Hash: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
Instruction Fuzzy Hash: 1961C4B07442007EE620AF659D45F2B3AACEB4475AB40447EF941B22E2D7BC9D02DA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DD5
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\jU0hAXFL0k.exe,00000400), ref: 00402DF1

Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jU0hAXFL0k.exe,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00402E3D
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
C:\Users\user\Desktop, xrefs: 00402E1F, 00402E24, 00402E2A
C:\Users\user\Desktop\jU0hAXFL0k.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
"C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 00402DC4
Null, xrefs: 00402EBB
Inst, xrefs: 00402EA9
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
Error launching installer, xrefs: 00402E14
soft, xrefs: 00402EB2

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\jU0hAXFL0k.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-960328974
Opcode ID: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
Instruction ID: 90621c4e807be281ea96420bab05d42ad29c2ea1f6fd119d4e9c070f99f8684f
Opcode Fuzzy Hash: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
Instruction Fuzzy Hash: 1A51F771A00216ABDF209F61DE89B9E7BB8EB54355F50403BF900B72C1C6BC9E4197AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406127
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000), ref: 0040613A
SHGetSpecialFolderLocation.SHELL32(00405139,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000), ref: 00406176
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406184
CoTaskMemFree.OLE32(00000000), ref: 00406190
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004061B4
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,00000000,004168C0,00000000), ref: 00406206

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004061AE
Call, xrefs: 00406026, 004060F3, 004060F4, 004060F5, 00406111, 00406126, 00406139, 00406155, 00406180, 004061B3, 004061B9, 004061D1, 004061E4, 004061FF, 00406205, 0040620D, 00406237
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060F6
Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll, xrefs: 00406021

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1260080314
Opcode ID: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
Instruction ID: f6f0e3a74e6b455581cb0d86726a6c3d239f08f65b325d122068a3aaf356d786
Opcode Fuzzy Hash: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
Instruction Fuzzy Hash: F4610571A00115ABEF20AF64DC84B7A3BA4DB55314F12417FEA03BA2D2C23C4962DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FE7

Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll), ref: 0040516F
Part of subcall function 00405101: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
Part of subcall function 00405101: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD

Strings

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp, xrefs: 004017A3, 00401812, 00401830
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll, xrefs: 00401826, 00401842
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp$C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers$Call
API String ID: 1941528284-3252339540
Opcode ID: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
Instruction ID: a8f8d2e71aafd7953ecb4fd9af401e61999b8e286ce35665580707d8cc6a98aa
Opcode Fuzzy Hash: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
Instruction Fuzzy Hash: BC41D371A0451ABACB107FA5DC45D9F3AB9EF05329B20823BF411F10E1C63C8A419B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405101 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll), ref: 0040516F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll, xrefs: 00405121, 00405133, 00405139, 0040515C, 00405168

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll
API String ID: 2531174081-3531462292
Opcode ID: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
Instruction ID: da75402713979d4bf34db42cde910fb2485d85a1008762fbb7bcbbad6d42931f
Opcode Fuzzy Hash: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
Instruction Fuzzy Hash: BB219A71E00108BADF119FA4CD84ADFBFB9EF05354F04807AF404A6291C6798E419FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004055C7 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A
GetLastError.KERNEL32 ref: 0040561E
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405633
GetLastError.KERNEL32 ref: 0040563D

Strings

C:\Users\user\Desktop, xrefs: 004055C7
|s@, xrefs: 004055CD
C:\Users\user\AppData\Local\Temp\, xrefs: 004055ED
ls@, xrefs: 004055FC

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ls@$|s@
API String ID: 3449924974-148832918
Opcode ID: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
Instruction ID: d76da5e920ef4cf84c76b5f8b6eadacb43d526ba9f765b2b55af8eda6d007f2e
Opcode Fuzzy Hash: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
Instruction Fuzzy Hash: 90010871C04219EAEF019BA1CC447EFBBB8EB14355F00853AD905B6290E779A605CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406304 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
wsprintfA.USER32 ref: 00406354
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406368

Strings

UXTHEME, xrefs: 0040630D
%s%s.dll, xrefs: 0040634E
\, xrefs: 0040632C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: 15cbb93803340843acffe9ced60e7e2f3372dd006ff9664fb566d465880257e2
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: C8F09C30900116ABDB159768DD0DFFB365CEB08309F14057AB986E11D1D574E9258B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402FFB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403059
GetTickCount.KERNEL32 ref: 004030DA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00403107
wsprintfA.USER32 ref: 00403117

Strings

... %d%%, xrefs: 00403111

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
Instruction ID: eed10709806649b2ce9ecdbe6bed08e8f554dc741dea3641cf9b2fc180d08aa2
Opcode Fuzzy Hash: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
Instruction Fuzzy Hash: A7515E71901219ABDB10EF65D904A9F3BB8AF48756F14413BFD10BB2C0C7789E51CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405BA2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BB6
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405BD0

Strings

nsa, xrefs: 00405BAD
"C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 00405BA2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405BA5

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3940041654
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: 2f7af396f84d097035df83fe1d719984909df90e6a6ed76a9758152acb097983
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: B9F082367082086BEB108F5ADC04B9B7BA8DF91750F14803BFA08DA291D6B4B9548B69

Uniqueness

Uniqueness Score: -1.00%

Function 6E5716DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E571A98: GlobalFree.KERNEL32(?), ref: 6E571D09
Part of subcall function 6E571A98: GlobalFree.KERNEL32(?), ref: 6E571D0E
Part of subcall function 6E571A98: GlobalFree.KERNEL32(?), ref: 6E571D13

GlobalFree.KERNEL32(00000000), ref: 6E571786
FreeLibrary.KERNEL32(?), ref: 6E571809
GlobalFree.KERNEL32(00000000), ref: 6E57182E

Part of subcall function 6E5722AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6E5722E0

Part of subcall function 6E5726B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E571757,00000000), ref: 6E572782

Part of subcall function 6E57156B: wsprintfA.USER32 ref: 6E571599

Strings

, xrefs: 6E57180F

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 81106067a621283a6b6043f98157890767aa4956995836a03f583075ea6fc898
Instruction ID: 7cac97bb54480eecf3790afe62ec091765379ffd830407fd904c62c595ddc91e
Opcode Fuzzy Hash: 81106067a621283a6b6043f98157890767aa4956995836a03f583075ea6fc898
Instruction Fuzzy Hash: 9341B1B10002059ACF609FF48EE4BE937ECBF45314F048865EA159E086DF7488A9CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
Instruction ID: 5540d85999f992b2d0d9c3d63f09df6deeece4c427f082cd61f041684b2cd5b6
Opcode Fuzzy Hash: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
Instruction Fuzzy Hash: 6E216BB1D48208BEEF06AFB4D98AAAD7FB5EB44304F10447EF501B61D1C7B89640DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040243D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000023,00000011,00000002), ref: 00402488
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,00000011,00000002), ref: 004024C5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,00000011,00000002), ref: 004025A9

Strings

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp, xrefs: 00402479, 0040249B, 004024AF, 004024BA

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp
API String ID: 2655323295-2542702260
Opcode ID: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
Instruction ID: 8e9ea0cf859de5a6fe7672b5a81e2234dbec8cc7450cb22075f11fbb1059ccd6
Opcode Fuzzy Hash: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
Instruction Fuzzy Hash: 42119072E00218BEEB01AFA58E49EAE7BB8FB48314F20443BF504B71C1C6B85D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040206A Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll), ref: 0040516F
Part of subcall function 00405101: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
Part of subcall function 00405101: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
Instruction ID: 97d835e61fc7e0b97890b4be7664cc53dce4a02014942e479506a03d8351e840
Opcode Fuzzy Hash: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
Instruction Fuzzy Hash: 4521D871A00214BBCF117FA4CE8DAAE79B4AB44319F20413BFA01B62D0C6FD9981D65E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405A0B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004055C7: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
API String ID: 1892508949-3978666454
Opcode ID: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
Instruction ID: 3a09c20382928311ba1d31a626229d1df209b5e1cddac7105c79dbf72218ebe6
Opcode Fuzzy Hash: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
Instruction Fuzzy Hash: B4112731508141EBCB212FB94D4197F36B0EA96325F28453FE4D2B23E2D63D49429A3F

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406105,80000002), ref: 00405F07
RegCloseKey.KERNELBASE(?,?,00406105,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll), ref: 00405F12

Strings

Call, xrefs: 00405EC4, 00405EF8

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
Instruction ID: 897067c620da28adabf34c96f4b8630bfa599ba4fb7ce992f063a5310404d611
Opcode Fuzzy Hash: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
Instruction Fuzzy Hash: 6D015A7251020AABEF22CF61CC09FDB3BACEF55364F004026FA55A2190D278DA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
Instruction ID: 81ce818a04e0c3cc04ce684d9a2a9ddfd009c22adec174195ca66df60ea86fc9
Opcode Fuzzy Hash: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
Instruction Fuzzy Hash: 69A14271E00229DBDF28CFA8C8446ADBBB1FF44305F15842AD916BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C9C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
Instruction ID: 08e1f0bd3e012b2653e952fb076f5459688999f8fa16d8000732ef154d800f7e
Opcode Fuzzy Hash: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
Instruction Fuzzy Hash: 53912370E00229CBEF28CF98C8547ADBBB1FF44305F15816AD956BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069B2 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
Instruction ID: f9b0e14a80994b8e3cce9b061f2e265d206a391058c15f1564a8a9ac8da356b6
Opcode Fuzzy Hash: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
Instruction Fuzzy Hash: 80814571D04229DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004064B7 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
Instruction ID: 64fae73fcf261b5a29c0697abf595a3f572636c651b32177eb72ec05398ad39b
Opcode Fuzzy Hash: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
Instruction Fuzzy Hash: 39817831D04229DBEF24CFA8D8447ADBBB0FB44305F21816AD856BB2C1C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406905 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
Instruction ID: 51e77fe0f08f8d7ba03d7e1561fc41eb13955110d3fdee4e61b85cd17e52ee3e
Opcode Fuzzy Hash: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
Instruction Fuzzy Hash: C4712371D04229DBEF28CF98C8447ADBBB1FB44305F15806AD806BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406A23 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
Instruction ID: 3517892101dd69bd75e64738494877d03a8317e446f0652336487a17687a2cae
Opcode Fuzzy Hash: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
Instruction Fuzzy Hash: 53712571E04229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281D7789996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040696F Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
Instruction ID: 34c5161cf4e4322df4c522de15ced9ded486b5ca7425d8c28145854c0c0886a7
Opcode Fuzzy Hash: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
Instruction Fuzzy Hash: 29714571D04229DBEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401B63 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(00000000), ref: 00401BD2
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BE4

Strings

Call, xrefs: 00401B8A, 00401B90, 00401BAA

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 1fe632c829319894c03c4f390d25a6009dfdfdfa543a20855fb3c628d0abeb6c
Instruction ID: 90574936f02aea29710b4ee6ae69819f4a98e20e624d26ff257ec3688bf7659d
Opcode Fuzzy Hash: 1fe632c829319894c03c4f390d25a6009dfdfdfa543a20855fb3c628d0abeb6c
Instruction Fuzzy Hash: 1B21A8B3604106ABCB10EB64DE8495F73E9EB48318B204437F501F32D1D77CA8528B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004022B2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062DD: FindFirstFileA.KERNELBASE(75923410,00421558,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
Part of subcall function 004062DD: FindClose.KERNEL32(00000000), ref: 004062F4

lstrlenA.KERNEL32 ref: 004022F2
lstrlenA.KERNEL32(00000000), ref: 004022FC
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402324

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
Instruction ID: e190a191dd6904399be212acf1c509ba618b837bf102c15a3da6bfbe2c681905
Opcode Fuzzy Hash: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
Instruction Fuzzy Hash: E6112A71E04318AACB00EFB98949A8EBBB9EF04318F10407BA405FB2D2D6BCD540CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040254C Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402591
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
Instruction ID: 35fd857a3e442691b1a787247be78dd7b49a46040516f967143c2ea575d22cfd
Opcode Fuzzy Hash: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
Instruction Fuzzy Hash: 5801B1B1905204FFE7119F659E89ABF7ABCEB40344F10443EF402B62C0D6B85E019669

Uniqueness

Uniqueness Score: -1.00%

Function 004024DA Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040250A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
Instruction ID: 8f3c8c2c6778634c6bf67ed2425ae169c6cf17cae75ec7db2a606e7394f4df6a
Opcode Fuzzy Hash: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
Instruction Fuzzy Hash: 36118F71905205FEDB11CF64CA5D5AEBAB4AF15344F60447FE042B62C0D2B88A45DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
Instruction ID: 3754a530b6758dc8908f2ef617aa9c280200ea706ec51d0fb7e67c491179f4d9
Opcode Fuzzy Hash: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
Instruction Fuzzy Hash: A3012831724210ABE7294B389D04B2A369CE710328F11823BF811F72F1D6B8DC02DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004023E8 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402409
RegCloseKey.ADVAPI32(00000000), ref: 00402412

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
Instruction ID: ce1450a8ab12a7957634bce685e0bfb7e2b45ee5234afc219fd3c41b35330c67
Opcode Fuzzy Hash: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
Instruction Fuzzy Hash: AAF0F672E04120ABD700AFB89B4DAAE72A89B44304F11017BF202B72C1D5F85E02826E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
Instruction ID: 79d5ad403a5aaaf22ef605bc71de2bbac2c7999a6642915e38ea97ae4a47edd5
Opcode Fuzzy Hash: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
Instruction Fuzzy Hash: BAF0A771B09240EBCB21DF759D44A9F7FE8EF91354B10803BE145F6290D2388901CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8F Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EAD
EnableWindow.USER32(00000000,00000000), ref: 00401EB8

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
Instruction ID: ea2ebfb6392eb1d35c1d77cf7a204b1acfca181ccf64587d83a13520139c7bad
Opcode Fuzzy Hash: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
Instruction Fuzzy Hash: C8E012B2A08210DFD715DFA8AA859AE77B4FB84325F10493BE102F12D1D7B85940965D

Uniqueness

Uniqueness Score: -1.00%

Function 00406372 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
GetProcAddress.KERNEL32(00000000,?), ref: 0040639F

Part of subcall function 00406304: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
Part of subcall function 00406304: wsprintfA.USER32 ref: 00406354
Part of subcall function 00406304: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406368

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
Instruction ID: 5c1bd2d9329a739c8a877d318ed38f6c7ac4115b407851283e1fe7e546b0050a
Opcode Fuzzy Hash: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
Instruction Fuzzy Hash: 85E08C32A08210ABD7106B709D0493B72E89B85700302483EFE0AF2191D738EC21AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B73 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405644 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403228,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040564A
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405658

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: fc3bbe6b068c7ca676e2af9f6a434936c7df2cd1c21a2d5f2b74ac8b5b27fed5
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: 0BC08C30688101AADA002B308D08B073A55AB20340F608836600AE00F0CA32A600DD3F

Uniqueness

Uniqueness Score: -1.00%

Function 6E572A38 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000), ref: 6E572AF7

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 62ba053aa43e0be9d5a0e0f4d8cac37be0503906ed2970312905f88141a9de7f
Instruction ID: f4e79cebbc768c3531b6a7487834ce869e9d509b276013aa371d784202af0845
Opcode Fuzzy Hash: 62ba053aa43e0be9d5a0e0f4d8cac37be0503906ed2970312905f88141a9de7f
Instruction Fuzzy Hash: DA412CBA504614DFDF30DFE4D880B993BF8EB86358F158C29D508CB244DB349DB28A51

Uniqueness

Uniqueness Score: -1.00%

Function 00402631 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
Instruction ID: 3a2c95f3f261f3e7b92da62a1208cffd6d7f8b014e901ac2ca999815bcbce589
Opcode Fuzzy Hash: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
Instruction Fuzzy Hash: 2D21C770C0428AAADF219F644A456BFBB709B11318F14447FE891B63D1C1BD9981CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004026EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040270D

Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
Instruction ID: f53dea761aa5693b03f4aeaa9096613f160725ff62c28ab2a383c2bfee997f34
Opcode Fuzzy Hash: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
Instruction Fuzzy Hash: 5AE0EDB1A04215BBD702AB95AE89DBE776CEB44315F10043BF201F11C1C67D4941966E

Uniqueness

Uniqueness Score: -1.00%

Function 00402363 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
Instruction ID: fe35eca7c2654f279d717fea31bdeaa6937bb5491eee9e26a1e5aab6719f7fed
Opcode Fuzzy Hash: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
Instruction Fuzzy Hash: B2E04F31A003256BDB213EB25E8ED6F3669AB84744B16113BFA01BA2C2D9BC1C05C26D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8E Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402BDD,00000000,?,?), ref: 00405EB7

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction ID: 95beb03159e1ed36dc188c03c0911f4594c5194c551a9f11594fd4679c6f4357
Opcode Fuzzy Hash: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction Fuzzy Hash: 23E0ECB2014109BEEF095F90ED0ADBB371DEB04315F00492EFA06E4090E7B5A920AA75

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,004031B8,00000000,004128C0,00000020,004128C0,00000020,000000FF,00000004,00000000), ref: 00405C2E

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: 28dd51bc99cbbe9e43bc3b4155210361b58306b45153a5fd00399a3e640b4bcc
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: 3AE0EC3261835AABEF249E559C01EEB7B6CEB05360F044472FD15E6150D231E8219FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405BEB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031EA,00000000,00000000,00403047,000000FF,00000004,00000000,00000000,00000000), ref: 00405BFF

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 7d11c2845e787d99b8eae26fbbcce04266139d1862b3a193897eab19ac9c5e73
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: 72E0E632558759ABDF106E559C00AEB775CEB45754F004832FE15E3150D231E8519BE9

Uniqueness

Uniqueness Score: -1.00%

Function 6E572921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6E57404C,00000004,00000040,6E57403C), ref: 6E57293F

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 88f0f63f97b519beb11868dfb25db0d68d1aaba1390c47d57540df2e71d599bc
Instruction ID: 0036436b183f04ab4bb7e7fa8fb757cf48b3612b1b4494b3baf8d10de90a58f9
Opcode Fuzzy Hash: 88f0f63f97b519beb11868dfb25db0d68d1aaba1390c47d57540df2e71d599bc
Instruction Fuzzy Hash: E0F04EB1958AA0DECFA0CFBD8884B057FE0A71B355B13496EE158DF241EB7448668B11

Uniqueness

Uniqueness Score: -1.00%

Function 004023A7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004023DA

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
Instruction ID: 87433fbf28b19ed2e9e97c64dce3a42f5842ec6a66e9b0e36d30645c49e8dc10
Opcode Fuzzy Hash: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
Instruction Fuzzy Hash: 92E01230904309BAEB02AFB08D09EBE3E79EF05710F10042AB9606A0D2E6B89542D75E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E60 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EEE,?,?,?,?,00000002,Call), ref: 00405E84

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: 31d842323d9a2f535784a2c12e989c9eb1b9f9f44251d53ba3eec0f14c414acf
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: 75D0EC3204420DBADF115F90ED05FAB371DEB14355F004522FE05A4090D2769520AA55

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
Instruction ID: d5005c83e4bc13d794db0995845c4037c46dc405a88debeb1123cd551caf7fcc
Opcode Fuzzy Hash: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
Instruction Fuzzy Hash: F5D05BB2B08200EBCB11DFE8EF08A5E77B5EB54325F204577E101F21D1D2B88641975A

Uniqueness

Uniqueness Score: -1.00%

Function 004040B4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010464,00000000,00000000,00000000), ref: 004040C6

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: d19a9dbcf4508c1e9b2ca47d0762ffb16ec5c10abf7e35186d5f4f0c6b5da105
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: F9C04C71754201BAEA319B50DD49F0777586750B00F5584257314F60D1C6B4E451D62D

Uniqueness

Uniqueness Score: -1.00%

Function 004031ED Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
Instruction ID: 8831d3de15784b4579c3d7b303db9b45d0c358e109056f74ce618eb3ecc3c243
Opcode Fuzzy Hash: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
Instruction Fuzzy Hash: 74B01231544200BFDB214F00DE05F057B21A790700F10C030B344780F082712460EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040409D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403ECD), ref: 004040AB

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004056BC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,004044AF,?), ref: 004056CB

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 0040408A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E66), ref: 00404094

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004044FA Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404549
SetWindowTextA.USER32(00000000,?), ref: 00404573
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404624
CoTaskMemFree.OLE32(00000000), ref: 0040462F
lstrcmpiA.KERNEL32(Call,Trochidae Setup: Installing), ref: 00404661
lstrcatA.KERNEL32(?,Call), ref: 0040466D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040467F

Part of subcall function 004056DA: GetDlgItemTextA.USER32(?,?,00000400,004046B6), ref: 004056ED

Part of subcall function 00406244: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\jU0hAXFL0k.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040629C
Part of subcall function 00406244: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062A9
Part of subcall function 00406244: CharNextA.USER32(?,"C:\Users\user\Desktop\jU0hAXFL0k.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062AE
Part of subcall function 00406244: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062BE

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040473D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404758

Part of subcall function 004048B1: lstrlenA.KERNEL32(Trochidae Setup: Installing,Trochidae Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
Part of subcall function 004048B1: wsprintfA.USER32 ref: 00404957
Part of subcall function 004048B1: SetDlgItemTextA.USER32(?,Trochidae Setup: Installing), ref: 0040496A

Strings

A, xrefs: 0040461D
K, xrefs: 00404500
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 0040464A
Call, xrefs: 0040465B, 00404660, 0040466B
Trochidae Setup: Installing, xrefs: 004045F7, 0040465A

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Trochidae Setup: Installing$K
API String ID: 2624150263-3087169317
Opcode ID: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
Instruction ID: a574bab901635a86c0a25b0ea1efcbf713871747dcedb108b051a9d89a4042ab
Opcode Fuzzy Hash: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
Instruction Fuzzy Hash: E9A16FB1900219ABDB11EFA5CD41AAFB7B8EF85315F10843BF601B62D1D77C8A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407410,?,00000001,00407400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 004021FA

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
API String ID: 123533781-3978666454
Opcode ID: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
Instruction ID: 364dec1ee03e4b34996bd20462589a1769652030a90c2beac7f749610b7a86d9
Opcode Fuzzy Hash: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
Instruction Fuzzy Hash: 30511871E00209AFCB00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402765 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
Instruction ID: 2655497eb84a062ae037f6c25fa5e5de2408fe63ae01e39025771dd9bbe68540
Opcode Fuzzy Hash: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
Instruction Fuzzy Hash: 3BF0A0B2644101AAD701EBB49A49AEEB768EB11324F60417BE241F21C1D2BC89459B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A6D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A84
GetDlgItem.USER32(?,00000408), ref: 00404A91
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AE0
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404AF7
SetWindowLongA.USER32(?,000000FC,00405075), ref: 00404B11
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B23
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B37
SendMessageA.USER32(?,00001109,00000002), ref: 00404B4D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B59
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B69
DeleteObject.GDI32(00000110), ref: 00404B6E
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B99
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BA5
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C3F
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C6F

Part of subcall function 0040409D: SendMessageA.USER32(00000028,?,00000001,00403ECD), ref: 004040AB

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C83
GetWindowLongA.USER32(?,000000F0), ref: 00404CB1
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CBF
ShowWindow.USER32(?,00000005), ref: 00404CCF
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DCA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E2F
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E44
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E68
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E88
ImageList_Destroy.COMCTL32(00000000), ref: 00404E9D
GlobalFree.KERNEL32(00000000), ref: 00404EAD
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F26
SendMessageA.USER32(?,00001102,?,?), ref: 00404FCF
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FDE
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FFE
ShowWindow.USER32(?,00000000), ref: 0040504C
GetDlgItem.USER32(?,000003FE), ref: 00405057
ShowWindow.USER32(00000000), ref: 0040505E

Strings

M, xrefs: 00404C27
N, xrefs: 00404D08
, xrefs: 00405036

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
Instruction ID: 966653e8360bab3e2fc21879108ab338c3bc3285e0cd99f232f5bc98bb3d6c0f
Opcode Fuzzy Hash: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
Instruction Fuzzy Hash: 86025CB0900209AFDB10DF64DC45AAE7BB9FB84314F10813AFA15BA2E0D7799E41DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041D3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040425E
GetDlgItem.USER32(00000000,000003E8), ref: 00404272
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404290
GetSysColor.USER32(?), ref: 004042A1
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042B0
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042BF
lstrlenA.KERNEL32(?), ref: 004042C2
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042D1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042E6
GetDlgItem.USER32(?,0000040A), ref: 00404348
SendMessageA.USER32(00000000), ref: 0040434B
GetDlgItem.USER32(?,000003E8), ref: 00404376
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043B6
LoadCursorA.USER32(00000000,00007F02), ref: 004043C5
SetCursor.USER32(00000000), ref: 004043CE
LoadCursorA.USER32(00000000,00007F00), ref: 004043E4
SetCursor.USER32(00000000), ref: 004043E7
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404413
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404427

Strings

N, xrefs: 00404364
K, xrefs: 00404327
Call, xrefs: 004043A1

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$K
API String ID: 3103080414-1662157190
Opcode ID: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
Instruction ID: a86fe1b261e308fa50e110e5a31abfd90c360c5de8850f7aae14d0f145b03158
Opcode Fuzzy Hash: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
Instruction Fuzzy Hash: 1561A0B1A00209BBEB109F61DD45F6A7B69FB84705F008036FB01BA2D1C7B8A951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
Instruction ID: e0713781b635691343a74aeb4589e3ea90c77733c460a74728c978b7faf409cc
Opcode Fuzzy Hash: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
Instruction Fuzzy Hash: A7419C71804249AFCF058FA4CD459BFBFB9FF44310F00812AF561AA2A0C738AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DDA,?,?), ref: 00405C7A
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405C83

Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405CA0
wsprintfA.USER32 ref: 00405CBE
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405CF9
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D08
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D40
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D96
GlobalFree.KERNEL32(00000000), ref: 00405DA7
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DAE

Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

Strings

%s=%s, xrefs: 00405CB4
[Rename], xrefs: 00405D28, 00405D3A

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
Instruction ID: 6ce2b9c5035192946699426d8eaee961ce023100f281e1c8236941499ee81097
Opcode Fuzzy Hash: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
Instruction Fuzzy Hash: 19311331605B19ABD6207B659C4CFAB3A6CDF45714F14003BFA01FA2D2E67CA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00406244 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\jU0hAXFL0k.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040629C
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062A9
CharNextA.USER32(?,"C:\Users\user\Desktop\jU0hAXFL0k.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062AE
CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062BE

Strings

"C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 00406280
C:\Users\user\AppData\Local\Temp\, xrefs: 00406245
*?|<>/":, xrefs: 0040628C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2073713104
Opcode ID: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
Instruction ID: 98a55a52ac5494643caf5fd5857683424a9a77f1076ac2e6562e20d377716777
Opcode Fuzzy Hash: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
Instruction Fuzzy Hash: EE11E25180879029EB3226344C40B7B7F988F5B760F2904FFE9D6722C2D67C5C52876E

Uniqueness

Uniqueness Score: -1.00%

Function 004040CF Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040EC
GetSysColor.USER32(00000000), ref: 0040412A
SetTextColor.GDI32(?,00000000), ref: 00404136
SetBkMode.GDI32(?,?), ref: 00404142
GetSysColor.USER32(?), ref: 00404155
SetBkColor.GDI32(?,?), ref: 00404165
DeleteObject.GDI32(?), ref: 0040417F
CreateBrushIndirect.GDI32(?), ref: 00404189

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
Instruction ID: 778babcb3f3cb4702814cedc7f3687c69535c8aec6342fb1ab2b401637f1774e
Opcode Fuzzy Hash: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
Instruction Fuzzy Hash: 8A21C7715047049BC7309F78DC4CB5BBBF8AF91710B048A2AEA96A62E0D334E884CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6E5724D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6E571215: GlobalAlloc.KERNEL32(00000040,6E571233,?,6E5712CF,-6E57404B,6E5711AB,-000000A0), ref: 6E57121D

GlobalFree.KERNEL32(?), ref: 6E5725DE
GlobalFree.KERNEL32(00000000), ref: 6E572618

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 89f2a407c5397fcdccc7f672026d7eadcdcecb9572db35ed5517ba0a2358a2c2
Instruction ID: b98de604b4ad799f792466e49911ee346d0f367f5bdea42baf753def4287b95c
Opcode Fuzzy Hash: 89f2a407c5397fcdccc7f672026d7eadcdcecb9572db35ed5517ba0a2358a2c2
Instruction Fuzzy Hash: D241D2B5518251EFCF21CF95CC98C2AB7FEEB86314B01496DF6418B210EB319D65CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004049BB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049D6
GetMessagePos.USER32 ref: 004049DE
ScreenToClient.USER32(?,?), ref: 004049F8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A0A
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A30

Strings

f, xrefs: 00404A0C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
Instruction ID: 78e79842b3afbaa1123eb4bc953d8a824fe30bd623f786c3032228cde2642f29
Opcode Fuzzy Hash: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
Instruction Fuzzy Hash: DA018071D40218BAEB00DB94DC81BFEBBB8AB45B11F10412BBA00B61D0C7B469418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E84

Strings

Calibri, xrefs: 00401E6A

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
Instruction ID: f74e6b169c59b5c86824efe7ff79e827475fcd3c365d9a6f340974a330803a43
Opcode Fuzzy Hash: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
Instruction Fuzzy Hash: 6001B571948341AFE7019BB0AE49F9A7FB4EB15304F108479F201B72E2C6B851509B2F

Uniqueness

Uniqueness Score: -1.00%

Function 00402CDD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
MulDiv.KERNEL32(00135201,00000064,00136C20), ref: 00402D23
wsprintfA.USER32 ref: 00402D33
SetWindowTextA.USER32(?,?), ref: 00402D43
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55

Strings

verifying installer: %d%%, xrefs: 00402D2D

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
Instruction ID: 989b2dafafbc5add767bef13d928cf85595003a1ad1b8b7172a09c7de12a9e27
Opcode Fuzzy Hash: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
Instruction Fuzzy Hash: 3801EC71A40209ABEF20AF60DD49FAE3769EB04305F008039FA06AA1D0D7B599558F59

Uniqueness

Uniqueness Score: -1.00%

Function 6E5722F1 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6E572447

Part of subcall function 6E571224: lstrcpynA.KERNEL32(00000000,?,6E5712CF,-6E57404B,6E5711AB,-000000A0), ref: 6E571234

GlobalAlloc.KERNEL32(00000040,?), ref: 6E5723C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6E5723D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6E5723E8
CLSIDFromString.OLE32(00000000,00000000), ref: 6E5723F6
GlobalFree.KERNEL32(00000000), ref: 6E5723FD

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: ac033bc4d8c28fd9485294dcb742604178cf080b69bdd2d4c2de220cbe775774
Instruction ID: be4d1a545c2fea89e58611a2d19290e143db659a0b61af16af58d0068aac6723
Opcode Fuzzy Hash: ac033bc4d8c28fd9485294dcb742604178cf080b69bdd2d4c2de220cbe775774
Instruction Fuzzy Hash: 29418DF5508741EFDF30CFA68844B6AB7E9FB41311F01881EE955DB190EB309965CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 65199455fe1c80487f02215d0fef0016981626ec036ad2654a2deead1ba08cb2
Instruction ID: ec0d33f595d451752a188c19515fdbd8f87975fde9c964b970e1a5072f162152
Opcode Fuzzy Hash: 65199455fe1c80487f02215d0fef0016981626ec036ad2654a2deead1ba08cb2
Instruction Fuzzy Hash: 7D219C72C00124BBCF213FA5CD49DAE7F79EF09364B10823AF520762E0C67959419FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004048B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Trochidae Setup: Installing,Trochidae Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
wsprintfA.USER32 ref: 00404957
SetDlgItemTextA.USER32(?,Trochidae Setup: Installing), ref: 0040496A

Strings

%u.%u%s%s, xrefs: 00404939
Trochidae Setup: Installing, xrefs: 00404941, 00404946, 0040494C, 00404960

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Trochidae Setup: Installing
API String ID: 3540041739-3189352601
Opcode ID: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
Instruction ID: 99a67daf6c97d227f7cf07030b4f4762c36886faa54bbd44db56b2f9a5a008fd
Opcode Fuzzy Hash: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
Instruction Fuzzy Hash: 4F110D7350812937DB00656D9C45EEF328CDF85374F254637FA25F21D1EA78DC1252A8

Uniqueness

Uniqueness Score: -1.00%

Function 6E571837 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6E571893
GlobalFree.KERNEL32(?), ref: 6E571A2A
GlobalFree.KERNEL32(?), ref: 6E571A2F

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: c20ecb9f69cac64bb8fd9b229b523497f524961a8524b89676ffec54aac5f7ba
Instruction ID: 59b12ec4c18701d7243665f678fc6ca9c52b23827e97f18ee5b5609499884c4e
Opcode Fuzzy Hash: c20ecb9f69cac64bb8fd9b229b523497f524961a8524b89676ffec54aac5f7ba
Instruction Fuzzy Hash: 03511272D04059AEDFB0CFF9CB745BEBBF9AB86345F04485AD440A3100E6319E6E87A1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
Instruction ID: 879b8917e8c3c9b7c2a93b5436fc05cb0971dbd0d1073f8587bede8dddcc77ec
Opcode Fuzzy Hash: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
Instruction Fuzzy Hash: CC2196B2E04109AFDB01DF98DD44AEE7BB5FB48300F10803AF905F6290C7789941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405A60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FE7

Part of subcall function 00405A0B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AB3
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405AC3

Strings

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp, xrefs: 00405A66, 00405A6B, 00405A71, 00405AAC, 00405AB2, 00405ABA, 00405AC2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A60

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nss6BE1.tmp
API String ID: 3248276644-2162652150
Opcode ID: 3d72b69990c89283bdec6022929649575e9d0056fbfb1b91cb3bf573b4946918
Instruction ID: fa13fd96d81fd76c8fc81ec80775158a1daeec84e0c55be597840f6fdc29cec0
Opcode Fuzzy Hash: 3d72b69990c89283bdec6022929649575e9d0056fbfb1b91cb3bf573b4946918
Instruction Fuzzy Hash: D5F0C825305D6616D62233361C85EAF1649CE82364715473FF851B12D3DB3C8943DE7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405972 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 00405978
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 00405981
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 00405992

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405972

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 76b30c2e26840082170464c0c63912d3f8204d685d5b784281808f5f32aeb92b
Instruction ID: 0da8bf888325795cdd0c5347214511d48edcf337a1f8d4df24ff951c9a6f7455
Opcode Fuzzy Hash: 76b30c2e26840082170464c0c63912d3f8204d685d5b784281808f5f32aeb92b
Instruction Fuzzy Hash: C7D0A9A2605A716AD21223199C09EDB2A0CCF02314B080063F600B22A3CA3C1D018BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 73c9fb611972138edc71e9406aca9b8622a65655cc86fec515c5851ee22221db
Instruction ID: a6da729fb9552a58d385ec1c0953cf8d4b7f97d7084d0a629d1ed2eab5a533bf
Opcode Fuzzy Hash: 73c9fb611972138edc71e9406aca9b8622a65655cc86fec515c5851ee22221db
Instruction Fuzzy Hash: 8E115B32904109BBEF129F50DE09B9E7B6DEB54380F104072BE05B51E0E7B59E11AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405A0B Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,C:\Users\user\AppData\Local\Temp\nss6BE1.tmp,75923410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
CharNextA.USER32(00000000), ref: 00405A1E
CharNextA.USER32(00000000), ref: 00405A32

Strings

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp, xrefs: 00405A0C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nss6BE1.tmp
API String ID: 3213498283-2542702260
Opcode ID: 41ff5f2e282a09e2b8c2dcc033aaaa44e3aa2c06707c210a0f189d2452b315e7
Instruction ID: a4ce128402f48f1feafc2c55b1118e7c053650975221e3f5fcc16cd8d0856992
Opcode Fuzzy Hash: 41ff5f2e282a09e2b8c2dcc033aaaa44e3aa2c06707c210a0f189d2452b315e7
Instruction Fuzzy Hash: 13F0C251B04F916BFB32A2280CD4F6B5B88CB55365F145267E280672C2C27C88408F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402D60 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F3E,00000001), ref: 00402D73
GetTickCount.KERNEL32 ref: 00402D91
CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
ShowWindow.USER32(00000000,00000005), ref: 00402DBC

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 840a75d409b371d7b77b67c1e1f99b2f4b28fbc1840826de4c71681516a351cc
Instruction ID: 88e2776c24fdb891b0502b3cf10dbd42b902845c03a9ebe61091678d0ea3e225
Opcode Fuzzy Hash: 840a75d409b371d7b77b67c1e1f99b2f4b28fbc1840826de4c71681516a351cc
Instruction Fuzzy Hash: E0F05E75905221ABCA207B62BE4CACA7BA4FB42B527014976F845B31E4C3784C868BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405075 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050A4
CallWindowProcA.USER32(?,?,?,?), ref: 004050F5

Part of subcall function 004040B4: SendMessageA.USER32(00010464,00000000,00000000,00000000), ref: 004040C6

Strings

, xrefs: 00405085

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: add97a0a6925bc22265a7304b998d918bb161013fa4103ebff122d1b57fa8f8b
Instruction ID: 69794148541a1a4d8d7be296dba567d41b1ee09d4c6a2f8e6d5670bc2f98cc64
Opcode Fuzzy Hash: add97a0a6925bc22265a7304b998d918bb161013fa4103ebff122d1b57fa8f8b
Instruction Fuzzy Hash: 3F017171100649ABDF219F11DD80A9F7A65EB84314F208037FA017A2D1D77A9C51DEEA

Uniqueness

Uniqueness Score: -1.00%

Function 00405679 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004056A2
CloseHandle.KERNEL32(?), ref: 004056AF

Strings

Error launching installer, xrefs: 0040568C

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: 7ab3ce879d7da258620b5dd87dc6aa02706b67d8cc8a7f981bd8ed1ee31a9d30
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: 46E046F0A00209BFEB009B60EC09F7B7AACEB10748F404861BD11F32A0E374A9108A79

Uniqueness

Uniqueness Score: -1.00%

Function 00403762 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,0040373A,00403554,?,?,00000006,00000008,0000000A), ref: 0040377C
GlobalFree.KERNEL32(004ED680), ref: 00403783

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403762

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: c8d1562c69e49bacb52193c1b129ec66577e910d0a26dd744afe86c7ae1d1dec
Instruction ID: ee514f1fc3f324b596d41214b75e1b85a5e4a54197580a2dff82031d974a72f0
Opcode Fuzzy Hash: c8d1562c69e49bacb52193c1b129ec66577e910d0a26dd744afe86c7ae1d1dec
Instruction Fuzzy Hash: 40E0C27380112097C7251F07EC04B5A776CAF45B22F01C02AEC007B3A0C7742C418BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004059B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jU0hAXFL0k.exe,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 004059BF
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jU0hAXFL0k.exe,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 004059CD

Strings

C:\Users\user\Desktop, xrefs: 004059B9

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
Instruction ID: a086819795abd80aa1ad59fb022c9920fa60cb9da26d6d2253466900a8022463
Opcode Fuzzy Hash: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
Instruction Fuzzy Hash: 3FD0A7E3408DB05EE70353149C04B9F6A48CF12310F0900A3F180A21A6C67C1C414BFE

Uniqueness

Uniqueness Score: -1.00%

Function 6E5710E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E57115B
GlobalFree.KERNEL32(00000000), ref: 6E5711B4
GlobalFree.KERNEL32(?), ref: 6E5711C7
GlobalFree.KERNEL32(?), ref: 6E5711F5

Memory Dump Source

Source File: 00000000.00000002.4461126122.000000006E571000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E570000, based on PE: true

Associated: 00000000.00000002.4461109696.000000006E570000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461139811.000000006E573000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4461154349.000000006E575000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e570000_jU0hAXFL0k.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: b3c7f988d0dd78aa33104e3a20396e8960de673464c2c20f78203a9a65cb64ee
Instruction ID: a0034763c3430d3ad142c24f080c71d35f216e6c41ab19fa57741f91646dbf85
Opcode Fuzzy Hash: b3c7f988d0dd78aa33104e3a20396e8960de673464c2c20f78203a9a65cb64ee
Instruction Fuzzy Hash: 5231DEB1404661AFEF21CFFADA68A257FF8FB46250B064819E944CA210DB30CC39CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD8 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B00
CharNextA.USER32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11
lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A

Memory Dump Source

Source File: 00000000.00000002.4454701091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4454681113.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454718895.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454732627.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4454822672.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_jU0hAXFL0k.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
Instruction ID: 2cbfd0870324320007afb9b70b5ca04d8eb3af27e3ea935175830c0dc6d3898b
Opcode Fuzzy Hash: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
Instruction Fuzzy Hash: 50F0C231604414BFC702DBA9DC40D9EBBB8EF46250B2540A6E800F7251D274FE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jU0hAXFL0k.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nss6BE1.tmp\System.dll

C:\Users\user\AppData\Local\Temp\reinhold.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Engroshandlerne.agr

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Megapterine.buc

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Spongiform.For

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\haves.ant

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\laggin.tel

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\regneoperatorers.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers\unintriguing.tie

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
jU0hAXFL0k.exe

Function 00403235 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Function 0040523F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 004057A2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B94 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 346
windowstringCOMMON

Function 004037F7 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00405FFC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00405101 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 004055C7 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406304 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402FFB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00405BA2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 6E5716DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON